Description
A network namespace is a private set of network resources assigned to one or several processes. These processes have their own set of network devices, IP addresses, routes, sockets and so on. Other processes outside of the namespace cannot access these network resources, nor do they even know they exist.
That allows:
- virtualization: the processes inside a network namespace know nothing about the network resources outside the namespace and use their own resources without conflicting with other network namespaces.
  For example:
  - several network namespaces can each have eth0 and lo network devices.
  - several Apache servers listening on *:80 can be launched into different network namespaces.
- isolation: the processes cannot access the network resources which are outside the namespace.
  For example:
  - a process cannot sniff traffic belonging to another network namespace.
  - a process cannot shut down an interface belonging to another network namespace.
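The two points above, as an added shell demonstration that is not from the original page: it creates two namespaces that both own an interface named eth0 with the same address, and checks that each namespace cannot see the other's devices. It assumes Linux with iproute2 and root (CAP_NET_ADMIN and CAP_SYS_ADMIN); the namespace names, device names and the 192.0.2.1/24 address are chosen for the demo.

```shell
#!/bin/sh
# Added demonstration (not from the original page): two network namespaces,
# each with its own lo and an eth0 carrying the SAME address, plus a check
# that one namespace cannot even see the other namespace's devices.
# Assumes Linux, iproute2, root (CAP_NET_ADMIN+CAP_SYS_ADMIN); names are ours.
set -eu
NS_A=demo_ns_a
NS_B=demo_ns_b
SHARED_ADDR=192.0.2.1/24   # TEST-NET-1, configured inside BOTH namespaces

# Create namespace $1 with a veth pair: the host side keeps the name $2,
# the peer is moved into the namespace and renamed eth0 there.
setup_ns() {
    ip netns add "$1"
    ip link add "$2" type veth peer name "${2}p"
    ip link set "${2}p" netns "$1"
    ip netns exec "$1" ip link set "${2}p" name eth0
    ip netns exec "$1" ip addr add "$SHARED_ADDR" dev eth0
    ip netns exec "$1" ip link set lo up
    ip netns exec "$1" ip link set eth0 up
}

# Succeeds if namespace $1 has an eth0 configured with the shared address.
has_shared_addr() {
    ip netns exec "$1" ip -4 addr show dev eth0 | grep -q "$SHARED_ADDR"
}

# Succeeds if device $2 is NOT visible from inside namespace $1: a process
# there cannot list it, so it cannot sniff it or bring it down either.
not_visible() {
    ! ip netns exec "$1" ip link show dev "$2" >/dev/null 2>&1
}

# Delete both namespaces; each veth pair disappears with its namespaced end.
cleanup() {
    ip netns del "$NS_A" 2>/dev/null || true
    ip netns del "$NS_B" 2>/dev/null || true
}

if [ "${1:-}" = "run" ]; then   # demonstration, started as: sh netns_demo.sh run
    cleanup; setup_ns "$NS_A" demo_a0; setup_ns "$NS_B" demo_b0
    has_shared_addr "$NS_A" && has_shared_addr "$NS_B" &&
        echo "both namespaces own an eth0 with $SHARED_ADDR: no conflict"
    not_visible "$NS_A" demo_b0 && not_visible "$NS_B" demo_a0 &&
        echo "neither namespace can see the other's host-side veth"
    cleanup
fi
```

On a host that itself has an eth0, note that `ip link show eth0` in the initial namespace still shows only the host's own device: the two namespaced eth0s are not reachable from there by name.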
Virtualization and isolation together make several interesting features possible:
- security: a server can be run inside a network namespace, which ensures that if the server is hacked, the rest of the network system will not be compromised.
- resource management: resource management acting at the network device level can be implemented easily because the network resources can be assigned to a specific set of processes.
- traffic control: is more flexible because it can be set per network device and, obviously, per network namespace.
- consolidation: a powerful host can aggregate several servers in different network namespaces without impacting the servers' network configurations.
- mobility: it is easy to find and checkpoint the network resources because they are grouped by namespace. The virtualization allows moving IP addresses across the network and avoids conflicts at restart.
Some other details can be found .