This series of articles is my log of learning about the various networking concepts behind container orchestration platforms (Docker, Kubernetes, etc.).

Linux networking is a very interesting topic. In this series, my aim is to dig deep into the various ways in which these container orchestration platforms implement their network internals underneath.

TLDR: a Linux namespace is an abstraction over resources in the operating system. Namespaces are like separate houses, each with its own set of isolated resources. At the time of writing there are 7 types of namespaces: Cgroup, IPC, Network, Mount, PID, User and UTS (an eighth, the Time namespace, was added later in kernel 5.6). Network isolation is what we are interested in, so we will be discussing network namespaces in depth.

All the examples in this article were made on a fresh Vagrant Ubuntu Bionic virtual machine.

Network Namespace

How do platforms virtualise network resources to isolate containers, assigning each one a dedicated network stack and making sure that containers do not interfere with the host (or with neighbouring containers)? A network namespace isolates network-related resources: a process running in a distinct network namespace has its own network devices, IP addresses, routing tables, firewall (netfilter) rules, sockets and so on. Let's create one quickly.

And voila! You have your isolated network namespace (ns1) created just like that. Now you can go ahead and run any process inside this namespace. ip netns exec $namespace $command executes $command in the named network namespace $namespace. This means that the process runs within its own network stack, separate from the host, and can communicate only through the interfaces defined in that network namespace. Note that only the network namespace is switched: the process still shares the host's PID, mount and other namespaces, and it keeps whatever privileges you launched it with (usually root), so this is not a container on its own. This was pretty neat!

Before you read ahead, I'd like to draw your attention to the default namespace for the host network. This is the host (initial) namespace: whatever services you run directly on your VM or machine run in it. It has no name and does not show up in ip netns list, which only lists the named namespaces under /var/run/netns. This will be important to note moving forward.

With that said, let's move forward and create two isolated network namespaces (similar to two containers). We then need to connect these namespaces to our host network, and the vETH (virtual Ethernet) device is what makes this connection. vETH is a local Ethernet tunnel; the devices are created in pairs, and packets transmitted on one device of the pair are immediately received on the other. When either device is down, the link state of the pair is down. One end of each pair stays in the host namespace, plugged into a bridge, while the other end is moved into the container's namespace.

To let the namespaces reach the outside world we add an entry to the NAT table that masquerades the traffic leaving the bridge's subnet, except for traffic that stays on the bridge itself. MASQUERADE rewrites the source address of the packet, replacing it with the address of whichever interface the packet leaves through, looked up at the moment the packet is sent. It is similar to SNAT, except that it does not require the machine's IP address to be known in advance (and it drops its connection-tracking entries when the interface goes down, which is what you want for a dynamically assigned address). Forwarding between the bridge and the uplink also needs net.ipv4.ip_forward enabled and must be permitted by the FORWARD chain.

With this, we are done with the basic setup of how Docker uses the Linux network stack to isolate containers. Now let's dive deep into how Docker works with various networking setups.
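Before moving on to Docker's networking modes, here is the whole procedure above (two namespaces, a veth pair each, a bridge, forwarding and the MASQUERADE rule) as one runnable script. This is an added example and not the article's own commands: the interface names (br0, veth-ns1, veth-ns2), the 10.10.0.0/24 subnet and the addresses are assumptions, and the commands need root on a Linux host with iproute2 and iptables installed. Setting DRY_RUN=1 prints the commands instead of running them, which is a cheap way to review the firewall and NAT rules before touching a host.

```shell
#!/bin/sh
# netns-lab.sh: added example, not the original article's code.
# Builds the lab described above: bridge br0, namespaces ns1/ns2 each wired to
# the bridge with a veth pair, IP forwarding, and a MASQUERADE rule for egress.
# Assumptions: Linux, iproute2 + iptables, run as root. Names and addresses are
# illustrative; change them to match your host.
set -eu

BRIDGE=${BRIDGE:-br0}
BRIDGE_CIDR=${BRIDGE_CIDR:-10.10.0.1/24}   # address the host takes on the bridge
SUBNET=${SUBNET:-10.10.0.0/24}             # the "container" subnet
GATEWAY=${BRIDGE_CIDR%/*}                  # default gateway for the namespaces

# run CMD...: execute CMD, or only print it when DRY_RUN=1 (review before apply).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# setup_bridge: create the bridge, enable forwarding, allow bridged traffic out
# and replies back, and masquerade everything leaving the subnet via another interface.
setup_bridge() {
  run ip link add "$BRIDGE" type bridge
  run ip addr add "$BRIDGE_CIDR" dev "$BRIDGE"
  run ip link set "$BRIDGE" up
  run sysctl -w net.ipv4.ip_forward=1
  # Explicit FORWARD rules: required when the chain policy is DROP (Docker sets
  # that), harmless otherwise. Only replies are allowed back in from outside.
  run iptables -A FORWARD -i "$BRIDGE" ! -o "$BRIDGE" -j ACCEPT
  run iptables -A FORWARD -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Same shape as Docker's rule for docker0: NAT traffic from the subnet unless
  # it leaves through the bridge itself (i.e. stays on the bridge).
  run iptables -t nat -A POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE
}

# attach_ns NAME ADDR/PREFIX: create namespace NAME and wire it to the bridge.
# Interface names are limited to 15 characters, so keep NAME short.
attach_ns() {
  ns=$1
  addr=$2
  host_if="veth-$ns"
  tmp_if="veth-$ns-p"
  run ip netns add "$ns"
  # One veth pair: host_if stays on the host, tmp_if is moved into the namespace.
  run ip link add "$host_if" type veth peer name "$tmp_if"
  run ip link set "$tmp_if" netns "$ns"
  # Inside the namespace it can safely be called eth0, like a container's NIC.
  run ip netns exec "$ns" ip link set "$tmp_if" name eth0
  run ip netns exec "$ns" ip addr add "$addr" dev eth0
  run ip netns exec "$ns" ip link set lo up
  run ip netns exec "$ns" ip link set eth0 up
  run ip netns exec "$ns" ip route add default via "$GATEWAY"
  # Plug the host end into the bridge; the pair carries traffic only once both ends are up.
  run ip link set "$host_if" master "$BRIDGE"
  run ip link set "$host_if" up
}

# verify: namespace-to-namespace and namespace-to-host reachability (assumed addresses).
verify() {
  run ip netns exec ns1 ping -c 1 -W 1 10.10.0.3
  run ip netns exec ns2 ping -c 1 -W 1 "$GATEWAY"
}

# teardown: deleting a namespace destroys its eth0, which takes the veth peer with it.
teardown() {
  for ns in "$@"; do run ip netns del "$ns"; done
  run iptables -t nat -D POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE
  run iptables -D FORWARD -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -D FORWARD -i "$BRIDGE" ! -o "$BRIDGE" -j ACCEPT
  run ip link del "$BRIDGE"
}

case "${1:-}" in
  up)     setup_bridge; attach_ns ns1 10.10.0.2/24; attach_ns ns2 10.10.0.3/24 ;;
  verify) verify ;;
  down)   teardown ns1 ns2 ;;
  *)      echo "usage: $0 up|verify|down   (DRY_RUN=1 prints the commands instead)" ;;
esac
```

Run it as `sudo sh netns-lab.sh up`, then `sudo sh netns-lab.sh verify`, and `down` to clean up. Two things worth checking on a real host before `up`: whether the FORWARD chain policy is already DROP (it is whenever Docker is installed, which is why the explicit ACCEPT rules are there), and whether the br_netfilter module is loaded, because with it traffic between ns1 and ns2 also traverses the FORWARD chain instead of being switched purely at layer 2.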