Virtualization network theme - Namespace

Posted by Earnan on Thu, 10 Feb 2022 01:41:34 +0100


Namespace is a global resource isolation scheme provided by the Linux kernel. Programs running in a specific namespace think that all resources in the system are exclusive, just like owning an independent physical machine. Processes in different namespace spaces are completely isolated, and processes in one namespace space are completely unaware of the existence of other namespace processes.

Container technology uses the namespace feature of the kernel to realize the complete isolation of processes between different containers.

Catalogue of series articles

Tip: you can add the directories of all articles in the series here. You need to add the directories manually
For example: the first chapter is the use of pandas, an introduction to Python machine learning

Tip: after writing the article, the directory can be generated automatically. For how to generate it, please refer to the help document on the right


Tip: Here you can add the general contents to be recorded in this article:
For example, with the continuous development of artificial intelligence, machine learning technology is becoming more and more important. Many people have started learning machine learning. This paper introduces the basic content of machine learning.

Tip: the following is the main content of this article. The following cases can be used for reference

1, What is pandas?

Example: pandas is a NumPy based tool created to solve data analysis tasks.

2, Use steps

1. Import and storage

The code is as follows (example):

import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
import warnings
import  ssl
ssl._create_default_https_context = ssl._create_unverified_context

2. Read in data

The code is as follows (example):

data = pd.read_csv(

The url used here is the data requested by the network.


Tip: here is a summary of the article:
For example, the above is what we want to talk about today. This paper only briefly introduces the use of pandas, which provides a large number of functions and methods that enable us to process data quickly and conveniently.

Resource isolation

What resources are isolated by the kernel? Here is the list:

Namespace Flag            Page                  Isolates
Cgroup    CLONE_NEWCGROUP cgroup_namespaces(7)  Cgroup root directory
IPC       CLONE_NEWIPC    ipc_namespaces(7)     System V IPC, POSIX message queues
Network   CLONE_NEWNET    network_namespaces(7) Network devices, stacks, ports, etc.
Mount     CLONE_NEWNS     mount_namespaces(7)   Mount points
PID       CLONE_NEWPID    pid_namespaces(7)     Process IDs
Time      CLONE_NEWTIME   time_namespaces(7)    Boot and monotonic clocks
User      CLONE_NEWUSER   user_namespaces(7)    T{User and group IDs T}
UTS       CLONE_NEWUTS    uts_namespaces(7)     Hostname and NIS domain name

Column Description:

  • The first column is the namespace name;
  • The second column is the Flag value used when calling through API;
  • The third column corresponds to the man page description;
  • The fourth column describes the list of resources isolated by this Namespace

View the process namespace

The namespace attribute information used by each process is saved in the / proc/PID/ns / directory of each process:

hxg@hubuntu:~/github$ sudo ls -l /proc/1/ns/
Total consumption 0
lrwxrwxrwx 1 root root 0  5 November 2:15 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0  5 November 2:15 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0  5 November 2:15 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0  5 November 2:15 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0  5 November 2:15 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0  5 November 2:15 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0  5 November 2:15 time -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0  5 November 2:15 time_for_children -> 'time:[4026531834]'
lrwxrwxrwx 1 root root 0  5 November 2:15 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0  5 November 2:15 uts -> 'uts:[4026531838]'

The last column is represented by deviceid: inodeNumber. If different processes have the same inodeNumber pointed to by their namespace resources, it proves that the two processes belong to the same namespace.

Maximum number of namespace s supported by the system

/Max in proc/sys/user / directory_ XXX_ The namespaces file records the number of supported namespaces of XXX type. The list is as follows:

hxg@hubuntu:~/github$ sudo ls /proc/sys/user/
max_cgroup_namespaces  max_ipc_namespaces  max_pid_namespaces	max_uts_namespaces
max_inotify_instances  max_mnt_namespaces  max_time_namespaces
max_inotify_watches    max_net_namespaces  max_user_namespaces

The number of PID namespace s supported is 23074:

hxg@hubuntu:~/github$ sudo cat /proc/sys/user/max_pid_namespaces 

Operational network namespace


The purpose of this series of articles is to clarify the virtualization network, so we will focus on the network namespace.

The system provides the ip netns command to operate the network namespace. The functions are as follows:

[root@worker2 ~]# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id

View namespace

By default, there is no network namespace in the system. In order to verify the function, we need to create it manually.

The following command is used to create the network namespace nst1:

[root@worker2 ~]# ip netns add nst1

The created namespace file is located in the / var/run/netns / Directory:

[root@worker2 ~]# ls /var/run/netns

Next, let's look at the network configuration in the nst1 namespace. The empty namespace has only lo devices, which really looks like an independent physical machine:

[root@worker2 ~]# ip netns exec nst1 ifconfig lo up
[root@worker2 ~]# ip netns exec nst1 ifconfig -a
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask

reference resources


Topics: Linux Docker network Cloud Native namespace