Netns management overview¶
Pyroute2 provides basic namespaces management support. Here’s a quick overview of typical netns tasks and related pyroute2 tools.
Move an interface to a namespace¶
Though this task is managed not via netns module, it should be mentioned here as well. To move an interface to a netns, one should provide IFLA_NET_NS_FD nla in a set link RTNL request. The nla is an open FD number, that refers to already created netns. The pyroute2 library provides also a possibility to specify not a FD number, but a netns name as a string. In that case the library will try to lookup the corresponding netns in the standard location.
Create veth and move the peer to a netns with IPRoute:
from pyroute2 import IPRoute ipr = IPRoute() ipr.link('add', ifname='v0p0', kind='veth', peer='v0p1') idx = ipr.link_lookup(ifname='v0p1') ipr.link('set', index=idx, net_ns_fd='netns_name')
Create veth and move the peer to a netns with IPDB:
from pyroute2 import IPDB ipdb = IPDB() ipdb.create(ifname='v0p0', kind='veth', peer='v0p1').commit() with ipdb.interfaces.v0p1 as i: i.net_ns_fd = 'netns_name'
Manage interfaces within a netns¶
This task can be done with NetNS objects. A NetNS object spawns a child and runs it within a netns, providing the same API as IPRoute does:
from pyroute2 import NetNS ns = NetNS('netns_name') # do some stuff within the netns ns.close()
One can even start IPDB on the top of NetNS:
from pyroute2 import NetNS from pyroute2 import IPDB ns = NetNS('netns_name') ipdb = IPDB(nl=ns) # do some stuff within the netns ipdb.release() ns.close()
Spawn a process within a netns¶
For that purpose one can use NSPopen API. It works just as normal Popen, but starts a process within a netns.
List, set, create, attach and remove netns¶
These functions are described below. To use them, import netns module:
from pyroute2 import netns netns.listnetns()
Please be aware, that in order to run system calls the library uses ctypes module. It can fail on platforms where SELinux is enforced. If the Python interpreter, loading this module, dumps the core, one can check the SELinux state with getenforce command.
List available network namespaces.
List pids in all netns
If a pid is in a unknown netns do not return it
Return netns name which matches the given pid, None otherwise
Create a network namespace.
attach(netns, pid, libc=None)¶
Attach the network namespace of the process pid to netns as if it were created with create.
Remove a network namespace.
setns(netns, flags=64, libc=None)¶
Set netns for the current process.
The flags semantics is the same as for the open(2) call:
O_CREAT – create netns, if doesn’t exist
O_CREAT | O_EXCL – create only if doesn’t exist
Note that “main” netns has no name. But you can access it with:
setns('foo') # move to netns foo setns('/proc/1/ns/net') # go back to default netns
See also pushns()/popns()/dropns()
Changed in 0.5.1: the routine closes the ns fd if it’s not provided via arguments.
Save the current netns in order to return to it later. If newns is specified, change to it:
# --> the script in the "main" netns netns.pushns("test") # --> changed to "test", the "main" is saved netns.popns() # --> "test" is dropped, back to the "main"
Restore the previously saved netns.
Discard the last saved with pushns() namespace
A NetNS object is IPRoute-like. It runs in the main network namespace, but also creates a proxy process running in the required netns. All the netlink requests are done via that proxy process.
NetNS supports standard IPRoute API, so can be used instead of IPRoute, e.g., in IPDB:
# start the main network settings database: ipdb_main = IPDB() # start the same for a netns: ipdb_test = IPDB(nl=NetNS('test')) # create VETH ipdb_main.create(ifname='v0p0', kind='veth', peer='v0p1').commit() # move peer VETH into the netns with ipdb_main.interfaces.v0p1 as veth: veth.net_ns_fd = 'test' # please keep in mind, that netns move clears all the settings # on a VETH interface pair, so one should run netns assignment # as a separate operation only # assign addresses # please notice, that `v0p1` is already in the `test` netns, # so should be accessed via `ipdb_test` with ipdb_main.interfaces.v0p0 as veth: veth.add_ip('172.16.200.1/24') veth.up() with ipdb_test.interfaces.v0p1 as veth: veth.add_ip('172.16.200.2/24') veth.up()
Please review also the test code, under tests/test_netns.py for more examples.
By default, NetNS creates requested netns, if it doesn’t exist, or uses existing one. To control this behaviour, one can use flags as for open(2) system call:
# create a new netns or fail, if it already exists netns = NetNS('test', flags=os.O_CREAT | os.O_EXCL) # create a new netns or use existing one netns = NetNS('test', flags=os.O_CREAT) # the same as above, the default behaviour netns = NetNS('test')
To remove a network namespace:
from pyroute2 import NetNS netns = NetNS('test') netns.close() netns.remove()
One should stop it first with close(), and only after that run remove().
NetNS is the IPRoute API with network namespace support.
Why not IPRoute?
The task to run netlink commands in some network namespace, being in another network namespace, requires the architecture, that differs too much from a simple Netlink socket.
NetNS starts a proxy process in a network namespace and uses multiprocessing communication channels between the main and the proxy processes to route all recv() and sendto() requests/responses.
Any specific API calls?
Nope. NetNS supports all the same, that IPRoute does, in the same way. It provides full socket-compatible API and can be used in poll/select as well.
The only difference is the close() call. In the case of NetNS it is mandatory to close the socket before exit.
Try to remove this network namespace from the system.
The NSPopen class has nothing to do with netlink at all, but it is required to have a reasonable network namespace support.
NSPopen(nsname, *argv, **kwarg)¶
A proxy class to run Popen() object in some network namespace.
Sample to run ip ad command in nsname network namespace:
nsp = NSPopen('nsname', ['ip', 'ad'], stdout=subprocess.PIPE) print(nsp.communicate()) nsp.wait() nsp.release()
The NSPopen class was intended to be a drop-in replacement for the Popen class, but there are still some important differences.
The NSPopen object implicitly spawns a child python process to be run in the background in a network namespace. The target process specified as the argument of the NSPopen will be started in its turn from this child. Thus all the fd numbers of the running NSPopen object are meaningless in the context of the main process. Trying to operate on them, one will get ‘Bad file descriptor’ in the best case or a system call working on a wrong file descriptor in the worst case. A possible solution would be to transfer file descriptors between the NSPopen object and the main process, but it is not implemented yet.
The process’ diagram for NSPopen(‘test’, [‘ip’, ‘ad’]):
+---------------------+ +--------------+ +------------+ | main python process |<--->| child python |<--->| netns test | | NSPopen() | | Popen() | | $ ip ad | +---------------------+ +--------------+ +------------+
As a workaround for the issue with file descriptors, some additional methods are available on file objects stdin, stdout and stderr. E.g., one can run fcntl calls:
from fcntl import F_GETFL from pyroute2 import NSPopen from subprocess import PIPE proc = NSPopen('test', ['my_program'], stdout=PIPE) flags = proc.stdout.fcntl(F_GETFL)
In that way one can use fcntl(), ioctl(), flock() and lockf() calls.
Another additional method is release(), which can be used to explicitly stop the proxy process and release all the resources.
Explicitly stop the proxy process and release all the resources. The NSPopen object can not be used after the release() call.