Linux Network Namespace

Namespace Terminology

  1. Each network namespace has its own routing table and its own iptables rule set, and a process always runs inside exactly one network namespace. With network namespaces, you can have different and separate instances of network interfaces and routing tables that operate independently of each other.

  2. veth (virtual Ethernet) interfaces. Virtual Ethernet interfaces are an interesting construct: they always come in pairs, and they are connected like a tube. Whatever goes in one veth interface comes out of its peer veth interface. A veth pair is a cable, not a virtual switch; the switch role is played by a bridge (item 7).

  3. By default, a network namespace with name NAME is stored in the filesystem at “/var/run/netns/NAME”
    List Linux namespaces: lsns (network namespaces created with ip netns are also listed by ip netns list)

  4. Namespaces are a feature of the Linux kernel that provides virtual grouping and isolation of processes for access to a particular global resource in the system. This means a process inside a namespace sees a virtual, isolated copy of that global system resource.

  5. In Linux, each running process communicates within a network namespace that provides a logical networking stack with its own routes, firewall rules, and network devices. In essence, a network namespace provides a brand new network stack for all the processes within the namespace.

  6. Each veth pair works like a patch cable, connecting the two sides and allowing traffic to flow between them.

  7. A Linux Ethernet bridge is a virtual Layer 2 networking device used to unite two or more network segments, working transparently to connect two networks together. The bridge operates by maintaining a forwarding table between sources and destinations: it examines the destination MAC address of each frame that travels through it and decides whether or not to pass the frame to the other network segments connected to the bridge. It fills that table by learning source MAC addresses from the frames it sees on each port, so it does not need ARP to forward. ARP (resolving an IP address to a link-layer MAC address) is performed by the IP stacks of the endpoints, and by the host itself only if the bridge device is given an IP address.

  8. List network bridges: brctl show (from bridge-utils; on current iproute2 systems use bridge link show or ip link show type bridge, and bridge fdb show to see the learned forwarding table)

  9. When iptables DNAT rewrites a packet (for example a Kubernetes Service IP rewritten to a Pod IP), the translation is recorded in conntrack, the Linux connection tracking table. Each entry stores the original 5-tuple (protocol, srcIP, srcPort, dstIP, dstPort) and the reply tuple that results from the translation. When a reply comes back, conntrack matches it against the reply tuple and un-DNATs it, changing the source IP from the Pod IP back to the Service IP, so the client sees the address it actually connected to.
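The constructs in items 1 to 9 above, assembled into one lab script. This is an added example, not code from the original page: it creates two network namespaces (lab1 and lab2), connects each through a veth pair to a bridge (br-lab) in the host namespace, checks that the namespaces reach each other while the host routing table stays untouched, and, for item 9, installs an iptables DNAT rule inside lab1 and reads the resulting conntrack entry. Every name and address in it is an arbitrary choice for this lab; it needs root and iproute2, and the dnat step also needs iptables and conntrack-tools.

```shell
#!/bin/sh
# Added example (not from the original page): a two-namespace lab joined
# by a Linux bridge, plus a DNAT/conntrack round trip inside one namespace.
# All names and addresses below are arbitrary choices for this lab.
# Needs root (CAP_NET_ADMIN) and iproute2; "dnat" also needs iptables/conntrack.
set -eu

BR=br-lab            # bridge in the host namespace
NS1=lab1; NS2=lab2   # the two network namespaces
NET=10.10.0          # /24 prefix used inside the lab
SVC_IP=$NET.99       # "service" address that DNAT rewrites to $NET.12

# run CMD...: execute CMD, or just print it when DRY_RUN=1 (plan mode)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# attach_ns NAME IDX: create namespace NAME and a veth pair; the host end
# becomes a bridge port, the peer moves into NAME as eth0 with $NET.IDX/24
attach_ns() {
    ns=$1; idx=$2
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "veth-$ns-peer"
    run ip link set "veth-$ns-peer" netns "$ns"          # peer vanishes from the host
    run ip -n "$ns" link set "veth-$ns-peer" name eth0   # rename it inside the namespace
    run ip -n "$ns" addr add "$NET.$idx/24" dev eth0
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set eth0 up
    run ip link set "veth-$ns" master "$BR"               # host end = bridge port
    run ip link set "veth-$ns" up
}

lab_up() {
    run ip link add "$BR" type bridge
    run ip link set "$BR" up
    attach_ns "$NS1" 11
    attach_ns "$NS2" 12
}

# lab_down: deleting a namespace destroys the veth end inside it, and the
# kernel then removes its peer, so only namespaces and bridge need removing
lab_down() {
    ip netns del "$NS1" 2>/dev/null || true
    ip netns del "$NS2" 2>/dev/null || true
    ip link del "$BR" 2>/dev/null || true
}

# lab_check: 0 when lab1 reaches lab2 through the bridge AND the host's own
# routing table knows nothing about the lab subnet (isolation holds)
lab_check() {
    ip netns exec "$NS1" ping -c 1 -W 1 "$NET.12" >/dev/null || return 1
    ! ip route show | grep -q "^$NET.0/24" || return 1
    # after the ping the bridge has learned lab2's MAC on its port (no ARP by the bridge)
    bridge fdb show br "$BR" | grep -v permanent | grep -q "veth-$NS2" || return 1
}

# dnat_demo: inside lab1, rewrite packets for $SVC_IP to lab2's address and
# show the conntrack entry that lets replies be un-DNATed on the way back
dnat_demo() {
    run ip netns exec "$NS1" iptables -t nat -A OUTPUT -d "$SVC_IP" \
        -j DNAT --to-destination "$NET.12"
    run ip netns exec "$NS1" ping -c 1 -W 1 "$SVC_IP"
    # original tuple has dst=$SVC_IP, reply tuple has src=$NET.12
    run ip netns exec "$NS1" conntrack -L -d "$SVC_IP"
}

case "${1:-}" in
    plan)  DRY_RUN=1; lab_up ;;
    up)    lab_up ;;
    check) lab_check && echo "lab OK" ;;
    dnat)  dnat_demo ;;
    down)  lab_down ;;
esac
```

Run `sh netns-lab.sh plan` to print the commands without executing them, then `up`, `check`, `dnat` and `down` as root. The check that the host routing table has no 10.10.0.0/24 entry is the practical meaning of item 1: the addresses exist only inside the namespaces, and the host only sees bridge ports with no IP of their own.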

CGroup Terminology

  1. Cgroups provide resource limitation and reporting capability within the container space. They allow granular control over which host resources are allocated to the containers and when they are allocated. Common control groups (controllers):

    1. CPU (cpu, cpuset)

    2. Memory (memory)

    3. Network Bandwidth (net_cls/net_prio, used together with tc)

    4. Disk (blkio in cgroup v1, io in cgroup v2)

    5. Priority (cpu shares in cgroup v1, cpu.weight in cgroup v2)

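An added example for the controller list above (not from the original page), using the cgroup v2 unified hierarchy: it creates a cgroup named lab under /sys/fs/cgroup, sets a memory limit and a CPU quota on it, runs a command inside it, and reads back the accounting the kernel keeps. The cgroup name, the limits and the memory-hungry test command are arbitrary choices; it assumes root and a cgroup v2 mount whose memory and cpu controllers can be enabled.

```shell
#!/bin/sh
# Added example (not from the original page): limit a command with cgroup v2
# and read back the kernel's accounting. Assumes root and a unified cgroup v2
# hierarchy at /sys/fs/cgroup; "lab", 64M and 50% are arbitrary lab values.
set -eu

CGROOT=/sys/fs/cgroup
CG=$CGROOT/lab

# to_bytes SIZE: turn 64M / 1G / 4096 into the byte count memory.max expects
to_bytes() {
    case $1 in
        *K) echo $(( ${1%K} * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# cpu_quota PERCENT: cpu.max takes "QUOTA PERIOD" in microseconds; 50% of
# one CPU over a 100 ms period is "50000 100000", 200% means two CPUs
cpu_quota() {
    echo "$(( $1 * 1000 )) 100000"
}

# cg_create MEM CPU_PCT: enable the controllers in the parent, make the
# cgroup and write its limits (swap is capped so the memory limit is real)
cg_create() {
    echo "+memory +cpu" > "$CGROOT/cgroup.subtree_control"
    mkdir -p "$CG"
    to_bytes "$1" > "$CG/memory.max"
    cpu_quota "$2" > "$CG/cpu.max"
    [ -f "$CG/memory.swap.max" ] && echo 0 > "$CG/memory.swap.max" || true
}

# cg_run CMD...: move a shell into the cgroup, then exec CMD from it; the
# limit covers CMD and everything CMD forks, because children inherit it
cg_run() {
    sh -c 'echo $$ > "$0/cgroup.procs" && exec "$@"' "$CG" "$@"
}

# cg_report: the reporting side of cgroups, read straight from the files
cg_report() {
    echo "memory.current: $(cat "$CG/memory.current")"
    echo "memory.events:  $(tr '\n' ' ' < "$CG/memory.events")"   # oom_kill count lives here
    echo "cpu.stat:       $(grep usage_usec "$CG/cpu.stat")"
}

cg_delete() { rmdir "$CG"; }

case "${1:-}" in
  demo)
    cg_create 64M 50
    # try to hold 256 MiB in one shell variable under a 64 MiB limit:
    # the OOM killer ends the shell (exit status 137) instead of the host paying for it
    cg_run sh -c 'x=$(head -c 268435456 /dev/zero | tr "\0" a); echo "${#x} bytes"' \
        || echo "command ended with status $?"
    cg_report
    cg_delete ;;
esac
```

Run `sudo sh cgroup-lab.sh demo`. The demo is what "limitation" in the list means in practice: the kernel enforces memory.max on the whole subtree, so a runaway child is killed inside the cgroup, and memory.events records the kill for the "reporting" half.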

Blogs

  1. Introducing Linux Network Namespaces
  2. Linux Network Namespace Usage (Good)
  3. Virtual Ethernet Device

CGroup

  1. chroot, cgroups and namespaces — An overview
  2. Docker Namespace and Cgroups

