• Docker容器网络


    ip命令可以手动操作网络名称空间

    ip命令属于iproute程序包(iproute2),先确认已安装:

    [root@localhost ~]# rpm -q iproute
    iproute-3.10.0-87.el7.x86_64
    

    添加网络名称空间

    在网络名称空间中执行命令

    创建虚拟网卡对

    将一个设备移到一个名称空间

    将r1中的veth1.2改名为eth0

    设置IP地址激活两半网卡,并互相通信

    r1和r2两个名称空间可以实现通信

    添加网络名称空间

    ip netns add

    [root@localhost ~]# ip netns add r1
    [root@localhost ~]# ip netns add r2
    [root@localhost ~]# ip netns list
    r2
    r1
    

    在网络名称空间中执行命令

    ip netns exec

    [root@localhost ~]# ip netns exec r1 ifconfig -a
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 1  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    创建虚拟网卡对

    ip link add name veth1.1 type veth peer name veth1.2

    add name veth1.1一半网卡叫什么

    type veth类型叫啥,veth虚拟以太网网卡

    peer name另一半网卡名字叫啥

    [root@localhost ~]# ip link add name veth1.1 type veth peer name veth1.2
    [root@localhost ~]# ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
        link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT 
        link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
    4: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
        link/ether 96:8e:c2:e1:64:45 brd ff:ff:ff:ff:ff:ff
    5: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
        link/ether ae:f5:21:c7:db:37 brd ff:ff:ff:ff:ff:ff
    

    将一个设备移到一个名称空间

    [root@localhost ~]# ip link set dev veth1.2 netns r1
    [root@localhost ~]# ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
        link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT 
        link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
    5: veth1.1@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
        link/ether ae:f5:21:c7:db:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        
    [root@localhost ~]# ip netns exec r1 ifconfig -a
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 1  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    veth1.2: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether 96:8e:c2:e1:64:45  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    

    将r1中的veth1.2改名为eth0

    [root@localhost ~]# ip netns exec r1 ip link set dev veth1.2 name eth0
    [root@localhost ~]# ip netns exec r1 ifconfig -a
    eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether 96:8e:c2:e1:64:45  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 1  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    设置IP地址激活两半网卡,并互相通信

    [root@localhost ~]# ifconfig veth1.1 10.1.0.1/24 up
    [root@localhost ~]# ip netns exec r1 ifconfig eth0 10.1.0.2/24 up
    [root@localhost ~]# ping 10.1.0.2
    PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
    64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.102 ms
    64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=1.69 ms
    

    r1和r2两个名称空间可以实现通信。注意:把veth1.1从宿主机移入r2后,它在宿主机上配置的10.1.0.1地址和UP状态会被清掉(设备跨名称空间移动时会被重置),所以下面要在r2里重新配置地址并激活;此时宿主机本身已无法再通过这对veth访问r1。

    [root@localhost ~]# ip link set dev veth1.1 netns r2
    [root@localhost ~]# ip netns exec r2 ifconfig veth1.1 10.1.0.3/24 up
    [root@localhost ~]# ip netns exec r2 ping 10.1.0.2
    PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
    64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.049 ms
    64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.057 ms
    

    docker容器网络设置

    docker容器不设置网络设备使用none网络,实现封闭式容器

    给容器设置主机名,其可以实现主机名解析

    为容器指定DNS服务器

    在外面给容器注入host文件解析结果

    docker容器不设置网络设备,使用none网络,实现封闭式容器(容器内只有lo接口,与外界完全没有网络连通)

    [root@localhost ~]# docker run --name t1 -it  --network none --rm busybox:latest
    / # ifconfig
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    

    给容器设置主机名,其可以实现主机名解析

    [root@localhost ~]# docker run --name t1 -it  --network bridge -h web1.keji.com --rm busybox:latest
    / # hostname
    web1.keji.com
    

    为容器指定DNS服务器

    [root@localhost ~]# docker run --name t1 -it --network bridge -h web1.keji.com --dns 144.144.144.144 --rm busybox:latest
    / # cat /etc/resolv.conf 
    nameserver 144.144.144.144
    

    在外面给容器注入host文件解析结果

    [root@localhost ~]# docker run --name t1 -it --network bridge -h web1.keji.com --dns 144.144.144.144 --add-host web1.keji.com:1.1.1.1 --rm busybox:latest
    / # cat /etc/hosts
    127.0.0.1	localhost
    ::1	localhost ip6-localhost ip6-loopback
    fe00::0	ip6-localnet
    1.1.1.1	web1.keji.com
    

    -p选项暴露容器端口

    将指定的容器端口映射至主机所有地址的一个动态端口

    将容器端口映射至指定的主机端口

    指定容器映射的端口和IP地址

    将指定的容器端口映射至主机所有地址的一个动态端口

    动态端口并不是固定在30000到32767之间:Docker从宿主机内核的临时端口范围(/proc/sys/net/ipv4/ip_local_port_range,CentOS 7默认为32768–60999)中分配,下文实际分配到的就是32769和32768。

