Demonstrating Linux network namespaces with the ip netns command


To support multiple instances of the network protocol stack, Linux introduced network namespaces into its network stack. Network stacks in different namespaces are completely isolated and cannot communicate with each other; by isolating network resources this way, several distinct network environments can be virtualised on a single host. Docker uses network namespaces to isolate the networks of different containers from one another.

Network namespace operations

List the network namespaces
ip netns list

Add a namespace
ip netns add <name>

Run a command inside a namespace
ip netns exec <name> <command>

Namespace demonstration

Add the network namespaces test1 and test2

ip netns add test1

ip netns add test2


Look at the interfaces in test1 and test2

[root@gundy ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@gundy ~]# ip netns exec test2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Each namespace has only the local loopback interface lo, and it is DOWN.

The two namespaces are connected with a veth device pair. Veth devices always come in pairs, much like two Ethernet NICs joined by a direct cable; one end is called the peer of the other.

Operating on the veth pair

Create the veth pair

[root@gundy ~]# ip link add veth-test1 type veth peer name veth-test2

After creating it, the pair's information can be viewed

[root@gundy ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
   link/ether 00:16:3e:0c:20:db brd ff:ff:ff:ff:ff:ff
3: veth-test2@veth-test1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
   link/ether 76:dd:e3:28:a2:46 brd ff:ff:ff:ff:ff:ff
4: veth-test1@veth-test2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
   link/ether 7a:42:dd:ee:76:46 brd ff:ff:ff:ff:ff:ff

Move veth-test1 into namespace test1

ip link set veth-test1 netns test1
[root@gundy ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:0c:20:db brd ff:ff:ff:ff:ff:ff
3: veth-test2@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 76:dd:e3:28:a2:46 brd ff:ff:ff:ff:ff:ff link-netns test1
    
// test1 now contains an extra interface, veth-test1
[root@gundy ~]# ip  netns exec  test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: veth-test1@if3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 7a:42:dd:ee:76:46 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Move veth-test2 into namespace test2

ip link set veth-test2 netns test2

So far both ends have only a MAC address, no IP address, and both are down. Now assign them IP addresses

ip netns exec test1 ip addr add 192.168.1.1/24 dev veth-test1
ip netns exec test2 ip addr add 192.168.1.2/24 dev veth-test2

Bring them up

ip netns exec test1 ip link set dev veth-test1 up
ip netns exec test2 ip link set dev veth-test2 up
[root@gundy ~]# ip netns exec test1 ip link set dev veth-test1 up
[root@gundy ~]# ip netns exec test2 ip link set dev veth-test2 up


[root@gundy ~]# ip netns exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: veth-test1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 7a:42:dd:ee:76:46 brd ff:ff:ff:ff:ff:ff link-netns test2
[root@gundy ~]# ip netns exec test2 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth-test2@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 76:dd:e3:28:a2:46 brd ff:ff:ff:ff:ff:ff link-netns test1

Both ends are now UP; check the IP addresses

[root@gundy ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
4: veth-test1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 7a:42:dd:ee:76:46 brd ff:ff:ff:ff:ff:ff link-netns test2
    inet 192.168.1.1/24 scope global veth-test1
       valid_lft forever preferred_lft forever
    inet6 fe80::7842:ddff:feee:7646/64 scope link
       valid_lft forever preferred_lft forever
       
[root@gundy ~]# ip netns exec test2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth-test2@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 76:dd:e3:28:a2:46 brd ff:ff:ff:ff:ff:ff link-netns test1
    inet 192.168.1.2/24 scope global veth-test2
       valid_lft forever preferred_lft forever
    inet6 fe80::74dd:e3ff:fe28:a246/64 scope link
       valid_lft forever preferred_lft forever

The two network namespaces test1 and test2 are now connected; verify with ping

[root@gundy ~]# ip netns exec test1 ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.033 ms
64 bytes from 192.168.1.2: icmp_seq=4 ttl=64 time=0.030 ms
--- 192.168.1.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 63ms
rtt min/avg/max/mdev = 0.030/0.036/0.043/0.009 ms


[root@gundy ~]# ip netns exec test2 ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.033 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.036 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=0.046 ms
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 104ms
rtt min/avg/max/mdev = 0.020/0.034/0.046/0.009 ms

The resulting state, which the post shows as a diagram: test1 and test2 joined by the veth pair, veth-test1 (192.168.1.1/24) in test1 and veth-test2 (192.168.1.2/24) in test2.
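The whole procedure above collected into one repeatable script. This is an added example, not code from the original post: it creates the namespaces, the veth pair and the addresses exactly as the post does, then adds checks the post does not show: that the veth end reports state UP, that ping succeeds in both directions, and that neither namespace has a default route, so nothing inside them can reach the host's network unless a route or bridge is added deliberately. It also brings up lo in both namespaces, which the post's output shows is still DOWN in test2. It assumes root, iproute2 (ip) and ping; the namespace, interface and address values are the post's own, and the interface-name length check reflects the kernel's 15-character limit on link names.

```shell
#!/bin/sh
# Added example, not part of the original post: builds the test1/test2 veth
# topology from the article as a repeatable script ("up"), checks it, and
# tears it down ("down"). Requires root and iproute2; names and addresses
# are the ones used in the post.
set -eu

NS1=test1;       NS2=test2
IF1=veth-test1;  IF2=veth-test2
IP1=192.168.1.1; IP2=192.168.1.2
PREFIX=24

# A link name must be 1..15 characters (IFNAMSIZ minus the terminator) and
# free of '/' and whitespace; `ip link add` rejects anything longer, so check
# before creating anything rather than fail half-way through the setup.
ifname_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the operational state ("UP", "DOWN", "UNKNOWN") from one `ip link`
# line such as "4: veth-test1@if3: <BROADCAST,...> mtu 1500 qdisc noqueue state UP ...".
link_state() {
    printf '%s\n' "$1" | sed -n 's/.* state \([A-Z]*\).*/\1/p'
}

# Succeed if `ip netns list` reports namespace $1 (first field; newer
# iproute2 appends an "(id: N)" suffix that must be ignored).
netns_exists() {
    ip netns list | awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

setup() {
    for ifn in "$IF1" "$IF2"; do
        ifname_ok "$ifn" || { echo "bad interface name: $ifn" >&2; return 1; }
    done
    for ns in "$NS1" "$NS2"; do
        netns_exists "$ns" || ip netns add "$ns"
    done
    # Step 1 of the post: create the pair in the host namespace ...
    ip link add "$IF1" type veth peer name "$IF2"
    # ... step 2: move each end into its namespace.
    ip link set "$IF1" netns "$NS1"
    ip link set "$IF2" netns "$NS2"
    # Step 3: address and bring up each end. lo is brought up too (beyond the
    # post, whose output shows it DOWN in test2) so local sockets work.
    ip netns exec "$NS1" ip addr add "$IP1/$PREFIX" dev "$IF1"
    ip netns exec "$NS2" ip addr add "$IP2/$PREFIX" dev "$IF2"
    ip netns exec "$NS1" ip link set dev "$IF1" up
    ip netns exec "$NS2" ip link set dev "$IF2" up
    ip netns exec "$NS1" ip link set dev lo up
    ip netns exec "$NS2" ip link set dev lo up
}

# Checks: the end is UP, the pair carries traffic both ways, and neither
# namespace has a default route, i.e. the isolation the article describes
# still holds and nothing inside can reach the host's network by accident.
verify() {
    state=$(link_state "$(ip netns exec "$NS1" ip link show "$IF1" | head -n 1)")
    [ "$state" = UP ] || { echo "$IF1 is $state, expected UP" >&2; return 1; }
    ip netns exec "$NS1" ping -c 3 -W 1 "$IP2" >/dev/null
    ip netns exec "$NS2" ping -c 3 -W 1 "$IP1" >/dev/null
    for ns in "$NS1" "$NS2"; do
        if ip netns exec "$ns" ip route | grep -q '^default'; then
            echo "$ns has a default route; it is not isolated" >&2
            return 1
        fi
    done
    echo "ok: $NS1 <-> $NS2 reachable, no default route in either"
}

# Deleting a namespace destroys the veth end inside it, and the kernel removes
# the peer with it, so removing the two namespaces removes the whole topology.
teardown() {
    for ns in "$NS1" "$NS2"; do
        if netns_exists "$ns"; then ip netns del "$ns"; fi
    done
}

case "${1:-}" in
    up)   teardown; setup; verify ;;
    down) teardown ;;
    *)    echo "usage: $0 up|down (run as root)" >&2 ;;
esac
```

Save it under any name (netns-demo.sh here is just a placeholder) and run `sh netns-demo.sh up` to build and verify, `sh netns-demo.sh down` to remove. `up` tears down any previous copy first, so it can be re-run after a failed attempt; `down` needs no `ip link del` because deleting the namespaces takes the veth pair with them.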