Network namespaces
2022-07-04 19:45:00 【序冢--磊】
1. Network namespaces
1) How network namespaces are implemented
A network namespace isolates the network devices and the protocol stack: interfaces, addresses, routing tables, netfilter rules, sockets and /proc/net are all per namespace, so processes in different namespaces see independent networks.
Network namespace, Net Namespace, is abbreviated netns.
A freshly created namespace contains only the loopback device (and lo starts DOWN until you bring it up); every other device has to be created inside it or moved into it.
A network device belongs to exactly one namespace at a time. A physical NIC starts in the initial (root) namespace and can be moved into another one with ip link set <dev> netns <name>; when that namespace is destroyed the NIC returns to the initial namespace. Virtual devices such as veth can be created in, or moved into, any namespace and are destroyed together with it. Devices flagged netns-local (lo, ipip tunnels such as tunl0) cannot be moved at all.
Devices in different namespaces are completely isolated and cannot talk to each other. A veth pair, two virtual interfaces wired back to back with one end placed in each namespace (or one end attached to a bridge on the host), is what connects them.
2) Namespace operations
Create a network namespace; it shows up as a file under /var/run/netns, which is the handle ip netns works with:
ip netns add <name>
List the namespaces:
ip netns list
Run a command inside a namespace:
ip netns exec <name> <command>
Or start an interactive shell inside it:
ip netns exec <name> bash
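Here is the procedure above run end to end, as an added example that is not part of the original post: two namespaces, a veth pair between them, and checks that the pair is the only path between them. The namespace names ns-a/ns-b, the interface names and the 10.200.0.0/24 addresses are arbitrary choices made here, and the netns_id/same_netns helpers are mine. The namespace part needs root (CAP_NET_ADMIN) and iproute2; the helpers run unprivileged.

```shell
#!/bin/sh
# Added example, not from the original post. Builds two network namespaces,
# joins them with a veth pair and verifies isolation and connectivity.
# ns-a/ns-b, the veth names and 10.200.0.0/24 are assumptions for this demo.

# netns_id PID: identity of PID's network namespace, e.g. "net:[4026531992]".
# Two processes share a network namespace exactly when this value matches.
netns_id() {
    readlink "/proc/$1/ns/net"
}

# same_netns PID1 PID2: print "same" or "different".
same_netns() {
    if [ "$(netns_id "$1")" = "$(netns_id "$2")" ]; then
        echo same
    else
        echo different
    fi
}

# can_run_demo: root and the ip tool are required for the namespace part.
can_run_demo() {
    [ "$(id -u)" = 0 ] && command -v ip >/dev/null 2>&1
}

# veth_demo NS_A NS_B: create the topology, check it, tear it down.
veth_demo() {
    ns_a=$1
    ns_b=$2
    ip netns add "$ns_a"            # appears as /var/run/netns/$ns_a
    ip netns add "$ns_b"
    ip netns list

    # A fresh namespace holds only lo, and lo starts DOWN: bring it up.
    ip netns exec "$ns_a" ip link show          # prints just "lo"
    ip netns exec "$ns_a" ip link set lo up
    ip netns exec "$ns_b" ip link set lo up

    # One veth pair, then move one end into each namespace. The ends
    # disappear from the host's "ip link" once moved.
    ip link add "v-$ns_a" type veth peer name "v-$ns_b"
    ip link set "v-$ns_a" netns "$ns_a"
    ip link set "v-$ns_b" netns "$ns_b"
    ip netns exec "$ns_a" ip addr add 10.200.0.1/24 dev "v-$ns_a"
    ip netns exec "$ns_b" ip addr add 10.200.0.2/24 dev "v-$ns_b"
    ip netns exec "$ns_a" ip link set "v-$ns_a" up
    ip netns exec "$ns_b" ip link set "v-$ns_b" up

    # Isolation: the host no longer sees either end, and each namespace sees
    # only its own end ("ip link show DEV" fails when DEV is absent).
    ! ip link show "v-$ns_a" >/dev/null 2>&1 || echo "BUG: v-$ns_a still on host"
    ! ip netns exec "$ns_a" ip link show "v-$ns_b" >/dev/null 2>&1 \
        || echo "BUG: $ns_b's end visible inside $ns_a"

    # Connectivity: traffic crosses the veth pair.
    ip netns exec "$ns_a" ping -c 1 -W 1 10.200.0.2

    # Each namespace is a distinct kernel object, distinct from the host's.
    echo "host : $(netns_id self)"
    echo "$ns_a : $(ip netns exec "$ns_a" readlink /proc/self/ns/net)"
    echo "$ns_b : $(ip netns exec "$ns_b" readlink /proc/self/ns/net)"

    # Deleting a namespace destroys the virtual devices inside it; a physical
    # NIC that had been moved in would instead return to the initial namespace.
    ip netns del "$ns_a"
    ip netns del "$ns_b"
}

# The privileged part only runs on request:  sh netns-veth.sh run
if [ "${1:-}" = run ]; then
    can_run_demo || { echo "needs root and iproute2" >&2; exit 1; }
    veth_demo ns-a ns-b
fi
```

Comparing readlink /proc/<pid>/ns/net values is the dependable way to tell whether two processes share a network namespace; ip netns only knows the names under /var/run/netns, which is exactly what the Docker section further down runs into.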
3) Network namespaces hands-on
List the devices in the current (host) namespace:
ip link
[[email protected] eoi]# ip link
257: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 10
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
258: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 11
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:50:56:ac:93:32 brd ff:ff:ff:ff:ff:ff
259: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 12
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:6b:94:d5:2f brd ff:ff:ff:ff:ff:ff
260: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 13
261: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 14
262: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 15
263: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 16
264: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 17
265: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 5
10: [email protected]: <NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
289: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 9
293: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 6
296: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 18
247: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 0
248: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 1
249: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 2
250: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 3
251: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 4
255: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP mode DEFAULT group default
link/ether ee:ee:ee:ee:ee:ee brd ff:ff:ff:ff:ff:ff link-netnsid 8
How do we tell whether a device can be moved to another namespace? Check its netns-local feature: ethtool -k <dev> | grep netns-local prints "netns-local: on [fixed]" for devices pinned to their namespace (lo and the link/ipip tunnel above) and "off" for ones that can be moved, such as ens160 and veth ends. In the listing, every entry with MAC ee:ee:ee:ee:ee:ee and a link-netnsid N is the host end of a veth pair created by Calico (the CNI on this node; the pod annotation further down is Calico's). Its peer lives in a container namespace that this namespace knows as id N (ip netns list-id), which is why the host sees only one end of each pair.
2. nsenter
Docker has network namespaces too. dockerd keeps its handles under /var/run/docker/netns rather than /var/run/netns:
[[email protected] eoi]# ls /var/run/docker/netns/
0b5ecfdaa492 18f1b8cfaa02 659c5c777674 804be5980579 98b3913faea3 9eb67f1bee55 ab10aeef7e19 d8d0b8570c0e e084762b59bf fa6a272e1131
0eef4c74de64 284813d91988 7c3cfb30e588 8970338954ff 9cf691f34593 a7756b687926 ce1774e8eb48 default f5c7b109cea2
ip netns cannot reach them: a path is rejected as a namespace name, and a bare id is looked up under /var/run/netns only, where it does not exist:
ip netns exec /var/run/docker/netns/7c3cfb30e588 bash
Invalid netns name "/var/run/docker/netns/7c3cfb30e588"
[[email protected] eoi]# ip netns exec 7c3cfb30e588 bash
Cannot open network namespace "7c3cfb30e588": No such file or directory
So let's look at nsenter.
In many cases we log in with docker exec or kubectl exec, but the container's filesystem is separate from the host's and the image may ship no bash (nor ip, ss or tcpdump). nsenter lets us enter only the namespaces we choose: with -n but without -m we keep the host's mount namespace, so the host's shell and tools run inside the container's network.
Let's use the nginx pod as the example:
[[email protected] eoi]# kubectl get pod genlog-6cc499c785-5bch7 -oyaml|grep containerID
cni.projectcalico.org/containerID: ac7dd6b841ba8e6469731ef26081ad68811d736089f42c77856e32d1cfd49c3e
- containerID: docker://df4778b20642842957d4d06a92e09f381109d55ed8f7f126a031c41ce9c27679
The first line is the container id the CNI plugin was given, i.e. the pod sandbox (pause) container; the second, with the docker:// prefix, is the application container. All containers in a pod share the sandbox's network namespace, so either PID works for -n; for the mount or pid namespace you want the application container. Find the PID of the docker container id (the part after docker://):
[[email protected] eoi]# docker inspect --format "{{.State.Pid}}" df4778b20642842957d4d06a92e09f381109d55ed8f7f126a031c41ce9c27679
40257
Enter with nsenter (the UTS, pid and net namespaces of PID 40257; the mount namespace stays the host's, so the bash that starts is the host's bash):
[[email protected] eoi]# nsenter -u -p -n -t 40257
[[email protected] eoi]# logout
[[email protected] eoi]# nsenter -u -p -n -t 40257
nsenter usage:
nsenter [options] [program [arguments]]
options:
-t, --target pid: PID of the target process whose namespaces are entered
-m, --mount[=file]: enter the mount namespace; with file, enter the namespace that file refers to (e.g. /proc/<pid>/ns/mnt)
-u, --uts[=file]: enter the UTS namespace (hostname); with file, the namespace that file refers to
-i, --ipc[=file]: enter the IPC namespace; with file, the namespace that file refers to
-n, --net[=file]: enter the network namespace; with file, the namespace that file refers to
-p, --pid[=file]: enter the PID namespace (nsenter forks first so the program itself runs inside it); with file, the namespace that file refers to
-U, --user[=file]: enter the user namespace; with file, the namespace that file refers to
-G, --setgid gid: run the program with this gid
-S, --setuid uid: run the program with this uid
-r, --root[=directory]: set the root directory (chroot)
-w, --wd[=directory]: set the working directory
Without -m the mount namespace, and with it the filesystem and the binaries, stay the host's: that is what makes nsenter -n usable against an image that ships no shell.
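Putting the two observations together, that ip netns only looks in /var/run/netns and that nsenter can join just the network namespace, here is an added example (my code, not Docker's, iproute2's or the post's): resolve a container id to a PID, make its network namespace addressable to ip netns through a symlink, enter it with nsenter using the host's tools, and verify that both routes land in the same namespace. The container id, the alias name and the commands run inside are assumptions; valid_netns_name mirrors the name check iproute2 makes before touching /var/run/netns (empty, too long, containing "/", "." or "..") and explains the two different error messages above. The root-only steps are gated behind a command-line argument.

```shell
#!/bin/sh
# Added example, not from the original post. Container id, alias and the
# commands run inside the namespace are assumptions; helpers are mine.

NETNS_DIR=/var/run/netns                 # the only place "ip netns" looks
DOCKER_NETNS_DIR=/var/run/docker/netns   # where dockerd keeps its handles

# valid_netns_name NAME: the check ip applies before using NAME as a path
# component under /var/run/netns. A path such as /var/run/docker/netns/7c3c...
# fails here ("Invalid netns name"); a bare id passes here and then fails to
# open because nothing by that name exists in /var/run/netns.
valid_netns_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 255 ] || return 1
    case $name in
        */*|.|..) return 1 ;;
    esac
    return 0
}

# docker_pid CONTAINER: host PID of the container's init process.
docker_pid() {
    docker inspect --format '{{.State.Pid}}' "$1"
}

# expose_netns PID NAME: make PID's network namespace usable as
# "ip netns exec NAME ...". A symlink to /proc/PID/ns/net is enough because
# ip simply open()s /var/run/netns/NAME; the link dangles once PID exits.
# Docker's own handle works too: ln -s $DOCKER_NETNS_DIR/<id> $NETNS_DIR/NAME
expose_netns() {
    pid=$1
    name=$2
    valid_netns_name "$name" || { echo "bad netns name: $name" >&2; return 1; }
    mkdir -p "$NETNS_DIR"
    ln -sfn "/proc/$pid/ns/net" "$NETNS_DIR/$name"
}

# net_shell PID [CMD...]: run CMD (default: a shell) inside PID's network
# namespace only. Without -m the host mount namespace is kept, so the host's
# bash, ip, ss and tcpdump are available even if the image has none of them;
# -m -u -i -n -p would instead give the container's own root filesystem.
net_shell() {
    pid=$1
    shift
    nsenter -t "$pid" -n -- "$@"
}

# verify_same_netns PID NAME: the alias and nsenter reach the same namespace.
verify_same_netns() {
    pid=$1
    name=$2
    want=$(readlink "/proc/$pid/ns/net")
    via_ip=$(ip netns exec "$name" readlink /proc/self/ns/net)
    via_nsenter=$(net_shell "$pid" readlink /proc/self/ns/net)
    [ "$want" = "$via_ip" ] && [ "$want" = "$via_nsenter" ]
}

# Usage (root):  sh docker-netns.sh <container-id> [alias]
if [ -n "${1:-}" ]; then
    cid=$1
    ns_alias=${2:-ctr-$(printf '%.12s' "$cid")}
    ls "$DOCKER_NETNS_DIR"        # docker's handles; "ip netns list" shows none
    pid=$(docker_pid "$cid")
    expose_netns "$pid" "$ns_alias"
    ip netns list                 # now includes $ns_alias
    verify_same_netns "$pid" "$ns_alias" \
        && echo "alias and nsenter agree: $(readlink "/proc/$pid/ns/net")"
    net_shell "$pid" ss -ltnp     # the container's listening sockets, host's ss
    rm -f "$NETNS_DIR/$ns_alias"  # remove the alias (not "ip netns del") when done
fi
```

Because the alias is a symlink rather than a bind mount, remove it with rm once you are done; ip netns del would try to unmount it. Nothing here changes the container: both ip netns exec and nsenter -n only switch the calling process into the namespace, which is why the host's tools keep working.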
Summary
Network namespaces isolate networking cleanly. The other sharp tool is nsenter, a debugging tool that, as a plain unix utility, is very useful in Kubernetes. Tonight I'll continue with Linux cgroups and namespaces.