本期重点 认识
veth - Virtual Ethernet Device
The veth devices are virtual Ethernet devices. They can act as tunnels between network namespaces to create a bridge to a physical network device in another namespace, but can also be used as standalone network devices.
像隧道一样连接 不同的 netns 。隧道中不会对数据包进行修改
自内核3.8以后 linux 定义了6大命名空间
UTS 主机和域名
IPC 信号量、消息队列和共享内容
PID 进程编号
network 网络设备、网络栈、端口等
mount 挂载点(文件系统)
user 用户和用户组
clone() setns() unshare() 三个 系统函数定义了 命名空间三个基础操作
veth 与其中 network ns 紧密相关
实操
创建一对veth 进行绑定 其中一组放入 netns song中 操作如下
ip link add veth0 type veth peer name veth1 ip link list ip link set dev veth0 up ip link set dev veth1 up ifconfig veth0 192.168.122.101/24 ip netns add song ip link set veth1 netns song
ip netns exec song ifconfig veth1 192.168.122.102/24
创建桥连网卡 br0
ip link add name br0 type bridge | brctl addbr br0
ip link set br0 up
把veth0 网卡连接到br0
方法一
ip link set dev veth0 master br0
方法二
brctl addif br0 veth0
[root@kuberspary ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:3c:51:f0 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.10/24 brd 192.168.122.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe3c:51f0/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:58:6f:81:e5 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
8: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default qlen 1000
link/ether 3e:78:e0:5b:4a:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.122.101/24 brd 192.168.122.10255 scope global veth0
valid_lft forever preferred_lft forever
inet6 fe80::3c78:e0ff:fe5b:4a85/64 scope link
valid_lft forever preferred_lft forever
9: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 3e:78:e0:5b:4a:85 brd ff:ff:ff:ff:ff:ff
inet6 fe80::8039:68ff:fee4:fb6a/64 scope link
valid_lft forever preferred_lft forever
[root@kuberspary ~]# ip netns exec song ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth1@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f2:05:c3:82:ae:5e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.122.102/24 brd 192.168.122.10255 scope global veth1
valid_lft forever preferred_lft forever
inet6 fe80::f005:c3ff:fe82:ae5e/64 scope link
valid_lft forever preferred_lft forever
这时 发现 ping 不通 veth1, 通过抓包我们看一下原因
[root@kuberspary ~]# tcpdump -n -i veth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:00:01.566262 ARP, Request who-has 192.168.122.102 tell 192.168.122.101, length 28
19:00:01.566345 ARP, Reply 192.168.122.102 is-at f2:05:c3:82:ae:5e, length 28
19:00:02.568159 ARP, Request who-has 192.168.122.102 tell 192.168.122.101, length 28
19:00:02.568213 ARP, Reply 192.168.122.102 is-at f2:05:c3:82:ae:5e, length 28
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@kuberspary ~]# tcpdump -n -i br0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:00:06.572026 ARP, Reply 192.168.122.102 is-at f2:05:c3:82:ae:5e, length 28
19:00:08.572488 ARP, Reply 192.168.122.102 is-at f2:05:c3:82:ae:5e, length 28
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[root@kuberspary ~]# ip netns exec song tcpdump -n -i veth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:00:29.590284 ARP, Request who-has 192.168.122.102 tell 192.168.122.101, length 28
19:00:29.590356 ARP, Reply 192.168.122.102 is-at f2:05:c3:82:ae:5e, length 28
19:00:30.592064 ARP, Request who-has 192.168.122.102 tell 192.168.122.101, length 28
19:00:30.592096 ARP, Reply 192.168.122.102 is-at f2:05:c3:82:ae:5e, length 28^C
通过分析以下报文可以看出,包的去和回的流程都没有问题,问题就出在veth0收到应答包后没有给协议栈,而是给了br0,于是协议栈得不到veth1的MAC地址,导致通信失败。
进行第二步操作 把 veth0 的ip 分配给br0
ip addr del 192.168.122.101/24 dev veth0
ip addr add 192.168.122.101/24 dev br0
这个阶段 br0 无法ping 通网关
进行第三步操作 把 eth0 分配给br0
最后一步把eth0 的IP 分配给br0
逻辑示意图是 br0 连接协议栈和物理网络 veth0 和 eth0 挂载到 br0 上进行通信