Docker Chapter 5: Container Networking

    ip netns

    All virtualized networking is built on netns (network namespaces).
    ip-netns - process network namespace management  # tool for managing network namespaces

    A network namespace is logically another copy of the network stack, with its own routes, firewall rules and network devices. By default a process inherits its network namespace from its parent, so initially all processes share the same default network namespace, the one that comes from the init process.
    SYNOPSIS        # usage
           ip [ OPTIONS ] netns  { COMMAND | help }
    
           ip netns [ list ]    # list all namespaces
    
           ip netns add NETNSNAME       # create a new namespace
    
           ip netns attach NETNSNAME PID
    
           ip [-all] netns del [ NETNSNAME ]     # delete a namespace
    
           ip netns set NETNSNAME NETNSID
    
           ip netns identify [ PID ]
    
           ip netns pids NETNSNAME
    
           ip [-all] netns exec [ NETNSNAME ] command...      # run the given command inside the network namespace
    
           ip netns monitor
    
           ip netns list-id
    

      

    [root@localhost netreport]# ip netns add testspace   # add a namespace
    [root@localhost netreport]# ip netns list            # list namespaces
    testspace
    
    [root@localhost netreport]# ip netns del testspace    # delete it
    
    [root@localhost netreport]# ip netns add testspace
    
    [root@localhost netreport]# ip netns exec testspace ifconfig -a    # run a command inside the namespace
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@localhost netreport]# 
    

      

     

    ip-link: network device configuration

    # ip link: network device management tool, used to configure virtual NICs
    [root@localhost netreport]# ip link help
    Usage: ip link add [link DEV] [ name ] NAME
                       [ txqueuelen PACKETS ]
                       [ address LLADDR ]
                       [ broadcast LLADDR ]
                       [ mtu MTU ] [index IDX ]
                       [ numtxqueues QUEUE_COUNT ]
                       [ numrxqueues QUEUE_COUNT ]
                       type TYPE [ ARGS ]
    
           ip link delete { DEVICE | dev DEVICE | group DEVGROUP } type TYPE [ ARGS ]
    
           ip link set { DEVICE | dev DEVICE | group DEVGROUP }
                              [ { up | down } ]
                              [ type TYPE ARGS ]
                              [ arp { on | off } ]
                              [ dynamic { on | off } ]
                              [ multicast { on | off } ]
                              [ allmulticast { on | off } ]
                              [ promisc { on | off } ]
                              [ trailers { on | off } ]
                              [ carrier { on | off } ]
                              [ txqueuelen PACKETS ]
                              [ name NEWNAME ]
                              [ address LLADDR ]
                              [ broadcast LLADDR ]
                              [ mtu MTU ]
                              [ netns { PID | NAME } ]
                              [ link-netnsid ID ]
                              [ alias NAME ]
                              [ vf NUM [ mac LLADDR ]
                                       [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]
                                       [ rate TXRATE ]
                                       [ max_tx_rate TXRATE ]
                                       [ min_tx_rate TXRATE ]
                                       [ spoofchk { on | off} ]
                                       [ query_rss { on | off} ]
                                       [ state { auto | enable | disable} ] ]
                                       [ trust { on | off} ] ]
                                       [ node_guid { eui64 } ]
                                       [ port_guid { eui64 } ]
                              [ xdp { off |
                                      object FILE [ section NAME ] [ verbose ] |
                                      pinned FILE } ]
                              [ master DEVICE ][ vrf NAME ]
                              [ nomaster ]
                              [ addrgenmode { eui64 | none | stable_secret | random } ]
                              [ protodown { on | off } ]
    
           ip link show [ DEVICE | group GROUP ] [up] [master DEV] [vrf NAME] [type TYPE]
    
           ip link xstats type TYPE [ ARGS ]
    
           ip link afstats [ dev DEVICE ]
    
           ip link help [ TYPE ]
    
    TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |
              bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |
              gre | gretap | ip6gre | ip6gretap | vti | nlmon | team_slave |
              bond_slave | ipvlan | geneve | bridge_slave | vrf | macsec }
    [root@localhost netreport]#

      

     Common commands

    ip link add - add a virtual link
    ip link delete - delete a virtual link
    ip link set - change device attributes
    ip link show - display device attributes
    ip link xstats - display extended statistics
    ip link afstats - display address-family specific statistics
    ip link help - display help
    

    Display device attributes

    ip link show - display device attributes
    
      dev NAME: specifies the network device to show (default). If no device is given, all devices are shown.
      up: only display running interfaces (interfaces that are up).
    

    Add a virtual device

    ip link add - add virtual link
    
    link DEVICE: specifies the physical device to operate on.
    NAME: specifies the name of the new virtual device.
    TYPE: specifies the type of the new device.
    Link types:
      vlan - 802.1q tagged virtual LAN interface
      veth - Virtual ethernet interface (always created as a pair)
      vcan - Virtual Local CAN interface
      dummy - Dummy network interface
      ifb - Intermediate Functional Block device
      macvlan - virtual interface based on link layer address (MAC)
      can - Controller Area Network interface
      bridge - Ethernet Bridge device
    

      

     

    Delete a virtual device

    ip link delete - delete virtual link
    
      DEVICE: specifies the virtual device to operate on.
      TYPE: specifies the type of the device.
      dev DEVICE: specifies the physical device to operate on.
    

      

    Set device attributes

    ip link set - change device attributes
    
      dev DEVICE: specifies the network device to operate on.
      up and down: change the state of the device to UP or DOWN (bring the NIC up or down).
      multicast on or multicast off: change the MULTICAST flag on the device (enable or disable multicast).
      name NAME: change the name of the device. The NIC must be brought down first, otherwise the command reports that the device is busy.
        This operation is not recommended if the device is running or has some addresses already configured.
      alias NAME: give the device a symbolic name for easy reference.
      mtu NUMBER: change the MTU of the device (default 1500).
      netns NETNSNAME: move the device to the network namespace associated with name NETNSNAME.
    

      

    veth - Virtual ethernet interface # virtual Ethernet NIC

    # veth devices come in pairs: one end of each device attaches to the kernel protocol stack, and the two devices are connected to each other. A frame that one device receives from the protocol stack is sent out of the other device. Roughly:

      

    +----------------------------------------------------------------+
    |                                                                |
    |       +------------------------------------------------+       |
    |       |             Network Protocol Stack             |       |
    |       +------------------------------------------------+       |
    |              ↑               ↑               ↑                 |
    |..............|...............|...............|.................|
    |              ↓               ↓               ↓                 |
    |        +----------+    +-----------+   +-----------+           |
    |        |   eth0   |    |   veth0   |   |   veth1   |           |
    |        +----------+    +-----------+   +-----------+           |
    |              ↑               ↑               ↑                 |
    |  192.168.100.100             +---------------+                 |
    |              |          10.1.1.1/24     10.1.1.2/24            |
    +--------------|-------------------------------------------------+
                   ↓
             Physical Network

      

    Example
    
    Create a pair of virtual NICs. Newly created NICs are down by default, and the loopback interface lo inside a namespace is down by default as well.
    
    [root@localhost netreport]# ip link add name veth1 type veth peer name veth2
    [root@localhost netreport]# ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether 00:0c:29:8b:7c:a1 brd ff:ff:ff:ff:ff:ff
    3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
        link/ether 02:42:3d:8c:f3:de brd ff:ff:ff:ff:ff:ff
    7: vetha2d7cb7@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
        link/ether 3a:54:20:3d:ff:16 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    8: veth2@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether 8a:ed:62:73:ec:f6 brd ff:ff:ff:ff:ff:ff
    9: veth1@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether da:6c:01:ef:3b:6a brd ff:ff:ff:ff:ff:ff
    [root@localhost netreport]# 
    

     

    # A NIC can belong to only one namespace; move veth2 into the testspace namespace
    [root@localhost netreport]# ip link set dev veth2 netns testspace
    [root@localhost netreport]# ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether 00:0c:29:8b:7c:a1 brd ff:ff:ff:ff:ff:ff
    3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
        link/ether 02:42:3d:8c:f3:de brd ff:ff:ff:ff:ff:ff
    7: vetha2d7cb7@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
        link/ether 3a:54:20:3d:ff:16 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    9: veth1@if8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether da:6c:01:ef:3b:6a brd ff:ff:ff:ff:ff:ff link-netnsid 1
    [root@localhost netreport]#

     Make the two NICs in different namespaces communicate

    [root@localhost netreport]# ip netns list
    testspace (id: 1)
    [root@localhost netreport]# ip netns exec testspace ip link set dev veth2 name veth0    # the device name can be changed
    [root@localhost netreport]# ip netns exec testspace ifconfig        
    [root@localhost netreport]# ip netns exec testspace ifconfig -a                # show the NICs
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    veth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether 8a:ed:62:73:ec:f6  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@localhost netreport]# ip netns exec testspace ifconfig veth0 10.1.1.2/24
    [root@localhost netreport]# ip netns exec testspace ifconfig veth0 10.1.1.2/24 up     # configure the namespace NIC's address and bring it up
    [root@localhost netreport]# ip netns exec testspace ifconfig -a
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    veth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 10.1.1.2  netmask 255.255.255.0  broadcast 10.1.1.255
            ether 8a:ed:62:73:ec:f6  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@localhost netreport]# 
    [root@localhost netreport]# ifconfig veth1 10.1.1.1/24
    [root@localhost netreport]# ifconfig veth1 10.1.1.1/24 up                # configure the host-side virtual NIC's address and bring it up
    [root@localhost netreport]# ping 10.1.1.2
    PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
    64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.079 ms
    64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.089 ms
    64 bytes from 10.1.1.2: icmp_seq=3 ttl=64 time=0.067 ms
    ^C
    --- 10.1.1.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 1999ms
    rtt min/avg/max/mdev = 0.067/0.078/0.089/0.011 ms
    [root@localhost netreport]# 
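The whole procedure above, from creating the veth pair to the ping test, collected into one script. This is an added example, not part of the original post: it uses `ip addr` and `ip -n` instead of `ifconfig`, creates the peer directly inside the namespace (so the separate `netns` move and the rename are folded into one command), and takes the namespace, interface names and addresses (testspace, veth1, veth0, 10.1.1.1/24, 10.1.1.2/24) from the page; setting `DRY_RUN=1` prints the commands instead of executing them, which needs no root.

```shell
#!/bin/sh
# Added example: host <-> namespace veth setup with modern `ip` subcommands.
# Values below are the page's; override them via the environment if needed.
# DRY_RUN=1 prints each command instead of running it.
set -eu

NS="${NS:-testspace}"
HOST_IF="${HOST_IF:-veth1}"
NS_IF="${NS_IF:-veth0}"
HOST_ADDR="${HOST_ADDR:-10.1.1.1/24}"
NS_ADDR="${NS_ADDR:-10.1.1.2/24}"

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the namespace and veth pair, address both ends and bring them up.
setup_veth_ns() {
    run ip netns add "$NS"
    # `peer name ... netns ...` places the peer in the namespace at creation,
    # replacing the `ip link set dev veth2 netns` + rename steps shown above.
    run ip link add name "$HOST_IF" type veth peer name "$NS_IF" netns "$NS"
    run ip addr add "$HOST_ADDR" dev "$HOST_IF"
    run ip link set dev "$HOST_IF" up
    # `ip -n NS` is shorthand for `ip netns exec NS ip`.
    run ip -n "$NS" addr add "$NS_ADDR" dev "$NS_IF"
    run ip -n "$NS" link set dev "$NS_IF" up
    # lo in a fresh namespace is down (noted above); bring it up too.
    run ip -n "$NS" link set dev lo up
}

# Deleting the namespace destroys the veth end inside it, and the kernel
# removes the host-side peer along with it, so one command cleans up both.
cleanup_veth_ns() {
    run ip netns del "$NS"
}

# Connectivity check from the host to the namespace end (strip the prefix).
check_veth_ns() {
    run ping -c 3 -W 1 "${NS_ADDR%/*}"
}

# Usage: ./veth_ns.sh apply | plan | clean   (apply and clean need root)
case "${1:-}" in
    apply) setup_veth_ns && check_veth_ns ;;
    clean) cleanup_veth_ns ;;
    plan)  DRY_RUN=1; setup_veth_ns ;;
    *)     ;;
esac
```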
    

      

     

    Accessing containers from outside

    Containers can run network applications. To make them reachable from outside, use the -P or -p option to specify a port mapping.
    
    When the -P flag is used, Docker randomly maps a port in the 49000~49900 range to the network port exposed inside the container.
    

     

    [root@localhost ~]# docker run -dit -P nginx   # -P assigns a random port mapping
    ce812985c0066f2ed13f31b39e1ddd91324b3b4562e92a4ec1f7542d6e995afc
    [root@localhost ~]# docker container ls -a
    CONTAINER ID        IMAGE                              COMMAND                  CREATED             STATUS              PORTS                   NAMES
    ce812985c006        nginx                              "nginx -g 'daemon of…"   3 seconds ago       Up 3 seconds        0.0.0.0:32768->80/tcp   gifted_williamson
    1303d8ae1869        dockerpracticecn/docker_practice   "nginx -g 'daemon of…"   22 hours ago        Up 22 hours         0.0.0.0:8080->80/tcp    eager_vaughan
    [root@localhost ~]# 
    

      

    [root@localhost ~]# docker run -dit -p 8000:80  nginx    # a fixed port: port 8000 on all host addresses
    02dda7bad87e9801e638786a46c5685f8f8b91f41b0052198a5ad0daaeed1686
    [root@localhost ~]# docker container ls -a
    CONTAINER ID        IMAGE                              COMMAND                  CREATED              STATUS              PORTS                   NAMES
    02dda7bad87e        nginx                              "nginx -g 'daemon of…"   3 seconds ago        Up 1 second         0.0.0.0:8000->80/tcp    tender_hugle
    ce812985c006        nginx                              "nginx -g 'daemon of…"   About a minute ago   Up About a minute   0.0.0.0:32768->80/tcp   gifted_williamson
    1303d8ae1869        dockerpracticecn/docker_practice   "nginx -g 'daemon of…"   22 hours ago         Up 22 hours         0.0.0.0:8080->80/tcp    eager_vaughan
    [root@localhost ~]# 
    

      

    [root@localhost ~]# docker run -dit -p 192.168.100.100:9000:80  nginx   # restrict the mapping to one address and port
    f22564d9af806afe99fda755c885fb3ecc414fcb4ae1847234981c882eb98ede
    [root@localhost ~]# docker container ls -a
    CONTAINER ID        IMAGE                              COMMAND                  CREATED              STATUS              PORTS                          NAMES
    f22564d9af80        nginx                              "nginx -g 'daemon of…"   3 seconds ago        Up 2 seconds        192.168.100.100:9000->80/tcp   wonderful_jepsen
    02dda7bad87e        nginx                              "nginx -g 'daemon of…"   About a minute ago   Up About a minute   0.0.0.0:8000->80/tcp           tender_hugle
    ce812985c006        nginx                              "nginx -g 'daemon of…"   2 minutes ago        Up 2 minutes        0.0.0.0:32768->80/tcp          gifted_williamson
    1303d8ae1869        dockerpracticecn/docker_practice   "nginx -g 'daemon of…"   22 hours ago         Up 22 hours         0.0.0.0:8080->80/tcp           eager_vaughan
    [root@localhost ~]# 
    

      

    [root@localhost ~]# docker port f225        # show the container's port mappings
    80/tcp -> 192.168.100.100:9000
    [root@localhost ~]# 
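The three -p forms above differ in which host addresses the published port listens on: `0.0.0.0:8000->80/tcp` is reachable on every host interface, while `192.168.100.100:9000->80/tcp` is pinned to one. As an added example that is not part of the original post, a small shell audit that classifies each mapping in `docker ps --format '{{.Names}}\t{{.Ports}}'` output; the container names and mappings in the embedded sample are taken from the listings above, plus one constructed IPv6 `:::` binding and one constructed unpublished port.

```shell
#!/bin/sh
# Added example: classify published container ports by host bind address.
# Input: one container per line, "NAME<TAB>PORTS", where PORTS is the
# comma-separated list printed by `docker ps --format '{{.Names}}\t{{.Ports}}'`.
set -eu

# Print "NAME MAPPING SCOPE" per published mapping; SCOPE is "wildcard" for
# 0.0.0.0 / :: bindings (all host interfaces) and "pinned" otherwise.
classify_ports() {
    awk -F'\t' '
    {
        name = $1
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # "80/tcp" without "->" is only exposed, not published: skip it
            if (m == "" || index(m, "->") == 0) continue
            split(m, half, "->")
            host = half[1]
            # bind address = everything before the trailing ":PORT" (works for "::")
            addr = substr(host, 1, match(host, /:[0-9]+$/) - 1)
            scope = (addr == "0.0.0.0" || addr == "::") ? "wildcard" : "pinned"
            print name, m, scope
        }
    }'
}

# Only the mappings reachable on every host interface, as "NAME MAPPING".
wildcard_bindings() {
    classify_ports | awk '$3 == "wildcard" { print $1, $2 }'
}

# Constructed sample mirroring the `docker container ls` output above; the
# eager_vaughan IPv6 entry and quiet_box are added for the edge cases.
# Live use: docker ps --format '{{.Names}}\t{{.Ports}}' | wildcard_bindings
SAMPLE="$(printf '%s\t%s\n' \
    wonderful_jepsen  '192.168.100.100:9000->80/tcp' \
    tender_hugle      '0.0.0.0:8000->80/tcp' \
    gifted_williamson '0.0.0.0:32768->80/tcp' \
    eager_vaughan     '0.0.0.0:8080->80/tcp, :::8080->80/tcp' \
    quiet_box         '80/tcp')"

printf '%s\n' "$SAMPLE" | wildcard_bindings
```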
    

      

    Sharing the host's network namespace

    [root@localhost ~]# docker run --name b4 -it --network host --rm busybox    # host network mode
    / # 
    / # ifocnfig
    sh: ifocnfig: not found
    / # ifconfig
    br-89e62c51620f Link encap:Ethernet  HWaddr 02:42:CF:83:F2:C1  
              inet addr:172.18.0.1  Bcast:172.18.255.255  Mask:255.255.0.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    docker0   Link encap:Ethernet  HWaddr 02:42:3D:8C:F3:DE  
              inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
              inet6 addr: fe80::42:3dff:fe8c:f3de/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:303 errors:0 dropped:0 overruns:0 frame:0
              TX packets:251 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:728619 (711.5 KiB)  TX bytes:28556 (27.8 KiB)
    
    ens33     Link encap:Ethernet  HWaddr 00:0C:29:8B:7C:A1  
              inet addr:192.168.100.100  Bcast:192.168.100.255  Mask:255.255.255.0
              inet6 addr: fe80::d634:8c5a:a11c:8da8/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9777 errors:0 dropped:0 overruns:0 frame:0
              TX packets:9749 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:955036 (932.6 KiB)  TX bytes:1692136 (1.6 MiB)
    

      

     

    Container interconnection

    [root@localhost ~]# docker network create -d bridge my-net             # create a new network (its own network namespace)
    7563ccc4b9ce8ab73fa9ea49a7cc0ed900e5bd9cc8e65393baaee0764c61bee8
    [root@localhost ~]# docker network ls
    NETWORK ID          NAME                DRIVER              SCOPE
    d4846dd9d420        bridge              bridge              local
    89e62c51620f        help                bridge              local
    16d30c89207b        host                host                local
    7563ccc4b9ce        my-net              bridge              local
    c8c1dd52cd81        none                null                local
    
    [root@localhost ~]# ifconfig     
    br-7563ccc4b9ce: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500     # the newly created bridge
            inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
            inet6 fe80::42:edff:fec6:5157  prefixlen 64  scopeid 0x20<link>
            ether 02:42:ed:c6:51:57  txqueuelen 0  (Ethernet)
            RX packets 4  bytes 280 (280.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 12  bytes 936 (936.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    br-89e62c51620f: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
            ether 02:42:cf:83:f2:c1  txqueuelen 0  (Ethernet)
            RX packets 4  bytes 280 (280.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 20  bytes 1592 (1.5 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
            inet6 fe80::42:3dff:fe8c:f3de  prefixlen 64  scopeid 0x20<link>
            ether 02:42:3d:8c:f3:de  txqueuelen 0  (Ethernet)
            RX packets 303  bytes 728619 (711.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 251  bytes 28556 (27.8 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

      

     Run a container and connect it to the newly created my-net network

    [root@localhost ~]# docker run -it --rm --name busybox1 --network my-net busybox sh    # start a container and join it to the specified network
    / # 
    

     

    [root@localhost ~]# docker run -it --rm --name busybox2 --network my-net busybox sh        # test communication between containers on the same network
    / # ping busybox1 
    PING busybox1 (172.19.0.2): 56 data bytes
    64 bytes from 172.19.0.2: seq=0 ttl=64 time=0.116 ms
    64 bytes from 172.19.0.2: seq=1 ttl=64 time=0.091 ms
    ^C
    --- busybox1 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.091/0.103/0.116 ms
    / # 
    