• 网络命名空间

    1、网络命名空间

    1)网络命名空间的实现

    网络命名空间是为了隔离网络设备和协议栈的

    网络命名空间Net Namespace,简称netns

     私有命名空间只有回环设备,其他设备不存在,如果需要要自己创建。

    所有网络设备都只能属于一个命名空间,物理设备只能属于root。虚拟网络设备则可以被关联到指定的命名空间中,而且可以在命名空间中移动。

    网络命名空间设备是完全隔离的,没有办法互相通信,使用veth就解决了这个问题。

    2)命名空间操作

    创建一个网络命名空间,新建的网络命名空间可以再/var/run/netns 里看到

    ip nets add <name>

    获取列表

    ip netns list

    在命名空间中运行命令

    ip netns  exec <name> <command>

    也可以通过bash 进入

    ip nets exec <name> bash

     

    3)网络命名空间实战

    查看设备列表

    ip link

    1. [root@vm50 eoi]# ip link
    2. 257: cali6aa84dc711d@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    3.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 10
    4. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT                                                                                         group default qlen 1000
    5.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    6. 258: caliea9d46af5d3@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    7.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 11
    8. 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEF                                                                                        AULT group default qlen 1000
    9.     link/ether 00:50:56:ac:93:32 brd ff:ff:ff:ff:ff:ff
    10. 259: calia0649ef1830@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    11.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 12
    12. 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOW                                                                                        N mode DEFAULT group default
    13.     link/ether 02:42:6b:94:d5:2f brd ff:ff:ff:ff:ff:ff
    14. 260: cali8bac6c0ff3f@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    15.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 13
    16. 261: cali1abad8afd57@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    17.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 14
    18. 262: cali11239f98883@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    19.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 15
    20. 263: cali4fb26ba7199@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    21.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 16
    22. 264: calicc16a6d001e@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    23.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 17
    24. 265: cali07356c57c26@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    25.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
    26. 10: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DE                                                                                        FAULT group default qlen 1000
    27.     link/ipip 0.0.0.0 brd 0.0.0.0
    28. 289: cali0432093e227@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    29.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 9
    30. 293: calibc6db57c46b@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    31.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 6
    32. 296: cali9b978cae3c5@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    33.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 18
    34. 247: calid75abf4f5e0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    35.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 0
    36. 248: cali15c7619fccc@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    37.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 1
    38. 249: cali9d3da864524@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    39.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 2
    40. 250: cali84ef8fb5f7d@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    41.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 3
    42. 251: cali05fab0b794e@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    43.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 4
    44. 255: calib8f88917aee@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noque                                                                                        ue state UP mode DEFAULT group default
    45.     link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 8

    如何知道设备是否可以被转移?

     3.nsenter

    我们看到docker也有网络命名空间

    1. [root@vm50 eoi]# ls /var/run/docker/netns/
    2. 0b5ecfdaa492  18f1b8cfaa02  659c5c777674  804be5980579  98b3913faea3  9eb67f1bee55  ab10aeef7e19  d8d0b8570c0e  e084762b59bf  fa6a272e1131
    3. 0eef4c74de64  284813d91988  7c3cfb30e588  8970338954ff  9cf691f34593  a7756b687926  ce1774e8eb48  default       f5c7b109cea2

    如果我们使用ip netns 进不去

    ip netns exec /var/run/docker/netns/7c3cfb30e588 bash

    1.  
    2.  
    3. Invalid netns name "/var/run/docker/netns/7c3cfb30e588"
    1. [root@vm50 eoi]# ip netns exec 7c3cfb30e588 bash
    2. Cannot open network namespace "7c3cfb30e588": No such file or directory

    我们再看nsenter

    对于很多场景我们使用exec登陆,有的时候 容器文件系统和操作系统隔离了,bash没有,我们可以用nsenter

    我们用nginx 这个pod作为例子

    1. [root@vm50 eoi]# kubectl get pod genlog-6cc499c785-5bch7 -oyaml|grep containerID
    2.     cni.projectcalico.org/containerID: ac7dd6b841ba8e6469731ef26081ad68811d736089f42c77856e32d1cfd49c3e
    3.   - containerID: docker://df4778b20642842957d4d06a92e09f381109d55ed8f7f126a031c41ce9c27679

    找出dockerId 对应的pid

    1. [root@vm50 eoi]# docker inspect --format "{{.State.Pid}}" df4778b20642842957d4d06a92e09f381109d55ed8f7f126a031c41ce9c27679
    2. 40257

    nsenter进入

    1. [root@vm50 eoi]# nsenter -u -p -n -t 40257
    2. [root@genlog-6cc499c785-5bch7 eoi]# 登出
    3. [root@vm50 eoi]# nsenter -u -p -n -t 40257

    nsenter介绍:

    1. nsenter [options] [program [arguments]]
    2.  
    3. options:
    4. -t, --target pid:指定被进入命名空间的目标进程的pid
    5. -m, --mount[=file]:进入mount命令空间。如果指定了file,则进入file的命令空间
    6. -u, --uts[=file]:进入uts命令空间。如果指定了file,则进入file的命令空间
    7. -i, --ipc[=file]:进入ipc命令空间。如果指定了file,则进入file的命令空间
    8. -n, --net[=file]:进入net命令空间。如果指定了file,则进入file的命令空间
    9. -p, --pid[=file]:进入pid命令空间。如果指定了file,则进入file的命令空间
    10. -U, --user[=file]:进入user命令空间。如果指定了file,则进入file的命令空间
    11. -G, --setgid gid:设置运行程序的gid
    12. -S, --setuid uid:设置运行程序的uid
    13. -r, --root[=directory]:设置根目录
    14. -w, --wd[=directory]:设置工作目录
    15.

    总结

    网络命名空间可以很好的隔离网络,另外一个利器就是nsenter,调试利器,作为一个unix-tool是在k8s场景上非常有用的调试工具,晚上会继续看linux的cgroup 和namespace

  • 相关阅读:
    c# 输出二进制字符串
    MySQL入门指南6(视图,用户管理,存储引擎,数据类型)
    第一部分 摘要
    各位帅哥美女,微博爬虫用python到底怎么写啊
    微服务架构下的认证鉴权解决方案
    【网页前端】CSS常用布局之定位
    VCS工具学习笔记(8)
    SpringSecurity(七)【密码加密】
    【大数据折腾不息系列】(三) MySQL安装
    大数据工具之Superset
  • 原文地址:https://blog.csdn.net/qq_32783703/article/details/125554675