Docker Container Network Configuration

1. Creating namespaces at the Linux kernel level

1.1 The ip netns command

All operations on a Network Namespace can be carried out with the ip netns command. ip netns comes from the iproute package, which most systems install by default; if it is missing, install it yourself.

[root@localhost ~]# dnf -y install iproute

Note: ip netns needs sudo privileges when it modifies network configuration.

ip netns covers all the Network Namespace operations; run ip netns help to see the command's help text:

[root@localhost ~]# ip netns help
Usage:  ip netns list
    ip netns add NAME
    ip netns attach NAME PID
    ip netns set NAME NETNSID
    ip [-all] netns delete [NAME]
    ip netns identify [PID]
    ip netns pids NAME
    ip [-all] netns exec [NAME] cmd ...
    ip netns monitor
    ip netns list-id [target-nsid POSITIVE-INT] [nsid POSITIVE-INT]
NETNSID := auto | POSITIVE-INT

By default a Linux system has no Network Namespaces, so ip netns list returns nothing.

1.2 Creating a Network Namespace

Create a namespace named ns0 with the following command:

[root@localhost ~]# ip netns list
[root@localhost ~]# ip netns add ns0
[root@localhost ~]# ip netns list
ns0

A newly created Network Namespace appears under /var/run/netns/. If a namespace with the same name already exists, the command fails with Cannot create namespace file "/var/run/netns/ns0": File exists.

[root@localhost ~]# ls /var/run/netns/
ns0
[root@localhost ~]# ip netns add ns0
Cannot create namespace file "/var/run/netns/ns0": File exists

Each Network Namespace has its own independent network interfaces, routing table, ARP table, iptables rules and other network-related resources.

Extension:

Q: Can a namespace ns2 be created by creating a file directly in /var/run/netns/?

[root@localhost ~]# touch /var/run/netns/ns2
[root@localhost ~]# ip netns list
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
ns2
ns0

As the output shows, this does not work: the plain file is listed by name, but ip netns list reports it as an invalid namespace reference.
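Why the touched file fails, as an added check that is not part of the original post: every entry ip netns creates under /var/run/netns is a bind mount of the namespace's nsfs inode, while a file made with touch is an ordinary file on the directory's own filesystem. The helper below, which assumes GNU coreutils stat (stat -f -c %T prints the filesystem type), tells the two apart and lists the entries that are not real namespace handles, which is what an administrator wants to find and remove once ip netns list starts printing Peer netns reference is invalid.

```shell
#!/bin/sh
# Added example (not from the original post): distinguish real netns handles from stray files.
# Assumes GNU coreutils stat. A real entry under /var/run/netns is a bind mount of an nsfs
# inode, so `stat -f` reports "nsfs" for it; a file created with touch reports the type of
# the directory's own filesystem instead (tmpfs on most systems).

netns_is_valid() {
    # $1: path to a namespace handle. Returns 0 only when the path is backed by nsfs.
    [ -e "$1" ] || return 1
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "nsfs" ]
}

netns_check_dir() {
    # $1: directory to scan (default /var/run/netns). Prints the names of entries that are
    # NOT valid namespace handles, one per line, and returns 1 if any were found.
    dir="${1:-/var/run/netns}"
    bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob is left unexpanded
        if ! netns_is_valid "$f"; then
            printf '%s\n' "${f##*/}"
            bad=1
        fi
    done
    return $bad
}

# Usage on a host: netns_check_dir || echo "entries above are not namespaces; remove them with rm -f"
```

The check reads only filesystem metadata, so it needs no root and never enters a namespace; a stray file is removed with rm -f, after which ip netns list is clean again.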

1.3 Operating on a Network Namespace

The ip command provides the ip netns exec subcommand for running a command inside a given Network Namespace.

View the interface information of the newly created Network Namespace:

[root@localhost ~]# ip netns exec ns0 ip a
1: lo:  mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

As can be seen, a new Network Namespace gets a lo loopback interface by default, but the interface is down at this point. Pinging lo now reports Network is unreachable:

[root@localhost ~]# ip netns exec ns0 ping 127.0.0.1
connect: Network is unreachable

Bring up the lo loopback interface with the following command:

[root@localhost ~]# ip netns exec ns0 ip link set lo up
[root@localhost ~]# ip netns exec ns0 ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
[root@localhost ~]# ip netns exec ns0 ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.031 ms
^C
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.051/0.051/0.051/0.000 ms

As can be seen, the veth pair successfully enables network communication between two different Network Namespaces.

1.8 Renaming a veth device

A device must be brought down before it can be renamed:
[root@localhost ~]# ip netns exec ns0 ip link set dev veth0 name zsl0
RTNETLINK answers: Device or resource busy

Bring veth0 down:
[root@localhost ~]# ip netns exec ns0 ip link set veth0 down

Rename veth0 to zsl0:
[root@localhost ~]# ip netns exec ns0 ip link set dev veth0 name zsl0

Bring zsl0 up:
[root@localhost ~]# ip netns exec ns0 ip link set zsl0 up

Check that the rename took effect:
[root@localhost ~]# ip netns exec ns0 ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
14: zsl0@if15:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 92:53:e7:1c:f2:8c brd ff:ff:ff:ff:ff:ff link-netns ns1
    inet 192.168.100.1/24 scope global zsl0
       valid_lft forever preferred_lft forever
    inet6 fe80::9053:e7ff:fe1c:f28c/64 scope link
       valid_lft forever preferred_lft forever

Extension:

Create a veth pair, put one end in namespace a1 and keep the other on the host, assign IP addresses to both ends: can the two communicate?

Create namespace a1:
[root@localhost ~]# ip netns add a1
[root@localhost ~]# ip netns list
a1

Create the veth pair:
[root@localhost ~]# ip link add type veth

Move veth1 into a1:
[root@localhost ~]# ip link set veth1 netns a1

Bring up the virtual interfaces on the host and in a1:
[root@localhost ~]# ip link set veth0 up
[root@localhost ~]# ip netns exec a1 ip link set lo up
[root@localhost ~]# ip netns exec a1 ip link set veth1 up

Assign an IP address to the host's veth0:
[root@localhost ~]# ip addr add 192.168.200.1/24 dev veth0
[root@localhost ~]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:bb:22:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.135/24 brd 192.168.111.255 scope global dynamic noprefixroute ens160
       valid_lft 1524sec preferred_lft 1524sec
    inet6 fe80::3d5c:b9d6:55f:48e9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: docker0:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ac:46:f8:53 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: veth0@if5:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 2e:f3:88:07:d4:97 brd ff:ff:ff:ff:ff:ff link-netns a1
    inet 192.168.200.1/24 scope global veth0
       valid_lft forever preferred_lft forever
    inet6 fe80::2cf3:88ff:fe07:d497/64 scope link
       valid_lft forever preferred_lft forever

Assign an IP address to veth1 in a1:
[root@localhost ~]# ip netns exec a1 ip addr add 192.168.200.2/24 dev veth1
[root@localhost ~]# ip netns exec a1 ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: veth1@if4:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:87:cf:df:f6:46 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.200.2/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::4887:cfff:fedf:f646/64 scope link
       valid_lft forever preferred_lft forever

Test by pinging veth1 in namespace a1 from the host:
[root@localhost ~]#  ping 192.168.200.2
PING 192.168.200.2 (192.168.200.2) 56(84) bytes of data.

64 bytes from 192.168.200.2: icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from 192.168.200.2: icmp_seq=2 ttl=64 time=0.095 ms
^C
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.028/0.070/0.113 ms
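The host-to-namespace procedure above (create the namespace, create the pair, move one end, bring the links up, address both ends, ping) together with the down/rename/up sequence from 1.8, collected into one script. This is an added example, not code from the original post; it assumes root and iproute2, names the two ends explicitly instead of relying on the kernel-assigned veth0/veth1 (so a host that already has a veth0 is not touched by mistake), and the interface names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes root and iproute2; interface names
# and addresses are constructed for the example.
set -eu

cidr_addr() {
    # 192.168.200.1/24 -> 192.168.200.1 (the address without its prefix length)
    printf '%s\n' "${1%%/*}"
}

veth_pair_create() {
    # $1 namespace, $2 host-side interface, $3 namespace-side interface,
    # $4 host-side address (CIDR), $5 namespace-side address (CIDR)
    ns=$1; host_if=$2; ns_if=$3; host_cidr=$4; ns_cidr=$5
    ip netns add "$ns"
    # Explicit names: `ip link add type veth` lets the kernel pick veth0/veth1, which
    # collides with any veth0 that already exists on the host.
    ip link add "$host_if" type veth peer name "$ns_if"
    ip link set "$ns_if" netns "$ns"
    ip link set "$host_if" up
    ip addr add "$host_cidr" dev "$host_if"
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" ip link set "$ns_if" up
    ip netns exec "$ns" ip addr add "$ns_cidr" dev "$ns_if"
}

ns_link_rename() {
    # $1 namespace, $2 old name, $3 new name. The kernel refuses to rename a device that
    # is up ("Device or resource busy"), so: down, rename, up. Addresses stay on the device.
    ip netns exec "$1" ip link set "$2" down
    ip netns exec "$1" ip link set dev "$2" name "$3"
    ip netns exec "$1" ip link set "$3" up
}

ns_can_reach() {
    # $1 namespace, $2 target address: one ping with a one-second timeout, sent from
    # inside the namespace. Returns 0 on a reply.
    ip netns exec "$1" ping -c 1 -W 1 "$2" >/dev/null 2>&1
}

veth_pair_destroy() {
    # $1 namespace, $2 host-side interface. Deleting one end of a veth pair removes the
    # peer as well; the namespace goes last so nothing is left behind under /var/run/netns.
    ip link del "$2" 2>/dev/null || true
    ip netns del "$1" 2>/dev/null || true
}

# Stand-alone run (`sh script.sh demo`): reproduce the a1 experiment, then rename the
# namespace-side device the way 1.8 does, and tear everything down on exit.
if [ "${1:-}" = "demo" ]; then
    trap 'veth_pair_destroy a1 veth-host' EXIT
    veth_pair_create a1 veth-host veth1 192.168.200.1/24 192.168.200.2/24
    ns_link_rename a1 veth1 zsl1
    ns_can_reach a1 "$(cidr_addr 192.168.200.1/24)" && echo "a1 can reach the host end"
    ping -c 1 -W 1 192.168.200.2 >/dev/null && echo "host can reach a1"
fi
```

The answer to the question is yes, and that is the point worth keeping in mind when a host end of a veth pair is given an address: a namespace isolates the network stack, not the host's listeners, so any host service bound to 0.0.0.0 is reachable from inside the namespace over 192.168.200.1 unless the host firewall says otherwise. The cleanup function deletes the host end first because removing either end of a veth pair removes its peer.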

3.3 Manually specifying the DNS a container uses

[root@localhost ~]# docker run -it --rm --hostname zsl --dns 8.8.8.8 busybox
/ # cat /etc/resolv.conf
search localdomain
nameserver 8.8.8.8
/ # cat /etc/hostname
zsl
/ # ping www.baidu.com
PING www.baidu.com (36.152.44.95): 56 data bytes
64 bytes from 36.152.44.95: seq=0 ttl=127 time=20.362 ms
64 bytes from 36.152.44.95: seq=1 ttl=127 time=35.127 ms
^C
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.043/0.043/0.043 ms

/ # ping zsl2
PING zsl2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.149 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.162 ms
^C
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.102/0.114/0.127 ms

Attach c2 to the bridge network:
[root@localhost ~]# docker network connect bridge c2

In container c2:
/ # ip a
1: lo: mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: mtu 1500 qdisc noqueue
    link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
17: eth1@if18: mtu 1500 qdisc noqueue
    link/ether 02:42:c0:a8:64:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.3/24 brd 192.168.100.255 scope global eth1
       valid_lft forever preferred_lft forever

Ping c1 to test:
/ # ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: seq=0 ttl=64 time=0.226 ms
64 bytes from 192.168.100.2: seq=1 ttl=64 time=0.088 ms
^C

Original: https://www.cnblogs.com/Alone-8712/p/16570699.html
Author: Alone-林
Title: Docker Container Network Configuration (Docker容器网络配置)

Original articles are protected by copyright. Please credit the source when reposting: https://www.johngo689.com/578534/
