实战|Linux网络虚拟化namespace

新钛云服 2020-02-12

228

1. namespace常用命令练习

#查看namespace命令帮助
[root@localhost ~]# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id
#添加net1 namespace
[root@localhost ~]# ip netns add net1
#列出所有的namespace，下面两个命令效果相同
[root@localhost ~]# ip netns list
net1
[root@localhost ~]# ip netns ls
net1
#删除namespace
[root@localhost ~]# ip netns delete net1

#查看net1 namespace中的ip信息
[root@localhost ~]# ip netns add net1
[root@localhost ~]# ip netns exec net1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
#进入net1 namespace，进入之后可以直接查看IP信息，退出请输入exit
[root@localhost ~]# ip netns exec net1 bash
[root@localhost ~]# ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@localhost ~]# exit
exit
#为了避免进入namespace后混淆当前bash所在哪个namespace，可以给进入的namespace取名,通过echo 将“PS1=namespace net1> ”赋值给--rcfile，效果如下
[root@localhost ~]#ip netns exec net1  bash  --rcfile  <(echo "PS1=\"namespace net1> \"")
namespace net1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
namespace net1> exit
exit

2. 直接连通两个namespace

#创建两个namespace vnet1 vnet2,并查看各自的ip 信息
[root@localhost ~]# ip netns add vnet1
[root@localhost ~]# ip netns add vnet2
[root@localhost ~]# ip netns ls
vnet2
vnet1
[root@localhost ~]# ip netns exec vnet1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@localhost ~]# ip netns exec vnet2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

#创建用于连接两个namespace网络的连接线,ip link add type 后面可以跟bridge，veth，vlan，vxlan等等很多类型，详见帮助文档 ：man ip link add type
[root@localhost ~]# ip link add type veth
#创建完成后，使用ip link ，可以看到veth0@veth1和veth1@veth0两个网口，从名字上就能看出，这是一对，类似一个网线的两头
[root@localhost ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:94:36:38 brd ff:ff:ff:ff:ff:ff
3: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether d6:eb:7b:fb:19:b4 brd ff:ff:ff:ff:ff:ff
4: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 9e:98:c0:85:27:b0 brd ff:ff:ff:ff:ff:ff
#使用ifconfig -a查看的话，可以看到 veth0和veth1
[root@localhost ~]# ifconfig
veth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 22:47:9e:6e:e9:4f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether f2:db:9c:f2:89:0c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#将两个网卡分别连接到vnet1 和 vnet2 两个namespace中,此时宿主机上ifconfig已经看不到这两个网卡了
[root@localhost ~]# ip link set veth0 netns vnet1
[root@localhost ~]# ip link set veth1 netns vnet2
#vnet1的namespace中可以看到一个网卡veth0
[root@localhost ~]# ip netns exec vnet1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth0@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether d6:eb:7b:fb:19:b4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
#vnet1的namespace中可以看到一个网卡veth1
[root@localhost ~]# ip netns exec  vnet2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: veth1@if3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9e:98:c0:85:27:b0 brd ff:ff:ff:ff:ff:ff link-netnsid 0

#给vnet1的namespace中 veth0配置ip地址并up网卡
[root@localhost ~]# ip netns exec vnet1 ip link set veth0 up
[root@localhost ~]# ip netns exec vnet1 ip addr add 1.1.1.1/24 dev veth0
[root@localhost ~]# ip netns exec vnet1 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth0@if4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether d6:eb:7b:fb:19:b4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 1.1.1.1/24 scope global veth0
       valid_lft forever preferred_lft forever
#给vnet2的namespace中 veth1配置ip地址并up网卡
[root@localhost ~]# ip netns exec vnet2 ip addr add 1.1.1.2/24 dev veth1
[root@localhost ~]# ip netns exec vnet2 ip link set up veth1

#从vnet2的namespace中ping，vnet1 namespace中的ip 1.1.1.1 能Ping通，本实验完成
[root@localhost ~]# ip netns exec vnet2 ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.054 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.021 ms

