net namespace實驗

Net namespace實驗

在 Linux 中，網絡名字空間能夠被認爲是隔離的擁有單獨網絡棧（網卡、路由轉發表、iptables）的環境。網絡名字空間常常用來隔離網絡設備和服務，只有擁有一樣網絡名字空間的設備，才能看到彼此。 network namespace 是實現網絡虛擬化的重要功能，它能建立多個隔離的網絡空間，它們有獨自的網絡棧信息。無論是虛擬機仍是容器，運行的時候彷彿本身就在獨立的網絡中

經常使用命令

comm	命令
ip netns add net1	添加namespace net1
ip netns help	獲取幫助
ip netns del n1	刪除namespace n1
ip netns ls	列出當前已有namespace

與net namespace相關的指令是ip netns後面跟具體指令
使用ip netns exec name子命令後面能夠加上任何命令，表示在相應的namespace中執行相關命令，如：

root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

能夠執行ip netns exec n2 bash，以後全部指令都在指定namespace中執行而不須要加上ip netns exec name

root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@mininet-vm:/home/mininet# ip netns exec n2 bash
root@mininet-vm:/home/mininet# ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@mininet-vm:/home/mininet# exit
exit
root@mininet-vm:/home/mininet# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
.................

使用ip netns exec n2 bash --rcfile <(echo "PS1=\"namespace ns1>\"")能夠修改命令行的前綴。

root@mininet-vm:/home/mininet# ip netns exec n2 bash --rcfile <(echo "PS1=\"namespace n2>\"")
namespace n2>

　namespace通訊

使用 veth pair 進行通訊

1. 建立一對veth pair
   使用命令ip link add type veth建立一對veth pair，其默認名是veth0和veth1，使用ip link可查看連接

root@mininet-vm:/home/mininet# ip link
.....
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
root@mininet-vm:/home/mininet # ip link add type veth
root@mininet-vm:/home/mininet # ip link
....
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN 
9: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
10: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff

1. 將veth pair的兩端分別放到兩個namespace
   使用命令ip link set veth0 netns n1和ip link set veth1 netns n2分別將veth0和veth1放到不一樣namespace

oot@mininet-vm:/home/mininet# ip link set veth0 netns n1
root@mininet-vm:/home/mininet# ip link set veth1 netns n2
root@mininet-vm:/home/mininet# ip netns exec n1 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
root@mininet-vm:/home/mininet# ip netns exec n2 ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth1@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff

1. 爲veth pair的兩端分別配置ip
   使用命令ip link set vethX up和ip addr add 10.0.0.10/24 dev vethX爲veth pair配置ip，結果以下

# namespace 1
namespace ns1> ip link set veth0 up
namespace ns1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
namespace ns1> ip addr add 10.0.10.1/24 dev veth0
namespace ns1> ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 12:e8:a5:43:c0:43 brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.x1/24 scope global veth0
       valid_lft forever preferred_lft forever

# namespace 2
namespace n2>ip link set veth1 up
namespace n2>ip addr add 10.0.10/24 dev veth1
namespace n2>ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: veth1@if9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state LOWERLAYERDOWN group default qlen 1000
link/ether 9e:f8:c3:b9:af:ec brd ff:ff:ff:ff:ff:ff
    inet 10.0.10.0/24 scope global veth1
       valid_lft forever preferred_lft forever

1. 測試兩個namespace之間的網絡聯通狀態
   分別在n1和n2中嘗試ping

namespace ns1> ping 10.0.10.0 -c 1
PING 10.0.10.0 (10.0.10.0) 56(84) bytes of data.
64 bytes from 10.0.10.0: icmp_seq=1 ttl=64 time=0.035 ms
namespace n2>ping 10.0.10.1 -c 1
PING 10.0.10.1 (10.0.10.1) 56(84) bytes of data.
64 bytes from 10.0.10.1: icmp_seq=1 ttl=64 time=0.040 ms

1. 其拓撲結構以下
   
   veth pair能夠用於兩個namespace之間的通訊，但不適合用在多個namespace之間的通行

   利用bridge通訊

2. 在以上實驗基礎上，從新建立兩個namespace：n三、n4

root@mininet-vm:/home/mininet# ip netns add n3
root@mininet-vm:/home/mininet# ip netns add n4
root@mininet-vm:/home/mininet# ip netns ls
n4
n3
n1
n2

1. 建立bridge

root@mininet-vm:/home/mininet# ip link add br0 type bridge
root@mininet-vm:/home/mininet# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:1e:27:79 brd ff:ff:ff:ff:ff:ff
    inet 192.168.117.128/24 brd 192.168.117.255 scope global eth0
       valid_lft forever preferred_lft forever
3: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 72:f5:e5:5d:4d:ed brd ff:ff:ff:ff:ff:ff
11: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 76:d8:06:1a:b9:84 brd ff:ff:ff:ff:ff:ff

1. 利用veth pair將bridge與n三、n四、n1連通
   建立3對veth pair

root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip link add type veth
root@mininet-vm:/home/mininet# ip a
...
11: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 76:d8:06:1a:b9:84 brd ff:ff:ff:ff:ff:ff
12: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ea:98:b6:3c:46:60 brd ff:ff:ff:ff:ff:ff
13: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether f2:f6:d8:6b:31:1f brd ff:ff:ff:ff:ff:ff
14: veth2@veth3: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 4a:7d:af:18:67:14 brd ff:ff:ff:ff:ff:ff
15: veth3@veth2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ca:b6:e4:eb:b7:15 brd ff:ff:ff:ff:ff:ff
16: veth4@veth5: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether f2:b3:5f:0e:3d:09 brd ff:ff:ff:ff:ff:ff
17: veth5@veth4: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 76:0c:87:b1:16:80 brd ff:ff:ff:ff:ff:ff

將br0和n1，n3，n4鏈接
這時候若是把veth0加入n1的話會報錯，由於n1裏面已經有了一個veth0，能夠換成其餘名稱的veth。
將veth pair放如br0的指令爲ip link set dev veth3 master br0

1. 測試n1-n4之間的連通狀態
   發現不一樣namespace之間沒法ping通 。
   這個問題折騰了好久，後來多配置了幾回有能夠了。應該是以前漏掉了幾個步驟，完整的步驟應該包括如下幾步：

   # 啓動網橋（網橋只須要啓動一次就行）
   ip link set br0 up
   # 建立vethpair
   ip link add br-1 type veth peer name 1-br
   #將vethpair分配給網橋和namespace
   ip link set br-1 master br0
   ip link set 1-br netns n1
   #啓動veth
   ip link set br-1 up
   ip netns exec n1 ip link set 1-br up
   # 爲namespace中的veth設置ip
     ip netns exec n1 ip addr add 10.0.10.2/24 dev 1-br

   從新測試，發現三個namespace能夠相互ping通。

上述網橋對應的veth的ip其實能夠省略

1. 其拓撲結構以下
   
   ### namespace內部與namespace外部通訊
   默認狀況下，namespace網絡是隔離的，namespace內沒法ping通namespace外的網絡，能夠經過veth pair打通網絡狀態。
   當veth pair一端在namespace內部，一端在namespace外部時，namespace能夠ping通位於外部的veth pair但沒法ping同其餘網絡。

   參考資料

   https://cizixs.com/2017/02/10/network-virtualization-network-namespace/