虚拟化网络都是基于netns实现,不管是昨日的openstack,还是今日的docker。
ip netns
ip-netns - process network namespace management
A network namespace is logically another copy of the network stack, with it's own routes, firewall rules, and network devices.
网络名称空间是网络栈的一个逻辑副本,有自己的路由、防火墙规则、和网络设备。
By convention a named network namespace is an object at /var/run/netns/NAME that can be opened. The file descriptor resulting from opening /var/run/netns/NAME refers to the specified network namespace. Holding that file descriptor open keeps the network namespace alive.
通常网络名称空间是一个位于/var/run/netns/NAME的可打开对象,保持这个文件可打开可以保持网络名称空间存活。
The convention for network namespace aware applications is to look for global network configuration files first in /etc/netns/NAME/ then in /etc/.
For example, if you want a different version of /etc/resolv.conf for a network namespace used to isolate your vpn you would name it /etc/netns/myvpn/resolv.conf.
用法
ip [ OPTIONS ] netns { COMMAND | help }
ip netns list - show all of the named network namespaces 列出所有名称空间
ip netns add NETNSNAME - create a new named network namespace 创建一个新的名称空间
ip netns delete NETNSNAME - delete the name of a network namespace 删除一个名称空间
ip netns exec NETNSNAME cmd ... - Run cmd in the named network namespace 在网络名称空间中执行系统命令
ip [-all] netns exec [ NAME ] cmd ... - Run cmd in the named network namespace.
If -all option was specified then cmd will be executed synchronously on the each named network namespace.
ip link
用到netns,就不得不说到ip-link
ip-link - network device configuration
用法
ip [ OPTIONS ] link { COMMAND | help }
显示设备属性
ip link show - display device attributes
dev NAME:specifies the network device to show. (default) 如果不指定设备,则显示所有设备信息
up:only display running interfaces. 只显示启动的接口
添加虚拟设备
ip link add - add virtual link
link DEVICE:specifies the physical device to act operate on. 指定在哪个物理设备上操作
NAME:specifies the name of the new virtual device. 指定新虚拟设备的名称
TYPE:specifies the type of the new device. 指定新设备的类型
Link types:
vlan - 802.1q tagged virtual LAN interface
veth - Virtual ethernet interface 虚拟网络接口(一对)
vcan - Virtual Local CAN interface
dummy - Dummy network interface
ifb - Intermediate Functional Block device
macvlan - virtual interface base on link layer address (MAC)
can - Controller Area Network interface
bridge - Ethernet Bridge device 网桥设备
删除虚拟设备
ip link delete - delete virtual link
DEVICE:specifies the virtual device to act operate on.
TYPE:specifies the type of the device.
dev DEVICE:specifies the physical device to act operate on.
设置设备属性
ip link set - change device attributes
dev DEVICE:specifies network device to operate on.
up and down:change the state of the device to UP or DOWN. 启动或关闭网卡
multicast on or multicast off:change the MULTICAST flag on the device. 启用或禁用组播
name NAME:change the name of the device. 修改网卡名称。需要先donw掉网卡,不然会提示busy。
This operation is not recommended if the device is running or has some addresses already configured.
alias NAME:give the device a symbolic name for easy reference. 为网卡设置别名
mtu NUMBER:change the MTU of the device. 设置MTU大小,默认为1500
netns NETNSNAME:move the device to the network namespace associated with name NETNSNAME. 将接口移动到指定的网络名称空间
这里单独说一下veth设备
veth设备是成对出现的,一端连接的是内核协议栈,一端彼此相连。一个设备收到协议栈的数据,会将数据发送另一个设备上去。
大概结构如下:
+----------------------------------------------------------------+
| |
| +------------------------------------------------+ |
| | Newwork Protocol Stack | |
| +------------------------------------------------+ |
| ↑ ↑ ↑ |
|..............|...............|...............|.................|
| ↓ ↓ ↓ |
| +----------+ +-----------+ +-----------+ |
| | eth0 | | veth0 | | veth1 | |
| +----------+ +-----------+ +-----------+ |
|192.168.1.11 ↑ ↑ ↑ |
| | +---------------+ |
| | 192.168.2.11 192.168.2.1 |
+--------------|-------------------------------------------------+
↓
Physical Network
示例
创建一对虚拟网卡,新建的网卡默认都是关闭的,名称空间里的回环网卡lo默认也是关闭的。
# ip link add kk type veth peer name vkk
# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.251.53.190 netmask 255.255.248.0 broadcast 10.251.55.255
ether 00:16:3e:00:3c:24 txqueuelen 1000 (Ethernet)
RX packets 516917 bytes 522231637 (498.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 410017 bytes 29372384 (28.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
kk: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 32:24:c6:46:81:ac txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 37561 bytes 3506524 (3.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37561 bytes 3506524 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vkk: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 92:92:2c:df:be:bd txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
创建一个名称空间
# ip netns add test
# ip netns list
将虚拟网卡vkk移动到名称空间,这时vkk就查看不到了
# ip link set vkk netns test
# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.251.53.190 netmask 255.255.248.0 broadcast 10.251.55.255
ether 00:16:3e:00:3c:24 txqueuelen 1000 (Ethernet)
RX packets 516917 bytes 522231637 (498.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 410017 bytes 29372384 (28.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
kk: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 32:24:c6:46:81:ac txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 0 (Local Loopback)
RX packets 37561 bytes 3506524 (3.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37561 bytes 3506524 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
进入名称空间,发现刚才的虚拟网卡已经在名称空间里面了。
# ip netns exec test bash
# ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vkk: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 92:92:2c:df:be:bd txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
另外,要使名称空间能和本地和外部通信,需要使用网桥,这里不细说了。