neutron/doc/source/admin/intro-network-namespaces.rst

.. _intro-network-namespaces:

==================
Network namespaces
==================

A namespace is a way of scoping a particular set of identifiers. Using a
namespace, you can use the same identifier multiple times in different
namespaces. You can also restrict an identifier set visible to particular
processes.

For example, Linux provides namespaces for networking and processes, among
other things. If a process is running within a process namespace, it can only
see and communicate with other processes in the same namespace. So, if a shell
in a particular process namespace ran :command:`ps waux`, it would only show
the other processes in the same namespace.

Linux network namespaces
~~~~~~~~~~~~~~~~~~~~~~~~

In a network namespace, the scoped 'identifiers' are network devices; so a
given network device, such as ``eth0``, exists in a particular namespace.
Linux starts up with a default network namespace, so if your operating system
does not do anything special, that is where all the network devices will be
located. But it is also possible to create further non-default namespaces, and
create new devices in those namespaces, or to move an existing device from one
namespace to another.

Each network namespace also has its own routing table, and in fact this is the
main reason for namespaces to exist. A routing table is keyed by destination IP
address, so network namespaces are what you need if you want the same
destination IP address to mean different things at different times - which is
something that OpenStack Networking requires for its feature of providing
overlapping IP addresses in different virtual networks.

Each network namespace also has its own set of iptables (for both IPv4 and
IPv6). So, you can apply different security to flows with the same IP
addressing in different namespaces, as well as different routing.

Any given Linux process runs in a particular network namespace. By default this
is inherited from its parent process, but a process with the right capabilities
can switch itself into a different namespace; in practice this is mostly done
using the :command:`ip netns exec NETNS COMMAND...` invocation, which starts
``COMMAND`` running in the namespace named ``NETNS``. Suppose such a process
sends out a message to IP address A.B.C.D, the effect of the namespace is that
A.B.C.D will be looked up in that namespace's routing table, and that will
determine the network device that the message is transmitted through.

Virtual routing and forwarding (VRF)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Virtual routing and forwarding is an IP technology that allows multiple
instances of a routing table to coexist on the same router at the same time.
It is another name for the network namespace functionality described above.
import the networking guide content from openstack-manuals Change-Id: Ibcedc9389dbea4a5810f2cecf890f6ba9887a07b 2017-06-24 12:51:32 +00:00			`.. _intro-network-namespaces:`

			`==================`
			`Network namespaces`
			`==================`

			`A namespace is a way of scoping a particular set of identifiers. Using a`
			`namespace, you can use the same identifier multiple times in different`
			`namespaces. You can also restrict an identifier set visible to particular`
			`processes.`

			`For example, Linux provides namespaces for networking and processes, among`
			`other things. If a process is running within a process namespace, it can only`
			`see and communicate with other processes in the same namespace. So, if a shell`
			in a particular process namespace ran :command:`ps waux`, it would only show
			`the other processes in the same namespace.`

			`Linux network namespaces`
			`~~~~~~~~~~~~~~~~~~~~~~~~`

			`In a network namespace, the scoped 'identifiers' are network devices; so a`
			given network device, such as ``eth0``, exists in a particular namespace.
			`Linux starts up with a default network namespace, so if your operating system`
			`does not do anything special, that is where all the network devices will be`
			`located. But it is also possible to create further non-default namespaces, and`
			`create new devices in those namespaces, or to move an existing device from one`
			`namespace to another.`

			`Each network namespace also has its own routing table, and in fact this is the`
			`main reason for namespaces to exist. A routing table is keyed by destination IP`
			`address, so network namespaces are what you need if you want the same`
			`destination IP address to mean different things at different times - which is`
			`something that OpenStack Networking requires for its feature of providing`
			`overlapping IP addresses in different virtual networks.`

			`Each network namespace also has its own set of iptables (for both IPv4 and`
			`IPv6). So, you can apply different security to flows with the same IP`
			`addressing in different namespaces, as well as different routing.`

			`Any given Linux process runs in a particular network namespace. By default this`
			`is inherited from its parent process, but a process with the right capabilities`
			`can switch itself into a different namespace; in practice this is mostly done`
			using the :command:`ip netns exec NETNS COMMAND...` invocation, which starts
			``COMMAND`` running in the namespace named ``NETNS``. Suppose such a process
			`sends out a message to IP address A.B.C.D, the effect of the namespace is that`
			`A.B.C.D will be looked up in that namespace's routing table, and that will`
			`determine the network device that the message is transmitted through.`

			`Virtual routing and forwarding (VRF)`
			`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

			`Virtual routing and forwarding is an IP technology that allows multiple`
			`instances of a routing table to coexist on the same router at the same time.`
			`It is another name for the network namespace functionality described above.`