查看当前具有的namespace
ip netns list
[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns list
ns1
删除namespace
ip netns delete ns1
[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns list
ns1
[root@localhost ~]# ip netns delete ns1
[root@localhost ~]# ip netns list
[root@localhost ~]#
查看namespace【ns1】的网卡情况
ip netns exec ns1 ip a
[root@localhost ~]# ip netns exec ns1 ip a
1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
启动网络状态
ip netns exec ns1 ifup lo
[root@localhost ~]# ip netns exec ns1 ip link show
1: lo: mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@localhost ~]# ip netns exec ns1 ifup lo
[root@localhost ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
[root@localhost ~]#
关掉网络状态
[root@localhost ~]# ip netns exec ns1 ifdown lo
[root@localhost ~]# ip netns exec ns1 ip a
1: lo: mtu 65536 qdisc noqueue state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
还可以通过 link 来设置状态
[root@localhost ~]# ip netns exec ns1 ip link set lo up
[root@localhost ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
[root@localhost ~]# ip netns exec ns1 ip link set lo down
[root@localhost ~]# ip netns exec ns1 ip a
1: lo: mtu 65536 qdisc noqueue state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
[root@localhost ~]#
再次添加一个namespace【ns2】
[root@localhost ~]# ip netns add ns2
[root@localhost ~]# ip netns list
ns2
ns1
现在要实现两个namespace的通信
要实现两个network namespace的通信,我们需要实现到的技术是:
veth pair:Virtual Ethernet Pair,是一个成对的端口,可以实现上述功能
创建一对link,也就是接下来要通过veth pair连接的link
ip link add veth-ns1 type veth peer name veth-ns2
然后在宿主机中就会多出一对网卡信息
然后将创建好的 veth-ns1交给namespace1,把veth-ns2交给namespace2
ip link set veth-ns1 netns ns1
ip link set veth-ns2 netns ns2
再查看ns1和ns2中的link情况
[root@localhost ~]# ip netns exec ns1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: veth-ns1@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 7e:bb:ee:13:a2:9a brd ff:ff:ff:ff:ff:ff link-netnsid 1
[root@localhost ~]# ip netns exec ns2 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth-ns2@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 7e:f8:18:5a:ef:1f brd ff:ff:ff:ff:ff:ff link-netnsid 0
此时veth-ns1和veth-ns2还没有ip地址,显然通信还缺少点条件
ip netns exec ns1 ip addr add 192.168.0.11/24 dev veth-ns1
ip netns exec ns2 ip addr add 192.168.0.12/24 dev veth-ns2
再次查看,发现state是DOWN.所以我们需要启用对应的网卡
[root@localhost ~]# ip netns exec ns1 ip link set veth-ns1 up
[root@localhost ~]# ip netns exec ns2 ip link set veth-ns2 up
然后查看状态
然后就可以相互之间ping通了
ip netns exec ns1 ping 192.168.0.12 ip netns exec ns2 ping 192.168.0.11
3.2 Container的NameSpace
按照上面的描述,实际上每个container,都会有自己的network namespace,并且是独立的,我们可以进入到容器中进行验证
创建两个Tomcat容器
docker run -d --name tomcat01 -p 8081:8080 tomcat
docker run -d --name tomcat02 -p 8082:8080 tomcat
进入到两个容器中,查看ip
docker exec -it tomcat01 ip a
docker exec -it tomcat02 ip a
相互ping是可以ping通的
问题:此时tomcat01和tomcat02属于两个network namespace,是如何能够ping通的? 有些小伙伴可能会想,不就跟上面的namespace实战一样吗?注意这里并没有veth-pair技术
4.1 Docker默认Bridge
首先我们通过ip a可以查看当前宿主机的网络情况
[root@localhost tomcat]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
valid_lft 66199sec preferred_lft 66199sec
