linux名称空间
网络命名空间(netwrok namespace)是什么?
从逻辑上讲,网络名称空间是网络堆栈的另一个副本,具有自己的路由,防火墙规则和网络设备。
默认情况下,进程从其父级继承其网络名称空间。最初,所有进程都与init进程共享相同的默认网络名称空间。(1号线程)
按照约定,命名的网络名称空间是/ var / run / netns / NAME中可以打开的对象。通过打开/ var / run / netns / NAME产生一个有关这个网络空间的文件描述符。使该文件描述符保持打开状态可以使网络名称空间保持活动状态。文件描述符可与setns(int setns(int fd, int nstype); 将线程与命名空间关联的一个系统调用的函数)一同使用,去更改该网络命名空间对应的任务
对于了解网络名称空间的应用程序, 惯例是 先在/ etc / netns / NAME /中然后在/ etc /中查找全局网络配置文件。例如,如果您 想要 用于隔离VPN的网络名称空间的/etc/resolv.conf的其他版本,则可以将其命名为/etc/netns/myvpn/resolv.conf。
ip netns命令
可以借助ip netns命令来完成对 Network Namespace 的各种操作。ip netns命令来自于iproute安装包,一般系统会默认安装,如果没有的话,请自行安装。
注意:ip netns命令修改网络配置时需要 sudo 权限。
可以通过ip netns命令完成对Network Namespace 的相关操作,可以通过ip netns help查看命令帮助信息:
[root@test ~]# ip netns help Usage: ip netns list #列出网络命名空间。此命令显示的是 “/var/run/netns” 中的所有网络命名空间 ip netns add NAME #添加网络命名空间 ip netns attach NAME PID #如果 /var/run/netns下没有NAME(命名空间的名字),该指令将进程PID的网络名称空间附加到NAME,就像它是使用ip netns创建的一样 ip netns set NAME NETNSID #给网络命名空间分配id ip [-all] netns delete [NAME] #删除网络命名空间 ip netns identify [PID] #查看进程的网络命名空间 ip netns pids NAME #遍历proc并查找所有具有命名网络命名空间作为其主要网络名称空间的进程 ip [-all] netns exec [NAME] cmd ... #在指定的网络命名空间中执行命令 ip netns monitor #监控对网络命名空间的操作 ip netns list-id #查找使用此网络命名空间并将其作为主要网络命名空间的进程。此命令会从 /proc 目录中遍历 NETNSID := auto | POSITIVE-INT
默认情况下,Linux系统中是没有任何 Network Namespace的,所以ip netns list命令不会返回任何信息。
创建Network Namespace
[root@test ~]# ip netns list [root@test ~]# ip netns add test1 [root@test ~]# ip netns list test1
新创建的 Network Namespace 会出现在/var/run/netns/目录下。如果相同名字的 namespace 已经存在,命令会报Cannot create namespace file "/var/run/netns/ns0": File exists的错误。
[root@test ~]# ls /var/run/netns/ test1 [root@test ~]# ip netns add test1 Cannot create namespace file "/var/run/netns/test1": File exists
操作Network Namespace
ip命令提供了ip netns exec
子命令可以在对应的 Network Namespace 中执行命令。
查看新创建 Network Namespace 的网卡信息
[root@test ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
可以看到,新创建的Network Namespace中会默认创建一个lo回环网卡,此时网卡处于关闭状态。此时,尝试去 ping 该lo回环网卡,会提示Network is unreachable
[root@test ~]# ip netns exec test1 ping 127.0.0.1 connect: Network is unreachable
启动lo回环网卡
[root@test ~]# ip netns exec test1 ip link set lo up [root@test ~]# ip netns exec test1 ping 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.022 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.074 ms ^C --- 127.0.0.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 83ms rtt min/avg/max/mdev = 0.022/0.040/0.074/0.024 ms
转移设备
我们可以在不同的 Network Namespace 之间转移设备(如veth)。由于一个设备只能属于一个 Network Namespace ,所以转移后在这个 Network Namespace 内就看不到这个设备了。
其中,veth设备属于可转移设备,而很多其它设备(如lo、vxlan、ppp、bridge等)是不可以转移的。
veth pair
veth pair 全称是 Virtual Ethernet Pair,是一个成对的端口,所有从这对端口一 端进入的数据包都将从另一端出来,反之也是一样。引入veth pair是为了在不同的 Network Namespace 直接进行通信,利用它可以直接将两个 Network Namespace 连接起来。
创建veth pair
[root@test ~]# ip link add type veth [root@test ~]# ip a 12: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 06:5f:a9:a2:63:d3 brd ff:ff:ff:ff:ff:ff 13: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ea:ba:79:f1:27:3a brd ff:ff:ff:ff:ff:ff
