docker网络之macvlan
macvlan接口類型簡單說類似于子接口,但相比子接口來說,macvlan接口擁有自己獨立的mac地址,因此使用macvlan接口可以允許更多的二層操作。macvlan有四種模式:VEPA,bridge,Private和Passthru
macvlan接口會監(jiān)聽并接收鏈路上到達本mac地址的報文,因此macvlan(除bridge外)僅能向外部網絡發(fā)送報文,并接受目的為本機mac的報文。
+---------------+| network stack |+---------------+| | | |+---------+ | | +------------------+| | +------------------+ || +------------------+ | || | | || aa +----------+ | | || eth0 +-----| macvlan0 |---+ | || / +----------+ | |Wire +------+ +---------------+ bb +----------+ | | --------| eth0 |------/ if dst mac is /--------| macvlan1 |------+ |+------+ +---------------+ \ +----------+ |\ cc +----------+ |+-----| macvlan2 |---------++----------+模擬環(huán)境:windows主機上安裝vmware centos虛擬機作為host主機,centos上安裝docker
VEPA模式:在這種模式下,macvlan設備不能直接接收在同一個物理網卡的其他macvlan設備的數據包,但是其他macvlan設備可以將數據包通過物理網卡發(fā)送出去,然后通過hairpin設備返回的給其他macvlan設備,用于管理內部vm直接的流量,并且需要特殊設備支持。
使用如下命令創(chuàng)建一個容器的vepa模式的macvlan,名稱為vepamv,其中192.168.128.0和192.168.128.2分別為docker所在的host主機eth0的網段和網關。
docker network create -d macvlan --subnet=192.168.128.0/24 --gateway=192.168.128.2 -o parent=eth0 -o macvlan_mode=vepa vepamv使用上述網絡運行2個容器
docker run -itd --net=vepamv--ip=192.168.128.222 --name=centos1-2 f322035379ab /bin/bash docker run -itd --net=vepamv --ip=192.168.128.233 --name=centos1-3 f322035379ab /bin/bash查看網絡信息,可以看到驅動類型為macvlan,macvlan模型為vepa,兩個網卡有獨立的mac地址,底層物理網卡為eth0
[root@localhost ~]# docker network inspect evapmv [{"Name": "vepamv","Id": "84af6a040cf1e1063c122ed9b80b421ef2896d31100c87bec9cde7a0e8690833","Created": "2018-09-16T22:16:23.938521926+08:00","Scope": "local","Driver": "macvlan","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "192.168.128.0/24","Gateway": "192.168.128.2"}]},"Internal": false,"Attachable": false,"Containers": {"49eb565de8f9ec41ba69285c6ced2971a861a104247dc10c257ce3dd7a74d006": {"Name": "centos1-3","EndpointID": "adc576f3cfa1c5b6649f3d322ba11487e8ef3eadebeed72eb830f55a8a5768f6","MacAddress": "02:42:c0:a8:80:e9","IPv4Address": "192.168.128.233/24","IPv6Address": ""},"5f0fe3a769ca17717afea9f1d444b00a4380289b2744d02d5ade260e7e687868": {"Name": "centos1-2","EndpointID": "caa0766bb243e43986c1ee435b9d2666c615b92c06964c749d5e93ba7ef8849f","MacAddress": "02:42:c0:a8:80:de","IPv4Address": "192.168.128.222/24","IPv6Address": ""}},"Options": {"macvlan_mode": "vepa","parent": "eth0"},"Labels": {}} ]在centos1-2中ping centos1-3發(fā)現無法ping通,因為本地環(huán)境上并沒有開啟hairpin模式的交換機或路由器,報文發(fā)送到鏈路上之后無法返回來。即無法在internal內部進行報文傳輸
[root@0dd61dcf26f3 /]# ping 192.168.128.222 PING 192.168.128.222 (192.168.128.222) 56(84) bytes of data. From 192.168.128.233 icmp_seq=1 Destination Host Unreachable From 192.168.128.233 icmp_seq=2 Destination Host Unreachable但在external network的機器(192.168.128.1)是可以直接訪問該容器的(首先該容器的IP屬于external network)
D:/> ping 192.168.128.222 PING 192.168.128.222 (192.168.128.222) 56(84) bytes of data. 64 bytes from 192.168.128.222: icmp_seq=1 ttl=64 time=0.080 ms 64 bytes from 192.168.128.222: icmp_seq=1 ttl=64 time=0.080 ms抓包如下,可以看到centos1-2的源mac地址與上述的mac地址是一致的。
?