inet6 fe80::5054:ff:fe4d:77d3/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe6e:3145/64 scope link
valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:52:d4:0a:9f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:52ff:fed4:a9f/64 scope link
valid_lft forever preferred_lft forever
24: veth78a90d0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 7e:6b:8c:bf:7e:30 brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet6 fe80::7c6b:8cff:febf:7e30/64 scope link
valid_lft forever preferred_lft forever
26: vetha2bfbf4@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ce:2f:ed:e5:61:32 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::cc2f:edff:fee5:6132/64 scope link
valid_lft forever preferred_lft forever
然后查看 tomcat01中的网络: docker exec -it tomcat01 ip a可以发现
[root@localhost tomcat]# docker exec -it tomcat01 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
23: eth0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
我们发现在宿主机中是可以ping通Tomcat01的网络的。
[root@localhost tomcat]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.038 ms
^C
— 172.17.0.2 ping statistics —
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms
既然可以ping通,而且centos和tomcat01又属于两个不同的NetWork NameSpace,他们是怎么连接的?看图
其实在tomcat01中有一个eth0和centos的docker0中有一个veth是成对的,类似于之前实战中的veth-ns1和veth-ns2,要确认也很简单
yum install bridge-utils
brctl show
执行
[root@localhost tomcat]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024252d40a9f no veth78a90d0
vetha2bfbf4
对比 ip a 情况
那么画图说明:
这种网络连接方法我们称之为Bridge,其实也可以通过命令查看docker中的网络模式:docker network ls , bridge也是docker中默认的网络模式
[root@localhost tomcat]# docker network ls
NETWORK ID NAME DRIVER SCOPE
92242fc0f805 bridge bridge local
96b999d7fcc2 host host local
17b86f9caa33 none null local
不妨检查一下bridge:docker network inspect bridge
“Containers”: {
“4b3500fed6b99c00b3ed1ae46bd6bc33040c77efdab343175363f32fbcf42e63”: {
“Name”: “tomcat01”,
“EndpointID”: “40fc0925fcb59c9bb002779580107ab9601640188bf157fa57b1c2de9478053a”,
“MacAddress”: “02:42:ac:11:00:02”,
“IPv4Address”: “172.17.0.2/16”,
“IPv6Address”: “”
},
“92d2ff3e9be523099ac4b45058c5bf4652a77a27b7053a9115ea565ab43f9ab0”: {
“Name”: “tomcat02”,
“EndpointID”: “1d6c3bd73e3727dd368edf3cc74d2f01b5c458223f844d6188486cb26ea255bc”,
“MacAddress”: “02:42:ac:11:00:03”,
“IPv4Address”: “172.17.0.3/16”,
“IPv6Address”: “”
}
}
在tomcat01容器中是可以访问互联网的,顺便把这张图画一下咯,NAT是通过iptables实现的
4.2 自定义NetWork
创建一个network,类型为 Bridge
docker network create tomcat-net
或者
docker network create tomcat-net --subnet=172.18.0.0/24 tomcat-net
查看已有的NetWork: docker network ls
[root@localhost ~]# docker network create tomcat-net
43915cba1f9204751b48896d7d28b83b4b6cf35f06fac6ff158ced5fb9ddb5b3
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
b5c9cfbc0410 bridge bridge local
96b999d7fcc2 host host local
17b86f9caa33 none null local
43915cba1f92 tomcat-net bridge local
查看tomcat-net详情信息:docker network inspect tomcat-net
[root@localhost ~]# docker network inspect tomcat-net
[
{
“Name”: “tomcat-net”,
“Id”: “43915cba1f9204751b48896d7d28b83b4b6cf35f06fac6ff158ced5fb9ddb5b3”,
“Created”: “2021-10-11T12:10:19.543766962Z”,
“Scope”: “local”,
“Driver”: “bridge”,
“EnableIPv6”: false,
