netns creates a completely new, isolated network environment: its own set of network interfaces, routing table, ARP table, IP addresses, iptables rules and so on. In short, every network-related component is independent of the host's.
Create a network namespace:        # ip netns add ns1
List network namespaces:           # ip netns list
Delete a network namespace:        # ip netns del ns1
Run a command inside a namespace:  # ip netns exec ns1 `command`
Example 1:
Use netns to connect virtual machines that sit in two isolated environments, as shown in the figure:
In the virtualisation host there are two network-isolated virtual machines that need to talk to each other.
System: CentOS 7.2 x64

Install the packages and create the two bridges:
# yum install bridge-utils libvirt libvirt-client virt-install virt-viewer net-tools -y
# brctl addbr br0
# brctl addbr br1
# ifconfig br0 up
# ifconfig br1 up

Disable libvirt's default NAT network:
# mv /etc/libvirt/qemu/networks/default.xml /etc/libvirt/qemu/networks/default.xml_bak
# systemctl start libvirtd

Create the first virtual machine and connect it to br0:
# virt-install --name vm1 --ram 512 --vcpus=1 --disk /images/linux/cirros-0.3.5-i386-disk-1.img --network bridge=br0,model=virtio --force --import --nographics --serial=pty --console=pty

Open a second terminal and create the second virtual machine, connected to br1:
# virt-install --name vm2 --ram 512 --vcpus=1 --disk /images/linux/cirros-0.3.5-i386-disk-2.img --network bridge=br1,model=virtio --force --import --nographics --serial=pty --console=pty

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.fe54007e1861       no              vnet0
br1             8000.fe5400be1885       no              vnet1

At this point each virtual machine is attached to its own bridge. The result is shown in the figure:
Create the network namespace:
# ip netns add ns1
# ip netns list
ns1

Next create a virtual NIC. A veth pair has two ends: one end goes into br0 and the other end is moved into the network namespace, so that hosts on the br0 bridge can reach the namespace.
# ip link add net-in type veth peer name net-out
# ifconfig net-in up
# ifconfig net-out up

Add net-in to br0 and net-out to ns1:
# brctl addif br0 net-in
Check that it was added:
# brctl show br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.46c7e9d2c0fa       no              net-in
                                                        vnet0

Move net-out into ns1 and rename it eth0:
# ip link set dev net-out name eth0 netns ns1

Check that it arrived:
# ip netns exec ns1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether a2:07:dc:ba:35:a2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
# ip netns exec ns1 ifconfig lo up

The path vm1 --> br0 --> ns1 is now in place, as shown in the figure:
Do the same on the other side:
# ip link add net1-in type veth peer name net1-out
# ifconfig net1-in up
# ifconfig net1-out up
# brctl addif br1 net1-in
# brctl show br1
bridge name     bridge id               STP enabled     interfaces
br1             8000.1291a963b290       no              net1-in
                                                        vnet1
# ip link set dev net1-out name eth1 netns ns1

# ip netns exec ns1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether a2:07:dc:ba:35:a2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 02:d4:3c:7d:3b:2e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

IP address plan:

vm1 - eth0 : 192.168.1.2
ns1 - eth0 : 192.168.1.1

vm2 - eth0 : 172.168.10.2
ns1 - eth1 : 172.168.10.1

(Note that 172.168.10.0/24 is not RFC 1918 private space; the private block is 172.16.0.0/12. It is harmless in this isolated lab, but it would shadow real Internet addresses if the namespace were later given an uplink.)

Remember: the namespace only forwards packets when forwarding is enabled on the host, and in this scenario forwarding is required:
# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
ip_forward is a per-namespace setting, so to be safe enable it inside ns1 as well: # ip netns exec ns1 sysctl -w net.ipv4.ip_forward=1
vm1 - eth0 network configuration:
# ifconfig lo up
# ifconfig eth0 192.168.1.2/24 up
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:7E:18:61
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe7e:1861/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:648 (648.0 B)  TX bytes:168 (168.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ns1 - eth0 network configuration:
# ip netns exec ns1 ifconfig lo up
# ip netns exec ns1 ifconfig eth0 192.168.1.1/24 up
# ip netns exec ns1 ifconfig eth0
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        ether a2:07:dc:ba:35:a2  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

vm2 - eth0 network configuration:
# ifconfig lo up
# ifconfig eth0 172.168.10.2/24 up
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:BE:18:85
          inet addr:172.168.10.2  Bcast:172.168.255.255  Mask:255.255.0.0
          inet6 addr: fe80::5054:ff:febe:1885/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:648 (648.0 B)  TX bytes:168 (168.0 B)

Note that the guest reports Mask:255.255.0.0 rather than the /24 that was requested: the guest's ifconfig did not apply the prefix and fell back to the classful /16. That still works here because 172.168.10.1 lies inside 172.168.0.0/16, but pass "netmask 255.255.255.0" explicitly if you need a real /24.

ns1 - eth1 network configuration:
# ip netns exec ns1 ifconfig eth1 172.168.10.1/24 up
# ip netns exec ns1 ifconfig eth1
eth1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.168.10.1  netmask 255.255.255.0  broadcast 172.168.10.255
        ether 02:d4:3c:7d:3b:2e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
Set the routes on the virtual machines:

vm1:
# ping 192.168.1.1 -c1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=0.811 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.811/0.811/0.811 ms
# ip route add default via 192.168.1.1

Note: if the ping fails, check that every interface along the path is in the up state.

vm2:
# ping 172.168.10.1 -c1
PING 172.168.10.1 (172.168.10.1): 56 data bytes
64 bytes from 172.168.10.1: seq=0 ttl=64 time=2.385 ms

--- 172.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.385/2.385/2.385 ms
Add the default route:
# ip route add default via 172.168.10.1
Next, test with ping.

vm1 - eth0 : 192.168.1.2 --> ns1 - eth1 : 172.168.10.1
# ping 172.168.10.1 -c1
PING 172.168.10.1 (172.168.10.1): 56 data bytes
64 bytes from 172.168.10.1: seq=0 ttl=64 time=0.426 ms

--- 172.168.10.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.426/0.426/0.426 ms

The reply from ns1's eth1 shows that ns1 carried the packet from eth0 (192.168.1.1) to 172.168.10.1. (Strictly, 172.168.10.1 is one of ns1's own addresses, so this reply does not yet depend on ip_forward; the vm1 --> vm2 test is the one that actually exercises forwarding.)

vm1 - eth0 : 192.168.1.2 --> vm2 - eth0 : 172.168.10.2
This completes communication between two isolated virtual hosts inside the same physical host.
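The same topology as Example 1 (vm1 <-> br0 <-> ns1 <-> br1 <-> vm2), rebuilt as an added script that is not part of the original post. It uses iproute2 only, so there is no deprecated brctl/ifconfig and no separate rename-and-move step: the namespace end of each veth pair is created directly inside ns1 under its final name. It assumes br0 and br1 already exist (the post's brctl addbr steps), that it runs as root, that the interface names and addresses match the post's table, and that iproute2 is recent enough to accept "peer name X netns NS" (the CentOS 7.2 version in the post is older; there, fall back to the post's "ip link set ... netns" step). Set DRY_RUN=1 to print the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not from the original post: Example 1's topology with iproute2.
# Assumes br0 and br1 exist, root privileges, and the post's names/addresses.
# DRY_RUN=1 prints each command instead of executing it.

NS=ns1

# run CMD...: execute, or print the command line when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# attach BRIDGE HOST_END NS_IF ADDR/PREFIX
# One veth end is enslaved to the bridge; the peer is born inside $NS with its
# final name, so nothing has to be renamed or moved afterwards.
attach() {
  br=$1 host_end=$2 ns_if=$3 addr=$4
  run ip link add "$host_end" type veth peer name "$ns_if" netns "$NS"
  run ip link set "$host_end" master "$br" up
  run ip netns exec "$NS" ip addr add "$addr" dev "$ns_if"
  run ip netns exec "$NS" ip link set "$ns_if" up
}

setup() {
  run ip netns add "$NS"
  run ip netns exec "$NS" ip link set lo up
  # ip_forward is per namespace: set it inside ns1 instead of trusting the host value
  run ip netns exec "$NS" sysctl -w net.ipv4.ip_forward=1
  attach br0 net-in  eth0 192.168.1.1/24
  attach br1 net1-in eth1 172.168.10.1/24
}

# Both guests (addresses from the post's table) must answer from inside ns1
verify() {
  for ip in 192.168.1.2 172.168.10.2; do
    run ip netns exec "$NS" ping -c1 -W1 "$ip"
  done
}

# Deleting the namespace removes both veth pairs with it (the post relies on
# the same behaviour when it rebuilds ns1 in Example 2)
teardown() {
  run ip netns del "$NS"
}

case "${1:-}" in
  setup) setup ;;
  verify) verify ;;
  teardown) teardown ;;
esac
```

Run it as "sh netns-router.sh setup" and then "sh netns-router.sh verify" on the host; "DRY_RUN=1 sh netns-router.sh setup" shows the eleven commands it would issue, which is a convenient way to review the change before touching a live bridge.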
Example 2:
Description: two isolated groups inside the host, of which only one may reach the public network.
This builds on Example 1, so start by modifying that setup:
# ip netns del ns1
Deleting the network namespace also deletes every virtual NIC that belonged to it. The layout is now:

vm1: 192.168.1.2/24
vm2: 192.168.1.2/24
ns1: 192.168.1.1/24
vm1 and vm2 are deliberately given the same IP address, which makes it easy to confirm that the two groups really are isolated.

Add the network namespace:
# ip netns add ns1
# ip link add net-in type veth peer name net-out
# ifconfig net-in up
# ifconfig net-out up

Add net-in to br0 and net-out to the network namespace ns1:
# brctl addif br0 net-in
# ip link set dev net-out name eth0 netns ns1
Bring up the interfaces in ns1 and assign the IP address:
# ip netns exec ns1 ifconfig lo up
# ip netns exec ns1 ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up

Set vm1's gateway to 192.168.1.1.

Create a bridge and add the physical NIC to it. The simplest way is to edit the NIC's configuration file directly (under /etc/sysconfig/network-scripts/):
# cp -a ifcfg-eno16777736 ifcfg-br-out
# vim ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=eno16777736
UUID=100e462e-c0d0-4271-9b5a-1c8e47ff0d03
DEVICE=eno16777736
ONBOOT=yes
BRIDGE=br-out
# vim ifcfg-br-out
TYPE=Bridge
BOOTPROTO=none
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
NAME=br-out
DEVICE=br-out
ONBOOT=yes
IPADDR=10.0.0.11
NETMASK=255.255.255.0
GATEWAY=10.0.0.1
DNS1=10.0.0.1
DNS2=114.114.114.114

Restart networking:
# systemctl restart network
The physical NIC is now enslaved to the bridge:
# brctl show br-out
bridge name     bridge id               STP enabled     interfaces
br-out          8000.000c2923e15d       no              eno16777736
Now create a veth pair connecting ns1 and br-out:
# ip link add net1-in type veth peer name net1-out
# ifconfig net1-in up
# ifconfig net1-out up
# ip link set dev net1-in name eth1 netns ns1
# brctl addif br-out net1-out
# brctl show br-out
bridge name     bridge id               STP enabled     interfaces
br-out          8000.000c2923e15d       no              eno16777736
                                                        net1-out
My real LAN is 10.0.0.0/24, so eth1 inside ns1 must be configured on the same subnet:
# ip netns exec ns1 ifconfig eth1 10.0.0.12 netmask 255.255.255.0 up
The gateway is now reachable from ns1.
What has been built so far is shown in the figure:

Add source NAT inside ns1 and give it a default route:
# ip netns exec ns1 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 10.0.0.12
# ip netns exec ns1 ip route add default via 10.0.0.1

Ping a public IP from vm1 again.
This gives a host in which some of the internal networks can reach the public network while others have no access to it at all.
In short, the network logic is what matters.
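Example 2's gateway role for ns1, as an added script that is not part of the original post. It builds the uplink veth pair with iproute2, adds the default route (with the "add" keyword the post's command line omits) and installs the post's SNAT rule, and on top of that sets an explicit FORWARD policy so that only the 192.168.1.0/24 group is ever relayed through the uplink; the vm2 group gets no path out because it is not attached to ns1, and the policy makes that intent explicit instead of accidental. It assumes ns1 already exists with eth0 192.168.1.1/24 on br0 (the post's earlier steps), that br-out carries the physical NIC, that 10.0.0.12 is free in the 10.0.0.0/24 LAN, that the iptables conntrack match is available, and root. DRY_RUN=1 prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not from the original post: ns1 as a NAT gateway for one group.
# Assumes ns1 with eth0 192.168.1.1/24 on br0, br-out with the physical NIC,
# a free 10.0.0.12 in the post's 10.0.0.0/24 LAN, and root privileges.
# DRY_RUN=1 prints each command instead of executing it.

NS=ns1
LAN=192.168.1.0/24        # the only group allowed to reach the outside
OUT_IF=eth1               # ns1's end of the uplink veth pair
OUT_ADDR=10.0.0.12/24     # address from the post; adjust to a free one in your LAN
GW=10.0.0.1

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Uplink: veth pair between br-out (net1-out) and ns1 ($OUT_IF), then the
# default route toward the LAN gateway
uplink() {
  run ip link add net1-out type veth peer name "$OUT_IF" netns "$NS"
  run ip link set net1-out master br-out up
  run ip netns exec "$NS" ip addr add "$OUT_ADDR" dev "$OUT_IF"
  run ip netns exec "$NS" ip link set "$OUT_IF" up
  run ip netns exec "$NS" ip route add default via "$GW"
}

# Forwarding plus the post's SNAT, behind a FORWARD policy that only relays
# $LAN outbound and established replies inbound; anything else is dropped.
nat_rules() {
  run ip netns exec "$NS" sysctl -w net.ipv4.ip_forward=1
  run ip netns exec "$NS" iptables -P FORWARD DROP
  run ip netns exec "$NS" iptables -A FORWARD -s "$LAN" -o "$OUT_IF" -j ACCEPT
  run ip netns exec "$NS" iptables -A FORWARD -i "$OUT_IF" -m conntrack \
      --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Rewrite the source of LAN traffic leaving via the uplink to ns1's own
  # address; LAN-to-LAN traffic (! -d) is left alone, exactly as in the post.
  run ip netns exec "$NS" iptables -t nat -A POSTROUTING -s "$LAN" ! -d "$LAN" \
      -o "$OUT_IF" -j SNAT --to-source "${OUT_ADDR%/*}"
}

# Read back what ns1 will actually do before relying on a ping from vm1
show() {
  run ip netns exec "$NS" ip route
  run ip netns exec "$NS" iptables -S FORWARD
  run ip netns exec "$NS" iptables -t nat -S POSTROUTING
}

case "${1:-}" in
  uplink) uplink ;;
  nat) nat_rules ;;
  show) show ;;
esac
```

Run "sh netns-gw.sh uplink" followed by "sh netns-gw.sh nat", then "sh netns-gw.sh show" to confirm the route, the FORWARD chain and the SNAT rule as the namespace sees them. With the FORWARD policy at DROP, a guest that is later attached to br0 by mistake still cannot use ns1 as a relay unless it carries a 192.168.1.0/24 source address, which keeps the "only one group goes out" property from depending solely on bridge membership.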