Linux network namespace 實踐

操作 namespace

[root@compute1 ~]# ip netns help
Usage: ip netns list	# 查看
       ip netns add NAME	# 增加
       ip netns set NAME NETNSID	# 設置 id
       ip [-all] netns delete [NAME]	# 刪除
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...	# 在 namespace 中執行命令
       ip netns monitor
       ip netns list-id

創建 network namespace

# Create a named network namespace (the walkthrough runs as root).
ip netns add test1
# List the named namespaces.
ip netns list
# Each namespace created this way also shows up as an entry in this directory.
ls /var/run/netns/

默認情況下,network namespace 與主機以及其他 namespace 的網絡是相互隔離的,無法直接通信;可以使用 Linux 提供的 veth-pair 來完成通信。

兩個 namespace 通信

topo

配置

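# Create one veth pair with explicit names rather than relying on the kernel's
# automatic vethN numbering: if a vethN already exists on the host, the
# auto-assigned names shift and the later "ip link set veth0 ..." steps would
# act on the wrong interface or fail.
ip link add veth0 type veth peer name veth1
# Inspect the result; the listing that follows shows both ends in state DOWN.
ip addr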
	6: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
  	    link/ether f6:f3:55:aa:12:8d brd ff:ff:ff:ff:ff:ff
	7: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
	    link/ether f6:cf:c5:bf:35:e1 brd ff:ff:ff:ff:ff:ff
# Create the two network namespaces.
ip netns add net-1
ip netns add net-2
# Move one end of the veth pair into each namespace.
ip link set veth0 netns net-1
ip link set veth1 netns net-2
# Bring each end up from inside the namespace that now owns it.
ip netns exec net-1 ip link set veth0 up
ip netns exec net-2 ip link set veth1 up
# Assign addresses from the same /24 ("ip add add" is an accepted iproute2
# abbreviation of "ip addr add").
# NOTE(review): 1.1.1.0/24 is publicly routed address space. Traffic stays
# local here because each namespace only has the connected route over its
# veth, but a reserved range (RFC 1918, or RFC 5737 such as 192.0.2.0/24)
# avoids shadowing a real service if this lab is ever given a route out.
ip netns exec net-1 ip add add 1.1.1.1/24 dev veth0
ip netns exec net-2 ip add add 1.1.1.2/24 dev veth1
# Verify reachability; without -c this ping runs until interrupted (Ctrl-C).
ip netns exec net-1 ping 1.1.1.2
---
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.155 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.042 ms
^C
--- 1.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1009ms
rtt min/avg/max/mdev = 0.042/0.098/0.155/0.057 ms
-------------------------------------------------------
# Verify the reverse direction as well; stop with Ctrl-C (or bound it with -c N).
ip netns exec net-2 ping 1.1.1.1
---
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.116 ms
^C
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.116/0.116/0.116/0.000 ms

多個 namespace 通信

多個 namespace 之間的通信可以使用 bridge 來橋接;否則每兩個 namespace 之間都要添加一對 veth-pair,非常麻煩。注意:接入同一個 bridge 的 namespace 處於同一個二層廣播域,彼此之間不再有網絡隔離;若仍需要隔離,應在 bridge 端口或各 namespace 內另行配置過濾規則。
topo

配置:

創建 bridge 並開啓
# Create the bridge in the namespace this shell runs in (no "ip netns exec",
# so the host namespace in this walkthrough) and bring it up.
ip link add br0 type bridge
ip link set br0 up

創建 3 對 veth-pair

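# Create three veth pairs with explicit names. Relying on the kernel's
# automatic vethN numbering breaks the later steps whenever a vethN already
# exists on the host, because the generated names no longer line up with
# veth0..veth5.
ip link add veth0 type veth peer name veth1
ip link add veth2 type veth peer name veth3
ip link add veth4 type veth peer name veth5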

查看創建的 veth-pair
這裏可以看到一對 veth-pair 用 @ 相連。例如:veth0@veth1、veth1@veth0,說明這兩個網卡是一對。

[root@compute1 ~]# ip addr
	8: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
  	    link/ether f6:f3:55:fa:12:9d brd ff:ff:ff:ff:ff:ff
	9: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
	    link/ether f6:cf:c5:ef:55:ef brd ff:ff:ff:ff:ff:ff
	10: veth2@veth3: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
	    link/ether e6:4f:21:36:b0:8f brd ff:ff:ff:ff:ff:ff
	11: veth3@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
	    link/ether 3a:3d:c0:7a:99:1c brd ff:ff:ff:ff:ff:ff
	12: veth4@veth5: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
	    link/ether c6:e0:0f:93:1c:03 brd ff:ff:ff:ff:ff:ff
	13: veth5@veth4: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
	    link/ether d6:db:ea:f9:21:06 brd ff:ff:ff:ff:ff:ff
創建 3 個 netns
# Create the three namespaces. "ip netns add" fails if a namespace of the
# same name is still present, so remove net-1/net-2 left over from the
# two-namespace example first ("ip netns delete NAME"); deleting a namespace
# also destroys the veth interfaces that were moved into it.
ip netns add net-1
ip netns add net-2
ip netns add net-3
# List the namespaces to confirm.
ip netns list
net-1
net-2
net-3 
將 3對 veth-pair 的一端加入不同的 netns ,另一端加入 br0 ,並開啓端口
# Move one end of each veth pair into its own namespace.
ip link set veth0 netns net-1
ip link set veth2 netns net-2
ip link set veth4 netns net-3
# Bring the namespace-side ends up.
ip netns exec net-1 ip link set veth0 up
ip netns exec net-2 ip link set veth2 up
ip netns exec net-3 ip link set veth4 up
# Assign addresses from one shared /24 so the three namespaces are on-link
# to each other ("ip add add" abbreviates "ip addr add").
# NOTE(review): 1.1.1.0/24 is publicly routed address space; prefer a
# reserved range (RFC 1918 / RFC 5737) if br0 could ever gain an uplink.
ip netns exec net-1 ip add add 1.1.1.1/24 dev veth0
ip netns exec net-2 ip add add 1.1.1.2/24 dev veth2
ip netns exec net-3 ip add add 1.1.1.3/24 dev veth4
-----
# Attach the remaining (host-side) end of each pair to br0 as a bridge port;
# all three ports then share a single L2 segment.
ip link set veth1 master br0
ip link set veth3 master br0
ip link set veth5 master br0
# Bring the bridge ports up.
ip link set veth1 up
ip link set veth3 up
ip link set veth5 up
檢查配置結果:

# Dump the address configuration of net-1, net-2 and net-3 in turn.
# In the output that follows, lo is still DOWN in every namespace.
for i in 1 2 3; do
  ip netns exec "net-${i}" ip addr
done

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
8: veth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:f3:55:fa:12:9d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.1/24 scope global veth0
       valid_lft forever preferred_lft forever
    inet6 fe80::f4f3:55ff:fefa:129d/64 scope link 
       valid_lft forever preferred_lft forever
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth2@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e6:4f:21:36:b0:8f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.2/24 scope global veth2
       valid_lft forever preferred_lft forever
    inet6 fe80::e44f:21ff:fe36:b08f/64 scope link 
       valid_lft forever preferred_lft forever
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
12: veth4@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:e0:0f:93:1c:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 1.1.1.3/24 scope global veth4
       valid_lft forever preferred_lft forever
    inet6 fe80::c4e0:fff:fe93:1c03/64 scope link 
       valid_lft forever preferred_lft forever
驗證互相通信:
[root@compute1 ~]# ip netns exec  net-1 ping -c 2 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.209 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.066 ms

--- 1.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.066/0.137/0.209/0.072 ms
[root@compute1 ~]# ip netns exec  net-1 ping -c 2 1.1.1.3
PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.
64 bytes from 1.1.1.3: icmp_seq=1 ttl=64 time=0.215 ms
64 bytes from 1.1.1.3: icmp_seq=2 ttl=64 time=0.151 ms

--- 1.1.1.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.151/0.183/0.215/0.032 ms
[root@compute1 ~]# ip netns exec  net-2 ping -c 2 1.1.1.1 
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.258 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.074 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.074/0.166/0.258/0.092 ms
[root@compute1 ~]# ip netns exec  net-2 ping -c 2 1.1.1.3
PING 1.1.1.3 (1.1.1.3) 56(84) bytes of data.
64 bytes from 1.1.1.3: icmp_seq=1 ttl=64 time=0.091 ms
64 bytes from 1.1.1.3: icmp_seq=2 ttl=64 time=0.102 ms

--- 1.1.1.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.091/0.096/0.102/0.011 ms
[root@compute1 ~]# ip netns exec  net-3 ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.111 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.064/0.087/0.111/0.025 ms
[root@compute1 ~]# ip netns exec  net-3 ping -c 2 1.1.1.2
PING 1.1.1.2 (1.1.1.2) 56(84) bytes of data.
64 bytes from 1.1.1.2: icmp_seq=1 ttl=64 time=0.143 ms
64 bytes from 1.1.1.2: icmp_seq=2 ttl=64 time=0.066 ms

--- 1.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.066/0.104/0.143/0.039 ms
[root@compute1 ~]# 