Wednesday, March 16, 2016

Network namespaces and NetworkManager

This post documents a process to implement support for network namespaces in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NetworkManager. The code described in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 post can be found on GitHub. While my personal motivation to add namespace support to NetworkManager was to be able to add support for provisioning domains as specified by IETF MIF WG, it also brings benefits to existing users by allowing isolation of different applications into different network namespaces. The best example is a VPN connection isolation. When network namespaces are used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n certain applications can be started in namespace in which only network connectivity is via VPN. Those applications can access VPN resources while all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r applications, that are in different network namespaces, will not see VPN connection and thus couldn't use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m. The additional benefit would be from using multiple connections, as described by MIF Architecture RFC.

Note that after I started to work on this, Thomas Haller implemented basic support for namespaces in NetworkManager that was a bit different in some implementation details from mine.

The idea


The intention of implementing support for network namespaces was to allow applications to be isolated so that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y use specific network connections. Network namespaces in Linux kernel have some properties that anyone that wants to use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m must be aware of. This is documented in a separate post.

So, an application can not be moved between different network namespace by some ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r application, i.e. only application itself can change network namespaces, and only if it has appropriate permissions.

So, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 idea is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following one. Application is started in some network namespace. This can be done easily (e.g. see 'ip netns exec' command). Then, this network namespace is manipulated by eicá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 application itself - it is aware of NM's support for network namespaces, or by third party application (that application could be nmcli). The manipulation means that requests are sent to NetworkManager via D-Bus to make changes to network namespace. The changes can be activation and deactivation of certain connections. NetworkManager, based on those requests and on specifics of connections and devices those connections are bound to, determines what to do. For example, it can create virtual device in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network namespace, or can move physical device. Basically, this part isn't important to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 application itself, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only thing that is important is that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 application is assigned requested connections.

Implementation


The following changes were made to NetworkManager in order to introduce support for network namespaces:

  1. Created new object NMNetnsController whose purpose is to allow management of all network namespaces controlled by NetworkManager. Via cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interface org.freedesktop.NetworkManager.NetworkNamespacesController it is possible to create a new network namespace, or to remove cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 existing one. It is also possible to obtain a list of existing network namespaces.
     
  2. Created new object NMNetns that represents a single network namespace. So, when new network namespace is created a new object NMNetns is created and exposed on D-Bus. This object allows manipulation with network namespace via cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interface org.freedesktop.NetworkManager.NetNsInstance. So, it is possible to get a list of all devices within cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network namespace, take certain device from some ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r network namespace and to activate some connection.
     
  3. NMSettings is now singleton object. This wasn't so significant change because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re was also one object of this type before, but now it is more explicitly exposed as such.
     
  4. NMPlatform, NMDefaultRouteManager and NMRouteManager aren't singleton objects any more. They are now instantiated for each new network namespace that is created.


VPN isolation


VPN isolation was done as a first user of network namespaces implementation. It was easier cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r connections because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 assumption was that VPN connection should live only in single network namespace and it should be cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only available connection.

At cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 beginning, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re was doubt on where to place cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 knowledge of network namespace and two places were candidates, in NMActiveConnection and NMVPNConnection classes. NMActiveConnection is actually a base class of NMVPNConnection class. The modification of NMVPNConnection approach is better for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following reason because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 idea was to introduce new configuration parameter in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 configuration file of a VPN connection that will specify that isolation is necessary and also some additional behaviors:
  • netns-isolate

    Boolean parameter (yes/no) which defines weacá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r VPN connection should be isolated within a network namespace or not. For backwards compatibility reasons
     
  • netns-persistent

    Should network namespace be persistant (yes) or not (no). Persistant namespace will be retained when VPN connection is terminated, while non-persistant will be removed.
     
  • netns-name

    Network namespace name. Special value is uuid which means connection's UUID should be used, also name is special value that requests connection's name to be used. Finally, any ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r string is taken as-is and used as a network namespace name.
     
  • netns-timeout

    How much time to wait (in milliseconds) for device to appear in target namespace.
Basically, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 implementation is such that when device appears in root network namespace it is taken from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re (using TakeDevice method, but called directly instead via D-Bus).  When device appears in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 target network namespace network parameters are assigned to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 interface. This was tested with OpenVPN type of VPN.

The implementation has two problems. First, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 case of VPN connections that don't create virtual devices but instead just modify packet processing rules in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Linux kernel (i.e. XFRM). Secondly, hostname and name resolution parameters aren't assigned because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 infrastructure is lacking in that respect.

Conclusion


The initial goal of having network namespaces support in NetworkManager was achieved. There are functionalities missing like isolation of any connection, hostname handling and DNS resolution handling. Those are things that will have to be resolved in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future.

No comments:

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive