net namespace实验
Net namespace实验
在 Linux 中,网络名字空间能够被认为是隔离的拥有单独网络栈(网卡、路由转发表、iptables)的环境。网络名字空间常常用来隔离网络设备和服务,只有拥有一样网络名字空间的设备,才能看到彼此。 network namespace 是实现网络虚拟化的重要功能,它能建立多个隔离的网络空间,它们有独自的网络栈信息。无论是虚拟机仍是容器,运行的时候仿佛本身就在独立的网络中bash
经常使用命令
| comm | 命令 |
|---|---|
| ip netns add net1 | 添加namespace net1 |
| ip netns help | 获取帮助 |
| ip netns del n1 | 删除namespace n1 |
| ip netns ls | 列出当前已有namespace |
与net namespace相关的指令是ip netns后面跟具体指令
使用ip netns exec name子命令后面能够加上任何命令,表示在相应的namespace中执行相关命令,如:网络
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
能够执行ip netns exec n2 bash,以后全部指令都在指定namespace中执行而不须要加上ip netns exec nameoop
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@mininet-vm:/home/mininet# ip netns exec n2 bash
root@mininet-vm:/home/mininet# ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@mininet-vm:/home/mininet# exit
exit
root@mininet-vm:/home/mininet# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
.................
使用ip netns exec n2 bash --rcfile <(echo "PS1=\"namespace ns1>\"")能够修改命令行的前缀。测试
root@mininet-vm:/home/mininet# ip netns exec n2 bash --rcfile <(echo "PS1=\"namespace n2>\"") namespace n2>
namespace通讯
使用 veth pair 进行通讯
- 建立一对veth pair
使用命令ip link add type veth建立一对veth pair,其默认名是veth0和veth1,使用ip link可查看连接
root@mininet-vm:/home/mininet# ip link
.....
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
root@mininet-vm:/home/mininet # ip link add type veth
root@mininet-vm:/home/mininet # ip link
....
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
9: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
10: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff
- 将veth pair的两端分别放到两个namespace
使用命令ip link set veth0 netns n1和ip link set veth1 netns n2分别将veth0和veth1放到不一样namespace
oot@mininet-vm:/home/mininet# ip link set veth0 netns n1
root@mininet-vm:/home/mininet# ip link set veth1 netns n2
root@mininet-vm:/home/mininet# ip netns exec n1 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth1@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff
- 为veth pair的两端分别配置ip
使用命令ip link set vethX up和ip addr add 10.0.0.10/24 dev vethX为veth pair配置ip,结果以下
# namespace 1
namespace ns1> ip link set veth0 up
namespace ns1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
namespace ns1> ip addr add 10.0.10.1/24 dev veth0
namespace ns1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
inet 10.0.10.x1/24 scope global veth0
valid_lft forever preferred_lft forever
# namespace 2
namespace n2>ip link set veth1 up
namespace n2>ip addr add 10.0.10/24 dev veth1
namespace n2>ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth1@if9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state LOWERLAYERDOWN group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff
inet 10.0.10.0/24 scope global veth1
valid_lft forever preferred_lft forever
- 测试两个namespace之间的网络联通状态
分别在n1和n2中尝试ping
namespace ns1> ping 10.0.10.0 -c 1 PING 10.0.10.0 (10.0.10.0) 56(84) bytes of data. 64 bytes from 10.0.10.0: icmp_seq=1 ttl=64 time=0.035 ms namespace n2>ping 10.0.10.1 -c 1 PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data. 64 bytes from 10.0.10.1: icmp_seq=1 ttl=64 time=0.040 ms
其拓扑结构以下
veth pair能够用于两个namespace之间的通讯,但不适合用在多个namespace之间的通行spa利用bridge通讯
- 在以上实验基础上,从新建立两个namespace:n三、n4
root@mininet-vm:/home/mininet# ip netns add n3 root@mininet-vm:/home/mininet# ip netns add n4 root@mininet-vm:/home/mininet# ip netns ls n4 n3 n1 n2
- 建立bridge
root@mininet-vm:/home/mininet# ip link add br0 type bridge
root@mininet-vm:/home/mininet# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:1e:27:79 brd ff:ff:ff:ff:ff:ff
inet 192.168.117.128/24 brd 192.168.117.255 scope global eth0
valid_lft forever preferred_lft forever
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 72:f5:e5:5d:4d:ed brd ff:ff:ff:ff:ff:ff
11: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 76:d8:06:1a:b9:84 brd ff:ff:ff:ff:ff:ff
- 利用veth pair将bridge与n三、n四、n1连通
建立3对veth pair
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip a
...
11: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 76:d8:06:1a:b9:84 brd ff:ff:ff:ff:ff:ff
12: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ea:98:b6:3c:46:60 brd ff:ff:ff:ff:ff:ff
13: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether f2:f6:d8:6b:31:1f brd ff:ff:ff:ff:ff:ff
14: veth2@veth3: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 4a:7d:af:18:67:14 brd ff:ff:ff:ff:ff:ff
15: veth3@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ca:b6:e4:eb:b7:15 brd ff:ff:ff:ff:ff:ff
16: veth4@veth5: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether f2:b3:5f:0e:3d:09 brd ff:ff:ff:ff:ff:ff
17: veth5@veth4: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 76:0c:87:b1:16:80 brd ff:ff:ff:ff:ff:ff
将br0和n1,n3,n4链接
这时候若是把veth0加入n1的话会报错,由于n1里面已经有了一个veth0,能够换成其余名称的veth。
将veth pair放如br0的指令为ip link set dev veth3 master br0命令行
测试n1-n4之间的连通状态
发现不一样namespace之间没法ping通 。
这个问题折腾了好久,后来多配置了几回有能够了。应该是以前漏掉了几个步骤,完整的步骤应该包括如下几步:3d# 启动网桥(网桥只须要启动一次就行) ip link set br0 up # 建立vethpair ip link add br-1 type veth peer name 1-br #将vethpair分配给网桥和namespace ip link set br-1 master br0 ip link set 1-br netns n1 #启动veth ip link set br-1 up ip netns exec n1 ip link set 1-br up # 为namespace中的veth设置ip ip netns exec n1 ip addr add 10.0.10.2/24 dev 1-br
从新测试,发现三个namespace能够相互ping通。code
上述网桥对应的veth的ip其实能够省略blog
其拓扑结构以下
### namespace内部与namespace外部通讯
默认状况下,namespace网络是隔离的,namespace内没法ping通namespace外的网络,能够经过veth pair打通网络状态。
当veth pair一端在namespace内部,一端在namespace外部时,namespace能够ping通位于外部的veth pair但没法ping同其余网络。ip参考资料
https://cizixs.com/2017/02/10/network-virtualization-network-namespace/
相关文章
- 1. NET Namespace(1)
- 2. NET Namespace(2)
- 3. c++ namespace和linux namespace
- 4. Namespace
- 5. namespace与mount namespace
- 6. 实验十九——————NET配置
- 7. vue2.0+.net core 实现极验验证
- 8. Linux Namespace系列(06):network namespace (CLONE_NEWNET)
- 9. docker namespace
- 10. 《自己动手写docker》之namespace部门实验
- 更多相关文章...
- • XML 验证 - XML 教程
- • DTD 验证 - DTD 教程
- • ☆基于Java Instrument的Agent实现
- • Docker容器实战(一) - 封神Server端技术
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
