

S_lion's Studio

S_lion's Studio

自己动手实现network namespace



自己动手实现network namespace

docker

字数统计: 2.2k阅读时长: 12 min

 2021/07/13   Share

• 
• 
• 
• 
• 

之前的文章提到了6种Linux的namespace隔离技术，其中network namespace为命名空间内的所有进程提供了全新隔离的网络协议栈。这包括网络接口，路由表和iptables规则。通过使用网络命名空间就可以实现网络虚拟环境，实现彼此之间的网络隔离，其实通过ip命令就可以模拟出网络命名空间。

安装软件

首先需要安装iprouter软件：

[root@slions_pc1 ~]# rpm -q iproute
iproute-4.11.0-14.el7.x86_64

我本地已经安装了，查看IP命令：

[root@slions_pc1 ~]# ip help
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
       ip [ -force ] -batch filename
where  OBJECT := { link | address | addrlabel | route | rule | neigh | ntable |
                   tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm |
                   netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila |
                   vrf }
       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                    -h[uman-readable] | -iec |
                    -f[amily] { inet | inet6 | ipx | dnet | mpls | bridge | link } |
                    -4 | -6 | -I | -D | -B | -0 |
                    -l[oops] { maximum-addr-flush-attempts } | -br[ief] |
                    -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |
                    -rc[vbuf] [size] | -n[etns] name | -a[ll] | -c[olor]}

创建netns

查看本地是否存在netns

[root@slions_pc1 ~]# ip netns list
[root@slions_pc1 ~]#

创建两个netns，分别叫slions_ns1,slions_ns2

[root@slions_pc1 ~]# ip netns add slions_ns1
[root@slions_pc1 ~]# ip netns add slions_ns2
[root@slions_pc1 ~]# ip netns list
slions_ns1
slions_ns2

查看下这个命名空间下的网卡信息,可以看到都只有lo环回网卡

[root@slions_pc1 ~]# ip netns exec slions_ns1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@slions_pc1 ~]# ip netns exec slions_ns2 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

创建veth网卡设备对

需要创建一对儿veth虚拟网卡

[root@slions_pc1 ~]# ip link add veth0 type veth peer name veth1
[root@slions_pc1 ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:97:8c:d0 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:8a:8f:d7:d5 brd ff:ff:ff:ff:ff:ff
8: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether ae:f9:75:fa:93:4d brd ff:ff:ff:ff:ff:ff
9: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether d2:24:de:9b:b5:d9 brd ff:ff:ff:ff:ff:ff

可以看到，此时本地多了8和9两块没有被激活的网卡，并且从网卡名上可以看出对应关系

移动veth网卡到netns

把其中一个网卡移动到命名空间slions_ns1中

[root@slions_pc1 ~]# ip link set veth1 netns slions_ns1

在slions_ns1中验证网卡信息

[root@slions_pc1 ~]# ip netns exec slions_ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
8: veth1@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ae:f9:75:fa:93:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0

再来看下宿主机的网卡信息，发现之前的8号没了，仔细观察会发现slions_ns中新的网卡正是之前的8号网卡，从序号也可以看出来，并且网卡名中的@ifx就是veth设备对端的网卡序号

[root@slions_pc1 ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:97:8c:d0 brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:8a:8f:d7:d5 brd ff:ff:ff:ff:ff:ff
9: veth0@if8: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether d2:24:de:9b:b5:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 0

我们还可以给slions_ns1中的veth1改名

[root@slions_pc1 ~]# ip netns exec slions_ns1 ip link set dev veth1 name eth0
[root@slions_pc1 ~]# ip netns exec slions_ns1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether ae:f9:75:fa:93:4d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

激活veth网卡

给宿主机veth网卡设置ip地址为10.0.0.1，激活网卡

[root@slions_pc1 ~]# ip addr add 10.0.0.1/24 dev veth0
[root@slions_pc1 ~]# ip link set veth0 up
[root@slions_pc1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:97:8c:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.10/24 brd 192.168.100.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::8199:4454:db1e:911c/64 scope link tentative noprefixroute dadfailed
       valid_lft forever preferred_lft forever
    inet6 fe80::22c9:e9bb:e5a1:9403/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8a:8f:d7:d5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8aff:fe8f:d7d5/64 scope link
       valid_lft forever preferred_lft forever
9: veth0@if8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether d2:24:de:9b:b5:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.0.1/24 scope global veth0
       valid_lft forever preferred_lft forever

给slions_ns1命名空间的veth网卡设置ip地址为10.0.0.2，激活网卡

[root@slions_pc1 ~]# ip netns exec slions_ns1 ifconfig eth0 10.0.0.2/24 up
[root@slions_pc1 ~]# ip netns exec slions_ns1 ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.2  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::acf9:75ff:fefa:934d  prefixlen 64  scopeid 0x20<link>
        ether ae:f9:75:fa:93:4d  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 656 (656.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

在宿主机ping slions_ns1的网卡地址

[root@slions_pc1 ~]# ping 10.0.0.2 -c 3
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.013 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.024 ms

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.013/0.020/0.024/0.005 ms

可以ping通，此时证明宿主机和slions_ns1网络命名空间已经通过veth网卡实现了网络联通

测试两个netns联通性

最开始还创建了一个slions_ns2的网络命名空间，我们把宿主机的那块veth0网卡加到其里面去进行测试

[root@slions_pc1 ~]# ip link set dev veth0 netns slions_ns2
[root@slions_pc1 ~]# ip netns exec slions_ns2 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether d2:24:de:9b:b5:d9  txqueuelen 1000  (Ethernet)
        RX packets 24  bytes 2000 (1.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 2000 (1.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