可以看到,此时系统中新增了一对veth pair,将veth0和veth1两个虚拟网卡连接了起来,此时这对 veth pair 处于”未启用“状态。
实现network namespace间通信
刚才我们已经创建了一个名为test1的 Network Namespace,下面再创建一个信息Network Namespace,命名为test2
[root@test ~]# ip netns add test2 [root@test ~]# ip netns list test2 test1
将veth0加入到test1,将veth1加入到test2
[root@test ~]# ip link set veth0 netns test1 [root@test ~]# ip link set veth1 netns test2 [root@test ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 12: veth0@if13: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 06:5f:a9:a2:63:d3 brd ff:ff:ff:ff:ff:ff link-netns test2 [root@test ~]# ip netns exec test2 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 13: veth1@if12: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether ea:ba:79:f1:27:3a brd ff:ff:ff:ff:ff:ff link-netns test1
分别为这对veth pair配置上ip地址,并启用它们
[root@test ~]# ip netns exec test1 ip link set veth0 up [root@test ~]# ip netns exec test1 ip addr add 192.168.1.1/24 dev veth0 [root@test ~]# ip netns exec test2 ip link set veth1 up [root@test ~]# ip netns exec test2 ip addr add 192.168.1.50/24 dev veth1 [root@test ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 12: veth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 06:5f:a9:a2:63:d3 brd ff:ff:ff:ff:ff:ff link-netns test2 inet 192.168.1.1/24 scope global veth0 valid_lft forever preferred_lft forever inet6 fe80::45f:a9ff:fea2:63d3/64 scope link valid_lft forever preferred_lft forever [root@test ~]# ip netns exec test2 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 13: veth1@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether ea:ba:79:f1:27:3a brd ff:ff:ff:ff:ff:ff link-netns test1 inet 192.168.1.50/24 scope global veth1 valid_lft forever preferred_lft forever inet6 fe80::e8ba:79ff:fef1:273a/64 scope link valid_lft forever preferred_lft forever
成功启用了这个veth pair,并为每个veth设备分配了对应的ip地址。尝试在test1中访问test2的IP地址
[root@test ~]# ip netns exec test1 ping 192.168.1.50 PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data. 64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=0.047 ms 64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=0.035 ms
可以看到,veth pair成功实现了两个不同Network Namespace之间的网络交互。
veth设备重命名
关闭网卡后再重命名,不然会报"Device or resource busy"
[root@test ~]# ip netns exec test1 ip link set veth0 down [root@test ~]# ip netns exec test1 ip link set dev veth0 name eth0 [root@test ~]# ip netns exec test1 ip link set eth0 up [root@test ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 06:5f:a9:a2:63:d3 brd ff:ff:ff:ff:ff:ff link-netns test2 inet 192.168.1.1/24 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::45f:a9ff:fea2:63d3/64 scope link valid_lft forever preferred_lft forever
容器的常用操作
查看容器主机名
[root@test ~]# docker run --rm -it --name AA busybox / # hostname a0b0b711204a
在容器启动时注入主机名
[root@test ~]# docker run --rm -it --name AA --hostname xxxxxxx busybox / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 172.17.0.2 xxxxxxx # 注入主机名时会自动创建主机名到IP的映射关系 / # cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 192.168.248.2 # DNS也会自动配置为宿主机的DNS / # ping baidu.com PING baidu.com (39.156.69.79): 56 data bytes 64 bytes from 39.156.69.79: seq=0 ttl=127 time=26.648 ms 64 bytes from 39.156.69.79: seq=1 ttl=127 time=31.192 ms
