1
00:00:00,120 --> 00:00:06,720
Hello and welcome to this video. In this video we get introduced to network namespaces in Linux.

2
00:00:07,410 --> 00:00:13,830
Network namespaces are used by containers like Docker to implement network isolation.

3
00:00:13,860 --> 00:00:15,480
We'll start with a simple host.

4
00:00:15,930 --> 00:00:21,810
As we know already, containers are separated from the underlying host using namespaces.

5
00:00:21,930 --> 00:00:23,460
So what are namespaces?

6
00:00:23,850 --> 00:00:30,390
If your host was your house, then namespaces are the rooms within the house that you assign to each

7
00:00:30,390 --> 00:00:31,220
of your children.

8
00:00:31,380 --> 00:00:34,740
The room helps in providing privacy to each child.

9
00:00:35,130 --> 00:00:39,060
Each child can only see what's within his or her room.

10
00:00:39,510 --> 00:00:41,940
They cannot see what happens outside their room.

11
00:00:42,180 --> 00:00:45,750
As far as they're concerned, they're the only person living in the house.

12
00:00:46,000 --> 00:00:52,590
However, as a parent, you have visibility into all the rooms in the house as well as other areas of

13
00:00:52,590 --> 00:00:53,040
the house.

14
00:00:53,250 --> 00:00:57,830
If you wish, you can establish connectivity between two rooms in the house.

15
00:00:57,840 --> 00:01:03,990
When you create a container, you want to make sure that it is isolated, that it does not see any other

16
00:01:03,990 --> 00:01:07,320
processes on the host or any other containers.

17
00:01:07,330 --> 00:01:12,210
So we create a special room for it on our host using a namespace.

18
00:01:12,210 --> 00:01:19,050
As far as the container is concerned, it only sees the processes run by it and thinks that it is on

19
00:01:19,050 --> 00:01:20,040
its own host.

20
00:01:20,280 --> 00:01:26,410
The underlying host, however, has visibility into all of the processes, including those running inside

21
00:01:26,410 --> 00:01:27,170
the containers.

22
00:01:27,210 --> 00:01:31,110
This can be seen when you list the processes from within the container.

23
00:01:31,320 --> 00:01:34,380
You see a single process with the process ID of one.

24
00:01:34,590 --> 00:01:41,310
When you list the same processes as a root user from the underlying host, you see all the other processes

25
00:01:41,310 --> 00:01:45,660
along with the process running inside the container, this time with a different process ID.

26
00:01:45,660 --> 00:01:51,480
It's the same process running with different process IDs inside and outside the container.

27
00:01:51,660 --> 00:01:53,280
That's how namespaces work.

28
00:01:55,240 --> 00:02:01,300
When it comes to networking, our host has its own interfaces that connect to the local area network.

29
00:02:01,330 --> 00:02:06,730
Our host has its own routing and ARP tables with information about the rest of the network.

30
00:02:06,760 --> 00:02:09,850
We want to seal off all of those details from the container.

31
00:02:11,200 --> 00:02:17,440
When the container is created, we create a network namespace for it, that way it has no visibility

32
00:02:17,440 --> 00:02:22,730
into any network related information on the host from within its namespace.

33
00:02:23,050 --> 00:02:27,880
The container can have its own virtual interfaces, routing and other tables.

34
00:02:28,270 --> 00:02:30,760
The container has its own interface.

35
00:02:31,960 --> 00:02:40,300
To create a new network namespace on a Linux host, run the ip netns add command. In this case, we create

36
00:02:40,360 --> 00:02:46,600
two network namespaces. To list the network namespaces, run the ip netns command.

37
00:02:48,000 --> 00:02:54,330
To list the interfaces on my host, I run the ip link command. I see that my host has the loopback

38
00:02:54,330 --> 00:02:56,400
interface and the eth0 interface.

39
00:02:56,430 --> 00:03:00,310
Now, how do we view the same within the network namespace that we created?

40
00:03:00,690 --> 00:03:04,320
How do we run the same command within the red or blue namespace?

41
00:03:04,320 --> 00:03:11,350
Prefix the command with ip netns exec followed by the namespace name, which is red.

42
00:03:11,460 --> 00:03:16,290
Now the ip link command will be executed inside the red namespace.

43
00:03:16,330 --> 00:03:21,560
Another way to do it is to add the -n option to the original ip link command.

44
00:03:21,900 --> 00:03:23,100
Both of these are the same.

