
Network namespace

2022-07-04 23:02:00 Xuzhong -- Lei

1、 Network namespace

1) Implementation of network namespace

Network namespaces are used to isolate network devices and the network protocol stack.

Network namespace (Net Namespace), abbreviated netns.

A newly created (private) namespace contains only the loopback device; no other devices exist, so any device you need must be created yourself.

A network device belongs to exactly one namespace at a time. Physical devices can only belong to the root namespace; virtual network devices can be assigned to a given namespace and moved between namespaces.

Devices in different network namespaces are completely isolated and have no way to communicate with each other; a veth pair solves that problem.

2) Namespace operation

Create a network namespace; the new namespace can be seen under /var/run/netns:

ip netns add <name>

List the namespaces:

ip netns list

Run a command inside a namespace:

ip netns exec <name> <command>

You can also enter a namespace by starting bash inside it:

ip netns exec <name> bash


3) Network namespace practice

View the device list:

ip link

[[email protected] eoi]# ip link
257: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 10
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
258: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 11
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:50:56:ac:93:32 brd ff:ff:ff:ff:ff:ff
259: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 12
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:6b:94:d5:2f brd ff:ff:ff:ff:ff:ff
260: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 13
261: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 14
262: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 15
263: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 16
264: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 17
265: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
10: [email protected]: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
289: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 9
293: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 6
296: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 18
247: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 0
248: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 1
249: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 2
250: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 3
251: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 4
255: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
    link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 8

How do you tell whether a device can be moved to another namespace?
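The veth pair mentioned above, worked through end to end as an added example (this is not code from the original post): it creates two private namespaces, moves the two ends of a veth pair into them, and checks that they reach each other while the root namespace no longer sees the moved device. It also answers the question just posed by reading the netns-local flag that ethtool -k reports, which the kernel sets on devices such as lo that can never leave their namespace. The namespace names, device names and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: two private namespaces
# (assumed names ns_a, ns_b) joined by a veth pair. Needs root, iproute2, ping.
set -eu
NS_A=ns_a; NS_B=ns_b
IP_A=10.200.0.1; IP_B=10.200.0.2

# 0 if the device can be moved to another namespace, 1 if the kernel flags it
# netns-local (lo is the classic case; ethtool -k shows the flag), 2 if unknown.
device_can_move() {
    out=$(ethtool -k "$1" 2>/dev/null | grep 'netns-local') || return 2
    case $out in *": on"*) return 1 ;; *) return 0 ;; esac
}

# Each new namespace starts with only lo, and even lo is down.
setup_veth_demo() {
    ip netns add "$NS_A"
    ip netns add "$NS_B"
    # The pair is born in the root namespace; each end is then moved out.
    ip link add veth_a type veth peer name veth_b
    ip link set veth_a netns "$NS_A"
    ip link set veth_b netns "$NS_B"
    for side in "$NS_A veth_a $IP_A" "$NS_B veth_b $IP_B"; do
        set -- $side   # ns dev addr
        ip netns exec "$1" ip addr add "$3/24" dev "$2"
        ip netns exec "$1" ip link set "$2" up
        ip netns exec "$1" ip link set lo up
    done
}

# 0 when ns_a reaches ns_b over the veth pair.
ns_a_can_reach_ns_b() { ip netns exec "$NS_A" ping -c 1 -W 1 "$IP_B" >/dev/null 2>&1; }

# 0 when the root namespace no longer sees veth_a: the isolation holds.
root_ns_has_no_veth_a() { ! ip link show veth_a >/dev/null 2>&1; }

# Deleting a namespace destroys its veth end; the peer goes with it.
teardown_veth_demo() {
    ip netns del "$NS_A" 2>/dev/null || true
    ip netns del "$NS_B" 2>/dev/null || true
}

if [ "${1:-}" = "run" ]; then
    trap teardown_veth_demo EXIT
    setup_veth_demo
    ns_a_can_reach_ns_b && echo "ns_a -> ns_b: reachable over veth"
    root_ns_has_no_veth_a && echo "veth_a is gone from the root namespace"
    device_can_move lo || echo "lo cannot be moved (netns-local)"
fi
```

Run it as root with `sh veth_demo.sh run`; the trap removes both namespaces on exit, so nothing is left behind on the host.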

2、 nsenter

Docker also has its own network namespaces, as we can see:

[[email protected] eoi]# ls /var/run/docker/netns/
0b5ecfdaa492  18f1b8cfaa02  659c5c777674  804be5980579  98b3913faea3  9eb67f1bee55  ab10aeef7e19  d8d0b8570c0e  e084762b59bf  fa6a272e1131
0eef4c74de64  284813d91988  7c3cfb30e588  8970338954ff  9cf691f34593  a7756b687926  ce1774e8eb48  default       f5c7b109cea2

With ip netns we are unable to enter them:

ip netns exec /var/run/docker/netns/7c3cfb30e588 bash
Invalid netns name "/var/run/docker/netns/7c3cfb30e588"
[[email protected] eoi]# ip netns exec 7c3cfb30e588 bash
Cannot open network namespace "7c3cfb30e588": No such file or directory

Let's look at nsenter.

In many scenarios we enter a container with exec, but sometimes the container's file system is isolated from the host operating system and has no bash; in that case we can use nsenter.

We use this nginx pod as an example:

[[email protected] eoi]# kubectl get pod genlog-6cc499c785-5bch7 -oyaml|grep containerID
    cni.projectcalico.org/containerID: ac7dd6b841ba8e6469731ef26081ad68811d736089f42c77856e32d1cfd49c3e
  - containerID: docker://df4778b20642842957d4d06a92e09f381109d55ed8f7f126a031c41ce9c27679

Find the PID corresponding to the Docker container ID:

[[email protected] eoi]# docker inspect --format "{{.State.Pid}}" df4778b20642842957d4d06a92e09f381109d55ed8f7f126a031c41ce9c27679
40257

Enter with nsenter:

[[email protected] eoi]# nsenter -u -p -n -t 40257
[[email protected] eoi]#  Log out 
[[email protected] eoi]# nsenter -u -p -n -t 40257

Introduction to nsenter:

nsenter [options] [program [arguments]]

options:
-t, --target pid: specify the PID of the target process whose namespaces are entered
-m, --mount[=file]: enter the mount namespace; if file is given, enter the namespace that file refers to
-u, --uts[=file]: enter the UTS namespace; if file is given, enter the namespace that file refers to
-i, --ipc[=file]: enter the IPC namespace; if file is given, enter the namespace that file refers to
-n, --net[=file]: enter the network namespace; if file is given, enter the namespace that file refers to
-p, --pid[=file]: enter the PID namespace; if file is given, enter the namespace that file refers to
-U, --user[=file]: enter the user namespace; if file is given, enter the namespace that file refers to
-G, --setgid gid: set the GID the program runs with
-S, --setuid uid: set the UID the program runs with
-r, --root[=directory]: set the root directory
-w, --wd[=directory]: set the working directory
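As an added example that is not part of the original post, the script below ties the nsenter procedure above to the option table: it reads the network namespace handle of a PID such as the one docker inspect printed, decides whether that process shares the host's namespace, and looks up the matching file under Docker's netns directory so the namespace can be entered by file with --net=<file> rather than by a name ip netns would reject. The directory paths and the PID passed on the command line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Resolves which network
# namespace a process lives in from /proc/<pid>/ns/net, the same handle that
# nsenter -n -t <pid> uses, and matches it against netns files on disk.
# The directory paths and the PID are assumptions.
set -eu

# Prints the namespace identity of a process, e.g. "net:[4026531992]".
# Reading another user's process needs root; a process can always read its own.
netns_of_pid() { readlink "/proc/$1/ns/net"; }

# 0 when both PIDs share one network namespace, 1 otherwise.
same_netns() { [ "$(netns_of_pid "$1")" = "$(netns_of_pid "$2")" ]; }

# ip netns resolves bare names under /var/run/netns only, which is why the
# post's path form fails. Docker keeps its handles in /var/run/docker/netns,
# so this scans a directory for the file whose inode is the process's netns;
# that file can then be entered with: nsenter --net=<file> <command>.
netns_file_for_pid() {   # $1 = pid, $2 = directory of netns bind mounts
    want=$(stat -L -c %i "/proc/$1/ns/net")
    for f in "$2"/*; do
        [ -e "$f" ] || continue
        if [ "$(stat -L -c %i "$f" 2>/dev/null || echo -)" = "$want" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# Report for one PID (for example the value docker inspect printed above).
describe_pid_netns() {
    pid=$1
    echo "pid $pid: $(netns_of_pid "$pid")"
    if same_netns 1 "$pid"; then
        echo "  shares the host network namespace"
    else
        echo "  private network namespace, enter with: nsenter -n -t $pid"
    fi
    f=$(netns_file_for_pid "$pid" /var/run/docker/netns) \
        && echo "  docker handle: $f (nsenter --net=$f <command>)"
    return 0
}

if [ "${1:-}" = "run" ]; then
    describe_pid_netns "${2:?usage: $0 run <pid>}"
fi
```

Run as root with `sh netns_of.sh run 40257` (the PID from the post); a container with its own namespace prints a different net:[...] inode than PID 1.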

Summary

Network namespaces isolate the network well. Another weapon is nsenter, a debugging tool; as a unix tool it is very useful for debugging in k8s scenarios. This evening I will continue looking at Linux cgroups and namespaces.

Original site

Copyright notice
This article was written by [Xuzhong -- Lei]; when reposting, please include a link to the original. Thank you.
https://yzsam.com/2022/185/202207041945143617.html