Having a look at the state of Linux namespaces from a system administration perspective, I found myself confused by incomplete or misleading examples. So here’s a breakdown of what worked for me as a test setup on Debian Sid.
The objective is simple: run a bash shell in a pid namespace with it’s own network namespace, bridged with the host’s network.
Running a shell in a new pid namespace
This is simple enough, use ‘unshare’ like this:
1 2 3
Adding a network namespace
In order to isolate the networking too, we can use ‘unshare’ with a new network namespace via the ‘ip’ command:
You should now have an isolated bash process, with it’s own network stack:
1 2 3 4 5
Bridging the network
Network interfaces can only live in one namespace, in order to communicate between namespaces we can use veth device pairs which provide a sort of pipe behavior.
We can create a veth pair like this:
On my Debian Sid system this didn’t create ‘veth-b’, and subsequent commands failed with ‘Cannot find device “veth-b”’. So I had to issue the reciprocal command:
Now, we’ll assign one end of the veth pair to the ‘foo’ namespace:
It should now appear under the ‘eth0’ name from inside our isolated bash shell. We can assign it an appropriate IP address normally with ‘ip addr add
On the host’s side, we now want to bridge ‘veth-a’ with ‘eth0’ in order for our little container to access the network.
Warning: this might break your host’s network temporarily.
1 2 3
Make sure they are all in state UP, and we should be able to ping the outside world from our isolated namespace. Now, the hosts was probably setup to use ‘eth0’, and as it is now part of the bridge it will not work anymore. To get an equivalent setup, we’ll need to transfer the IPs assigned to ‘eth0’, to ‘br0’, and update our routing table. (I’m assuming a very simple setup here, e.g.: my laptop connected via ethernet with a static ip)
1 2 3 4
Now, your host’s networking should be back on track (actually, I had to bring interfaces down and back up for it work), and you can ping your host and isolated namespace transparently using their respective ip addresses. A thing of beauty.
Of course you probably don’t want to start setting up systems manually like this, but doing so does help me grasp a bit better how LXC, Docker and the like are working.