haproxy/doc/network-namespaces.txt
KOVACS Krisztian b3e54fe387 MAJOR: namespace: add Linux network namespace support
This patch makes it possible to create binds and servers in separate
namespaces.  This can be used to proxy between multiple completely independent
virtual networks (with possibly overlapping IP addresses) and a
non-namespace-aware proxy implementation that supports the proxy protocol (v2).

The setup is something like this:

net1 on VLAN 1 (namespace 1) -\
net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0)
net3 on VLAN 3 (namespace 3) -/

The proxy is configured to make server connections through haproxy and to send
the expected source/target addresses to haproxy using the proxy protocol.

The network namespace setup on the haproxy node is something like this:

= 8< =
$ cat setup.sh
ip netns add 1
ip link add link eth1 type vlan id 1
ip link set eth1.1 netns 1
ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1
ip netns exec 1 ip link set eth1.1 up
...
= 8< =

= 8< =
$ cat haproxy.cfg
frontend clients
  bind 127.0.0.1:50022 namespace 1 transparent
  default_backend scb

backend scb
  mode tcp
  server server1 192.168.122.4:2222 namespace 2 send-proxy-v2
= 8< =

A bind line creates the listener in the specified namespace, and connections
originating from that listener also have their network namespace set to
that of the listener.

A server line either forces the connection to be made in a specified
namespace or may use the namespace from the client-side connection if that
was set.

For more documentation please read the documentation included in the patch
itself.

Signed-off-by: KOVACS Tamas <ktamas@balabit.com>
Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com>
Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
2014-11-21 07:51:57 +01:00


Linux network namespace support for HAProxy
===========================================
HAProxy supports proxying between Linux network namespaces. This
feature can be used, for example, in a multi-tenant networking
environment to proxy between different networks. HAProxy can also act
as a front-end proxy for non-namespace-aware services.

The proxy protocol has been extended to support transferring the
namespace information, so the originating namespace information can be
kept. This is useful when chaining multiple proxies and services.

To enable Linux namespace support, compile HAProxy with the `USE_NS=1`
make option.

## Setting up namespaces on Linux

To create network namespaces, use the 'ip netns' command. See the
manual page ip-netns(8) for details.

Make sure that the namespace handles (the files created by
'ip netns add', which HAProxy opens to enter a namespace) are located
under `/var/run/netns`.

For example, you can create a network namespace and assign one of the
networking interfaces to the new namespace:
```
$ ip netns add netns1
$ ip link set eth7 netns netns1
```

## Listing namespaces in the configuration file

HAProxy only uses namespaces that are explicitly listed in its
configuration file. If you are not using namespace information received
through the proxy protocol, this usually means that you must specify
namespaces for listeners and servers in the configuration file with the
'namespace' keyword.

However, if you are using the namespace information received through
the proxy protocol to determine the namespace of servers (see
'namespace *' below), you have to explicitly list all allowed
namespaces in the namespace_list section of your configuration file:
```
namespace_list
namespace netns1
namespace netns2
```

## Namespace information flow

The haproxy process always runs in the namespace it was started in.
This is the default namespace.

The bind addresses of listeners can have their namespace specified in
the configuration file. Unless specified, sockets associated with
listener bind addresses are created in the default namespace. For
example, this creates a listener in the netns2 namespace:
```
frontend f_example
bind 192.168.1.1:80 namespace netns2
default_backend http
```

Each client connection is associated with its source namespace. By
default, this is the namespace of the bind socket it arrived on, but
it can be overridden by information received through the proxy protocol.
Proxy protocol v2 supports transferring namespace information, so if
it is enabled for the listener, it can override the associated
namespace of the connection.
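
The exchange described in the two paragraphs above, as an added example in Python that is not part of the HAProxy documentation or code base: a sender encodes a PROXY protocol v2 header that carries the namespace of the client connection, and a receiver parses it the way a careful 'accept-proxy' listener should, rejecting malformed input and accepting a namespace only when it is on an allow-list corresponding to the namespace_list section. The wire layout (signature, version/command byte, family byte, 16-bit length, address block, then type/length/value records) and the TLV type number PP2_TYPE_NETNS = 0x30 come from HAProxy's proxy-protocol specification, not from this document; rejecting an unlisted namespace is this example's policy.

```python
"""Build and parse a PROXY protocol v2 header carrying a network namespace TLV.

Added example (not HAProxy's own code). Layout and the 0x30 NETNS TLV type
are taken from HAProxy's proxy-protocol specification; the allow-list check
mirrors the namespace_list rule of network-namespaces.txt.
"""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21   # version 2, command PROXY
PP2_FAM_TCP4 = 0x11        # AF_INET, SOCK_STREAM
PP2_TYPE_NETNS = 0x30      # TLV type for the originating namespace name


def build_pp2_tcp4(src_ip, dst_ip, src_port, dst_port, netns=None):
    """Encode a v2 PROXY header for TCP over IPv4, optionally adding a
    NETNS TLV that names the namespace the client connection came from."""
    addr = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port))
    tlvs = b""
    if netns is not None:
        value = netns.encode("ascii")
        tlvs = struct.pack("!BH", PP2_TYPE_NETNS, len(value)) + value
    body = addr + tlvs
    head = struct.pack("!BBH", PP2_VERSION_PROXY, PP2_FAM_TCP4, len(body))
    return PP2_SIGNATURE + head + body


def parse_pp2(data):
    """Decode a v2 PROXY header from the start of `data`.

    Returns (info, rest): info holds the addresses and a dict of TLVs keyed by
    type, rest is whatever follows the header. Anything malformed raises
    ValueError; a receiver should drop such a connection rather than guess."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd != PP2_VERSION_PROXY:
        raise ValueError(f"unsupported version/command {ver_cmd:#x}")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body, rest = data[16:16 + length], data[16 + length:]
    if fam != PP2_FAM_TCP4:
        raise ValueError(f"unsupported address family {fam:#x}")
    if len(body) < 12:
        raise ValueError("address block too short for TCP over IPv4")
    info = {
        "src": socket.inet_ntoa(body[0:4]),
        "dst": socket.inet_ntoa(body[4:8]),
        "src_port": struct.unpack("!H", body[8:10])[0],
        "dst_port": struct.unpack("!H", body[10:12])[0],
        "tlvs": {},
    }
    pos = 12
    while pos < len(body):
        if pos + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + tlv_len > len(body):
            raise ValueError("TLV length exceeds header length")
        info["tlvs"][tlv_type] = body[pos:pos + tlv_len]
        pos += tlv_len
    return info, rest


def select_server_namespace(info, allowed, default="default"):
    """Receiver-side counterpart of 'namespace *': use the namespace named in
    the header only if it is on the allow-list (HAProxy's namespace_list).
    No TLV means the default namespace; an unlisted name is rejected."""
    raw = info["tlvs"].get(PP2_TYPE_NETNS)
    if raw is None:
        return default
    name = raw.decode("ascii", errors="replace")
    if name not in allowed:
        raise ValueError(f"namespace {name!r} is not in the allow-list")
    return name


if __name__ == "__main__":
    # Constructed sample: a client in netns2 reaching the accept-proxy listener.
    header = build_pp2_tcp4("10.0.0.5", "192.168.1.1", 40000, 9990, netns="netns2")
    parsed, payload = parse_pp2(header + b"hello")
    print(parsed, payload, select_server_namespace(parsed, {"netns1", "netns2"}))
```

The parser checks every length field against the bytes actually present before indexing into them, and it never lets a namespace name from the wire pick the outbound namespace unless that name was configured in advance; both are the properties a listener with 'accept-proxy' needs from an untrusted upstream.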
Servers can have their namespaces specified in the configuration file
with the 'namespace' keyword:
```
backend b_example
server s1 192.168.1.100:80 namespace netns2
```

If no namespace is set for a server, it is assumed that it is in the
default namespace. When specified, outbound sockets to the server are
created in the network namespace configured. To create the outbound
(server) connection in the namespace associated with the client, use
the '*' namespace. This is especially useful when using the
destination address and namespace received from the proxy protocol.
```
frontend f_example
bind 192.168.1.1:9990 accept-proxy
default_backend b_example

backend b_example
mode tcp
source 0.0.0.0 usesrc clientip
server snodes * namespace *
```

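
A configuration check that applies the rules from the 'Listing namespaces' section and the server paragraphs above, as an added example in Python that is not HAProxy's own code: it reads a configuration, collects every 'namespace' argument on bind and server lines and every entry of the namespace_list section, verifies that each named namespace has a handle under the netns directory (normally /var/run/netns), and flags a server that uses 'namespace *' when no namespace_list is present, since that section is the allow-list for names supplied through the proxy protocol. The sample configuration and the temporary directory standing in for /var/run/netns are constructed for this example.

```python
"""Lint the namespace references in an HAProxy configuration.

Added example, not HAProxy's own parser. Rules applied, from
network-namespaces.txt: namespaces on bind/server lines and in namespace_list
must exist under the netns directory, and 'namespace *' on a server needs a
non-empty namespace_list.
"""
import os
import re
import shlex
import tempfile

# Constructed sample config, modelled on the fragments in the document.
SAMPLE_CFG = """\
namespace_list
    namespace netns1
    namespace netns2

frontend f_example
    bind 192.168.1.1:80 namespace netns2
    bind 192.168.1.1:9990 accept-proxy
    default_backend b_example

backend b_example
    mode tcp
    server s1 192.168.1.100:80 namespace netns2
    server s2 192.168.1.101:80 namespace netns9
    server snodes * namespace *
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|namespace_list)\b")


def parse_namespaces(cfg_text):
    """Return (explicit, allowed, wildcard).

    explicit: {(section, namespace)} for bind/server lines naming a namespace.
    allowed:  names listed in the namespace_list section.
    wildcard: [(section, first argument)] for lines using 'namespace *'.
    """
    explicit, allowed, wildcard = set(), set(), []
    section = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if SECTION_RE.match(line):
            section = line
            continue
        words = shlex.split(line)
        if section == "namespace_list":
            if words[0] == "namespace" and len(words) == 2:
                allowed.add(words[1])
            continue
        if words[0] not in ("bind", "server"):
            continue
        # 'namespace' is a keyword argument; the namespace name follows it.
        for i, word in enumerate(words[:-1]):
            if word == "namespace":
                ns = words[i + 1]
                if ns == "*":
                    wildcard.append((section, words[1]))
                else:
                    explicit.add((section, ns))
    return explicit, allowed, wildcard


def lint(cfg_text, netns_dir="/var/run/netns"):
    """Return a list of findings; an empty list means the config passed."""
    explicit, allowed, wildcard = parse_namespaces(cfg_text)
    present = set(os.listdir(netns_dir)) if os.path.isdir(netns_dir) else set()
    findings = []
    for section, ns in sorted(explicit):
        if ns not in present:
            findings.append(f"{section}: namespace '{ns}' has no handle in {netns_dir}")
    for ns in sorted(allowed):
        if ns not in present:
            findings.append(f"namespace_list: '{ns}' has no handle in {netns_dir}")
    if wildcard and not allowed:
        for section, name in wildcard:
            findings.append(f"{section}: '{name}' uses 'namespace *' but "
                            "namespace_list is missing or empty")
    return findings


def demo():
    """Run the lint against a constructed stand-in for /var/run/netns that
    holds handles for netns1 and netns2 only."""
    stand_in = tempfile.mkdtemp(prefix="netns-demo-")
    for name in ("netns1", "netns2"):
        open(os.path.join(stand_in, name), "w").close()
    return lint(SAMPLE_CFG, netns_dir=stand_in)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against the real /var/run/netns on the HAProxy host before reloading a configuration; a namespace that is spelled correctly in the config but has no handle on this host is the failure this catches, and it also refuses to let 'namespace *' through on a host where nothing constrains which namespaces a proxy-protocol peer may name.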
If HAProxy is configured to send proxy protocol v2 headers to the
server, the outgoing header will always contain the namespace
associated with the client connection, not the namespace configured
for the server.