Docker container operations

Namespace creation as implemented by the Linux kernel

Creating a Network Namespace

Network Namespaces are managed with the ip netns command.

[root@localhost ~]# ip netns add ns0
[root@localhost ~]# ip netns list
ns0

The newly created Network Namespace appears under the /var/run/netns/ directory.

[root@localhost ~]# ls /var/run/netns/
ns0

Each Network Namespace has its own independent network interfaces, routing table, ARP table, iptables rules and other network-related resources.

Operating on a Network Namespace

The ip command provides the ip netns exec subcommand, which runs a command inside the given Network Namespace.

View the interface information of the newly created Network Namespace:

[root@localhost ~]# ip netns exec ns0 ip addr 
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

The loopback interface is down by default, so ping fails:

[root@localhost ~]# ip netns exec ns0 ping 127.0.0.1
connect: 网络不可达

ip netns exec <namespace-name> ip link set lo up

[root@localhost ~]# ip netns exec ns0 ip link set lo up
[root@localhost ~]# ip netns exec ns0 ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.032 ms

Moving devices

Devices (such as veth) can be moved between Network Namespaces. Because a device can belong to only one Network Namespace at a time, after the move it is no longer visible in the Network Namespace it was moved out of.

veth devices are movable, while many other devices (such as lo, vxlan, ppp and bridge) are not.

veth pair

A veth pair (Virtual Ethernet Pair) is a pair of ports: every packet that enters one end of the pair comes out of the other end, and vice versa.
veth pairs were introduced so that different Network Namespaces can communicate directly; with a veth pair, two Network Namespaces can be connected to each other.


Creating a veth pair

[root@localhost ~]# ip link add type veth
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:29:6d:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.99/24 brd 192.168.20.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::ce17:cb1:75db:563d/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:7e:b4:73:21 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 9e:91:c6:75:3c:43 brd ff:ff:ff:ff:ff:ff
5: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 72:92:96:20:ab:d9 brd ff:ff:ff:ff:ff:ff

Communication between Network Namespaces

Create another namespace:

[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns list
ns1
ns0

// move veth0 into ns0 and veth1 into ns1
[root@localhost ~]# ip link set veth0 netns ns0
[root@localhost ~]# ip link set veth1 netns ns1

// bring up the interfaces and assign IP addresses to the veth pair
[root@localhost ~]# ip netns exec ns0 ip link set veth0 up
[root@localhost ~]# ip netns exec ns0 ip addr add 10.0.0.1/24 dev veth0
[root@localhost ~]# ip netns exec ns1 ip link set veth1 up
[root@localhost ~]# ip netns exec ns1 ip addr add 10.0.0.2/24 dev veth1

// check the state of the veth pair
[root@localhost ~]# ip netns exec ns0 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: veth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9e:91:c6:75:3c:43 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 10.0.0.1/24 scope global veth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9c91:c6ff:fe75:3c43/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth1@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 72:92:96:20:ab:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.0.2/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::7092:96ff:fe20:abd9/64 scope link 
       valid_lft forever preferred_lft forever

From ns0 the peer's IP address can be pinged:

[root@localhost ~]# ip netns exec ns0 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.036 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.041 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.039 ms

Renaming a veth device

[root@localhost ~]# ip netns exec ns0 ip link set veth0 down   // bring the interface down
[root@localhost ~]# ip netns exec ns0 ip link set dev veth0 name eth0   // rename it
[root@localhost ~]# ip netns exec ns0 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 9e:91:c6:75:3c:43 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 10.0.0.1/24 scope global eth0
       valid_lft forever preferred_lft forever
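The whole procedure above (create two namespaces, bring up loopback, create a veth pair, move one end into each namespace, address both ends, ping across) collected into a single script with a teardown, as an added example; it is not code from the original post. Unlike the post, which relies on the automatic veth0/veth1 naming of `ip link add type veth`, the script names both ends explicitly with `peer name`, and it validates interface names before calling ip, since the kernel rejects names longer than 15 characters or containing '/', ':' or spaces (relevant when renaming, as in the eth0 step). The namespace names, veth names and 10.0.0.0/24 addresses are constructed defaults that can be overridden from the environment; DRY_RUN=1 prints each command instead of running it, so the sequence can be inspected without root.

```shell
#!/bin/sh
# ns_lab.sh: two-namespace veth lab (added example, not from the original post).
# Constructed defaults; override from the environment if needed.
NS_A=${NS_A:-ns0}
NS_B=${NS_B:-ns1}
VETH_A=${VETH_A:-veth0}
VETH_B=${VETH_B:-veth1}
ADDR_A=${ADDR_A:-10.0.0.1/24}
ADDR_B=${ADDR_B:-10.0.0.2/24}

# Execute a command, or print it instead when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mirror the kernel's interface-name rules: at most 15 characters (ASCII assumed),
# not "." or "..", and no '/', ':' or space.
ifname_ok() {
    case "$1" in
        ''|.|..|*/*|*:*|*' '*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Delete both namespaces; the veth pair is destroyed along with them.
ns_lab_down() {
    run ip netns del "$NS_A" 2>/dev/null || true
    run ip netns del "$NS_B" 2>/dev/null || true
}

# Build the lab in the same order as the post: namespaces, loopback up,
# veth pair, move each end, bring it up, assign its address.
ns_lab_up() {
    ifname_ok "$VETH_A" && ifname_ok "$VETH_B" || {
        echo "invalid interface name" >&2; return 1; }
    run ip netns add "$NS_A"
    run ip netns add "$NS_B"
    run ip netns exec "$NS_A" ip link set lo up
    run ip netns exec "$NS_B" ip link set lo up
    run ip link add "$VETH_A" type veth peer name "$VETH_B"
    run ip link set "$VETH_A" netns "$NS_A"
    run ip link set "$VETH_B" netns "$NS_B"
    run ip netns exec "$NS_A" ip link set "$VETH_A" up
    run ip netns exec "$NS_B" ip link set "$VETH_B" up
    run ip netns exec "$NS_A" ip addr add "$ADDR_A" dev "$VETH_A"
    run ip netns exec "$NS_B" ip addr add "$ADDR_B" dev "$VETH_B"
}

# Connectivity check from NS_A to NS_B's address (prefix length stripped).
ns_lab_check() {
    run ip netns exec "$NS_A" ping -c 1 -W 1 "${ADDR_B%/*}"
}

case "${1:-}" in
    up)    ns_lab_up ;;
    down)  ns_lab_down ;;
    check) ns_lab_check ;;
    *) ;;   # no argument: only define the functions
esac
```

Typical use as root: `sh ns_lab.sh up && sh ns_lab.sh check; sh ns_lab.sh down`. Running `DRY_RUN=1 sh ns_lab.sh up` prints the eleven ip commands in order, which is a convenient way to review what will touch the host before executing it.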

Common container operations

View the container's hostname

[root@localhost ~]# docker run -it --rm busybox
/ # hostname 
9e74b7655274

Inject a hostname when the container starts

[root@localhost ~]# docker run -it --rm --hostname zzl busybox
/ # hostname 
zzl

Manually specify the DNS server the container should use

[root@localhost ~]# docker run -it --rm --hostname zzl --dns 114.114.114.114 busybox
/ # cat /etc/resolv.conf 
nameserver 114.114.114.114
/ # nslookup -type=a www.baidu.com
Server:         114.114.114.114
Address:        114.114.114.114:53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com
Name:   www.a.shifen.com
Address: 182.61.200.7
Name:   www.a.shifen.com
Address: 182.61.200.6

Manually inject a hostname-to-IP mapping into /etc/hosts

[root@localhost ~]# docker run -it --rm --hostname zzl --add-host www.a.com:1.1.1.1 busybox
/ # cat /etc/hosts 
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
1.1.1.1 www.a.com
172.17.0.2      zzl

Publishing container ports

Format                         Purpose                                                                                     Example
-p containerPort               Map the specified container port to the host (rarely used)                                  -p 80 nginx
-p ip:hostPort:containerPort   Map the specified port of the specified host address to the specified container port (rarely used)   -p 192.168.30.244:80:80
-p ip::containerPort           Map any port of the specified host address to the specified container port (rarely used)    -p 192.168.30.244::80
-p hostPort:containerPort      Map the specified host port to the specified container port (commonly used)                 -p 80:80

Map the specified container port to the host

[root@localhost ~]# docker run -d -p 80 nginx
cfd77d3c0caf4bb72f216a455ac1e5e61f191852e3fab9cbfa025801654be457
[root@localhost ~]# ss -antl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN     0      128     *:22                  *:*                  
LISTEN     0      100    127.0.0.1:25                  *:*                  
LISTEN     0      128    :::22                 :::*                  
LISTEN     0      100       ::1:25                 :::*                  
LISTEN     0      128    :::32768              :::*                  
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
cfd77d3c0caf        nginx               "/docker-entrypoint.…"   30 seconds ago      Up 29 seconds       0.0.0.0:32768->80/tcp   dazzling_albattani
[root@localhost ~]# docker port cfd77d3c0caf
80/tcp -> 0.0.0.0:32768

Map the specified port of the specified host address to the specified container port

[root@localhost ~]# docker run -it --rm -p 192.168.20.99:80:80 nginx

[root@localhost ~]# ss -antl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN     0      128    192.168.20.99:80                  *:*                  
LISTEN     0      128     *:22                  *:*                  
LISTEN     0      100    127.0.0.1:25                  *:*                  
LISTEN     0      128    :::22                 :::*                  
LISTEN     0      100       ::1:25                 :::*                  
LISTEN     0      128    :::32768              :::*                  

Map any port of the specified host address to the specified container port

[root@localhost ~]# docker run -it --rm -p 192.168.20.99::80 nginx

[root@localhost ~]# docker port 6ba6fa68b7e3
80/tcp -> 192.168.20.99:32770

Map the specified host port to the specified container port

[root@localhost ~]# docker run -it --rm -p 80:80 nginx

[root@localhost ~]# ss -antl
State       Recv-Q Send-Q Local Address:Port               Peer Address:Port              
LISTEN      0      128     *:22                  *:*                  
LISTEN      0      100    127.0.0.1:25                  *:*                  
LISTEN      0      128    :::80                 :::*                  
LISTEN      0      128    :::22                 :::*                  
LISTEN      0      100       ::1:25                 :::*                  
LISTEN      0      128    :::32768              :::*                  
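The ss output above shows the difference that matters for exposure: `-p 192.168.20.99:80:80` produces a listener on one address, while `-p 80` and `-p 80:80` produce listeners on `:::` (every interface, IPv4 and IPv6). Traffic to a published port is DNATed and forwarded into the container, so it is evaluated by Docker's own rules in the nat and FORWARD chains rather than by a host firewall policy written for the INPUT chain. The following is an added example, not part of the original post: a small audit that reads `ss -antl` output and reports every listener bound to a wildcard address that is not on an allowlist. The ALLOW list (sshd's port 22 by default) and the embedded SAMPLE, which reproduces the listeners shown above, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): report listening sockets bound
# to every interface. Reads `ss -antl` text on stdin.
# ALLOW is a constructed allowlist of ports expected to listen on all addresses.
ALLOW=${ALLOW:-22}

# Print "port<TAB>address" for each LISTEN entry whose local address is a
# wildcard (*, 0.0.0.0, :: or [::]) and whose port is not in ALLOW.
wildcard_listeners() {
    awk -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        la = $4                              # "Local Address:Port" column
        port = la; sub(/.*:/, "", port)      # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
            if (!(port in ok)) print port "\t" addr
    }'
}

# Constructed sample: the ss -antl output after `docker run -p 80:80 nginx`,
# with the earlier `-p 80` container still listening on 32768.
SAMPLE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    *:22                 *:*
LISTEN 0      100    127.0.0.1:25         *:*
LISTEN 0      128    :::80                :::*
LISTEN 0      128    :::22                :::*
LISTEN 0      100    ::1:25               :::*
LISTEN 0      128    :::32768             :::*'

# Run the audit over the constructed sample instead of the live host.
audit_sample() {
    printf '%s\n' "$SAMPLE" | wildcard_listeners
}

case "${1:-}" in
    --sample) audit_sample ;;                   # check the constructed sample
    --live)   ss -antl | wildcard_listeners ;;  # audit this host
    *) ;;                                       # no argument: only define functions
esac
```

`sh port_audit.sh --sample` prints ports 80 and 32768 bound to `::`; the two sshd entries are suppressed by ALLOW. On a real host, `sh port_audit.sh --live` (or `ss -antl | ...` piped into the function) lists the Docker-published ports reachable from every interface, which is the set to compare against what `docker port` says was intended and, where a single-address bind or 127.0.0.1 would do, to republish with an explicit address.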

Customizing the network attributes of the docker0 bridge

To customize the network attributes of the docker0 bridge, edit the /etc/docker/daemon.json configuration file:

{
    "bip": "192.168.1.5/24",
    "fixed-cidr": "192.168.1.5/25",
    "fixed-cidr-v6": "2001:db8::/64",
    "mtu": 1500,
    "default-gateway": "10.20.1.1",
    "default-gateway-v6": "2001:db8:abcd::89",
    "dns": ["10.20.1.2","10.20.1.3"]
}

Creating a custom bridge with Docker

Create an additional custom bridge:

[root@localhost ~]# docker network create -d bridge --subnet "192.168.2.0/24" --gateway=192.168.2.1 br0
ed264ae719ab8e04ae16e4d4a44a3c8ab915b5ad90d5a8854cf0251942f2716e
[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
ed264ae719ab        br0                 bridge              local
3a4fd032b50a        bridge              bridge              local
785bf824f9e4        host                host                local
c8cceb8c9363        none                null               

Create a container on the newly created custom bridge:

[root@localhost ~]# docker run -it --network br0 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:02:02  
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:946 (946.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
