veth pair: veth | LinuxLab

Why you need them

In Linux, a network card lives in one namespace (see namespaces). To connect a container (its own netns) to anything else, you need a "wire." A veth pair is that wire: two synthetic interfaces physically linked together. Whatever arrives at one end exits the other instantly.

You create a pair with a single command:

bash

sudo ip link add veth0 type veth peer name veth1

After this, two interfaces appear in the default netns. You leave one in the host netns (often bridged) and move the other into the container namespace:

bash

sudo ip netns add container

sudo ip link set veth1 netns container

Now:

veth0 is on the host, visible in ip link
veth1 is inside netns container, visible via ip netns exec container ip link

Bring both up and assign IPs to get a working channel:

bash

sudo ip addr add 10.0.0.1/24 dev veth0

sudo ip link set veth0 up

sudo ip netns exec container ip addr add 10.0.0.2/24 dev veth1

sudo ip netns exec container ip link set veth1 up

A ping to 10.0.0.2 from the host will succeed.

How container platforms use veth pairs

Docker, CRI-O, containerd, and Kubernetes do the same thing for you:

Create a veth pair when the container starts.
Attach one end to a bridge on the host (docker0, cni0).
Move the other end into the pod or container netns.
Assign an IP from the bridge subnet.
Set the default route inside the container to the bridge IP.

When two containers on the same host talk to each other, packets travel through the host bridge: container1 -> veth pair -> bridge -> veth pair -> container2.

When a container sends traffic out, the packet goes through bridge -> host routing -> external interface (with nat masquerade).

Names and counters

Names are usually generated (vethXXXXXX@if13). The number after @if is the ifindex of the other end.

bash

ip -br link | grep ^veth

# vethabc123@if5  UP  fe:80:42:...

Counters on each end are symmetric:

bash

ip -s link show veth0

# shows rx/tx packets/bytes

Alternatives

macvlan gives a container its own MAC on a physical interface, with no bridge. Faster, but it appears on the L2 network as a separate device.
ipvlan is similar to macvlan but with a shared MAC, differentiated by IP.
VXLAN / GENEVE are overlay networks for multi-host scenarios (k8s flannel, calico).

Why you need them

You create a pair with a single command:

bash

sudo ip link add veth0 type veth peer name veth1

After this, two interfaces appear in the default netns. You leave one in the host netns (often bridged) and move the other into the container namespace:

bash

sudo ip netns add container

sudo ip link set veth1 netns container

Now:

veth0 is on the host, visible in ip link
veth1 is inside netns container, visible via ip netns exec container ip link

Bring both up and assign IPs to get a working channel:

bash

sudo ip addr add 10.0.0.1/24 dev veth0

sudo ip link set veth0 up

sudo ip netns exec container ip addr add 10.0.0.2/24 dev veth1

sudo ip netns exec container ip link set veth1 up

A ping to 10.0.0.2 from the host will succeed.

How container platforms use veth pairs

Docker, CRI-O, containerd, and Kubernetes do the same thing for you:

Create a veth pair when the container starts.
Attach one end to a bridge on the host (docker0, cni0).
Move the other end into the pod or container netns.
Assign an IP from the bridge subnet.
Set the default route inside the container to the bridge IP.

When two containers on the same host talk to each other, packets travel through the host bridge: container1 -> veth pair -> bridge -> veth pair -> container2.

When a container sends traffic out, the packet goes through bridge -> host routing -> external interface (with nat masquerade).

Names and counters

Names are usually generated (vethXXXXXX@if13). The number after @if is the ifindex of the other end.

bash

ip -br link | grep ^veth

# vethabc123@if5  UP  fe:80:42:...

Counters on each end are symmetric:

bash

ip -s link show veth0

# shows rx/tx packets/bytes

Alternatives

macvlan gives a container its own MAC on a physical interface, with no bridge. Faster, but it appears on the L2 network as a separate device.
ipvlan is similar to macvlan but with a shared MAC, differentiated by IP.
VXLAN / GENEVE are overlay networks for multi-host scenarios (k8s flannel, calico).

veth pair

Why you need them

How container platforms use veth pairs

Names and counters

Alternatives

§ команды

§ см. также

§ упоминается в уроках

veth pair

Why you need them

How container platforms use veth pairs

Names and counters

Alternatives

§ команды

§ см. также

§ упоминается в уроках