45
00:03:23,460 --> 00:03:25,020
The second one is similar.

46
00:03:25,200 --> 00:03:30,000
But remember, this only works if you intend to run the ip command inside the namespace.

47
00:03:30,250 --> 00:03:33,270
As you can see, it only lists the loopback interface.

48
00:03:33,390 --> 00:03:36,120
You cannot see the eth0 interface on the host.

49
00:03:36,360 --> 00:03:41,710
So with namespaces, we have successfully prevented the container from seeing the host's interface.

50
00:03:42,210 --> 00:03:44,000
The same is true with the ARP table.

51
00:03:44,220 --> 00:03:50,040
If you run the arp command on the host, you see a list of entries, but if you run it inside the container,

52
00:03:50,160 --> 00:03:51,570
you see no entries.

53
00:03:55,260 --> 00:03:56,910
And the same for the routing table.

54
00:03:58,600 --> 00:04:04,690
Now, as of now, these network namespaces have no network connectivity, they have no interfaces

55
00:04:04,690 --> 00:04:07,930
of their own, and they cannot see the underlying host network.

56
00:04:07,960 --> 00:04:13,330
Let's first look at establishing connectivity between the namespaces themselves. Just like how we

57
00:04:13,330 --> 00:04:19,260
would connect two physical machines together using a cable to an Ethernet interface on each machine,

58
00:04:19,270 --> 00:04:24,680
you can connect two namespaces together using a virtual Ethernet pair or a virtual cable.

59
00:04:24,700 --> 00:04:30,940
It's often referred to as a pipe, but I'd like to call it a virtual cable with two interfaces on either

60
00:04:30,940 --> 00:04:33,740
end. To create the cable, run the ip link

61
00:04:33,760 --> 00:04:40,170
add command with the type set to veth and specify the two ends as veth-red and veth-blue.

62
00:04:40,390 --> 00:04:44,410
The next step is to attach each interface to the appropriate namespace.

63
00:04:44,710 --> 00:04:50,370
Use the command ip link set veth-red netns red to do that.

64
00:04:50,740 --> 00:04:54,250
Similarly, attach the blue interface to the blue namespace.

65
00:04:54,550 --> 00:04:58,300
We can then assign IP addresses to each of these namespaces.

66
00:04:58,630 --> 00:05:05,590
We will use the usual ip addr command to assign the IP address, but within each namespace. We will assign

67
00:05:05,590 --> 00:05:14,270
the red namespace an IP of 192.168.15.1 and then assign the blue namespace an IP of

68
00:05:14,290 --> 00:05:14,620
192.168.15.2.

69
00:05:14,740 --> 00:05:20,560
We then bring up the interface using the ip link set up command for each device within the respective

70
00:05:20,560 --> 00:05:27,070
namespace. The links are up and the namespaces can now reach each other. Try pinging from the red namespace

71
00:05:27,160 --> 00:05:28,750
to reach the IP of the blue.

72
00:05:28,780 --> 00:05:32,740
If you look at the ARP table on the red namespace, you see it's identified

73
00:05:32,740 --> 00:05:37,720
its blue neighbor at 192.168.15.2 with a MAC address.

74
00:05:37,750 --> 00:05:42,190
Similarly, if you list the ARP table on the blue namespace, you see it's identified

75
00:05:42,190 --> 00:05:43,270
its red neighbor.

76
00:05:43,540 --> 00:05:49,090
If you compare this with the ARP table of the host, you see that the host's ARP table has no idea about

77
00:05:49,090 --> 00:05:54,370
these new namespaces we have created, and no idea about the interfaces we created in them.

78
00:05:55,440 --> 00:05:58,020
Now, that works when you have just two namespaces.

79
00:05:58,050 --> 00:05:59,580
What do you do when you have more of them?

80
00:05:59,850 --> 00:06:02,460
How do you enable all of them to communicate with each other?

81
00:06:02,610 --> 00:06:08,090
Just like in the physical world, you create a virtual network inside your host. To create a network,

82
00:06:08,100 --> 00:06:08,960
you need a switch.

83
00:06:09,180 --> 00:06:10,830
So to create a virtual network.

84
00:06:10,980 --> 00:06:12,410
You need a virtual switch.

85
00:06:12,540 --> 00:06:17,220
So you create a virtual switch within our host and connect the namespaces to it.

