Netns: Difference between revisions

From Alpine Linux
Revision as of 10:52, 10 November 2023


netns (network namespaces) are separate instances of the network stack, each with its own network devices (links), IP setup and firewall rules. Besides being used to build containers, netns can provide stricter isolation than VRFs.

Prerequisites

The packages and patches described in this article are available in Alpine edge and ≥3.19.

netns management

iproute2

Netns can be managed ad hoc with the ip netns commands:

  # ip netns
  # ip netns add tenant1
  # ip netns del tenant1
  # ip netns exec tenant1 ip -br link
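The following script is an added example, not part of the Alpine wiki page, showing the workflow those four commands are typically part of: it goes beyond the page by wiring a freshly created netns to the root netns with a veth pair and loading a small nftables ruleset that exists only inside that netns, which is what "its own links and firewall rules" means in practice. The netns name tenant1, the veth naming scheme, the 192.0.2.0/30 addresses and the ruleset are constructed for the example; it assumes iproute2 and nftables are installed and must run as root on Linux.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): ad-hoc tenant netns with iproute2.
# Creates a netns, connects it to the root netns through a veth pair and loads
# a minimal nftables ruleset that lives only inside the netns. Names, addresses
# and the ruleset are constructed for this example; run as root on Linux.
set -eu

# Refuse names that could escape /run/netns or confuse `ip netns`.
valid_netns_name() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

netns_up() {
    ns=$1
    valid_netns_name "$ns" || { echo "invalid netns name: $ns" >&2; return 1; }
    ip netns add "$ns"
    # veth pair: one end stays in the root netns, the peer is created directly
    # inside the tenant netns (link names must stay within 15 characters).
    ip link add "veth-$ns" type veth peer name eth0 netns "$ns"
    ip addr add 192.0.2.1/30 dev "veth-$ns"     # constructed address, root side
    ip link set "veth-$ns" up
    # `ip -n NAME` is short for `ip -netns NAME`; everything below runs inside the tenant.
    ip -n "$ns" link set lo up
    ip -n "$ns" addr add 192.0.2.2/30 dev eth0  # constructed address, tenant side
    ip -n "$ns" link set eth0 up
    ip -n "$ns" route add default via 192.0.2.1
    # Firewall rules are per netns: this ruleset is loaded into "$ns" only and
    # is invisible to `nft list ruleset` in the root netns.
    ip netns exec "$ns" nft -f - <<'EOF'
table inet tenant {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 accept
    }
}
EOF
}

# Show what the tenant sees: its own links and its own ruleset.
netns_show() {
    ip netns exec "$1" ip -br link
    ip netns exec "$1" nft list ruleset
}

# Deleting the netns tears down its links (the veth peer disappears as well)
# and its nftables tables.
netns_down() {
    ip netns del "$1"
}

# Usage: ./netns-demo.sh up|show|down <netns>; with no arguments only the
# functions are defined.
if [ "$#" -gt 0 ]; then
    case "$1" in
        up)   netns_up   "${2:?netns name required}" ;;
        show) netns_show "${2:?netns name required}" ;;
        down) netns_down "${2:?netns name required}" ;;
        *)    echo "usage: $0 up|show|down <netns>" >&2; exit 2 ;;
    esac
fi
```

Running `./netns-demo.sh up tenant1` followed by `./netns-demo.sh show tenant1` prints only lo and eth0 for the tenant and only the tenant table; `nft list ruleset` in the root netns does not show it. The name check matters because the netns name becomes a path component under /run/netns.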

ifstate

IfState, a declarative network configuration tool, is fully netns aware since IfState 1.9.0. The following config example creates a WireGuard tunnel and a VLAN sub-interface. The WireGuard link wg0 and the VLAN sub-interface are moved into the vpn netns.

Contents of /etc/ifstate/config.yml

# root netns
interfaces:
  - name: eth0
    addresses:
      - 198.51.100.2/31
    link:
      state: up
      kind: physical
routing:
  routes:
    - to: 0.0.0.0/0
      via: 198.51.100.1
  rules: []
namespaces:
  # "vpn" netns
  vpn:
    interfaces:
      - name: eth0.42
        addresses:
          - 192.0.2.1/25
        link:
          state: up
          kind: vlan
          vlan_id: 42
          link: eth0
          # link to eth0 in root netns
          link_netns: null
      - name: wg0
        addresses:
          - 192.0.2.254/30
        link:
          state: up
          kind: wireguard
          # bind wireguard to the root netns
          bind_netns: null
          wireguard:
            private_key: !include /etc/wireguard/secret.key
            peers:
              - public_key: 3Eimby+9YtJwtx+peCsz6RiubRqAp+cATHNiGWsUsEU=
                endpoint: 203.0.113.42
                persistent_keepalive_interval: 30
                allowedips:
                  - 0.0.0.0/0
    routing:
      routes:
        - to: 0.0.0.0/0
          dev: wg0
      rules: []

netns-based Service Isolation

Services can be run isolated in a netns (and in a VRF inside the netns) when running at least OpenRC 0.49.0-r1. In most cases it is enough to set the $netns variable in the service's file under /etc/conf.d.

The netns must already be created before a service can be started inside of it!
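An added example, not from the Alpine wiki or from OpenRC, of the two checks a practitioner wants around that caveat: refusing to start when the netns has not been created yet, and verifying afterwards that the daemon really runs inside the netns rather than silently in the root one. It assumes that `ip netns add` keeps its namespace handles under /run/netns (iproute2's /var/run/netns, which Alpine links to /run) and that the kernel exposes /proc/<pid>/ns/net; both paths are overridable so the pure parts can be tested without root. The service name and the netns name vpn are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Alpine wiki or OpenRC): helpers for a
# netns-isolated OpenRC service.
#
# /etc/conf.d/<service> (constructed fragment): with OpenRC >= 0.49.0-r1 this
# is all that is needed to place the service in the netns:
#   netns="vpn"
#
# The helpers below add (1) a pre-start check that the netns exists, because
# OpenRC cannot create it for you, and (2) a post-start check that compares the
# process's network namespace with the named netns.
set -eu

# Where `ip netns add` bind-mounts the nsfs handle of each named netns.
NETNS_DIR=${NETNS_DIR:-/run/netns}
PROC_DIR=${PROC_DIR:-/proc}

# 0 if a netns of that name has been created with `ip netns add`, 1 otherwise.
netns_exists() {
    [ -n "$1" ] && [ -e "$NETNS_DIR/$1" ]
}

# For the init script's start_pre(): refuse to start if the netns is missing.
require_netns() {
    netns_exists "$1" || {
        echo "netns '$1' does not exist; create it (ip netns add $1 or ifstate) first" >&2
        return 1
    }
}

# Turn the target of /proc/<pid>/ns/net, e.g. "net:[4026531992]", into the
# inode number 4026531992. Returns 1 for anything that is not a net namespace link.
parse_ns_link() {
    v=${1#net:\[}
    v=${v%]}
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" != "$1" ] || return 1   # prefix was not stripped: not a net: link
    printf '%s\n' "$v"
}

# Inode of the network namespace a process currently lives in.
pid_netns_inode() {
    parse_ns_link "$(readlink "$PROC_DIR/$1/ns/net")"
}

# Inode of the nsfs handle behind a named netns; `ip netns` bind-mounts the
# namespace file there, so the two inodes match iff they are the same netns.
netns_inode() {
    stat -L -c %i "$NETNS_DIR/$1"
}

# 0 if process $1 is inside the named netns $2.
pid_in_netns() {
    [ "$(pid_netns_inode "$1")" = "$(netns_inode "$2")" ]
}

# Usage: ./netns-guard.sh require <netns> | verify <pid> <netns>
# With no arguments only the functions are defined (e.g. when sourced).
case "${1:-}" in
    require) require_netns "${2:?netns name required}" ;;
    verify)  pid_in_netns "${2:?pid required}" "${3:?netns name required}" \
                 && echo "pid $2 runs in netns $3" ;;
    '')      ;;
    *)       echo "usage: $0 require <netns> | verify <pid> <netns>" >&2; exit 2 ;;
esac
```

Sourcing the file from the init script and calling `require_netns "$netns"` in `start_pre()` turns the wiki's caveat into a hard failure with a clear message instead of a service that comes up in the wrong namespace. After `rc-service <service> start`, `./netns-guard.sh verify <pid> vpn` confirms the isolation by inode comparison rather than by trusting the configuration; a mismatch means the daemon (or a helper it forked) is still in the root netns.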

netns-compatible initd scripts

Not all initd scripts are necessarily netns compatible. Some network-stack related packages have been patched to be netns aware:

  • ipset
  • iptables
  • nftables