←back to thread

How to escape the Linux networking stack

(blog.cloudflare.com)
148 points meysamazad | 1 comments | 17 Nov 25 15:49 UTC | HN request time: 0.206s | source
Show context
marginalia_nu ◴[17 Nov 25 23:18 UTC] No.45959577[source]
This is extremely tangential, but I was working on setting up some manual network namespaces recently, basically manually reproducing what docker does to fix some of its faulty assumptions regarding containers having multiple IPs and a single name causing all sort of jank, and had to freshen up on a lot of Linux virtual networking concepts (namespaces, veths, bridge networks, macvlans and various other interfaces), made a ton of fairly informal notes to make myself sufficiently familiar with the thing to set it up.

Would anyone be interested if I polished it up and maybe added a refresher on the relevant layer 2 networking needed to reason about it? It's a fair bit of work and it's a niche topic, so I'm trying to poll a bit to see if the juice is worth the squeeze.

replies(11): >>45959749 #>>45959968 #>>45960118 #>>45960266 #>>45960554 #>>45960755 #>>45961911 #>>45961983 #>>45962002 #>>45962168 #>>45967111 #
HumanOstrich ◴[18 Nov 25 01:05 UTC] No.45960266[source]
I was actually going down rabbitholes today trying to figure out how to do a sane Docker setup where all the containers couldn't connect to each other. Your notes would be valuable at most any level of polish.
replies(2): >>45961588 #>>45966377 #
esseph ◴[18 Nov 25 05:06 UTC] No.45961588[source]
If you create each container in its own network namespace, they won't be able to.
replies(1): >>45961736 #
HumanOstrich ◴[18 Nov 25 05:35 UTC] No.45961736[source]
It's a little more complex than that for any non-trivial layout where some containers do need to talk to other containers, but most don't.
replies(2): >>45961964 #>>45968890 #
brirec ◴[18 Nov 25 06:22 UTC] No.45961964[source]
You could also create a network for each pair of containers that need to communicate with one another.
replies(2): >>45962220 #>>45964993 #
1. marginalia_nu ◴[18 Nov 25 12:49 UTC] No.45964993[source]
If you want point-to-point communication between two network namespaces, you should use veths[1]. I think virtual patch cables is a good mental model for veths.

If you want multiple participants, you use bridges, which are roughly analogous to switches.

[1] https://man7.org/linux/man-pages/man4/veth.4.html