Docker Chapter 5: Container Networking

ip netns

All virtualized networking is built on netns.
ip-netns - process network namespace management  # tool for managing network namespaces

A network namespace is logically another copy of the network stack, with its own routes, firewall rules and network devices. By default a process inherits its network namespace from its parent. Initially, all processes share the same default network namespace, inherited from the init process.
SYNOPSIS        # usage
       ip [ OPTIONS ] netns  { COMMAND | help }

       ip netns [ list ]    # list all namespaces
  
       ip netns add NETNSNAME       # create a new namespace

       ip netns attach NETNSNAME PID       

       ip [-all] netns del [ NETNSNAME ]     # delete a namespace

       ip netns set NETNSNAME NETNSID      

       ip netns identify [ PID ]

       ip netns pids NETNSNAME

       ip [-all] netns exec [ NETNSNAME ] command...      # run the given command inside a network namespace
 
       ip netns monitor

       ip netns list-id

 

 ip [-all] netns delete [ NAME ] - delete the name of a network namespace(s)

  

[root@localhost netreport]# ip netns add testspace   # add a namespace
[root@localhost netreport]# ip netns list            # list namespaces
testspace

[root@localhost netreport]# ip netns del testspace    # delete it

[root@localhost netreport]# ip netns add testspace

[root@localhost netreport]# ip netns exec testspace ifconfig -a    # run a command inside the namespace
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost netreport]# 


ip-link: network device configuration

# ip link is the network device management tool; it is used to configure virtual interfaces
[root@localhost netreport]# ip link help
Usage: ip link add [link DEV] [ name ] NAME
                   [ txqueuelen PACKETS ]
                   [ address LLADDR ]
                   [ broadcast LLADDR ]
                   [ mtu MTU ] [index IDX ]
                   [ numtxqueues QUEUE_COUNT ]
                   [ numrxqueues QUEUE_COUNT ]
                   type TYPE [ ARGS ]

       ip link delete { DEVICE | dev DEVICE | group DEVGROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | dev DEVICE | group DEVGROUP }
                          [ { up | down } ]
                          [ type TYPE ARGS ]
                          [ arp { on | off } ]
                          [ dynamic { on | off } ]
                          [ multicast { on | off } ]
                          [ allmulticast { on | off } ]
                          [ promisc { on | off } ]
                          [ trailers { on | off } ]
                          [ carrier { on | off } ]
                          [ txqueuelen PACKETS ]
                          [ name NEWNAME ]
                          [ address LLADDR ]
                          [ broadcast LLADDR ]
                          [ mtu MTU ]
                          [ netns { PID | NAME } ]
                          [ link-netnsid ID ]
                          [ alias NAME ]
                          [ vf NUM [ mac LLADDR ]
                                   [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]
                                   [ rate TXRATE ]
                                   [ max_tx_rate TXRATE ]
                                   [ min_tx_rate TXRATE ]
                                   [ spoofchk { on | off} ]
                                   [ query_rss { on | off} ]
                                   [ state { auto | enable | disable} ] ]
                                   [ trust { on | off} ] ]
                                   [ node_guid { eui64 } ]
                                   [ port_guid { eui64 } ]
                          [ xdp { off |
                                  object FILE [ section NAME ] [ verbose ] |
                                  pinned FILE } ]
                          [ master DEVICE ][ vrf NAME ]
                          [ nomaster ]
                          [ addrgenmode { eui64 | none | stable_secret | random } ]
                          [ protodown { on | off } ]

       ip link show [ DEVICE | group GROUP ] [up] [master DEV] [vrf NAME] [type TYPE]

       ip link xstats type TYPE [ ARGS ]

       ip link afstats [ dev DEVICE ]

       ip link help [ TYPE ]

TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |
          bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |
          gre | gretap | ip6gre | ip6gretap | vti | nlmon | team_slave |
          bond_slave | ipvlan | geneve | bridge_slave | vrf | macsec }
[root@localhost netreport]#

  

Common commands

ip link add - add a virtual link
ip link delete - delete a virtual link
ip link set - change device attributes
ip link show - display device attributes
ip link xstats - display extended statistics
ip link afstats - display address-family-specific statistics
ip link help - display help

Displaying device attributes

ip link show - display device attributes

  dev NAME: specifies the network device to show (default). If no device is given, all devices are shown.
  up: only display running interfaces.

 

Adding a virtual device

ip link add - add virtual link

link DEVICE: specifies the physical device to operate on, i.e. the physical device the new link is created on.
NAME: specifies the name of the new virtual device.
TYPE: specifies the type of the new device.
Link types:
  vlan - 802.1q tagged virtual LAN interface
  veth - Virtual ethernet interface (always created as a pair)
  vcan - Virtual Local CAN interface
  dummy - Dummy network interface
  ifb - Intermediate Functional Block device
  macvlan - virtual interface based on link layer address (MAC)
  can - Controller Area Network interface
  bridge - Ethernet Bridge device


Deleting a virtual device

ip link delete - delete virtual link

  DEVICE: specifies the virtual device to operate on.
  TYPE: specifies the type of the device.
  dev DEVICE: specifies the physical device to operate on.

  

Setting device attributes

ip link set - change device attributes

  dev DEVICE: specifies the network device to operate on.
  up and down: change the state of the device to UP or DOWN.
  multicast on or multicast off: change the MULTICAST flag on the device (enable or disable multicast).
  name NAME: change the name of the device. The interface must be brought down first, otherwise the kernel reports that the device is busy.
    This operation is not recommended if the device is running or has some addresses already configured.
  alias NAME: give the device a symbolic name for easy reference.
  mtu NUMBER: change the MTU of the device (the default is 1500).
  netns NETNSNAME: move the device to the network namespace associated with name NETNSNAME.

  

veth - Virtual ethernet interface  # virtual Ethernet device

# veth devices always come in pairs: each end is attached to the kernel protocol stack, and the two ends are connected to each other. Data that one end receives from the protocol stack is sent out of the other end. The rough structure is as follows:

  

+----------------------------------------------------------------+
|                                                                |
|       +------------------------------------------------+       |
|       |             Network Protocol Stack             |       |
|       +------------------------------------------------+       |
|              ↑               ↑               ↑                 |
|..............|...............|...............|.................|
|              ↓               ↓               ↓                 |
|        +----------+    +-----------+   +-----------+           |
|        |   eth0   |    |   veth0   |   |   veth1   |           |
|        +----------+    +-----------+   +-----------+           |
|              ↑               ↑               ↑                 |
|              |               +---------------+                 |
|              |          10.1.1.1/24       10.1.1.2/24          |
+--------------|-------------------------------------------------+
               ↓ 192.168.100.100
         Physical Network

  

Example

Create a pair of virtual interfaces. Newly created interfaces are down by default, and the loopback interface lo inside a namespace is also down by default.
[root@localhost netreport]# ip link add name veth1 type veth peer name veth2
[root@localhost netreport]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:8b:7c:a1 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:3d:8c:f3:de brd ff:ff:ff:ff:ff:ff
7: vetha2d7cb7@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether 3a:54:20:3d:ff:16 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: veth2@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 8a:ed:62:73:ec:f6 brd ff:ff:ff:ff:ff:ff
9: veth1@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether da:6c:01:ef:3b:6a brd ff:ff:ff:ff:ff:ff
[root@localhost netreport]# 

 

# An interface can belong to only one namespace; move the veth2 interface into the testspace namespace
[root@localhost netreport]# ip link set dev veth2 netns testspace
[root@localhost netreport]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:8b:7c:a1 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:3d:8c:f3:de brd ff:ff:ff:ff:ff:ff
7: vetha2d7cb7@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 3a:54:20:3d:ff:16 brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: veth1@if8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether da:6c:01:ef:3b:6a brd ff:ff:ff:ff:ff:ff link-netnsid 1
[root@localhost netreport]#

 

Making two interfaces in different namespaces communicate

[root@localhost netreport]# ip netns list
testspace (id: 1)
[root@localhost netreport]# ip netns exec testspace ip link set dev veth2 name veth0    # the device name can be changed
[root@localhost netreport]# ip netns exec testspace ifconfig        
[root@localhost netreport]# ip netns exec testspace ifconfig -a                # show all interfaces
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 8a:ed:62:73:ec:f6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost netreport]# ip netns exec testspace ifconfig veth0 10.1.1.2/24
[root@localhost netreport]# ip netns exec testspace ifconfig veth0 10.1.1.2/24 up     # assign an address to the namespace's interface and bring it up
[root@localhost netreport]# ip netns exec testspace ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.1.1.2  netmask 255.255.255.0  broadcast 10.1.1.255
        ether 8a:ed:62:73:ec:f6  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost netreport]# 
[root@localhost netreport]# ifconfig veth1 10.1.1.1/24
[root@localhost netreport]# ifconfig veth1 10.1.1.1/24 up                # assign an address to the host-side virtual interface and bring it up
[root@localhost netreport]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.089 ms
64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.067 ms
^C
--- 10.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.067/0.078/0.089/0.011 ms
[root@localhost netreport]# 
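The whole procedure above (create the namespace, create the veth pair, move one end, address both ends, bring them up, test, tear down) as one script. This is an added example and not part of the original post; it uses the post's names (testspace, veth1, veth2, 10.1.1.0/24) but replaces ifconfig with the ip commands documented earlier in the chapter. The helper functions, the DRY_RUN switch and the interface-name check are this example's own assumptions; applying the commands for real needs root and iproute2.

```shell
#!/bin/sh
# Added example (not from the original post): builds and tears down the
# veth/netns lab from this chapter with `ip` instead of ifconfig.
# Assumptions of this example: the helper names below, the DRY_RUN switch
# (DRY_RUN=1 only prints the commands; DRY_RUN=0 executes them as root).

: "${DRY_RUN:=1}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# validate_ifname NAME: Linux limits an interface name to 15 bytes (IFNAMSIZ - 1)
# and rejects empty names, "." and "..", and names containing '/', ':' or whitespace.
# Checking here gives a clear error instead of a failing `ip link add`.
validate_ifname() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 15 ] || return 1
    case $name in
        */*|*:*|*[[:space:]]*|.|..) return 1 ;;
    esac
    return 0
}

# netns_veth_setup NS HOST_IF NS_IF HOST_CIDR NS_CIDR
# Creates NS and a veth pair, moves NS_IF into NS, assigns addresses and brings
# everything up, including lo inside NS (down by default, as the chapter notes).
netns_veth_setup() {
    ns=$1 host_if=$2 ns_if=$3 host_cidr=$4 ns_cidr=$5
    validate_ifname "$host_if" || { echo "bad interface name: $host_if" >&2; return 1; }
    validate_ifname "$ns_if"   || { echo "bad interface name: $ns_if" >&2; return 1; }
    run ip netns add "$ns"
    run ip link add name "$host_if" type veth peer name "$ns_if"
    run ip link set dev "$ns_if" netns "$ns"
    run ip netns exec "$ns" ip link set dev lo up
    run ip netns exec "$ns" ip addr add "$ns_cidr" dev "$ns_if"
    run ip netns exec "$ns" ip link set dev "$ns_if" up
    run ip addr add "$host_cidr" dev "$host_if"
    run ip link set dev "$host_if" up
}

# netns_veth_check NS TARGET: one ping from inside NS to TARGET, 1 s timeout.
netns_veth_check() {
    run ip netns exec "$1" ping -c 1 -W 1 "$2"
}

# netns_veth_teardown NS: deleting the namespace destroys the veth end inside
# it, and the kernel removes its peer in the host namespace at the same time,
# so no separate `ip link del` is needed.
netns_veth_teardown() {
    run ip netns del "$1"
}

# Usage: prints the plan; run with DRY_RUN=0 as root to apply it.
netns_veth_setup testspace veth1 veth2 10.1.1.1/24 10.1.1.2/24
netns_veth_check testspace 10.1.1.1
netns_veth_teardown testspace
```

Review the printed plan first, then rerun with DRY_RUN=0. The teardown relies on the veth pairing described above: removing one end of the pair removes the other, so deleting the namespace is enough to return the host to its previous state.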
