I wrote the following code to create two namespaces, ns1 and ns2, and to connect them using a bridge (br), tap0 and tap1. But at the end, with "ping", I get an unreachable network. Could you please guide me on what the problem is?
ip netns add ns1
ip netns add ns2
ip link add name br type bridge
ip tuntap add dev tap0 mode tap
ip tuntap add dev tap1 mode tap
ip link set dev tap0 master br
ip link set tap0 up
ip link set dev tap1 master br
ip link set tap1 up
ip link set tap0 netns ns1
ip link set tap1 netns ns2
ip netns exec ns1 ip addr add 10.0.0.1/24 dev tap0
ip netns exec ns2 ip addr add 10.0.0.2/24 dev tap1
ip netns exec ns1 ip link set dev tap0 up
ip netns exec ns2 ip link set dev tap1 up
ip netns exec ns1 ip link set dev lo up
ip netns exec ns2 ip link set dev lo up
ip link set br up
ip netns exec ns1 ping 10.0.0.2
The problem would probably become more obvious if you were to inspect the state of your bridge periodically in your script. Before you set the namespace of one of your tap devices, it looks like this:
# ip link show tap0
10: tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br state DOWN mode DEFAULT qlen 500
link/ether b2:e6:85:8a:43:61 brd ff:ff:ff:ff:ff:ff
After the setns operation, it looks like this:
10: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 500
link/ether b2:e6:85:8a:43:61 brd ff:ff:ff:ff:ff:ff
Notice that you no longer see master br in this output; when you moved the interface out of the global namespace it was removed from the bridge (because it is no longer visible).
Generally, to connect namespaces to a bridge on your host you would use veth devices, rather than tap devices. A veth device is a connected pair of interfaces (think of it like a virtual patch cable). You add one side of the pair to your bridge, and the other end goes into the network namespace. Something like this:
ip netns add ns1
ip netns add ns2
ip link add name br0 type bridge
for ns in ns1 ns2; do
    # create a veth pair named $ns-inside and $ns-outside
    # (e.g., ns1-inside and ns1-outside)
    ip link add $ns-inside type veth peer name $ns-outside
    # add the -outside half of the veth pair to the bridge
    ip link set dev $ns-outside master br0
    ip link set $ns-outside up
    # add the -inside half to the network namespace
    ip link set $ns-inside netns $ns
done
ip netns exec ns1 ip addr add 10.0.0.1/24 dev ns1-inside
ip netns exec ns2 ip addr add 10.0.0.2/24 dev ns2-inside
ip netns exec ns1 ip link set dev ns1-inside up
ip netns exec ns2 ip link set dev ns2-inside up
ip link set br0 up
After the above:
# ip netns exec ns1 ping -c2 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.044 ms
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.034/0.039/0.044/0.005 ms
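The answer's advice to inspect the interface state at each step, as an added example that is not part of the original answer: a shell helper that parses ip link show text and reports when an interface has dropped out of its bridge. The function names are hypothetical, and the two sample strings are the tap0 outputs quoted above, embedded as constructed input so the script runs without root.

```shell
#!/bin/sh
# Added example: report bridge membership of an interface from `ip link show` text.

# Constructed samples: the two tap0 states quoted in the answer above.
SAMPLE_BEFORE='10: tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br state DOWN mode DEFAULT qlen 500
    link/ether b2:e6:85:8a:43:61 brd ff:ff:ff:ff:ff:ff'
SAMPLE_AFTER='10: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 500
    link/ether b2:e6:85:8a:43:61 brd ff:ff:ff:ff:ff:ff'

# link_field TEXT KEY: print the word following KEY ("master", "state", ...) on
# the first line of the given text; prints nothing if KEY is absent.
link_field() {
    printf '%s\n' "$1" | awk -v key="$2" 'NR == 1 {
        for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# link_has_flag TEXT FLAG: succeed if FLAG appears inside the <...> flag list.
link_has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n '1s/^[^<]*<\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_port TEXT BRIDGE: one-line verdict; returns non-zero when the
# interface is not (or no longer) a port of BRIDGE.
check_port() {
    master=$(link_field "$1" master)
    if [ "$master" != "$2" ]; then
        echo "DETACHED: master='${master}' expected='$2'"
        return 1
    fi
    if link_has_flag "$1" UP; then admin=up; else admin=down; fi
    echo "OK: master=$master admin=$admin state=$(link_field "$1" state)"
}

# Demo on the constructed samples (|| true keeps the script going after a failure).
check_port "$SAMPLE_BEFORE" br || true
check_port "$SAMPLE_AFTER" br || true
```

On a live system, pass "$(ip link show dev tap0)" as the first argument, or "$(ip -n ns1 link show dev tap0)" for an interface that is already inside a namespace.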