Net namespace實驗 在 Linux 中,網路名字空間可以被認為是隔離的擁有單獨網路棧(網卡、路由轉發表、iptables)的環境。網路名字空間經常用來隔離網路設備和服務,只有擁有同樣網路名字空間的設備,才能看到彼此。 network namespace 是實現網路虛擬化的重要功能,它能創 ...
Net namespace實驗
在 Linux 中,網路名字空間可以被認為是隔離的擁有單獨網路棧(網卡、路由轉發表、iptables)的環境。網路名字空間經常用來隔離網路設備和服務,只有擁有同樣網路名字空間的設備,才能看到彼此。 network namespace 是實現網路虛擬化的重要功能,它能創建多個隔離的網路空間,它們有獨自的網路棧信息。不管是虛擬機還是容器,運行的時候仿佛自己就在獨立的網路中
常用命令
| comm | 命令 |
|---|---|
| ip netns add net1 | 添加namespace net1 |
| ip netns help | 獲取幫助 |
| ip netns del n1 | 刪除namespace n1 |
| ip netns ls | 列出當前已有namespace |
與net namespace相關的指令是ip netns後面跟具體指令
使用ip netns exec name子命令後面可以加上任何命令,表示在相應的namespace中執行相關命令,如:
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00可以執行ip netns exec n2 bash,之後所有指令都在指定namespace中執行而不需要加上ip netns exec name
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@mininet-vm:/home/mininet# ip netns exec n2 bash
root@mininet-vm:/home/mininet# ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@mininet-vm:/home/mininet# exit
exit
root@mininet-vm:/home/mininet# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
.................使用ip netns exec n2 bash --rcfile <(echo "PS1=\"namespace ns1>\"")可以修改命令行的首碼。
root@mininet-vm:/home/mininet# ip netns exec n2 bash --rcfile <(echo "PS1=\"namespace n2>\"")
namespace n2>namespace通信
使用 veth pair 進行通信
- 創建一對veth pair
使用命令ip link add type veth創建一對veth pair,其預設名是veth0和veth1,使用ip link可查看鏈接
root@mininet-vm:/home/mininet# ip link
.....
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
root@mininet-vm:/home/mininet # ip link add type veth
root@mininet-vm:/home/mininet # ip link
....
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
9: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
10: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff- 將veth pair的兩端分別放到兩個namespace
使用命令ip link set veth0 netns n1和ip link set veth1 netns n2分別將veth0和veth1放到不同namespace
oot@mininet-vm:/home/mininet# ip link set veth0 netns n1
root@mininet-vm:/home/mininet# ip link set veth1 netns n2
root@mininet-vm:/home/mininet# ip netns exec n1 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth1@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff- 為veth pair的兩端分別配置ip
使用命令ip link set vethX up和ip addr add 10.0.0.10/24 dev vethX為veth pair配置ip,結果如下
# namespace 1
namespace ns1> ip link set veth0 up
namespace ns1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
namespace ns1> ip addr add 10.0.10.1/24 dev veth0
namespace ns1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
inet 10.0.10.x1/24 scope global veth0
valid_lft forever preferred_lft forever
# namespace 2
namespace n2>ip link set veth1 up
namespace n2>ip addr add 10.0.10/24 dev veth1
namespace n2>ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth1@if9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state LOWERLAYERDOWN group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff
inet 10.0.10.0/24 scope global veth1
valid_lft forever preferred_lft forever- 測試兩個namespace之間的網路聯通狀態
分別在n1和n2中嘗試ping
namespace ns1> ping 10.0.10.0 -c 1
PING 10.0.10.0 (10.0.10.0) 56(84) bytes of data.
64 bytes from 10.0.10.0: icmp_seq=1 ttl=64 time=0.035 ms
namespace n2>ping 10.0.10.1 -c 1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=64 time=0.040 ms其拓撲結構如下
veth pair可以用於兩個namespace之間的通信,但不適合用在多個namespace之間的通行利用bridge通信
- 在以上實驗基礎上,重新創建兩個namespace:n3、n4
root@mininet-vm:/home/mininet# ip netns add n3
root@mininet-vm:/home/mininet# ip netns add n4
root@mininet-vm:/home/mininet# ip netns ls
n4
n3
n1
n2- 創建bridge
root@mininet-vm:/home/mininet# ip link add br0 type bridge
root@mininet-vm:/home/mininet# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:1e:27:79 brd ff:ff:ff:ff:ff:ff
inet 192.168.117.128/24 brd 192.168.117.255 scope global eth0
valid_lft forever preferred_lft forever
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 72:f5:e5:5d:4d:ed brd ff:ff:ff:ff:ff:ff
11: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 76:d8:06:1a:b9:84 brd ff:ff:ff:ff:ff:ff- 利用veth pair將bridge與n3、n4、n1連通
創建3對veth pair
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip a
...
11: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
link/ether 76:d8:06:1a:b9:84 brd ff:ff:ff:ff:ff:ff
12: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ea:98:b6:3c:46:60 brd ff:ff:ff:ff:ff:ff
13: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether f2:f6:d8:6b:31:1f brd ff:ff:ff:ff:ff:ff
14: veth2@veth3: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 4a:7d:af:18:67:14 brd ff:ff:ff:ff:ff:ff
15: veth3@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether ca:b6:e4:eb:b7:15 brd ff:ff:ff:ff:ff:ff
16: veth4@veth5: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether f2:b3:5f:0e:3d:09 brd ff:ff:ff:ff:ff:ff
17: veth5@veth4: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 76:0c:87:b1:16:80 brd ff:ff:ff:ff:ff:ff將br0和n1,n3,n4連接
這時候如果把veth0加入n1的話會報錯,因為n1裡面已經有了一個veth0,可以換成其他名稱的veth。
將veth pair放如br0的指令為ip link set dev veth3 master br0
測試n1-n4之間的連通狀態
發現不同namespace之間無法ping通 。
這個問題折騰了很久,後來多配置了幾次有可以了。應該是之前漏掉了幾個步驟,完整的步驟應該包括以下幾步:# 啟動網橋(網橋只需要啟動一次就行) ip link set br0 up # 創建vethpair ip link add br-1 type veth peer name 1-br #將vethpair分配給網橋和namespace ip link set br-1 master br0 ip link set 1-br netns n1 #啟動veth ip link set br-1 up ip netns exec n1 ip link set 1-br up # 為namespace中的veth設置ip ip netns exec n1 ip addr add 10.0.10.2/24 dev 1-br重新測試,發現三個namespace可以相互ping通。
上述網橋對應的veth的ip其實可以省略
其拓撲結構如下
### namespace內部與namespace外部通信
預設情況下,namespace網路是隔離的,namespace內無法ping通namespace外的網路,可以通過veth pair打通網路狀態。
當veth pair一端在namespace內部,一端在namespace外部時,namespace可以ping通位於外部的veth pair但無法ping同其他網路。參考資料
https://cizixs.com/2017/02/10/network-virtualization-network-namespace/
