Netns: Difference between revisions
m (→NETNS-based Service Isolation: Use path template.) |
(add category networking) |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
''' | {{DISPLAYTITLE:netns}} | ||
'''netns''' (network namespaces) are another instance of the network stack with its own network devices (links), ip setup and firewall rules. Besides of using netns for building containers they can be used to get a stricter isolation than using [[VRF]]s. | |||
== Prerequisites == | == Prerequisites == | ||
Line 5: | Line 7: | ||
The packages and patches described in this article are available in Alpine edge and ≥3.19. | The packages and patches described in this article are available in Alpine edge and ≥3.19. | ||
== | == netns management == | ||
=== iproute2 === | === iproute2 === | ||
Line 11: | Line 13: | ||
Netns can be ad-hoc managed using the <code>ip netns</code> commands. | Netns can be ad-hoc managed using the <code>ip netns</code> commands. | ||
< | {{cmd|<nowiki># ip netns | ||
ip netns | # ip netns add tenant1 | ||
ip netns add tenant1 | # ip netns del tenant1 | ||
ip netns del tenant1 | # ip netns exec tenant1 ip -br link | ||
ip netns exec tenant1 ip -br link | </nowiki>}} | ||
</ | |||
=== ifstate === | === ifstate === | ||
Line 22: | Line 23: | ||
[https://ifstate.net IfState], a declarative network configuration tool, is full netns aware since IfState 1.9.0. The following config example creates a wireguard tunnel and a vlan sub-interface. The wireguard link <code>wg0</code> and the vlan sub-interface are moved into the <code>vpn</code> netns. | [https://ifstate.net IfState], a declarative network configuration tool, is full netns aware since IfState 1.9.0. The following config example creates a wireguard tunnel and a vlan sub-interface. The wireguard link <code>wg0</code> and the vlan sub-interface are moved into the <code>vpn</code> netns. | ||
< | {{cat|/etc/ifstate/config.yml|<nowiki># root netns | ||
# root netns | |||
interfaces: | interfaces: | ||
- name: eth0 | - name: eth0 | ||
Line 72: | Line 72: | ||
dev: wg0 | dev: wg0 | ||
rules: [] | rules: [] | ||
</ | </nowiki>}} | ||
== | == netns-based Service Isolation == | ||
Services can be run isolated in a | Services can be run isolated in a netns ('''and''' [[VRF]] inside the netns) when running at least OpenRC 0.49.0-r1. You can set the <code>$netns</code> variable for the service in {{path|/etc/conf.d}} in most cases. | ||
''The netns must already be created before a service can be started inside of it!'' | ''The netns must already be created before a service can be started inside of it!'' | ||
== | == netns-compatible initd scripts == | ||
Not all initd scripts might be netns compatible. Some network stack related packages have been patched to be netns aware: | Not all initd scripts might be netns compatible. Some network stack related packages have been patched to be netns aware: | ||
Line 87: | Line 87: | ||
* iptables | * iptables | ||
* nftables | * nftables | ||
[[Category:Networking]] |
Revision as of 10:52, 10 November 2023
netns (network namespaces) are another instance of the network stack with its own network devices (links), ip setup and firewall rules. Besides of using netns for building containers they can be used to get a stricter isolation than using VRFs.
Prerequisites
The packages and patches described in this article are available in Alpine edge and ≥3.19.
netns management
iproute2
Netns can be ad-hoc managed using the ip netns
commands.
# ip netns # ip netns add tenant1 # ip netns del tenant1 # ip netns exec tenant1 ip -br link
ifstate
IfState, a declarative network configuration tool, is full netns aware since IfState 1.9.0. The following config example creates a wireguard tunnel and a vlan sub-interface. The wireguard link wg0
and the vlan sub-interface are moved into the vpn
netns.
Contents of /etc/ifstate/config.yml
netns-based Service Isolation
Services can be run isolated in a netns (and VRF inside the netns) when running at least OpenRC 0.49.0-r1. You can set the $netns
variable for the service in /etc/conf.d in most cases.
The netns must already be created before a service can be started inside of it!
netns-compatible initd scripts
Not all initd scripts might be netns compatible. Some network stack related packages have been patched to be netns aware:
- ipset
- iptables
- nftables