Network namespaces

OpenStack was designed with multi-tenancy in mind, and provides users with the ability to create and manage their own compute and network resources. Neutron supports each tenant having multiple private networks, routers, firewalls, load balancers, and other networking resources, and is able to isolate many of these objects through the use of network namespaces.

A network namespace is defined as a logical copy of the network stack with its own routes, firewall rules, and network interfaces. When using the open source reference plugins and drivers, every DHCP server, router, and load balancer that is created by a user is implemented in a network namespace. By using network namespaces, Neutron is able to provide isolated DHCP and routing services to each network, allowing users to create overlapping networks with other users in other projects and even other networks in the same project.

The following naming convention for network namespaces should be observed:

  • DHCP Namespace: qdhcp-<network UUID>
  • Router Namespace: qrouter-<router UUID>
  • Load Balancer Namespace: qlbaas-<load balancer UUID>

A qdhcp namespace contains a DHCP service that provides IP addresses to instances using the DHCP protocol. In a reference implementation, dnsmasq is the process that services DHCP requests. The qdhcp namespace has an interface plugged into the virtual switch and is able to communicate with instances and other devices in the same network. A qdhcp namespace is created for every network where the associated subnet(s) have DHCP enabled.

A qrouter namespace represents a virtual router and is responsible for routing traffic to and from instances in the subnets it is connected to. Like the qdhcp namespace, the qrouter namespace is connected to one or more virtual switches, depending on the configuration. In some cases, multiple namespaces may be used to plumb the virtual router infrastructure. These additional namespaces, known as fip and snat, are used for distributed virtual routers (DVR) and will be discussed later in this book.

A qlbaas namespace represents a virtual load balancer and contains a service such as HAProxy that load balances traffic to instances. The qlbaas namespace is connected to a virtual switch and can communicate with instances and other devices in the same network.

Fun fact: The leading q in the name of the network namespaces stands for Quantum, the original name for the OpenStack Networking service.

Network namespaces of the aforementioned types will only be seen on nodes running the Neutron DHCP, L3, or LBaaS agents, respectively. These services are typically only configured on controllers or dedicated network nodes. When distributed virtual routers are configured, you may find router-related namespaces on compute nodes as well. The ip netns list command can be used to list available namespaces, and commands can be executed within the namespace using the following syntax:

ip netns exec NAMESPACE_NAME <command>

Commands that can be executed in the namespace include ip, route, iptables, and more. The output of these commands corresponds to data that's specific to the namespace they are executed in. Tools such as tcpdump can also be executed in a network namespace to assist in troubleshooting the virtual network infrastructure.
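As an added example, not taken from the book or from the Neutron project, the following POSIX shell script works with the naming convention and the ip netns exec syntax described above. It classifies namespace names by prefix (qdhcp-, qrouter-, qlbaas-, plus the DVR fip- and snat- namespaces mentioned earlier), checks that the suffix is a well-formed UUID so a name that merely starts with a known prefix is not trusted, summarises what a node is carrying, and prints the ip netns exec command line for a tool rather than running it, so it needs neither root nor real namespaces. The namespace list it parses is constructed sample text in the shape that ip netns list prints, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book): classify Neutron network namespace names
# by the naming convention described above and build "ip netns exec" command
# lines. Everything here only parses and prints, so it runs without root and
# without real namespaces.

# Constructed sample, in the shape "ip netns list" prints (recent iproute2
# appends " (id: N)"; older versions print the bare name). Real UUIDs would
# come from a network node; these are made up.
SAMPLE_NS_LIST='qdhcp-3f1c2b7e-9a4d-4c6e-8b1f-2d5e7a9c0b11 (id: 0)
qrouter-7e2a9d41-5b3c-4f8e-a1d2-6c9b0e4f7a33 (id: 1)
qlbaas-0b6d4e8f-1a2c-4d3e-9f5b-7c8a1d2e3f44 (id: 2)
fip-b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d55 (id: 3)
myvrf'

# classify_ns NAME -> prints "<type> <uuid>" for a Neutron-style name, or
# "unknown <name>" for anything else (unknown prefix or malformed UUID).
classify_ns() {
    ns=$1
    uuid=${ns#*-}                    # everything after the first hyphen
    case $ns in
        qdhcp-*)   kind=dhcp ;;
        qrouter-*) kind=router ;;
        qlbaas-*)  kind=loadbalancer ;;
        fip-*)     kind=dvr-fip ;;   # DVR floating IP namespace
        snat-*)    kind=dvr-snat ;;  # DVR SNAT namespace
        *)         printf 'unknown %s\n' "$ns"; return 0 ;;
    esac
    # The suffix must look like an 8-4-4-4-12 hex UUID; a truncated or
    # hand-made name that only starts with a known prefix is reported as unknown.
    if printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        printf '%s %s\n' "$kind" "$uuid"
    else
        printf 'unknown %s\n' "$ns"
    fi
}

# ns_exec_cmd NAME CMD... -> prints the "ip netns exec" invocation for CMD
# inside NAME, using the syntax shown above. It prints rather than executes.
ns_exec_cmd() {
    ns=$1
    shift
    printf 'ip netns exec %s %s\n' "$ns" "$*"
}

# summarise_ns_list -> reads "ip netns list" output on stdin and prints one
# count per namespace type, e.g. to notice router namespaces on a compute
# node (expected only with DVR) or namespaces that Neutron did not create.
summarise_ns_list() {
    dhcp=0; router=0; loadbalancer=0; dvr=0; unknown=0
    while IFS= read -r line; do
        name=${line%% *}             # drop the " (id: N)" suffix, if any
        [ -n "$name" ] || continue
        case "$(classify_ns "$name")" in
            "dhcp "*)         dhcp=$((dhcp + 1)) ;;
            "router "*)       router=$((router + 1)) ;;
            "loadbalancer "*) loadbalancer=$((loadbalancer + 1)) ;;
            "dvr-"*)          dvr=$((dvr + 1)) ;;
            *)                unknown=$((unknown + 1)) ;;
        esac
    done
    printf 'dhcp=%s router=%s loadbalancer=%s dvr=%s unknown=%s\n' \
        "$dhcp" "$router" "$loadbalancer" "$dvr" "$unknown"
}

# Demonstration on the constructed list.
printf '%s\n' "$SAMPLE_NS_LIST" | summarise_ns_list
ns_exec_cmd qrouter-7e2a9d41-5b3c-4f8e-a1d2-6c9b0e4f7a33 ip route
```

On a real network node, replace the constructed list with `ip netns list | summarise_ns_list`; the count of unknown names is the one worth a second look, since the DHCP, L3, and LBaaS agents only create the prefixes the convention lists.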

For more information on network namespaces, see the man page for ip netns at the following URL: http://man7.org/linux/man-pages/man8/ip-netns.8.html.