    坏处是别人访问时不知道端口是多少,好处是当容器有多个web时,可以映射到多个端口上

    [root@localhost ~]# docker run --name myweb --rm -p 80 dockerhaoran/httpd:v0.2
    
    

    容器已运行,在另外一个终端上打开内部访问

    [root@localhost ~]# docker inspect myweb
        "IPAddress": "172.17.0.2",
    [root@localhost ~]# curl 172.17.0.2
    
    <h1>Busybox httpd server.</h1>
    
    

    用iptables查看Docker生成的NAT规则,可以看到容器的80端口被映射到宿主机的32769端口。注意这条DNAT规则匹配的是所有非docker0入口(!docker0)、目的地址0.0.0.0/0,即从宿主机任意接口进入的流量都会被转发到容器;这些规则由Docker自己维护在DOCKER链里,宿主机上firewalld/ufw的INPUT规则并不会约束这部分流量。需要限制来源时,应在-p中绑定具体地址,或在Docker提供的DOCKER-USER链(较新版本)中添加过滤规则。

    [root@localhost ~]# iptables -t nat -vnL
    Chain DOCKER (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
        0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32769 to:172.17.0.2:80
    
    

    页面访问http://10.192.45.116:32769/

    Busybox httpd server.

    将容器端口映射至指定的主机端口

    [root@localhost ~]# docker port myweb
    80/tcp -> 0.0.0.0:32769
    

    容器的80端口映射到宿主机所有可用地址(0.0.0.0)的32769端口上。安全提示:不指定宿主机地址时默认绑定0.0.0.0,即对宿主机所有网络接口暴露;只需要本机访问时应显式绑定回环地址,例如 -p 127.0.0.1::80 或 -p 127.0.0.1:8080:80。

    [root@localhost ~]# docker kill myweb
    myweb
    [root@localhost ~]# docker run --name myweb --rm -p 10.192.45.116::80 dockerhaoran/httpd:v0.2
    
    

    10.192.45.116::两个冒号表宿主机端口,为空表示随机端口

    [root@localhost ~]# docker port myweb
    80/tcp -> 10.192.45.116:32768
    

    指定容器映射的端口和IP地址

    [root@localhost ~]# docker run --name myweb --rm -p 10.192.45.116:8080:80 dockerhaoran/httpd:v0.2
    
    

    80端口映射到宿主机10.192.45.116的8080端口

    [root@localhost ~]# docker port myweb
    80/tcp -> 10.192.45.116:8080
    
    
    [root@localhost ~]# docker run --name myweb --rm -p 80:80 dockerhaoran/httpd:v0.2
    
    

    80:80不给宿主机地址时表示绑定到宿主机所有地址(0.0.0.0),而不是随机地址

    [root@localhost ~]# docker port myweb
    80/tcp -> 0.0.0.0:80
    
    

    共享指定容器网络(联盟式容器)

    [root@localhost ~]# docker run --name b1 -it --rm busybox:latest
    / # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
        link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
           valid_lft forever preferred_lft forever
           
    [root@localhost ~]#  docker run --name b2 -it --network container:b1 --rm busybox:latest
    / #  ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
        link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
           valid_lft forever preferred_lft forever
    
    

    在b2上开启httpd服务

    / # echo "hello world" > /tmp/index.html
    / # httpd -h /tmp/
    / # netstat -tul
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       
    tcp        0      0 :::80                   :::*                    LISTEN   
    

    在b1上通过lo访问。b1和b2共用同一个网络名称空间(同一个IP、同一个lo),b2监听的端口b1能直接用127.0.0.1访问,反过来也一样,两者之间没有任何网络隔离,因此只应把互相信任的容器放进同一个网络名称空间。

    / # wget -O - -q 127.0.0.1
    hello world
    
    

    共享宿主机网络空间

    [root@localhost ~]# docker run --name b1 -it  --network host --rm  busybox:latest
    / # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
        inet 10.192.45.116/21 brd 10.192.47.255 scope global dynamic enp0s3
           valid_lft 3413sec preferred_lft 3413sec
        inet6 fe80::a00:27ff:fe72:1cca/64 scope link 
           valid_lft forever preferred_lft forever
    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
        link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
           valid_lft forever preferred_lft forever
        inet6 fe80::42:90ff:fe5b:af47/64 scope link 
           valid_lft forever preferred_lft forever
    
    

