NetNS management

Basic network namespace management

Pyroute2 provides basic namespaces management support. Here's a quick overview of typical netns tasks and related pyroute2 tools.

Move an interface to a namespace

Though this task is managed not via netns module, it should be mentioned here as well. To move an interface to a netns, one should provide IFLA_NET_NS_FD nla in a set link RTNL request. The nla is an open FD number, that refers to already created netns. The pyroute2 library provides also a possibility to specify not a FD number, but a netns name as a string. In that case the library will try to lookup the corresponding netns in the standard location.

Create veth and move the peer to a netns with IPRoute:

from pyroute2 import IPRoute
ipr = IPRoute()
ipr.link('add', ifname='v0p0', kind='veth', peer='v0p1')
idx = ipr.link_lookup(ifname='v0p1')[0]
ipr.link('set', index=idx, net_ns_fd='netns_name')

Create veth and move the peer to a netns with IPDB:

from pyroute2 import IPDB
ipdb = IPDB()
ipdb.create(ifname='v0p0', kind='veth', peer='v0p1').commit()
with ipdb.interfaces.v0p1 as i:
    i.net_ns_fd = 'netns_name'

Manage interfaces within a netns

This task can be done with NetNS objects. A NetNS object spawns a child and runs it within a netns, providing the same API as IPRoute does:

from pyroute2 import NetNS
ns = NetNS('netns_name')
# do some stuff within the netns
ns.close()

One can even start IPDB on the top of NetNS:

from pyroute2 import NetNS
from pyroute2 import IPDB
ns = NetNS('netns_name')
ipdb = IPDB(nl=ns)
# do some stuff within the netns
ipdb.release()
ns.close()

Spawn a process within a netns

For that purpose one can use NSPopen API. It works just as normal Popen, but starts a process within a netns.

List, set, create, attach and remove netns

These functions are described below. To use them, import netns module:

from pyroute2 import netns
netns.listnetns()

Please be aware, that in order to run system calls the library uses ctypes module. It can fail on platforms where SELinux is enforced. If the Python interpreter, loading this module, dumps the core, one can check the SELinux state with getenforce command.

pyroute2.netns.listnetns(nspath=None)

List available network namespaces.

pyroute2.netns.ns_pids(nspath='/var/run/netns')

List pids in all netns

If a pid is in a unknown netns do not return it

pyroute2.netns.pid_to_ns(pid=1, nspath='/var/run/netns')

Return netns name which matches the given pid, None otherwise

pyroute2.netns.create(netns, libc=None)

Create a network namespace.

pyroute2.netns.attach(netns, pid, libc=None)

Attach the network namespace of the process pid to netns as if it were created with create.

pyroute2.netns.remove(netns, libc=None)

Remove a network namespace.

pyroute2.netns.setns(netns, flags=64, libc=None)

Set netns for the current process.

The flags semantics is the same as for the open(2) call:

  • O_CREAT -- create netns, if doesn't exist

  • O_CREAT | O_EXCL -- create only if doesn't exist

Note that "main" netns has no name. But you can access it with:

setns('foo')  # move to netns foo
setns('/proc/1/ns/net')  # go back to default netns

See also pushns()/popns()/dropns()

Changed in 0.5.1: the routine closes the ns fd if it's not provided via arguments.

pyroute2.netns.pushns(newns=None, libc=None)

Save the current netns in order to return to it later. If newns is specified, change to it:

# --> the script in the "main" netns
netns.pushns("test")
# --> changed to "test", the "main" is saved
netns.popns()
# --> "test" is dropped, back to the "main"
pyroute2.netns.popns(libc=None)

Restore the previously saved netns.

pyroute2.netns.dropns(libc=None)

Discard the last saved with pushns() namespace

A proxy class to run Popen() object in some network namespace.

Sample to run ip ad command in nsname network namespace:

nsp = NSPopen('nsname', ['ip', 'ad'], stdout=subprocess.PIPE)
print(nsp.communicate())
nsp.wait()
nsp.release()

The NSPopen class was intended to be a drop-in replacement for the Popen class, but there are still some important differences.

The NSPopen object implicitly spawns a child python process to be run in the background in a network namespace. The target process specified as the argument of the NSPopen will be started in its turn from this child. Thus all the fd numbers of the running NSPopen object are meaningless in the context of the main process. Trying to operate on them, one will get 'Bad file descriptor' in the best case or a system call working on a wrong file descriptor in the worst case. A possible solution would be to transfer file descriptors between the NSPopen object and the main process, but it is not implemented yet.

The process' diagram for NSPopen('test', ['ip', 'ad']):

+---------------------+     +--------------+     +------------+
| main python process |<--->| child python |<--->| netns test |
| NSPopen()           |     | Popen()      |     | $ ip ad    |
+---------------------+     +--------------+     +------------+

As a workaround for the issue with file descriptors, some additional methods are available on file objects stdin, stdout and stderr. E.g., one can run fcntl calls:

from fcntl import F_GETFL
from pyroute2 import NSPopen
from subprocess import PIPE

proc = NSPopen('test', ['my_program'], stdout=PIPE)
flags = proc.stdout.fcntl(F_GETFL)

In that way one can use fcntl(), ioctl(), flock() and lockf() calls.

Another additional method is release(), which can be used to explicitly stop the proxy process and release all the resources.