86
00:06:17,320 --> 00:06:19,620
Well, how do you create a virtual switch within our host?

87
00:06:19,650 --> 00:06:24,900
There are multiple solutions available, such as the native solution called Linux Bridge and the

88
00:06:24,900 --> 00:06:26,870
Open vSwitch, etc.

89
00:06:26,970 --> 00:06:32,060
In this example, we will use the Linux Bridge option to create an internal bridge network.

90
00:06:32,070 --> 00:06:35,670
We add a new interface to the host using the ip link

91
00:06:35,670 --> 00:06:38,300
add command with the type set to bridge.

92
00:06:38,790 --> 00:06:40,650
We will name it v-net-0.

93
00:06:40,650 --> 00:06:47,970
As far as our host is concerned, it is just another interface, just like the eth0 interface. It appears

94
00:06:47,970 --> 00:06:52,130
in the output of the IP link command along with the other interfaces.

95
00:06:52,260 --> 00:06:53,190
It's currently down.

96
00:06:53,220 --> 00:06:57,610
So you need to bring it up. Use the ip link set up command to bring it up.

97
00:06:57,630 --> 00:06:58,650
Now for the namespaces,

98
00:06:58,920 --> 00:07:02,220
this interface is like a switch that they can connect to.

99
00:07:02,370 --> 00:07:06,720
So think of it as an interface for the host and a switch for the namespace.

100
00:07:06,780 --> 00:07:11,820
So the next step is to connect the namespaces to this new virtual network switch.

101
00:07:11,850 --> 00:07:18,300
Earlier we created the cable, or the veth pair, with the veth-red interface on one end and the veth-blue interface

102
00:07:18,300 --> 00:07:22,060
on the other, because we wanted to connect the two namespaces directly.

103
00:07:22,260 --> 00:07:28,330
Now we will be connecting all namespaces to the bridge network, so we need new cables for that purpose.

104
00:07:28,620 --> 00:07:31,850
This cable doesn't make sense anymore, so we will get rid of it.

105
00:07:31,860 --> 00:07:34,770
Use the ip link delete command to delete the cable.

106
00:07:35,010 --> 00:07:39,710
When you delete the link with one end, the other end gets deleted automatically.

107
00:07:39,720 --> 00:07:45,510
Since they are a pair. Let's now create new cables to connect the namespaces to the bridge. Run

108
00:07:45,510 --> 00:07:48,750
the ip link add command and create a pair with

109
00:07:48,750 --> 00:07:53,580
veth-red on one end like before, but this time the other end will be named

110
00:07:53,580 --> 00:07:57,390
veth-red-br as it connects to the bridge network.

111
00:07:57,630 --> 00:08:03,810
This naming convention will help us easily identify the interfaces associated with the red namespace.

112
00:08:03,810 --> 00:08:07,920
Similarly, create a cable to connect the blue namespace to the bridge network.

113
00:08:08,130 --> 00:08:12,210
Now that we have the cables ready, it's time to get them connected to the namespaces.

114
00:08:12,210 --> 00:08:15,930
To attach one end of this interface to the red namespace, run

115
00:08:15,930 --> 00:08:17,070
the ip link set

116
00:08:17,280 --> 00:08:24,900
veth-red netns red command. To attach the other end to the bridge network, run the ip link set command

117
00:08:24,900 --> 00:08:30,870
on veth-red-br and specify the master for it as the v-net-0 network.

118
00:08:32,940 --> 00:08:38,520
Follow the same procedure to attach the cable to the blue namespace and the bridge network. Let's

119
00:08:38,520 --> 00:08:41,850
now set IP addresses for these links and turn them up.

120
00:08:42,060 --> 00:08:49,560
We will use the same IP addresses that we used before, 192.168.15.1 and

121
00:08:49,560 --> 00:08:52,470
192.168.15.2, and finally turn the devices up.

122
00:08:52,500 --> 00:08:55,410
The containers can now reach each other over the network.

123
00:08:55,530 --> 00:09:00,280
So we follow the same procedure to connect the remaining two namespaces to the same network.

124
00:09:00,780 --> 00:09:06,360
We now have all four namespaces connected to our internal network, and they can all communicate

125
00:09:06,360 --> 00:09:06,960
with each other.

126
00:09:07,370 --> 00:09:12,210
They all have IP addresses: 192.168.15.1, 2, 3 and 4.