“IPAM”: {
“Driver”: “default”,
“Options”: {},
“Config”: [
{
“Subnet”: “172.18.0.0/16”,
“Gateway”: “172.18.0.1”
}
]
},
“Internal”: false,
“Attachable”: false,
“Ingress”: false,
“ConfigFrom”: {
“Network”: “”
},
“ConfigOnly”: false,
“Containers”: {},
“Options”: {},
“Labels”: {}
}
]
删除network:docker network rm tomcat-net
创建tomcat容器,并指定使用tomcat-net
[root@localhost ~]# docker run -d --name custom-net-tomcat --network tomcat-net tomcat-ip:1.0
264b3901f8f12fd7f4cc69810be6a24de48f82402b1e5b0df364bd1ee72d8f0e
查看custom-net-tomcat的网络信息:截取了关键信息
12: br-43915cba1f92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:71:a6:67:c7 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-43915cba1f92
valid_lft forever preferred_lft forever
inet6 fe80::42:71ff:fea6:67c7/64 scope link
valid_lft forever preferred_lft forever
14: veth282a555@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-43915cba1f92 state UP group default
link/ether 3a:3d:83:15:3f:ed brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::383d:83ff:fe15:3fed/64 scope link
valid_lft forever preferred_lft forever
查看网卡接口信息
[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
br-43915cba1f92 8000.024271a667c7 no veth282a555
docker0 8000.02423964f095 no veth4526c0c
vethaa2f6f4
vethc6ad4c2
此时在custom-net-tomcat容器中ping一些tomcat01发现是ping不通的
[root@localhost ~]# docker exec -it custom-net-tomcat ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
^C
— 172.17.0.2 ping statistics —
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
此时如果tomcat01容器能够连接上tomcat-net上应该就可以了
docker network connect tomcat-net tomcat01
[root@localhost ~]# docker exec -it tomcat01 ping custom-net-tomcat
PING custom-net-tomcat (172.18.0.2) 56(84) bytes of data.
64 bytes from custom-net-tomcat.tomcat-net (172.18.0.2): icmp_seq=1 ttl=64 time=0.138 ms
^C
— custom-net-tomcat ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.138/0.138/0.138/0.000 ms
[root@localhost ~]# docker exec -it custom-net-tomcat ping tomcat01
PING tomcat01 (172.18.0.3) 56(84) bytes of data.
64 bytes from tomcat01.tomcat-net (172.18.0.3): icmp_seq=1 ttl=64 time=0.031 ms
5.1 Host
Host模式下,容器将共享主机的网络堆栈,并且主机的所有接口都可供容器使用.容器的主机名将与主机系统上的主机名匹配
创建一个容器,并指定网络为host
docker run -d --name my-tomcat-host --network host tomcat-ip:1.0
查看ip地址
最后
针对最近很多人都在面试,我这边也整理了相当多的面试专题资料,也有其他大厂的面经。希望可以帮助到大家。
下面的面试题答案都整理成文档笔记。也还整理了一些面试资料&最新2021收集的一些大厂的面试真题(都整理成文档,小部分截图)
最新整理电子书
— custom-net-tomcat ping statistics —
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.138/0.138/0.138/0.000 ms
[root@localhost ~]# docker exec -it custom-net-tomcat ping tomcat01
PING tomcat01 (172.18.0.3) 56(84) bytes of data.
64 bytes from tomcat01.tomcat-net (172.18.0.3): icmp_seq=1 ttl=64 time=0.031 ms
5.1 Host
Host模式下,容器将共享主机的网络堆栈,并且主机的所有接口都可供容器使用.容器的主机名将与主机系统上的主机名匹配
创建一个容器,并指定网络为host
docker run -d --name my-tomcat-host --network host tomcat-ip:1.0
查看ip地址
最后
针对最近很多人都在面试,我这边也整理了相当多的面试专题资料,也有其他大厂的面经。希望可以帮助到大家。
下面的面试题答案都整理成文档笔记。也还整理了一些面试资料&最新2021收集的一些大厂的面试真题(都整理成文档,小部分截图)
[外链图片转存中…(img-Pm3aTiq6-1714560016050)]
最新整理电子书
[外链图片转存中…(img-FdOdFKAL-1714560016051)]
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