3. 使用 Bridge 连接不同的 namespace


#安装网桥命令工具
[root@localhost ~]# yum install -y bridge-utils
#创建网桥br0，并将br0 up起来
[root@localhost ~]# ip link add br0  type bridge
[root@localhost ~]# ip link set dev br0 up
#查看网桥信息
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no
#创建一个网线，创建完成后会看到两个虚拟网卡veth0,veth1
[root@localhost ~]# ip link add type veth
[root@localhost ~]# ip link show
...
8: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether c6:b8:e7:c1:0d:e1 brd ff:ff:ff:ff:ff:ff
9: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 1a:a4:86:72:d4:8f brd ff:ff:ff:ff:ff:ff
...
#创建新的namespace vnet11
[root@localhost ~]# ip netns add vnet11
#将网线的一头veth0加到vnet11
[root@localhost ~]# ip link set veth0 netns vnet11
[root@localhost ~]# ip netns exec vnet11 ifconfig -a        
...
veth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether c6:b8:e7:c1:0d:e1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...
#将网卡veth0 up起来，并配置ip 2.1.1.1
[root@localhost ~]# ip netns exec vnet11 ip link set veth0 up
[root@localhost ~]# ip netns exec vnet11 ip addr add 2.1.1.1/24 dev veth0
[root@localhost ~]# ip netns exec vnet11 ifconfig -a
...
veth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 2.1.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        ether c6:b8:e7:c1:0d:e1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...
#将网线的另一头veth1，加入网桥br0,并up接口
[root@localhost ~]# ip link set dev veth1 master br0
[root@localhost ~]# ip link set veth1 up
#查看br0网桥的信息
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.1aa48672d48f       no              veth1
#使用相同的方式创建namespace vnet12，vnet13，再创建两根网线，分别一头接namespace一头接网桥br0，并分别配置ip 2.1.1.2和2.1.1.3；配置完成测试相互之间的连通性
#新建namespace vnet12
[root@localhost ~]# ip net add vnet12
[root@localhost ~]# ip link add type veth
#新创建的网线一头是veth0,一头是veth2
[root@localhost ~]# ip a
...
10: veth0@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ba:a7:03:e5:fa:70 brd ff:ff:ff:ff:ff:ff
11: veth2@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 92:ff:4d:98:ec:2a brd ff:ff:ff:ff:ff:ff
...
[root@localhost ~]# ip link set dev veth0 netns vnet12
[root@localhost ~]# ip netns exec vnet12 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
veth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether ba:a7:03:e5:fa:70  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#在namespace vnet12中的网卡名是veth0，up接口，并配置ip2.1.1.2
[root@localhost ~]# ip netns exec vnet12 ip link set veth0 up
[root@localhost ~]# ip netns exec vnet12 ip addr add 2.1.1.2/24 dev veth0
#将网线的另一头veth2加入br0
[root@localhost ~]# ip link set dev veth2  master br0
[root@localhost ~]# ip link set dev veth2 up
#查看网桥信息
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.1aa48672d48f       no              veth1
                                                        veth2
#创建namespace vnet13
[root@localhost ~]# ip netns add vnet13
#创建一根网线,一头是veth0,一头是veth3
[root@localhost ~]# ip link add type veth
[root@localhost ~]# ip a
...
12: veth0@veth3: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ce:5c:0c:dd:ad:eb brd ff:ff:ff:ff:ff:ff
13: veth3@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 26:03:63:39:6f:fd brd ff:ff:ff:ff:ff:ff
...
#将veth0加入vnet13 namespace，up接口，配置ip 2.1.1.3
[root@localhost ~]# ip link set dev veth0 netns vnet13
[root@localhost ~]# ip netns exec vnet13 ip link set veth0 up
[root@localhost ~]# ip netns exec vnet13 ip addr add 2.1.1.3/24 dev veth0
#将网线的另一头veth3加入br0
[root@localhost ~]# ip link set dev veth3 master br0
[root@localhost ~]# ip link set dev veth3 up
#查看网桥信息
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.1aa48672d48f       no              veth1
                                                        veth2
                                                        veth3
#查看namespace vnet11,vnet12,vnet13中的ip地址
[root@localhost ~]# ip netns exec vnet11 ifconfig
veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.1.1.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::c4b8:e7ff:fec1:de1  prefixlen 64  scopeid 0x20<link>
        ether c6:b8:e7:c1:0d:e1  txqueuelen 1000  (Ethernet)
        RX packets 28  bytes 2248 (2.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 936 (936.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# ip netns exec vnet12 ifconfig
veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.1.1.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::b8a7:3ff:fee5:fa70  prefixlen 64  scopeid 0x20<link>
        ether ba:a7:03:e5:fa:70  txqueuelen 1000  (Ethernet)
        RX packets 20  bytes 1592 (1.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 936 (936.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost ~]# ip netns exec vnet13 ifconfig
veth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.1.1.3  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::cc5c:cff:fedd:adeb  prefixlen 64  scopeid 0x20<link>
        ether ce:5c:0c:dd:ad:eb  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 656 (656.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#从namespace vnet11 ping namespace vnet12，vnet13中的ip验证连通性，能ping通，实验成功
[root@localhost ~]# ip netns exec vnet11 ping -c 2 2.1.1.2
PING 2.1.1.2 (2.1.1.2) 56(84) bytes of data.
64 bytes from 2.1.1.2: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 2.1.1.2: icmp_seq=2 ttl=64 time=0.049 ms
--- 2.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.045/0.047/0.049/0.002 ms
[root@localhost ~]# ip netns exec vnet11 ping -c 2 2.1.1.3
PING 2.1.1.3 (2.1.1.3) 56(84) bytes of data.
64 bytes from 2.1.1.3: icmp_seq=1 ttl=64 time=0.076 ms
64 bytes from 2.1.1.3: icmp_seq=2 ttl=64 time=0.022 ms
--- 2.1.1.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.022/0.049/0.076/0.027 ms

linux

文章转载自新钛云服，如果涉嫌侵权，请发送邮件至：contact@modb.pro进行举报，并提供相关证据，一经查实，墨天轮将立刻删除相关内容。

实战|Linux网络虚拟化namespace

1. namespace常用命令练习

2. 直接连通两个namespace

3. 使用 Bridge 连接不同的 namespace

评论