 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Would a rose by any other namespace still smell as sweet?
Shakespeare is now pounding on his casket, begging that I remove that twisted quote, but to the Bard, I say, “nay, nay.”
Namespaces have been a Linux kernel feature since 2002. Since then, they’ve evolved into a very important aspect of Linux security. But it wasn’t until the advent of containers that the importance of namespaces became obvious.
Essentially, namespaces restrict resources that a containerized process can see so that one process can’t see the resources being used by another. This feature is crucial to the likes of containers and orchestration tools such as Kubernetes because, otherwise, one deployed container would be able to access or view resources used by another.
That, my friends, is a security issue. If one container was capable of interacting with another at the resource level, a malicious bit of code could wreak havoc on your system, network, and data.
The isolation of namespaces happens at the kernel level to isolate processes from one another.
There are different types of Linux namespaces, which are:
Let’s say you want to create two network namespaces and then allow them to connect to one another.
The first step is to create the namespaces. We’ll call these namespaces net1 and net2 and create them with the following commands:
sudo ip netns add net1 sudo ip netns add net2
We next have to create a pipe (a virtual ethernet pair) for the two interfaces, which is done with the following command:
sudo ip link add veth0 type veth peer name veth1
We now have to associate our namespaces with the pipe like so:
sudo ip link set veth0 netns net1 sudo ip link set veth1 netns net2
The next step is to provide an IP address for each virtual interface. Make sure you do not set an IP address that is already in use on your network; otherwise, you’ll wind up with conflicts. We’ll assign 192.168.1.100 to veth0 and 192.168.1.101 to veth1 with the commands:
sudo ip -n s1 addr add 192.168.1.100/24 dev veth0 sudo ip -n s1 addr add 192.168.1.101/24 dev veth1
Outstanding.
You can now verify that the IP addresses have been assigned and view the arp table. To view the IP address of net1, the command would be:
sudo ip netns exec net1 ip addr
The output should look something like this:
As you can see, the correct IP address has been assigned to net1. The same thing can be done for net2 with the command:
sudo ip netns exec net2 ip addr
We can now bring up those interfaces with the commands:
sudo ip -n net1 link set veth0 up sudo ip -n net2 link set veth1 up
Let’s now test to see if they can ping one another. We’ll ping net2 from net1 with the command:
sudo ip netns exec net1 ping 192.168.1.101
Ping net1 from net2 with:
sudo ip netns exec net2 ping 192.168.1.100
In both instances, you should see successful ping results.
Now, let’s attempt to ping the 192.168.1.100 IP address from the host machine. So long as there is no device on your network with that address, it should be unreachable:
ping 192.168.1.100
You shouldn’t be able to reach that address.
What you’ve essentially done is create two network namespaces that can access one another but cannot be accessed by any other resources. That is what namespaces are all about.