手动指定容器要使用的DNS
[root@test ~]# docker run --rm -it --name AA --hostname TestCon --dns 114.114.114.114 busybox / # cat etc/resolv.conf search localdomain nameserver 114.114.114.114 / # nslookup -type=a www.baidu.com Server: 114.114.114.114 Address: 114.114.114.114:53 Non-authoritative answer: www.baidu.com canonical name = www.a.shifen.com Name: www.a.shifen.com Address: 182.61.200.6 Name: www.a.shifen.com Address: 182.61.200.7
手动往/etc/hosts文件中注入主机名到IP地址的映射
[root@test ~]# docker run --rm -it --name AA --hostname TestCon --dns 114.114.114.114 --add-host test:192.168.248.129 busybox / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.248.129 test 172.17.0.2 TestCon
开放容器端口
执行docker run的时候有个-p选项,可以将容器中的应用端口映射到宿主机中,从而实现让外部主机可以通过访问宿主机的某端口来访问容器内应用的目的。
-p选项能够使用多次,其所能够暴露的端口必须是容器确实在监听的端口。
-p选项的使用格式:
- -p <containerPort>
- 将指定的容器端口映射至主机所有地址的一个动态端口
- -p <hostPort>:<containerPort>
- 将容器端口<containerPort>映射至指定的主机端口<hostPort>
- -p <ip>::<containerPort>
- 将指定的容器端口<containerPort>映射至主机指定<ip>的动态端口
- -p <ip>:<hostPort>:<containerPort>
- 将指定的容器端口<containerPort>映射至主机指定<ip>的端口<hostPort>
动态端口指的是随机端口,具体的映射结果可使用docker port命令查看。
将指定的容器端口映射至主机所有地址的一个动态端口
[root@test ~]# docker run --name httpd --rm -p 80 httpd AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message [Tue Mar 02 09:58:40.784711 2021] [mpm_event:notice] [pid 1:tid 139744951366784] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations [Tue Mar 02 09:58:40.789422 2021] [core:notice] [pid 1:tid 139744951366784] AH00094: Command line: 'httpd -D FOREGROUND' #以上命令执行后会一直占用着前端,我们新开一个终端连接来看一下容器的80端口被映射到了宿主机的什么端口上 [root@test ~]# docker port httpd 80/tcp -> 0.0.0.0:49153
由此可见,容器的80端口被暴露到了宿主机的49153端口上,此时我们在宿主机上访问一下这个端口看是否能访问到容器内的站点
[root@test ~]# curl 192.168.248.129:49153 <html><body><h1>It works!</h1></body></html>
将容器端口映射至指定的主机端口
[root@test ~]# docker run --name httpd --rm -p 80:80 httpd AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message [Tue Mar 02 10:17:28.331207 2021] [mpm_event:notice] [pid 1:tid 139826511512704] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations [Tue Mar 02 10:17:28.332378 2021] [core:notice] [pid 1:tid 139826511512704] AH00094: Command line: 'httpd -D FOREGRO #在另一个终端查看端口映射情况 [root@test ~]# docker port httpd 80/tcp -> 0.0.0.0:80
将指定的容器端口映射至主机指定<ip>一个动态端口
[root@test ~]# docker run --name httpd --rm -p 192.168.248.129::80 httpd AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message [Tue Mar 02 10:13:15.485863 2021] [mpm_event:notice] [pid 1:tid 139987232113792] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations [Tue Mar 02 10:13:15.486062 2021] [core:notice] [pid 1:tid 139987232113792] AH00094: Command line: 'httpd -D FOREGROUND' #在另一个终端上查看端口映射情况 [root@test ~]# docker port httpd 80/tcp -> 192.168.248.129:49154
将指定的容器端口映射至主机指定<ip>的端口
