Network Isolation

To isolate networking we use a combination of network namespaces, virtual interfaces and standard Linux traffic shaping tools.

Each function (the Nth on the system):

  • Executes in its own network namespace faasmnsN
  • This namespace has an associated pair of virtual interfaces faasmN/faasmpN (one inside the namespace handling ingress/egress and one outside handling egress/ingress)
  • Both interfaces have traffic shaping rules set with tc

The traffic shaping works because every kind of traffic is seen as egress on one of the two interfaces:

```
# Egress (i.e. egress on veth_peer and ingress on veth)
user_code -> veth_peer -> | namespace | -> veth -> eth0 -> network
# Ingress (i.e. egress on veth and ingress on veth_peer)
user_code <- veth_peer <- | namespace | <- veth <- eth0 <- network
```
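The setup described above, as an added example rather than Faasm's own bin/netns.sh: one namespace per function, a veth pair with the host end shaped by tc and the inner end shaped from inside the namespace. The mapping of faasmN to the host side and faasmpN to the inside, the 10.200.N.0/24 addressing and the default 1mbit rate are assumptions.

```bash
#!/bin/sh
# Added example, not Faasm's own bin/netns.sh: build the per-function
# namespace described above. Names follow the page (faasmnsN, faasmN on the
# host side, faasmpN inside); the 10.200.N.0/24 addressing and the default
# 1mbit token-bucket rate are assumptions chosen for illustration.

# run CMD... : execute CMD, or only print it when DRY_RUN=1 so the
# generated configuration can be reviewed without root.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# netns_setup N [RATE] : create faasmnsN, the veth pair faasmN/faasmpN and
# an egress token-bucket filter on each end of the pair.
netns_setup() {
  n="$1"; rate="${2:-1mbit}"
  ns="faasmns${n}"; veth="faasm${n}"; peer="faasmp${n}"

  run ip netns add "$ns"
  run ip link add "$veth" type veth peer name "$peer"
  run ip link set "$peer" netns "$ns"

  run ip addr add "10.200.${n}.1/24" dev "$veth"
  run ip link set "$veth" up
  run ip netns exec "$ns" ip link set lo up
  run ip netns exec "$ns" ip addr add "10.200.${n}.2/24" dev "$peer"
  run ip netns exec "$ns" ip link set "$peer" up
  run ip netns exec "$ns" ip route add default via "10.200.${n}.1"

  # Function -> network traffic is egress on faasmpN, network -> function
  # traffic is egress on faasmN, so one egress qdisc per end shapes both
  # directions (forwarding/NAT from faasmN to eth0 is outside this example).
  run ip netns exec "$ns" tc qdisc add dev "$peer" root tbf \
      rate "$rate" burst 32kbit latency 400ms
  run tc qdisc add dev "$veth" root tbf \
      rate "$rate" burst 32kbit latency 400ms
}

# netns_setup_many COUNT [RATE] : namespaces 1..COUNT.
netns_setup_many() {
  count="$1"; i=1
  while [ "$i" -le "$count" ]; do
    netns_setup "$i" "${2:-1mbit}"
    i=$((i + 1))
  done
}
```

Source the file and call `DRY_RUN=1 netns_setup_many 10` to review the ip/tc commands that would be issued, or run the same call as root to apply them.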

Testing

Quick check

To run a quick check on the Faasm namespaces you can run:

```bash
# Create ten namespaces
sudo ./bin/netns.sh 10
# Check one or two
sudo ./bin/netns_check.sh faasm 1
sudo ./bin/netns_check.sh faasm 5
```

You can then make sure the limits are set up properly.

Limits test

To run a fuller test on both ingress and egress we need two remote machines, each with iperf3 installed (not iperf). Note that both must have at least one public nameserver listed in /etc/resolv.conf, e.g.:

```
nameserver 8.8.8.8
```

You then need to set up an iperf3 server on one of the hosts:

```bash
# Get the ip
ip addr
# Run the server
iperf3 -s
```

The test itself can be run with the script in this repo on the other machine:

```bash
sudo ./bin/netns_limit_test.sh <server_ip>
```

Note that for the actual system we use a permissive limit on ingress/egress (>1MiB), so to run the test we need to create an artificially restrictive namespace.