When I create a new docker container, e.g. with
docker run -it -m 560m --cpuset-cpus=1,2 ubuntu sleep 120
and check its namespaces, I can see that new namespaces have been created (example for pid 7047).
root@dude2:~# ls /proc/7047/ns -la
total 0
dr-x--x--x 2 root root 0 Jul  7 12:17 .
dr-xr-xr-x 9 root root 0 Jul  7 12:16 ..
lrwxrwxrwx 1 root root 0 Jul  7 12:17 ipc -> ipc:[4026532465]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 mnt -> mnt:[4026532463]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 net -> net:[4026532299]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 pid -> pid:[4026532466]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 uts -> uts:[4026532464]
root@dude2:~# ls /proc/self/ns -la
When I check with ip netns list, I cannot see the new net namespace.
dude@dude2:~/docker/testroot$ ip netns list
dude@dude2:~/docker/testroot$
Any idea why?
ip netns list - show all of the named network namespaces
    This command displays all of the network namespaces in /var/run/netns
ip netns add NAME - create a new named network namespace
    If NAME is available in /var/run/netns this command creates a new network namespace and assigns NAME.
Docker uses many Linux namespace technologies for isolation: there are user namespaces, process namespaces, etc. For network isolation Docker uses the Linux network namespace technology; each Docker container has its own network namespace, which means it has its own IP address, routing table, etc.
Network Namespaces
Both mechanisms work together to provide the process and resource isolation in Docker containers that we leverage. For example, cgroups limit the resources a process can use. On the other hand, namespaces control the visibility of resources between processes.
That's because docker is not creating the required symlink:
# (as root)
# PID of the container's init process, as seen from the host
pid=$(docker inspect -f '{{.State.Pid}}' "${container_id}")
mkdir -p /var/run/netns/
# make the container's net namespace visible to ip netns under the container id
ln -sfT "/proc/${pid}/ns/net" "/var/run/netns/${container_id}"
Then, the container's netns namespace can be examined with ip netns ${container_id}, e.g.:
# e.g. show stats about eth0 inside the container
ip netns exec "${container_id}" ip -s link show eth0
As @jary indicates, the ip netns command only works with namespace symlinks in /var/run/netns. However, if you have the nsenter command available (part of the util-linux package), you can accomplish the same thing using the PID of your docker container.
To get the PID of a docker container, you can run:
docker inspect --format '{{.State.Pid}}' <container_name_or_Id>
To get a command inside the network namespace of a container:
nsenter -t <container_pid> -n <command>
E.g.:
$ docker inspect --format '{{.State.Pid}}' weechat
4432
$ sudo nsenter -t 4432 -n ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
75: eth0@if76: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:1b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.27/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:1b/64 scope link
       valid_lft forever preferred_lft forever
The above was equivalent to running ip netns exec <some_namespace> ip addr show.
As you can see here, you will need to run nsenter with root privileges.
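As an added example (not from any of the answers above), the following POSIX shell script shows the other side of the symlink and nsenter answers: it enumerates every network namespace that a visible process is in by reading /proc/<pid>/ns/net, and marks which of them ip netns would also list because an entry for them exists in /var/run/netns. It assumes Linux with GNU coreutils (stat -L -c %i) and that you run it as root if you want to see other users' processes.

```shell
#!/bin/sh
# Added example: list every network namespace that a visible process lives in,
# by reading the /proc/<pid>/ns/net links, and say which of them ip(8) would
# also show (it only lists entries under /var/run/netns). Assumes Linux with
# GNU coreutils; links of other users' processes are only readable as root.

# ns_inode: print the inode number from a link target such as "net:[4026532299]";
# prints nothing for input that is not in that form.
ns_inode() {
  printf '%s\n' "$1" | sed -n 's/^[a-z_]*:\[\([0-9][0-9]*\)\]$/\1/p'
}

# named_netns_inodes: print "<inode> <name>" for each entry in /var/run/netns.
# ip netns matches by inode, so a symlink to /proc/<pid>/ns/net (as in the
# answer above) resolves to the same inode as the container's own link.
named_netns_inodes() {
  for entry in /var/run/netns/*; do
    [ -e "$entry" ] || continue
    inode=$(stat -L -c %i "$entry" 2>/dev/null) || continue
    printf '%s %s\n' "$inode" "${entry##*/}"
  done
}

# list_netns: one line per distinct net namespace:
#   <inode> <name or "unnamed"> <lowest pid in it> <number of processes in it>
list_netns() {
  named=$(named_netns_inodes)
  for link in /proc/[0-9]*/ns/net; do
    pid=${link#/proc/}; pid=${pid%%/*}
    target=$(readlink "$link" 2>/dev/null) || continue   # unreadable: skip
    inode=$(ns_inode "$target")
    [ -n "$inode" ] || continue
    printf '%s %s\n' "$inode" "$pid"
  done | sort -n -k1,1 -k2,2 | awk -v named="$named" '
    function emit() {
      printf "%s %s %s %d\n", cur, (cur in name ? name[cur] : "unnamed"), first, count
    }
    BEGIN {
      n = split(named, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], f, " "); name[f[1]] = f[2] }
    }
    $1 != cur { if (cur != "") emit(); cur = $1; first = $2; count = 0 }
    { count++ }
    END { if (cur != "") emit() }'
}

# An "unnamed" namespace that holds processes is typically a container (or a
# process that called unshare/setns); exactly these are what ip netns list misses.
list_netns
```

A namespace that shows up as "unnamed" here is the one the question could not find: it exists in /proc but has no entry under /var/run/netns, which is all that ip netns list consults.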