Docker Container Network Namespace Is Invisible

This article examines why Docker container network namespaces are invisible to the ip netns ls command and provides a solution to make them accessible for network debugging and management.

Containerization

Containerization is a lightweight virtualization technology where applications and their dependencies are packaged into portable containers. Unlike traditional virtual machines, containers share the host OS kernel and system resources, making them faster to start and more resource-efficient. Containers include only the necessary libraries, binaries, and runtime components needed for the application to run consistently across different environments.

Docker

Docker is a containerization platform that enables developers to build, ship, and run applications in containers. Docker organizes software into standardized units called containers, which contain everything needed to run the application ? libraries, system tools, code, and runtime. This ensures consistent behavior across development, testing, and production environments.

Network Namespaces

Linux network namespaces are a kernel feature that provides network isolation. Each namespace has its own network interfaces, routing tables, and firewall rules, completely separated from other namespaces. Linux supports six types of namespaces: pid, net, uts, mnt, ipc, and user.

Listing System Namespaces

The lsns command displays all existing namespaces on your system:

$ lsns

 NS         TYPE   NPROCS   PID USER    COMMAND
4026531836  pid        2  7358 sachin  -bash
4026531837  user       2  7358 sachin  -bash
4026531838  uts        2  7358 sachin  -bash
4026531839  ipc        2  7358 sachin  -bash
4026531840  mnt        2  7358 sachin  -bash
4026532185  net        2  7358 sachin  -bash

The Invisible Docker Network Namespace Problem

When Docker creates a container, it generates namespace pseudo-files in /proc/<pid>/ns/, where <pid> is the container's process ID. Let's create a container and examine its namespaces:

$ sudo docker run --rm -d ubuntu:latest sleep infinity
c5503724a3ab4339e9246f0ef4cddf475e1f4f98964df834bfacaf5ff170fb03

$ docker inspect --format '{{.State.Pid}}' c5503724a3ab
1946

Examining the container's namespace directory shows all namespace files including the network namespace:

$ sudo ls -la /proc/1946/ns

total 0
dr-x--x--x 2 root root 0 Oct  6 17:25 .
dr-xr-xr-x 9 root root 0 Oct  6 17:25 ..
lrwxrwxrwx 1 root root 0 Oct  6 17:28 ipc -> ipc:[4026532177]
lrwxrwxrwx 1 root root 0 Oct  6 17:25 mnt -> mnt:[4026532175]
lrwxrwxrwx 1 root root 0 Oct  6 17:25 net -> net:[4026532180]
lrwxrwxrwx 1 root root 0 Oct  6 17:28 pid -> pid:[4026532178]
lrwxrwxrwx 1 root root 0 Oct  6 17:28 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Oct  6 17:28 uts -> uts:[4026532176]

Despite the network namespace file existing, running ip netns ls returns no results:

$ ip netns ls
$

Root Cause: Missing File Reference

The ip netns ls command searches for network namespace files in the /var/run/netns directory. However, Docker does not create symbolic links or bind mounts in this directory when containers are created. This causes Docker network namespaces to be invisible to standard network namespace tools.

Solution: Creating the File Reference

To make Docker network namespaces visible, we need to create the necessary directory structure and bind mount the namespace file:

$ mkdir -p /var/run/netns
$ touch /var/run/netns/c5503724a3ab

Next, bind mount the container's network namespace file to the expected location:

$ mount -o bind /proc/1946/ns/net /var/run/netns/c5503724a3ab

Now ip netns ls successfully displays the Docker container's network namespace:

$ ip netns ls

c5503724a3ab (id: 1)

Accessing the Network Namespace

With the file reference established, you can now execute network commands within the container's namespace using ip netns exec:

$ ip netns exec c5503724a3ab ip addr list

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:3/64 scope link
       valid_lft forever preferred_lft forever

Conclusion

Docker containers create isolated network namespaces that are invisible to ip netns ls because Docker doesn't create the expected file references in /var/run/netns. By manually bind mounting the namespace file to the correct location, you can make Docker network namespaces visible to standard Linux networking tools, enabling easier debugging and network management.