.TH IP\-NETNS 8 "16 Jan 2013" "iproute2" "Linux"
.SH NAME
ip-netns \- process network namespace management
.SH SYNOPSIS
.sp
.ad l
.in +8
.ti -8
.B ip
.RI "[ " OPTIONS " ]"
.B netns
.RI " { " COMMAND " | "
.BR help " }"
.sp
.ti -8
.BR "ip netns" " [ " list " ]"

.ti -8
.B ip netns add
.I NETNSNAME

.ti -8
.B ip [-all] netns del
.RI "[ " NETNSNAME " ]"

.ti -8
.B ip netns set
.I NETNSNAME NETNSID

.ti -8
.BR "ip netns identify"
.RI "[ " PID " ]"

.ti -8
.BR "ip netns pids"
.I NETNSNAME

.ti -8
.BR "ip [-all] netns exec "
.RI "[ " NETNSNAME " ] " command ...

.ti -8
.BR "ip netns monitor"

.ti -8
.BR "ip netns list-id"

.SH DESCRIPTION
A network namespace is logically another copy of the network stack,
with its own routes, firewall rules, and network devices.

By default a process inherits its network namespace from its parent. Initially all
the processes share the same default network namespace from the init process.

By convention a named network namespace is an object at
.BR "/var/run/netns/" NAME
that can be opened. The file descriptor resulting from opening
.BR "/var/run/netns/" NAME
refers to the specified network namespace. Holding that file
descriptor open keeps the network namespace alive. The file
descriptor can be used with the
.B setns(2)
system call to change the network namespace associated with a task.

For applications that are aware of network namespaces, the convention
is to look for global network configuration files first in
.BR "/etc/netns/" NAME "/"
then in
.BR "/etc/".
For example, if you want a different version of
.BR /etc/resolv.conf
for a network namespace used to isolate your vpn you would name it
.BR /etc/netns/myvpn/resolv.conf.

.B ip netns exec
automates handling of this configuration file convention for network
namespace unaware applications, by creating a mount namespace and
bind mounting all of the per network namespace configuration files into
their traditional location in /etc.
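The lookup convention above, as an added example that is not iproute2 code: a POSIX shell helper that resolves a configuration file the way a namespace-aware application should (per-namespace copy under /etc/netns/NAME/ first, global /etc/ file second), plus a helper that lists the bind mounts ip netns exec NAME would perform for a namespace-unaware program. The optional ETC_ROOT argument, the demo function and the myvpn sample files are constructed for this example so it can run against a scratch directory without root.

```shell
#!/bin/sh
# Added example, not part of iproute2. The third/second argument ETC_ROOT is an
# assumed override so the helpers can be exercised against a scratch directory
# instead of the real /etc.

# netns_conf_path NAME FILE [ETC_ROOT]
# Resolve FILE as a namespace-aware application should: prefer
# ETC_ROOT/netns/NAME/FILE, fall back to ETC_ROOT/FILE. An empty NAME means
# "no named namespace", so only the global file is considered.
netns_conf_path() {
    ns=$1; file=$2; root=${3:-/etc}
    if [ -n "$ns" ] && [ -e "$root/netns/$ns/$file" ]; then
        printf '%s\n' "$root/netns/$ns/$file"
    else
        printf '%s\n' "$root/$file"
    fi
}

# netns_bind_plan NAME [ETC_ROOT]
# Print one "SRC DST" pair per entry of ETC_ROOT/netns/NAME/, i.e. the bind
# mounts `ip netns exec NAME` performs in its private mount namespace before
# running the command. A missing DST is flagged, because a bind mount needs
# an existing target and would fail there.
netns_bind_plan() {
    ns=$1; root=${2:-/etc}
    dir="$root/netns/$ns"
    [ -d "$dir" ] || return 0
    for src in "$dir"/*; do
        [ -e "$src" ] || continue          # unmatched glob: directory is empty
        dst="$root/${src##*/}"
        if [ -e "$dst" ]; then
            printf '%s %s\n' "$src" "$dst"
        else
            printf '%s %s (target missing, bind would fail)\n' "$src" "$dst"
        fi
    done
}

# Constructed demo: a scratch /etc with a vpn-specific resolv.conf and a
# per-namespace nsswitch.conf that has no global counterpart.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/netns/myvpn"
    printf 'nameserver 192.0.2.1\n'   > "$tmp/resolv.conf"
    printf 'nameserver 198.51.100.1\n' > "$tmp/netns/myvpn/resolv.conf"
    printf '127.0.0.1 localhost\n'     > "$tmp/hosts"
    printf 'hosts: files dns\n'        > "$tmp/netns/myvpn/nsswitch.conf"
    echo "resolv.conf for myvpn: $(netns_conf_path myvpn resolv.conf "$tmp")"
    echo "hosts for myvpn:       $(netns_conf_path myvpn hosts "$tmp")"
    echo "resolv.conf, unnamed:  $(netns_conf_path "" resolv.conf "$tmp")"
    echo "bind plan for myvpn:"
    netns_bind_plan myvpn "$tmp"
    rm -rf "$tmp"
}

demo
```

A program that enters the namespace through setns(2) or nsenter alone does not get these bind mounts, so a namespace-unaware program started that way still reads the global /etc/resolv.conf; ip netns exec is the entry point that applies the per-namespace files.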

.TP
.B ip netns list - show all of the named network namespaces
.sp
This command displays all of the network namespaces in /var/run/netns

.TP
.B ip netns add NAME - create a new named network namespace
.sp
If NAME is available in /var/run/netns/ this command creates a new
network namespace and assigns NAME.

.TP
.B ip [-all] netns delete [ NAME ] - delete the name of a network namespace(s)
.sp
If NAME is present in /var/run/netns it is unmounted and the mount
point is removed. If this is the last user of the network namespace the
network namespace will be freed and all physical devices will be moved to the
default one, otherwise the network namespace persists until it has no more
users. ip netns delete may fail if the mount point is in use in another mount
namespace.

If the
.B -all
option was specified then all the network namespace names will be removed.

It is possible to lose a physical device if it was moved to a netns and
that netns was then deleted while a process was still running in it:

.RS 10
$ ip netns add net0
.RE
.RS 10
$ ip link set dev eth0 netns net0
.RE
.RS 10
$ ip netns exec net0 SOME_PROCESS_IN_BACKGROUND
.RE
.RS 10
$ ip netns del net0
.RE

.RS
Here eth0 will reappear in the default netns only after SOME_PROCESS_IN_BACKGROUND
exits or is killed. To prevent this, the processes running in net0
should be killed before deleting the netns:

.RE
.RS 10
$ ip netns pids net0 | xargs kill
.RE
.RS 10
$ ip netns del net0
.RE
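The drain-then-delete sequence above, as an added example that is not part of iproute2: a POSIX shell script that sends TERM to every process in the namespace, waits a grace period, escalates to KILL, and deletes the namespace only once it is empty, so a physical device moved into it returns to the default netns right away instead of whenever the last process happens to exit. The wrapper functions, the grace-period argument and the pid values in the comments are this example's own design, not ip options; the real commands need root.

```shell
#!/bin/sh
# Added example, not part of iproute2. Three thin wrappers isolate the
# privileged commands so the drain policy can be exercised without root by
# redefining them (the real ones need CAP_SYS_ADMIN / CAP_KILL).

netns_pids()   { ip netns pids "$1"; }                  # pids whose primary netns is $1
netns_signal() { kill "-$1" "$2" 2>/dev/null || true; } # send signal $1 to pid $2; it may already be gone
netns_del()    { ip netns del "$1"; }

# netns_drain NAME [GRACE_SECONDS]
# TERM every process in NAME, poll until none remain (at most GRACE_SECONDS),
# then repeat with KILL. Returns 0 when the namespace is empty, 1 if
# processes survived even KILL (e.g. stuck in uninterruptible sleep).
netns_drain() {
    ns=$1; grace=${2:-5}
    for sig in TERM KILL; do
        pids=$(netns_pids "$ns")
        [ -n "$pids" ] || return 0
        echo "netns $ns: sending $sig to $(echo "$pids" | wc -l | tr -d ' ') process(es)"
        for p in $pids; do
            netns_signal "$sig" "$p"
        done
        i=0
        while [ -n "$(netns_pids "$ns")" ] && [ "$i" -lt "$grace" ]; do
            sleep 1
            i=$((i + 1))
        done
    done
    [ -z "$(netns_pids "$ns")" ]
}

# netns_safe_del NAME [GRACE_SECONDS]
# Delete NAME only once it is empty; refuse otherwise, so a device is not
# stranded in a namespace that no longer has a name to address it by.
netns_safe_del() {
    if netns_drain "$1" "${2:-5}"; then
        netns_del "$1"
    else
        echo "netns $1: processes still running, not deleting" >&2
        return 1
    fi
}

# Usage (as root): sh this.sh NAME [GRACE_SECONDS]. Does nothing when sourced.
if [ $# -gt 0 ]; then
    netns_safe_del "$@"
fi
```

The page's one-liner (ip netns pids net0 | xargs kill) sends TERM and immediately deletes; the version here adds the wait and the KILL escalation, and treats "still not empty" as a reason to stop rather than to delete anyway.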

.TP
.B ip netns set NAME NETNSID - assign an id to a peer network namespace
.sp
This command assigns an id to a peer network namespace. This id is valid
only in the current network namespace.
This id will be used by the kernel in some netlink messages. If no id is
assigned when the kernel needs it, it will be automatically assigned by
the kernel.
Once it is assigned, it's not possible to change it.

.TP
.B ip netns identify [PID] - Report network namespace names for process
.sp
This command walks through /var/run/netns and finds all the network
namespace names for the network namespace of the specified process; if PID is
not specified then the current process will be used.

.TP
.B ip netns pids NAME - Report processes in the named network namespace
.sp
This command walks through /proc and finds all of the processes that have
the named network namespace as their primary network namespace.

.TP
.B ip [-all] netns exec [ NAME ] cmd ... - Run cmd in the named network namespace
.sp
This command allows applications that are network namespace unaware
to be run in something other than the default network namespace with
all of the configuration for the specified network namespace appearing
in the customary global locations. A mount namespace and bind mounts
are used to move files from their network namespace specific location
to their default locations without affecting other processes.

If the
.B -all
option was specified then
.B cmd
will be executed synchronously on each named network namespace even if
.B cmd
fails on some of them. The network namespace name is printed as each
.B cmd
is executed.

.TP
.B ip netns monitor - Report as network namespace names are added and deleted
.sp
This command watches network namespace name addition and deletion events
and prints a line for each event it sees.

.TP
.B ip netns list-id - list network namespace ids (nsid)
.sp
Network namespace ids are used to identify a peer network namespace. This
command displays the nsids of the current network namespace and provides the
corresponding iproute2 netns name (from /var/run/netns) if any.

.SH EXAMPLES
.PP
ip netns list
.RS
Shows the list of current named network namespaces
.RE
.PP
ip netns add vpn
.RS
Creates a network namespace and names it vpn
.RE
.PP
ip netns exec vpn ip link set lo up
.RS
Bring up the loopback interface in the vpn network namespace.
.RE

.SH SEE ALSO
.br
.BR ip (8)

.SH AUTHOR
Original Manpage by Eric W. Biederman