macvlan接口類型簡(jiǎn)單說類似于子接口，但相比子接口來說，macvlan接口擁有自己獨(dú)立的mac地址，因此使用macvlan接口可以允許更多的二層操作。macvlan有四種模式：VEPA，bridge，Private和Passthru

macvlan接口會(huì)監(jiān)聽并接收鏈路上到達(dá)本mac地址的報(bào)文，因此macvlan（除bridge外）僅能向外部網(wǎng)絡(luò)發(fā)送報(bào)文，并接受目的為本機(jī)mac的報(bào)文。

+---------------+| network stack |+---------------+| | | |+---------+ | | +------------------+| | +------------------+ || +------------------+ | || | | || aa +----------+ | | || eth0 +-----| macvlan0 |---+ | || / +----------+ | |Wire +------+ +---------------+ bb +----------+ | | --------| eth0 |------/ if dst mac is /--------| macvlan1 |------+ |+------+ +---------------+ \ +----------+ |\ cc +----------+ |+-----| macvlan2 |---------++----------+

模擬環(huán)境：windows主機(jī)上安裝vmware centos虛擬機(jī)作為host主機(jī)，centos上安裝docker

VEPA模式：在這種模式下，macvlan設(shè)備不能直接接收在同一個(gè)物理網(wǎng)卡的其他macvlan設(shè)備的數(shù)據(jù)包，但是其他macvlan設(shè)備可以將數(shù)據(jù)包通過物理網(wǎng)卡發(fā)送出去，然后通過hairpin設(shè)備返回的給其他macvlan設(shè)備，用于管理內(nèi)部vm直接的流量，并且需要特殊設(shè)備支持。

使用如下命令創(chuàng)建一個(gè)容器的vepa模式的macvlan，名稱為vepamv,其中192.168.128.0和192.168.128.2分別為docker所在的host主機(jī)eth0的網(wǎng)段和網(wǎng)關(guān)。

docker network create -d macvlan --subnet=192.168.128.0/24 --gateway=192.168.128.2 -o parent=eth0 -o macvlan_mode=vepa vepamv

使用上述網(wǎng)絡(luò)運(yùn)行2個(gè)容器

docker run -itd --net=vepamv--ip=192.168.128.222 --name=centos1-2 f322035379ab /bin/bash docker run -itd --net=vepamv --ip=192.168.128.233 --name=centos1-3 f322035379ab /bin/bash

查看網(wǎng)絡(luò)信息，可以看到驅(qū)動(dòng)類型為macvlan，macvlan模型為vepa，兩個(gè)網(wǎng)卡有獨(dú)立的mac地址，底層物理網(wǎng)卡為eth0

[root@localhost ~]# docker network inspect evapmv [{"Name": "vepamv","Id": "84af6a040cf1e1063c122ed9b80b421ef2896d31100c87bec9cde7a0e8690833","Created": "2018-09-16T22:16:23.938521926+08:00","Scope": "local","Driver": "macvlan","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "192.168.128.0/24","Gateway": "192.168.128.2"}]},"Internal": false,"Attachable": false,"Containers": {"49eb565de8f9ec41ba69285c6ced2971a861a104247dc10c257ce3dd7a74d006": {"Name": "centos1-3","EndpointID": "adc576f3cfa1c5b6649f3d322ba11487e8ef3eadebeed72eb830f55a8a5768f6","MacAddress": "02:42:c0:a8:80:e9","IPv4Address": "192.168.128.233/24","IPv6Address": ""},"5f0fe3a769ca17717afea9f1d444b00a4380289b2744d02d5ade260e7e687868": {"Name": "centos1-2","EndpointID": "caa0766bb243e43986c1ee435b9d2666c615b92c06964c749d5e93ba7ef8849f","MacAddress": "02:42:c0:a8:80:de","IPv4Address": "192.168.128.222/24","IPv6Address": ""}},"Options": {"macvlan_mode": "vepa","parent": "eth0"},"Labels": {}} ]

在centos1-2中ping centos1-3發(fā)現(xiàn)無法ping通，因?yàn)楸镜丨h(huán)境上并沒有開啟hairpin模式的交換機(jī)或路由器，報(bào)文發(fā)送到鏈路上之后無法返回來。即無法在internal內(nèi)部進(jìn)行報(bào)文傳輸