[root@test ~]# docker run --name httpd --rm -p 192.168.248.129:80:80 httpd AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message [Tue Mar 02 10:28:19.175686 2021] [mpm_event:notice] [pid 1:tid 140146706252928] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations [Tue Mar 02 10:28:19.175918 2021] [core:notice] [pid 1:tid 140146706252928] AH00094: Command line: 'httpd -D FOREGRO #在另一个终端上查看端口映射情况 [root@test ~]# docker port httpd 80/tcp -> 192.168.248.129:80
自定义docker0桥的网络属性信息
https://docs.docker.com/network/bridge 官方文档相关配置
自定义docker0桥的网络属性信息需要修改/etc/docker/daemon.json
配置文件
{ "bip": "192.168.1.5/24", "fixed-cidr": "192.168.1.5/25", "fixed-cidr-v6": "2001:db8::/64", "mtu": 1500, "default-gateway": "10.20.1.1", "default-gateway-v6": "2001:db8:abcd::89", "dns": ["10.20.1.2","10.20.1.3"] }
核心选项为bip,即bridge ip之意,用于指定docker0桥自身的IP地址;其它选项可通过此地址计算得出。
[root@test ~]# cat /etc/docker/daemon.json { "bip": "192.168.1.1/24", "registry-mirrors": ["https://xxxxxx.mirror.aliyuncs.com"] } #运行busybox查看生成的ip [root@test ~]# docker run --rm -it busybox / # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 44: eth0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever
docker创建自定义桥
[root@test ~]# docker network ls NETWORK ID NAME DRIVER SCOPE ded2b342728c bridge bridge local 06b54127b18c host host local 026eba79edc0 none null local [root@test ~]# docker network create -d bridge --subnet "192.168.3.0/24" --gateway "192.168.3.1" bridge0 30b2f659fc7205b41bcd1154d67c43532a4f4ede5c936016ee33414e876fa10b [root@test ~]# docker network ls NETWORK ID NAME DRIVER SCOPE ded2b342728c bridge bridge local 30b2f659fc72 bridge0 bridge local 06b54127b18c host host local 026eba79edc0 none null local
使用新创建的自定义桥来创建容器,再创建一个容器,使用默认的bridge桥,此时从c1与c2如何实现通信。
使用自定义网桥创建容器c1
[root@test ~]# docker run --rm -it --name c1 --network bridge0 busybox / # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:03:02 brd ff:ff:ff:ff:ff:ff inet 192.168.3.2/24 brd 192.168.3.255 scope global eth0 valid_lft forever preferred_lft forever
使用默认网桥创建容器c2
[root@test ~]# docker run --rm -it --name c2 busybox / # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever
实现c1与c2之间通信
#将双方网桥加入到容器中 [root@test ~]# docker network connect bridge0 c2 [root@test ~]# docker network connect bridge c1 [root@test ~]# docker exec c1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:03:02 brd ff:ff:ff:ff:ff:ff inet 192.168.3.2/24 brd 192.168.3.255 scope global eth0 valid_lft forever preferred_lft forever 16: eth1@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:01:03 brd ff:ff:ff:ff:ff:ff inet 192.168.1.3/24 brd 192.168.1.255 scope global eth1 valid_lft forever preferred_lft forever [root@test ~]# docker exec c2 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever 14: eth1@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:c0:a8:03:03 brd ff:ff:ff:ff:ff:ff inet 192.168.3.3/24 brd 192.168.3.255 scope global eth1 valid_lft forever preferred_lft foreve [root@test ~]# docker exec c1 ping 192.168.3.2 PING 192.168.3.2 (192.168.3.2): 56 data bytes 64 bytes from 192.168.3.2: seq=0 ttl=64 time=0.113 ms [root@test ~]# docker exec c2 ping 192.168.1.2 PING 192.168.1.2 (192.168.1.2): 56 data bytes 64 bytes from 192.168.1.2: seq=0 ttl=64 time=0.047 ms 64 bytes from 192.168.1.2: seq=1 ttl=64 time=0.130 ms