127
00:09:12,240 --> 00:09:17,580
And remember, we assigned our host the IP 192.168.1.2. From my host,

128
00:09:17,600 --> 00:09:22,280
what if I try to reach one of these interfaces in these namespaces? Will it work?

129
00:09:22,800 --> 00:09:26,910
Now my host is on one network and the namespaces are on another.

130
00:09:26,910 --> 00:09:31,280
But what if I really want to establish connectivity between my host and this namespace?

131
00:09:32,110 --> 00:09:36,810
Remember we said that the bridge switch is actually a network interface for the host.

132
00:09:36,900 --> 00:09:43,020
So we do have an interface on the 192.168.15 network on our host, since it is just another

133
00:09:43,020 --> 00:09:43,570
interface.

134
00:09:43,590 --> 00:09:49,590
All we need to do is assign an IP address to it so we can reach the namespaces through it. Run the ip

135
00:09:49,590 --> 00:09:55,410
addr command to set the IP 192.168.15.5 on this interface.

136
00:09:55,590 --> 00:09:58,770
We can now ping the red namespace from our local host.

137
00:09:59,160 --> 00:10:06,240
Now remember, this entire network is still private and restricted within the host. From within the namespaces,

138
00:10:06,240 --> 00:10:11,820
you can't reach the outside world, nor can anyone from the outside world reach the services or applications

139
00:10:11,820 --> 00:10:12,780
hosted inside.

140
00:10:12,840 --> 00:10:17,340
The only door to the outside world is the Ethernet port on the host.

141
00:10:17,430 --> 00:10:22,030
So how do we configure this bridge to reach the network through the Ethernet port?

142
00:10:22,200 --> 00:10:27,270
Say there is another host attached to our network with the address 192.168.1.3.

143
00:10:27,720 --> 00:10:30,890
How can I reach this host from within my namespaces?

144
00:10:30,930 --> 00:10:34,410
What happens if I try to ping this host from my namespace?

145
00:10:34,440 --> 00:10:40,770
The blue namespace sees that I'm trying to reach a network at 192.168.1, which is different

146
00:10:40,770 --> 00:10:44,710
from my current network of 192.168.15.

147
00:10:44,730 --> 00:10:48,150
So it looks at its routing table to see how to find that network.

148
00:10:48,160 --> 00:10:53,400
The routing table has no information about the other network, so it comes back saying that the network

149
00:10:53,400 --> 00:10:54,240
is unreachable.

150
00:10:54,240 --> 00:11:00,250
So we need to add an entry into the routing table to provide a gateway or door to the outside world.

151
00:11:00,780 --> 00:11:02,400
So how do we find that gateway?

152
00:11:02,460 --> 00:11:08,400
A door or a gateway, as we discussed before, is a system on the local network that connects to the

153
00:11:08,400 --> 00:11:09,180
other network.

154
00:11:09,300 --> 00:11:15,030
So what is the system that has one interface on the network local to the blue namespace, which is the

155
00:11:15,030 --> 00:11:20,220
192.168.15 network, and is also connected to the outside LAN network?

156
00:11:20,340 --> 00:11:21,480
Here's a logical view.

157
00:11:21,660 --> 00:11:26,430
It's the local host that has all these namespaces on it, so you can ping the namespaces.

158
00:11:26,470 --> 00:11:31,650
Remember, our local host has an interface attached to the private network, so you can ping the

159
00:11:31,740 --> 00:11:32,210
namespaces.

160
00:11:32,220 --> 00:11:36,180
So our local host is the gateway that connects the two networks together.

161
00:11:36,310 --> 00:11:44,250
We can now add a route entry in the blue namespace to say all traffic to the 192.168.1 network goes through

162
00:11:44,250 --> 00:11:47,610
the gateway at 192.168.15.5.

163
00:11:47,640 --> 00:11:55,500
Now remember, our host has two IP addresses, one on the bridge network at 192.168.15.5 and another

164
00:11:55,530 --> 00:11:58,890
on the external network at 192.168.1.2.

165
00:11:58,890 --> 00:12:01,110
Can you use either one in the route? No,

166
00:12:01,110 --> 00:12:07,530
because the blue namespace can only reach the gateway on its local network, at 192.168.15.5.

167
00:12:07,530 --> 00:12:12,300
The default gateway should be reachable from your namespace when you add it to your route.

168
00:12:12,480 --> 00:12:15,780
When you try to ping now, you no longer get the network unreachable

169
00:12:15,780 --> 00:12:16,610
message, but

170
00:12:16,620 --> 00:12:19,410
you still don't get any response back from the ping.

