Docker: the container network isolation model

Posted by IT网事


1. Namespaces

Docker wires its network namespaces together with a virtual network device called a veth pair. A veth pair is a pair of virtual interfaces that always come together: a frame sent into one end comes out of the other. The following reproduces this with ip netns.

Create two namespaces, ns1 and ns2. By default each namespace contains only a lo interface.

[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns add ns2
[root@localhost ~]# ip netns list
ns2
ns1

Create the veth pair. While both ends sit in the same namespace, ip link names each end's peer directly (veth-eth1@veth-eth0).

[root@localhost ~]# ip link add name veth-eth0 type veth peer name veth-eth1
[root@localhost ~]# ip link
66: veth-eth1@veth-eth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether a2:a7:8d:79:c3:93 brd ff:ff:ff:ff:ff:ff
67: veth-eth0@veth-eth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 8e:34:7a:97:e9:54 brd ff:ff:ff:ff:ff:ff

Move veth-eth0 into namespace ns1. It is then no longer visible on the host; the host end now shows its peer only as an interface index in another namespace (veth-eth1@if67).

[root@localhost ~]# ip link set dev veth-eth0 netns ns1
[root@localhost ~]# ip link
66: veth-eth1@if67: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether a2:a7:8d:79:c3:93 brd ff:ff:ff:ff:ff:ff link-netnsid 3

Look at the network inside ns1.

[root@localhost ~]# ip netns exec ns1 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
67: veth-eth0@if66: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 8e:34:7a:97:e9:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0

Assign an address to each end and bring both ends up: 100.1.1.2/24 on veth-eth0 inside ns1, 100.1.1.1/24 on veth-eth1 on the host.

[root@localhost ~]# ip netns exec ns1 ip addr add 100.1.1.2/24 dev veth-eth0
[root@localhost ~]# ip netns exec ns1 ip link set dev veth-eth0 up
[root@localhost ~]# ip netns exec ns1 ip a
67: veth-eth0@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8e:34:7a:97:e9:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 100.1.1.2/24 scope global veth-eth0
       valid_lft forever preferred_lft forever
[root@localhost ~]# ip addr add 100.1.1.1/24 dev veth-eth1
[root@localhost ~]# ip link set dev veth-eth1 up
[root@localhost ~]# ip a
66: veth-eth1@if67: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether a2:a7:8d:79:c3:93 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet 100.1.1.1/24 scope global veth-eth1
       valid_lft forever preferred_lft forever

Both directions are reachable: host to ns1, and ns1 to host.

[root@localhost ~]# ping 100.1.1.2
PING 100.1.1.2 (100.1.1.2) 56(84) bytes of data.
64 bytes from 100.1.1.2: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 100.1.1.2: icmp_seq=2 ttl=64 time=0.079 ms
[root@localhost ~]# ip netns exec ns1 ping 100.1.1.1
PING 100.1.1.1 (100.1.1.1) 56(84) bytes of data.
64 bytes from 100.1.1.1: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 100.1.1.1: icmp_seq=2 ttl=64 time=0.076 ms

Confirm which end belongs to which: ethtool -S reports each end's peer_ifindex, and it matches the @ifNN suffix that ip a shows on the other end (veth-eth1 is index 66 with peer 67, veth-eth0 is index 67 with peer 66).

[root@localhost ~]# ethtool -S veth-eth1
NIC statistics:
     peer_ifindex: 67
[root@localhost ~]# ip a
66: veth-eth1@if67: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a2:a7:8d:79:c3:93 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet 100.1.1.1/24 scope global veth-eth1
       valid_lft forever preferred_lft forever
[root@localhost ~]# ip netns exec ns1 ethtool -S veth-eth0
NIC statistics:
     peer_ifindex: 66
[root@localhost ~]# ip netns exec ns1 ip a
67: veth-eth0@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8e:34:7a:97:e9:54 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 100.1.1.2/24 scope global veth-eth0
       valid_lft forever preferred_lft forever
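The whole of section 1 as one script, added here as an example; it is not code from the original post. It creates the namespaces and the veth pair, assigns the addresses, pings in both directions, and then checks the pairing automatically by parsing the @ifNN suffix from ip -o link and the peer_ifindex statistic from ethtool -S, the two signals the post reads by eye above. The namespace, interface and address names are the post's own; the helper names (veth_own_index, veth_peer_index, ethtool_peer_index, veth_pair_consistent, run_veth_lab, cleanup_veth_lab) and the RUN_VETH_LAB switch are assumptions of this example. The netns and veth steps need root and iproute2; the parsing helpers are plain text processing and run as any user.

```shell
#!/bin/sh
# Added example (not the original post's code): section 1's veth-pair lab as a
# script. Namespace, interface and address names are the post's own; the helper
# names and the RUN_VETH_LAB switch are assumptions of this example.
# The netns/veth steps need root (CAP_NET_ADMIN) and iproute2; the parsing
# helpers are pure text processing and run as any user.

# Own ifindex from one `ip -o link` line: "66: veth-eth1@if67: <...>" -> 66
veth_own_index() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\): .*/\1/p'
}

# Peer ifindex from the "@ifNN" suffix of the same line -> 67.
# Prints nothing while both ends share a namespace ("veth-eth1@veth-eth0"),
# because the kernel then shows the peer's name instead of its index.
veth_peer_index() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*: [^@]*@if\([0-9][0-9]*\):.*/\1/p'
}

# Peer ifindex from `ethtool -S <veth>` output ("  peer_ifindex: 67") -> 67
ethtool_peer_index() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*peer_ifindex: \([0-9][0-9]*\).*/\1/p'
}

# True when two `ip -o link` lines describe the two ends of one veth pair:
# each side's @if index must equal the other side's own index.
veth_pair_consistent() {
    a_own=$(veth_own_index "$1"); a_peer=$(veth_peer_index "$1")
    b_own=$(veth_own_index "$2"); b_peer=$(veth_peer_index "$2")
    if [ -n "$a_peer" ] && [ "$a_peer" = "$b_own" ] && [ "$b_peer" = "$a_own" ]; then
        return 0
    fi
    return 1
}

run_veth_lab() {
    ip netns add ns1
    ip netns add ns2                      # created in the post, unused below
    ip link add name veth-eth0 type veth peer name veth-eth1
    ip link set dev veth-eth0 netns ns1   # this end disappears from the host
    ip netns exec ns1 ip addr add 100.1.1.2/24 dev veth-eth0
    ip netns exec ns1 ip link set dev veth-eth0 up
    ip addr add 100.1.1.1/24 dev veth-eth1
    ip link set dev veth-eth1 up
    ping -c 2 -W 1 100.1.1.2 || return 1                     # host -> ns1
    ip netns exec ns1 ping -c 2 -W 1 100.1.1.1 || return 1   # ns1 -> host
    # Cross-check the pairing the post reads by eye from ethtool and ip a.
    host_line=$(ip -o link show dev veth-eth1)
    ns_line=$(ip netns exec ns1 ip -o link show dev veth-eth0)
    veth_pair_consistent "$host_line" "$ns_line" \
        || { echo "veth ends do not match" >&2; return 1; }
    [ "$(ethtool_peer_index "$(ethtool -S veth-eth1)")" = "$(veth_own_index "$ns_line")" ] \
        || { echo "ethtool peer_ifindex disagrees with ip link" >&2; return 1; }
    echo "veth pair verified: host $(veth_own_index "$host_line") <-> ns1 $(veth_own_index "$ns_line")"
}

# Deleting a namespace destroys the interfaces in it, and destroying one end
# of a veth removes the other, so the host end normally vanishes with ns1.
cleanup_veth_lab() {
    ip netns del ns1 2>/dev/null || true
    ip netns del ns2 2>/dev/null || true
    ip link del veth-eth1 2>/dev/null || true
}

if [ "${RUN_VETH_LAB:-0}" = 1 ]; then
    trap cleanup_veth_lab EXIT
    run_veth_lab
fi
```

Run it as root with RUN_VETH_LAB=1 sh veth-lab.sh; the trap removes the namespaces even when a ping or the pairing check fails, which is what the post's manual session lacks. The pairing check is the useful part in practice: on a host with many veths, the @ifNN suffix and peer_ifindex are the only reliable way to tell which host-side interface belongs to which namespace, and the suffix alone is ambiguous because interface indices are only unique within a namespace, hence the link-netnsid shown beside it.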


2. Namespaces in Docker

Create a container and look at its network.

[root@localhost ~]# docker run -it --name c-1 busybox
/ # ip a
68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

The same can be seen from the host with ip netns (the equivalent command run through the container is docker exec f62183446756 ip a). ip netns only sees namespaces listed under /var/run/netns, so the container's network namespace is linked there under the name of the container process's PID.

[root@localhost ~]# mkdir /var/run/netns
[root@localhost netns]# nspid=$(docker inspect -f '{{.State.Pid}}' c-1)
[root@localhost netns]# ln -s /proc/$nspid/ns/net /var/run/netns/$nspid
[root@localhost netns]# ip netns exec $nspid ip a
68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Add a second interface to the running container: create another veth pair, attach the host end (eth10) to the docker0 bridge, and move the other end (eth11) into the container's namespace.

[root@localhost netns]# ip link add eth10 type veth peer name eth11
[root@localhost netns]# brctl addif docker0 eth10
[root@localhost netns]# ip link set eth10 up
[root@localhost netns]# ip link set eth11 netns $nspid
[root@localhost netns]# ip netns exec $nspid ip link set eth11 up
[root@localhost netns]# ip netns exec $nspid ip addr add 172.17.0.10/24 dev eth11
[root@localhost netns]# ip netns exec $nspid ip a
68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
70: eth11@if71: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 36:bb:f9:48:ad:6c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.10/24 scope global eth11
       valid_lft forever preferred_lft forever
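Section 2's procedure as functions, added here as an example that is not code from the original post, together with the check a defender wants after seeing it: an interface attached this way exists only in the kernel, Docker has no record of it, so an audit that compares what the container's namespace actually holds against what Docker is expected to have created is the way to notice one. The container name c-1, the bridge docker0, the interface names eth10/eth11 and the address 172.17.0.10/24 are the post's own; the function names, the RUN_CONTAINER_NIC_DEMO switch and the operator-supplied "expected interfaces" list are assumptions of this example. The attach and audit functions need root, iproute2 and a running Docker; unexpected_ifaces is plain text processing and runs anywhere.

```shell
#!/bin/sh
# Added example (not the original post's code): section 2's procedure as
# functions, plus an audit for interfaces that Docker did not create.
# c-1, docker0, eth10/eth11 and 172.17.0.10/24 are the post's own values; the
# function names, the RUN_CONTAINER_NIC_DEMO switch and the expected-interface
# list are assumptions of this example. Needs root, iproute2 and Docker.

# Interface names in `ip -o link` output ("70: eth11@if71: <...>" -> eth11)
# that are not in the space-separated list $2; one name per line.
unexpected_ifaces() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*: \([^@: ]*\).*/\1/p' |
    while IFS= read -r name; do
        case " $2 " in
            *" $name "*) ;;                 # known interface, ignore
            *) printf '%s\n' "$name" ;;     # not in the expected list
        esac
    done
}

# Register the container's network namespace under its PID, as the post does,
# so that `ip netns exec <pid>` reaches it. Prints the PID.
register_container_netns() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "$1 is not running" >&2; return 1; }
    mkdir -p /var/run/netns
    ln -sf "/proc/$pid/ns/net" "/var/run/netns/$pid"
    printf '%s\n' "$pid"
}

# Give the running container a second veth: host end eth10 on docker0,
# container end eth11. `ip link set ... master docker0` does what the post's
# `brctl addif docker0 eth10` does, without needing bridge-utils installed.
attach_second_nic() {
    nspid="$1"
    ip link add eth10 type veth peer name eth11
    ip link set eth10 master docker0
    ip link set eth10 up
    ip link set eth11 netns "$nspid"
    ip netns exec "$nspid" ip link set eth11 up
    ip netns exec "$nspid" ip addr add 172.17.0.10/24 dev eth11
}

# Report interfaces in the container's namespace beyond the ones Docker is
# expected to have created (lo plus one ethN per attached Docker network).
# Returns 1 if any were found.
audit_container_ifaces() {
    extra=$(unexpected_ifaces "$(ip netns exec "$1" ip -o link)" "$2")
    if [ -n "$extra" ]; then
        printf 'netns %s has interfaces Docker did not create: %s\n' "$1" "$extra" >&2
        return 1
    fi
    return 0
}

if [ "${RUN_CONTAINER_NIC_DEMO:-0}" = 1 ]; then
    nspid=$(register_container_netns c-1) || exit 1
    audit_container_ifaces "$nspid" "lo eth0"     # clean before the attach
    attach_second_nic "$nspid"
    audit_container_ifaces "$nspid" "lo eth0"     # now reports eth11
    ip netns exec "$nspid" ip a
fi
```

Two practical notes. docker inspect will keep listing only eth0's 172.17.0.4 for c-1 after this, because Docker never learns about eth11; anything that derives a container's expected addresses from Docker's own state (inventories, per-container firewall rules keyed on the container IP) is therefore blind to the second interface, which is why the audit reads the namespace directly. And the post assigns 172.17.0.10/24 while docker0 itself is a /16 on this host (see the 172.17.0.4/16 on eth0); the value is kept as the post has it, but a mask that does not match the bridge's subnet gives the container a different idea of what is on-link than its neighbours have.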