[root@0dd61dcf26f3 /]# ping 192.168.128.222 PING 192.168.128.222 (192.168.128.222) 56(84) bytes of data. From 192.168.128.233 icmp_seq=1 Destination Host Unreachable From 192.168.128.233 icmp_seq=2 Destination Host Unreachable

但在external network的機(jī)器（192.168.128.1）是可以直接訪問該容器的（首先該容器的IP屬于external network）

D:/> ping 192.168.128.222 PING 192.168.128.222 (192.168.128.222) 56(84) bytes of data. 64 bytes from 192.168.128.222: icmp_seq=1 ttl=64 time=0.080 ms 64 bytes from 192.168.128.222: icmp_seq=1 ttl=64 time=0.080 ms

抓包如下，可以看到centos1-2的源mac地址與上述的mac地址是一致的。

?

使用IPOP構(gòu)包模擬hairpin的交換機(jī)，模擬從192.168.128.233 發(fā)送arp請(qǐng)求192.168.128.222，報(bào)文如下：

使用抓包工具可以看到192.168.128.222回復(fù)了來自192.168.128.223的arp請(qǐng)求

?

private模式：該模式類似于VEPA，但在VEPA基礎(chǔ)上添加了新的特性，即如果兩個(gè)macvlan在同一個(gè)網(wǎng)卡上，這兩個(gè)macvlan接口無法通信，即使使用啟用hairpin的交換機(jī)或路由器。仍然使用上述條件構(gòu)造從192.168.128.222到192.168.128.233的arp請(qǐng)求報(bào)文，可以看到192.168.128.222并沒有回復(fù)192.168.128.233的arp請(qǐng)求。但是從windows機(jī)器直接ping 192.168.128.222是可以ping通的。private模式下隔離了來自同網(wǎng)卡的macvlan的廣播報(bào)文。

?

passthru模式：該模式僅允許一塊網(wǎng)卡上面部署一個(gè)macvlan接口，其他使用macvlan的容器將啟動(dòng)失敗，但只要不使用macvlan，該容器還是可以正常啟動(dòng)。如果需要在單個(gè)物理網(wǎng)卡上啟動(dòng)多個(gè)macvlan_mode=passthru的容器，可以使用子接口方式，參見 https://blog.csdn.net/daye5465/article/details/77412619。

[root@localhost home]# docker run -itd --net=passmv f322 /bin/bash 17b0f2c446671f716bcf136e9c9d8c781ec84901c87e1d4ae0a20aa98e5fb710 /usr/bin/docker-current: Error response from daemon: failed to create the macvlan port: invalid argument. [root@localhost home]# docker run -itd f322 /bin/bash 6aac5b6a284b1d5c2294936d7943007947a602fc7cdcc133c32b5e861ed17865

　

bridge 模式（docker默認(rèn)模式）：在這種模式下，寄生在同一個(gè)物理設(shè)備的macvlan設(shè)備可以直接通訊，不需要外接的hairpin設(shè)備幫助，使用如下的命令創(chuàng)建一個(gè)bridge的macvlan網(wǎng)絡(luò)

docker network create -d macvlan --subnet=192.168.226.0/24 --gateway=192.168.226.2 -o parent=eth0 -o macvlan_mode=bridge bridmv

使用bridge可以保證在不使用hairpin設(shè)備的前提下實(shí)現(xiàn)inter-network和external-network的連通，查看docker的bridge信息如下