171
00:12:19,590 --> 00:12:20,820
What might be the problem?

172
00:12:20,940 --> 00:12:26,760
We talked about a similar situation in one of our earlier lectures where from our home network we tried

173
00:12:26,760 --> 00:12:29,490
to reach the external Internet through our router.

174
00:12:29,490 --> 00:12:35,250
Our home network has our internal private IP addresses that the destination network doesn't know about,

175
00:12:35,250 --> 00:12:37,520
so they cannot reach back. For this,

176
00:12:37,530 --> 00:12:43,770
we need NAT enabled on our host acting as the gateway here, so that it can send the messages to the LAN

177
00:12:43,770 --> 00:12:46,010
in its own name with its own address.

178
00:12:46,020 --> 00:12:48,570
So how do we add that functionality to our host?

179
00:12:49,020 --> 00:12:55,500
You can do that using iptables. Add a new rule in the iptables NAT table, in the POSTROUTING chain, to

180
00:12:55,500 --> 00:13:00,570
masquerade or replace the from address on all packets coming from the source network.

181
00:13:00,840 --> 00:13:05,040
192.168.15.0, with its own IP address.

182
00:13:05,170 --> 00:13:09,960
That way, anyone receiving these packets outside the network will think that they're coming from the

183
00:13:09,960 --> 00:13:11,490
host and not from within

184
00:13:11,490 --> 00:13:16,140
the namespaces. When we try to ping now, we see that we are able to reach the outside world.

185
00:13:17,840 --> 00:13:20,940
Finally, say the LAN is connected to the Internet.

186
00:13:21,320 --> 00:13:27,210
We want the namespaces to reach the Internet, so we try to ping a server on the Internet from the

187
00:13:27,210 --> 00:13:32,290
blue namespace. We receive a familiar message that the network is unreachable.

188
00:13:32,450 --> 00:13:33,830
But now we know why that is.

189
00:13:34,070 --> 00:13:39,770
We look at the routing table and see that we have routes to the network 192.168.1, but not to

190
00:13:39,770 --> 00:13:40,460
anything else.

191
00:13:40,470 --> 00:13:44,120
Since these namespaces can reach any network our host can reach,

192
00:13:44,330 --> 00:13:50,660
We can simply say that to reach any external network, talk to our host so we add a default gateway

193
00:13:50,660 --> 00:13:52,060
specifying our host.

194
00:13:52,070 --> 00:13:56,590
We should now be able to reach the outside world from within this namespace.

195
00:13:57,730 --> 00:14:03,460
Now, what about connectivity from the outside world to inside the name spaces, say, for example,

196
00:14:03,460 --> 00:14:07,180
the blue namespace hosts a Web application on port 80.

197
00:14:07,180 --> 00:14:13,690
As of now, the namespaces are on an internal private network and no one from the outside world knows

198
00:14:13,690 --> 00:14:14,160
about that.

199
00:14:14,170 --> 00:14:16,650
We can only access these from the host itself.

200
00:14:16,660 --> 00:14:22,060
If you try to ping the private IP of the namespace from another host on another network, you will see

201
00:14:22,060 --> 00:14:27,760
that it's not reachable, obviously, because that host doesn't know about this private network. In order

202
00:14:27,760 --> 00:14:29,770
to make that communication possible.

203
00:14:29,800 --> 00:14:30,820
You have two options.

204
00:14:31,120 --> 00:14:34,580
The two options that we saw in the previous lecture on NAT.

205
00:14:34,660 --> 00:14:38,760
The first is to give away the identity of the private network to the second host.

206
00:14:38,780 --> 00:14:44,500
So we basically add an IP route entry to the second host, telling the host that the network

207
00:14:44,500 --> 00:14:50,350
192.168.15 can be reached through the host at 192.168.1.2.

208
00:14:50,350 --> 00:14:51,580
But we don't want to do that.

209
00:14:51,790 --> 00:14:59,380
The other option is to add a port forwarding rule using iptables to say any traffic coming to port

210
00:14:59,380 --> 00:15:06,110
80 on the local host is to be forwarded to port 80 on the IP assigned to the blue namespace.

211
00:15:06,130 --> 00:15:07,920
Well, that's it for this video.

212
00:15:08,140 --> 00:15:09,130
Thank you for watching.
