Network Namespaces: Isolating VM Networking
These articles are AI-generated summaries. Please check the original sources for full details.
Nikita Vakula’s qcontroller tool leverages Linux network namespaces to manage VM networking, automatically cleaning up all associated resources when a namespace is deleted. Traditional approaches required manual removal of bridges, TAP devices, and nftables rules, risking host system instability.
Why This Matters
Traditional VM networking in Linux relies on bridges and TAP devices, which pollute the host’s network stack. Manual cleanup is error-prone, with misconfigured rules potentially breaking host connectivity. Network namespaces isolate VM networking entirely, ensuring automatic deletion of veth devices, routing tables, and firewall rules when a namespace is destroyed—eliminating manual intervention and reducing system fragility.
Key Insights
- “8-hour App Engine outage, 2012” (Google’s failure due to manual cleanup errors)
- “Sagas over ACID for e-commerce” (eventual consistency preferred for distributed systems)
- “Temporal used by Stripe, Coinbase” (for managing distributed workflows)
Working Example
# Create a new network namespace
sudo ip netns add example
# Create a veth pair and move one end into the namespace
sudo ip link add host-veth type veth peer name example-veth
sudo ip link set example-veth netns example
# Assign IPs and bring the interfaces (including the namespace's loopback) up
sudo ip addr add 192.168.26.1/24 dev host-veth
sudo ip netns exec example ip addr add 192.168.26.2/24 dev example-veth
sudo ip link set dev host-veth up
sudo ip netns exec example ip link set dev lo up
sudo ip netns exec example ip link set dev example-veth up
# Give the namespace a default route via the host end of the veth pair;
# without it, traffic never leaves the 192.168.26.0/24 subnet
sudo ip netns exec example ip route add default via 192.168.26.1
# Enable internet access via NAT (enp0s1 is the host's uplink interface; substitute your own)
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -i enp0s1 -o host-veth -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i host-veth -o enp0s1 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.26.0/24 -o enp0s1 -j MASQUERADE
Practical Applications
- Use Case: qcontroller uses namespaces to isolate VMs, ensuring deletion of all networking components with a single command.
- Pitfall: Forgetting to enable net.ipv4.ip_forward prevents internet access for VMs in the namespace.
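The procedure above and its cleanup, as an added example that is not part of the original article or of qcontroller: a POSIX shell script that brings the namespace up (with the default route the VM needs), tears it down, and counts which host-side netfilter rules survive, since "ip netns del" only removes what lives inside the namespace. It assumes the article's names (namespace example, uplink enp0s1, subnet 192.168.26.0/24) and reads iptables-save output for the check.

```shell
#!/bin/sh
# Added example, not from the article or qcontroller. Names are the article's:
# namespace "example", host uplink "enp0s1" (assumption), subnet 192.168.26.0/24.
NS=${NS:-example}
UPLINK=${UPLINK:-enp0s1}
SUBNET=192.168.26.0/24
HOST_IF=host-veth
NS_IF=example-veth
# Execute a command, or only print it when DRY_RUN=1 (review without root).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ns_up() {
  run ip netns add "$NS"
  run ip link add "$HOST_IF" type veth peer name "$NS_IF"
  run ip link set "$NS_IF" netns "$NS"
  run ip addr add 192.168.26.1/24 dev "$HOST_IF"
  run ip link set dev "$HOST_IF" up
  run ip netns exec "$NS" ip addr add 192.168.26.2/24 dev "$NS_IF"
  run ip netns exec "$NS" ip link set dev lo up
  run ip netns exec "$NS" ip link set dev "$NS_IF" up
  # Without a default route the namespace only reaches its own /24, however
  # forwarding and NAT are configured on the host.
  run ip netns exec "$NS" ip route add default via 192.168.26.1
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -A FORWARD -i "$UPLINK" -o "$HOST_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i "$HOST_IF" -o "$UPLINK" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
}
# "ip netns del" removes everything inside the namespace: the veth end (and so
# its host-side peer), its addresses and routes. The three iptables rules live
# in the host's root namespace and disappear only if deleted explicitly.
ns_down() {
  run iptables -t nat -D POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
  run iptables -D FORWARD -i "$HOST_IF" -o "$UPLINK" -j ACCEPT
  run iptables -D FORWARD -i "$UPLINK" -o "$HOST_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
  run ip netns del "$NS"
}
# Count rules in iptables-save text (stdin) that still name the VM subnet or
# its veth; after a correct teardown this prints 0.
leftover_rules() {
  grep -c -e "$SUBNET" -e "$HOST_IF" || true
}
case "${1:-}" in up) ns_up ;; down) ns_down ;; check) iptables-save | leftover_rules ;; esac
```

Run as root with `sh script.sh up`, `down` or `check`; `DRY_RUN=1 sh script.sh up` prints the commands instead of executing them.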