[root@localhost netns]# docker network inspect bridmv [{"Name": "bridmv","Id": "b2920c8721701d47ac891aa8528d95f60e6a71a1a7485d0e2f21bae30f8604bf","Created": "2018-09-18T09:16:34.549499448+08:00","Scope": "local","Driver": "macvlan","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "192.168.226.0/24","Gateway": "192.168.226.2"}]},"Internal": false,"Attachable": false,"Containers": {"031e1de7ed2cf13c25083e98d9cee131ea00a466fd169a0531c70818a25c7a7f": {"Name": "centos2","EndpointID": "b95efe7ddb8d2c4ce9228c06f019601c18daedbf7fc79462939efba128e84936","MacAddress": "02:42:c0:a8:80:e9","IPv4Address": "192.168.128.233/24","IPv6Address": ""},"8e23e7011f7cbc0962ba975974ae313dd4dab10a4114775b689ba70ae88dac72": {"Name": "centos1","EndpointID": "d2fb36b842f89128e3a862fc70624d4946b703bf0bb921fd11839d7f775fa8e0","MacAddress": "02:42:c0:a8:80:de","IPv4Address": "192.168.128.222/24","IPv6Address": ""}},"Options": {"macvlan_mode": "bridge","parent": "eth0"},"Labels": {}} ]

查看/var/run/docker/netns，有2個(gè)ns，這兩個(gè)就是192.168.128.222和192.168.128.233的容器網(wǎng)絡(luò)空間

[root@localhost netns]# ll /var/run/docker/netns/ total 0 -r--r--r--. 1 root root 0 Sep 18 09:18 59b305d0d01e -r--r--r--. 1 root root 0 Sep 18 09:18 a41362fa7ed2

macvlan的bridge無法使用brctl show獲得相關(guān)信息。查看容器網(wǎng)卡信息如下，可以看到Ip地址是與兩個(gè)容器對(duì)應(yīng)的，在容器的eth后面有一個(gè)@if2，表示有一個(gè)接口與該接口對(duì)應(yīng)，根據(jù)macvlan的原理，該接口為macvlan所在的host主機(jī)的eth0接口

[root@localhost netns]# ip netns exec 59b305d0d01e ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever 18: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 02:42:c0:a8:80:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 192.168.226.233/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:c0ff:fea8:e2e9/64 scope link valid_lft forever preferred_lft forever [root@localhost netns]# ip netns exec a41362fa7ed2 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever 19: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 02:42:c0:a8:80:de brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 192.168.226.222/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:c0ff:fea8:e2de/64 scope link valid_lft forever preferred_lft forever

在host主機(jī)上查看，網(wǎng)卡序號(hào)為2的正是macvlan接口所在的網(wǎng)卡eth0，即使用host的eth0作為了bridge(--parent指定)

[root@localhost netns]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000link/ether 00:0c:29:f1:38:bf brd ff:ff:ff:ff:ff:ff 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000link/ether 52:54:00:51:d1:17 brd ff:ff:ff:ff:ff:ff 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000link/ether 52:54:00:51:d1:17 brd ff:ff:ff:ff:ff:ff 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default link/ether 02:42:71:8b:5a:6e brd ff:ff:ff:ff:ff:ff

相比與docker 的bridge，macvlan類型的bridge下，只要多個(gè)容器在同一個(gè)子網(wǎng)IP范圍內(nèi)就可以通信，而無需在同一個(gè)bridge下，也即macvlan模擬真實(shí)物理網(wǎng)卡的功能。macvlan同bridge一樣，都是linux原生支持的，可以手動(dòng)實(shí)現(xiàn)自己的macvlan通信，具體配置操作參見：linux 網(wǎng)絡(luò)虛擬化：macvlan

?

總結(jié)：通過以上示例可以看出，macvlan類型的接口可以當(dāng)作正常的host接口使用，如果要組建跨網(wǎng)絡(luò)訪問，則需要路由器或交換機(jī)的支持，如hairpin，以及路由等。

參考：

https://blog.csdn.net/daye5465/article/details/77412619

https://blog.csdn.net/dog250/article/details/45788279

https://backreference.org/2014/03/20/some-notes-on-macvlanmacvtap/

https://superuser.com/questions/1205346/macvtap-interface-created-on-top-of-macvlan-interface-of-a-docker-container-cann

https://docs.docker.com/network/macvlan/#8021q-trunk-bridge-mode

https://docs.docker.com/v17.09/engine/userguide/networking/get-started-macvlan/#macvlan-bridge-mode-example-usage

https://hicu.be/bridge-vs-macvlan

轉(zhuǎn)載于:https://www.cnblogs.com/charlieroro/p/9656769.html

總結(jié)

以上是生活随笔為你收集整理的docker网络之macvlan的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。