LinuxCommandLibrary

ip-netns

Manage network namespaces

SYNOPSIS

ip [ OPTIONS ] netns { COMMAND | help }

COMMON COMMANDS:
  ip netns add NAME
  ip netns attach NAME PID
  ip netns delete NAME
  ip netns exec NAME COMMAND [ ARGUMENTS ]...
  ip netns identify PID
  ip netns list [ all ]
  ip netns monitor
  ip netns pids NAME
  ip netns rename OLDNAME NEWNAME
  ip netns set NAME { up | down }

PARAMETERS

add NAME
    Creates a new network namespace named NAME. This namespace will initially be empty of devices.

delete NAME
    Deletes the specified network namespace NAME. The namespace will only be fully removed by the kernel when all processes inside it have exited and its filesystem reference (e.g., /var/run/netns/NAME) is unmounted/removed.

list [ all ]
    Lists all currently active network namespaces discovered by ip. The optional all argument also shows associated process IDs (PIDs) that have entered the namespace.

exec NAME COMMAND [ ARGUMENTS ]...
    Executes the specified COMMAND with its ARGUMENTS within the network namespace NAME. This is commonly used to configure network interfaces, run applications, or inspect the network configuration inside the isolated environment.

identify PID
    Identifies and reports the network namespace that the process with PID belongs to. This is useful for debugging or verifying process isolation.

pids NAME
    Lists all process IDs (PIDs) currently residing within the network namespace NAME. This command helps in understanding which processes are using a specific namespace.

monitor
    Monitors and reports network namespace events as they occur in real-time, such as the creation or deletion of namespaces.

attach NAME PID
    Attaches an existing process, identified by PID, to the network namespace NAME. This modifies the process's network context to the specified namespace.

set NAME { up | down }
    Marks the network namespace NAME as 'up' or 'down'. This is primarily for administrative metadata and does not directly affect network device state within the namespace.

rename OLDNAME NEWNAME
    Renames an existing network namespace from OLDNAME to NEWNAME. This operation updates its filesystem reference.

DESCRIPTION

The ip netns command is a powerful sub-command of the ip utility used to manage network namespaces in Linux. Network namespaces provide a lightweight, isolated network stack for a group of processes. This means each namespace has its own network devices, IP addresses, routing tables, firewall rules, and more, completely separate from the host system's network configuration or other namespaces.

Network namespaces are a fundamental technology underpinning containerization platforms like Docker and LXC, enabling multiple applications to run on the same host while having distinct and isolated network environments.

The ip netns command allows users to create, delete, list, and execute commands within these isolated network environments, making it an essential tool for network virtualization and container management.

CAVEATS

  • Root Privileges: Most ip netns operations require root privileges (or specific Linux capabilities like CAP_SYS_ADMIN and CAP_NET_ADMIN).
  • Namespace Persistence: A network namespace persists as long as there is at least one process referencing it, or as long as its corresponding bind-mounted file under /var/run/netns/ (or /run/netns/) exists. Simply using ip netns delete removes the reference, but the namespace object itself may not be fully garbage collected until all associated processes exit.
  • Resource Management: Creating many network namespaces can consume kernel resources. Proper cleanup is essential to prevent resource leaks.

NAMESPACE FILESYSTEM REPRESENTATION

When a network namespace is created using ip netns add NAME, iproute2 typically creates a bind mount at /var/run/netns/NAME (or /run/netns/NAME). This file serves as a persistent reference to the network namespace object in the kernel. As long as this file exists and is mounted, the namespace object remains available. Deleting this file manually (e.g., with rm) without first using ip netns delete NAME can sometimes lead to an inconsistent state or orphaned namespaces, although the kernel will eventually clean up unreferenced namespaces once all processes within them have exited.

NETWORK NAMESPACE CONFIGURATION

After creating a network namespace with ip netns add, it's typically an empty environment with no network interfaces (except for the loopback interface, which is usually brought up automatically within the namespace). To make the namespace functional, you must add and configure network interfaces, for example by creating virtual Ethernet (veth) pairs to connect it to the host or to other namespaces, or by moving physical interfaces into it. All configuration of interfaces, IP addresses, and routes within the namespace is done using ip commands run via ip netns exec.
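The procedure above as a shell script, added here as an example (not part of the original page): it creates a namespace, joins it to the host with a veth pair, addresses and routes it via ip netns exec, and tears it down only when ip netns pids reports no remaining processes (the persistence point from CAVEATS). The namespace name lab0, the veth names and the 10.200.0.0/24 addresses are assumptions; DRY_RUN=1 prints the commands instead of running them, so the plan can be reviewed without root.

```shell
# Added example: namespace "lab0" joined to the host by a veth pair (names/addresses assumed).
NS=lab0
HOST_IF="veth-${NS}-h"; NS_IF="veth-${NS}-n"
HOST_IP="10.200.0.1/24"; NS_IP="10.200.0.2/24"

# With DRY_RUN=1, echo each command instead of executing it (no root needed).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Create the namespace (and its bind mount under /run/netns), then wire it to the host.
netns_setup() {
    run ip netns add "$NS"
    run ip netns exec "$NS" ip link set lo up            # bring up loopback inside the namespace
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"                 # move one end of the pair into the namespace
    run ip addr add "$HOST_IP" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_IP" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip route add default via "${HOST_IP%/*}"   # host end is the gateway
}

# Isolation check: the namespace should list only lo and its own veth end, none of the host's links.
netns_ifaces() { ip netns exec "$NS" ip -o link show | awk -F': ' '{print $2}' | cut -d@ -f1; }

# Safe teardown: refuse to delete while processes still live inside the namespace.
netns_teardown() {
    pids=$(ip netns pids "$NS" 2>/dev/null || true)
    if [ -n "$pids" ]; then
        echo "refusing to delete $NS: processes still inside: $pids" >&2
        return 1
    fi
    run ip netns delete "$NS"   # removes /run/netns/$NS; the veth pair disappears with the namespace
}
```

Run as root with `netns_setup && netns_ifaces` to see only lo and veth-lab0-n, then `netns_teardown`.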

HISTORY

Network namespaces were introduced into the Linux kernel starting around version 2.6.24, significantly enhancing the kernel's capability for network virtualization and isolation. The ip command, including the netns sub-command, is part of the iproute2 suite. This modern networking utility collection superseded the older net-tools package (which included commands like ifconfig and route) due to its more robust design, consistent syntax, and superior support for advanced Linux networking features like namespaces, policy routing, and tunnels. The ip netns command quickly became an indispensable tool for managing network isolation, particularly with the rise of container technologies like Docker and LXC.

SEE ALSO

ip(8), netns(7), unshare(1), nsenter(1), mount(8), clone(2), setns(2)