发现网卡没被激活，手动再设置下

[root@slions_pc1 ~]# ip netns exec slions_ns2 ifconfig veth0 10.0.0.3/24 up
[root@slions_pc1 ~]# ip netns exec slions_ns2 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.3  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::d024:deff:fe9b:b5d9  prefixlen 64  scopeid 0x20<link>
        ether d2:24:de:9b:b5:d9  txqueuelen 1000  (Ethernet)
        RX packets 24  bytes 2000 (1.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30  bytes 2516 (2.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

这时从slions_ns2中测试能否ping通slions_ns1

[root@slions_pc1 ~]# ip netns exec slions_ns2 ping 10.0.0.2 -c 3
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.023 ms

--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.014/0.020/0.023/0.004 ms

和料想的一样可以ping通。

• Next Post
  手工安装heketi管理glusterfs
• Previous Post
  cadvisor+node_exporter+prometheus+grafana实现docker与主机监控

Powered by Hexotheme Archer

PV: :)

CATALOG

1. 1. 安装软件
2. 2. 创建netns
3. 3. 创建veth网卡设备对
4. 4. 移动veth网卡到netns
5. 5. 激活veth网卡
6. 6. 测试两个netns联通性

• Archive
• Tag
• Cate

Total : 85

2024

• 04/07关于改变

2023

• 02/02docker cgroups driver设置为systemd报错

2022

• 10/30安装openshift记实
• 06/22harbor2.4.2尝鲜
• 06/14关于k8s卷权限的一些测试
• 04/16k8s证书机制
• 04/11检测tcp连通性与端口延迟
• 04/11linux网络模型必知必会
• 04/10shell备忘录
• 04/01修改kubeadm源码中的证书过期时间
• 03/22k8s网络模型与cni插件
• 03/22docker跨主机通信
• 03/21docker网络
• 03/20ARP
• 03/20iptables
• 03/20ip选路
• 03/20ping和traceroute
• 03/20RARP
• 03/20查看端口被占用的四种方式
• 03/20改变系统默认dns解析顺序
• 03/20排查是否存在ip地址占用现象

2021

• 12/27k8s部署EFK
• 12/18日志系统之Filebeat
• 12/16k8s替换容器运行时为containerd
• 12/15CRI之containerd
• 12/07K8S Runtime CRI OCI contained dockershim（转载）
• 12/02（十一）Jinja2模板
• 12/02（十）ansible异常处理
• 12/01（九）ansible流程控制
• 12/01（八）ansible变量
• 12/01（七）收集节点信息facts
• 11/29（六）限制执行任务主机
• 11/23harbor对接F5的鉴权失败问题
• 11/17保留特殊字符
• 10/31普通用户安装mysql
• 10/03k8s-controller-manager原理
• 10/03k8s-etcd理解
• 10/03kube-proxy原理
• 10/03k8s-scheduler原理
• 09/26k8s-apiserver原理
• 09/23修改kubeadm证书过期时间
• 09/19我是一个线程（转载）
• 09/10git原理及常用命令
• 09/02如何优雅的编写dockerfile
• 09/02镜像构建之dockerfile
• 08/30expect使用
• 08/29（五）ansible常用模块
• 08/28（四）剧本文件playbook
• 08/24（三）主机清单inventory
• 08/23实现科学上网
• 08/22hexo特殊符号的转义问题
• 08/22（二）ansible初体验
• 08/22（一）ansible入门
• 08/14走近分布式一致性协议（下篇）
• 08/14走近分布式一致性协议（上篇）
• 08/08heketi启动失败问题排查
• 08/08gluster排故纪实
• 08/07修改centos7主机名
• 08/07linux误删文件恢复思路
• 08/06逻辑卷管理LVM
• 08/05Virtualbox虚机使用介绍
• 08/03df与du结果不一致问题
• 08/02磁盘分区工具
• 08/02ceph mimic对接k8s 1.17.0(ceph-csi)
• 08/01创建开机自启程序（下篇）
• 08/01创建开机自启程序（上篇）
• 08/01alias与rm的最佳实践
• 07/31linux用户与组管理（下篇）
• 07/30linux用户与组管理（上篇）
• 07/19harbor集群系统负载升高原因分析
• 07/18glusterfs可用性测试
• 07/16glusterfs回收站功能
• 07/15k8s-v1.11使用glusterfs
• 07/15linux添加新硬盘无法识别解决方法
• 07/14手工安装heketi管理glusterfs
• 07/13自己动手实现network namespace
• 07/12cadvisor+node_exporter+prometheus+grafana实现docker与主机监控
• 07/12理解存储驱动overlay2
• 07/11Centos镜像那么小能用么？
• 07/11浅谈docker框架
• 07/10docker Cgroup
• 07/09大话docker
• 07/09安装docker
• 07/09docker namespace
• 07/08Hello World

docker 虚拟机相关 prometheus glusterfs kubernetes storage harbor heketi linux ceph Distributed protocol ansible hexo shadowsocks git kubernetes核心组件 kubernetes Mysql logging Network shell openshift 观点与感悟



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true

存储类 linux系统 虚拟机 k8s存储 镜像仓库 监控 docker hello-world 分布式一致性协议 ansible回炉 hexo使用 科学上网 git 好文推荐 kubernetes笔记 kubernetes Mysql 云原生 Network shell 观点与感悟