    启动一个httpd服务

    / # echo "hello worlk" > /tmp/index.html
    / # httpd -h /tmp/
    / # netstat -tunl
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      
    tcp        0      0 :::80                   :::*                    LISTEN 
    

    httpd直接监听在宿主机的80端口上。netstat里同时能看到宿主机自己的sshd(22)和本地的25端口,说明host模式下容器与宿主机完全共用网络栈,没有任何网络隔离:容器可以占用宿主机任意端口、看到并使用宿主机的所有接口,不应用于运行不受信任的镜像。

    http://10.192.45.116/

    hello world

    自定义docker0桥的网络属性信息

    需要修改配置文件/etc/docker/daemon.json文件

    {

    "bip": "10.0.0.1/16",

    "default-gateway": "10.20.1.1",

    "dns": ["10.20.1.2","10.20.1.3"]

    }

    bip指docker0桥的IP地址和子网,是最主要的一项;只要指定好bip,除dns外的其他值都会自动推算出来(注意daemon.json必须是合法JSON,键名和值要用英文半角双引号)

    default-gateway指默认网关

    dns指dns服务器地址,最多3个

    [root@localhost ~]# systemctl stop docker
    [root@localhost ~]# vi /etc/docker/daemon.json
    {
      "registry-mirrors": ["https://qijo5n63.mirror.aliyuncs.com"],
      "bip": "10.0.0.1/16"
    }
    [root@localhost ~]# systemctl start docker
    [root@localhost ~]# ip a
    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
        link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
        inet 10.0.0.1/16 brd 10.0.255.255 scope global docker0
           valid_lft forever preferred_lft forever
        inet6 fe80::42:90ff:fe5b:af47/64 scope link 
           valid_lft forever preferred_lft forever
    

    docker守护进程采用C/S结构,默认仅监听Unix Socket地址 /var/run/docker.sock(受文件权限保护,只有root和docker组成员可以访问);如果要改用TCP套接字,在 /etc/docker/daemon.json 中配置。安全警告:2375是明文且无认证的端口,任何能连上它的人都可以用root身份在宿主机上启动任意容器(例如挂载并改写宿主机的根文件系统),等同于直接交出宿主机root权限;下面示例中的 tcp://0.0.0.0:2375 会把这个接口暴露给所有网络,切勿在生产环境或可达公网的机器上这样配置。确需远程访问时,应使用2376端口并启用TLS双向认证(tlsverify、tlscacert、tlscert、tlskey),并用防火墙限制来源地址。

    /etc/docker/daemon.json:

    "hosts": ["tcp://10.0.0.0:2375","unix:///var/run/docker.sock"]

    也可向dockerd直接传递"-H|--host"选项。注意:daemon.json中的键名是hosts(复数);另外在CentOS 7上docker.service的ExecStart通常已经带了 -H fd://,此时再在daemon.json里配置hosts会因为"同一选项既在命令行又在配置文件中指定"而导致守护进程启动失败,需要先用systemd drop-in去掉ExecStart中的-H参数。

    [root@localhost ~]# systemctl stop docker
    [root@localhost ~]# vi /etc/docker/daemon.json
    {
      "registry-mirrors": ["https://qijo5n63.mirror.aliyuncs.com"],
      "bip": "10.0.0.1/16",
      "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
    }
    [root@localhost ~]# systemctl start docker
    

    创建别的桥

    [root@localhost ~]# docker network create -d bridge --subnet "172.26.0.0/16" --gateway "172.26.0.1" mybr0
    c7cc44b020fd5fe2fe7435b7e19826f8d43576b7a9f86607034e44781ba1ca4a
    

    docker network create创建桥

    -d bridge指定桥的类型,bridge类型

    --subnet "172.26.0.0/16"指定ipv4子网

    --gateway "172.26.0.1"指定网关

    [root@localhost ~]# ip a
    26: br-c7cc44b020fd: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
        link/ether 02:42:60:51:fa:c0 brd ff:ff:ff:ff:ff:ff
        inet 172.26.0.1/16 brd 172.26.255.255 scope global br-c7cc44b020fd
           valid_lft forever preferred_lft forever
    

    网络名叫mybr0,但宿主机上的接口名不是mybr0,而是 br-&lt;网络ID前缀&gt;。如果想让接口使用自定义名字,正确做法是在创建网络时通过驱动选项指定,例如 docker network create -d bridge -o com.docker.network.bridge.name=docker1 --subnet 172.26.0.0/16 --gateway 172.26.0.1 mybr0,而不是事后手工改名:

    [root@localhost ~]# ifconfig br-c7cc44b020fd down
    [root@localhost ~]# ip link set dev br-c7cc44b020fd name docker1
    

    先关闭这个接口,再改设备名。注意:这种手工改名只是演示,Docker为该网络生成的iptables规则和隔离规则是按接口名 br-c7cc44b020fd 匹配的,改名后这些规则不再匹配该网桥,NAT和网络隔离都会失效;而且改名不会持久化,重启docker或宿主机后会恢复。生产环境应使用上面的 -o com.docker.network.bridge.name 选项。

  • 原文地址:https://www.cnblogs.com/hao-ran/p/11509072.html