使用IPOP構包模擬hairpin的交換機,模擬從192.168.128.233 發(fā)送arp請求192.168.128.222,報文如下:
使用抓包工具可以看到192.168.128.222回復了來自192.168.128.223的arp請求
?
private模式:該模式類似于VEPA,但在VEPA基礎上添加了新的特性,即如果兩個macvlan在同一個網卡上,這兩個macvlan接口無法通信,即使使用啟用hairpin的交換機或路由器。仍然使用上述條件構造從192.168.128.222到192.168.128.233的arp請求報文,可以看到192.168.128.222并沒有回復192.168.128.233的arp請求。但是從windows機器直接ping 192.168.128.222是可以ping通的。private模式下隔離了來自同網卡的macvlan的廣播報文。
?
passthru模式:該模式僅允許一塊網卡上面部署一個macvlan接口,其他使用macvlan的容器將啟動失敗,但只要不使用macvlan,該容器還是可以正常啟動。如果需要在單個物理網卡上啟動多個macvlan_mode=passthru的容器,可以使用子接口方式,參見 https://blog.csdn.net/daye5465/article/details/77412619。
[root@localhost home]# docker run -itd --net=passmv f322 /bin/bash 17b0f2c446671f716bcf136e9c9d8c781ec84901c87e1d4ae0a20aa98e5fb710 /usr/bin/docker-current: Error response from daemon: failed to create the macvlan port: invalid argument. [root@localhost home]# docker run -itd f322 /bin/bash 6aac5b6a284b1d5c2294936d7943007947a602fc7cdcc133c32b5e861ed17865
bridge 模式(docker默認模式):在這種模式下,寄生在同一個物理設備的macvlan設備可以直接通訊,不需要外接的hairpin設備幫助,使用如下的命令創(chuàng)建一個bridge的macvlan網絡
docker network create -d macvlan --subnet=192.168.226.0/24 --gateway=192.168.226.2 -o parent=eth0 -o macvlan_mode=bridge bridmv使用bridge可以保證在不使用hairpin設備的前提下實現inter-network和external-network的連通,查看docker的bridge信息如下
[root@localhost netns]# docker network inspect bridmv [{"Name": "bridmv","Id": "b2920c8721701d47ac891aa8528d95f60e6a71a1a7485d0e2f21bae30f8604bf","Created": "2018-09-18T09:16:34.549499448+08:00","Scope": "local","Driver": "macvlan","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "192.168.226.0/24","Gateway": "192.168.226.2"}]},"Internal": false,"Attachable": false,"Containers": {"031e1de7ed2cf13c25083e98d9cee131ea00a466fd169a0531c70818a25c7a7f": {"Name": "centos2","EndpointID": "b95efe7ddb8d2c4ce9228c06f019601c18daedbf7fc79462939efba128e84936","MacAddress": "02:42:c0:a8:80:e9","IPv4Address": "192.168.128.233/24","IPv6Address": ""},"8e23e7011f7cbc0962ba975974ae313dd4dab10a4114775b689ba70ae88dac72": {"Name": "centos1","EndpointID": "d2fb36b842f89128e3a862fc70624d4946b703bf0bb921fd11839d7f775fa8e0","MacAddress": "02:42:c0:a8:80:de","IPv4Address": "192.168.128.222/24","IPv6Address": ""}},"Options": {"macvlan_mode": "bridge","parent": "eth0"},"Labels": {}} ]查看/var/run/docker/netns,有2個ns,這兩個就是192.168.128.222和192.168.128.233的容器網絡空間
[root@localhost netns]# ll /var/run/docker/netns/ total 0 -r--r--r--. 1 root root 0 Sep 18 09:18 59b305d0d01e -r--r--r--. 1 root root 0 Sep 18 09:18 a41362fa7ed2macvlan的bridge無法使用brctl show獲得相關信息。查看容器網卡信息如下,可以看到Ip地址是與兩個容器對應的,在容器的eth后面有一個@if2,表示有一個接口與該接口對應,根據macvlan的原理,該接口為macvlan所在的host主機的eth0接口
[root@localhost netns]# ip netns exec 59b305d0d01e ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever 18: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 02:42:c0:a8:80:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 192.168.226.233/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:c0ff:fea8:e2e9/64 scope link valid_lft forever preferred_lft forever [root@localhost netns]# ip netns exec a41362fa7ed2 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever 19: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default link/ether 02:42:c0:a8:80:de brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 192.168.226.222/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:c0ff:fea8:e2de/64 scope link valid_lft forever preferred_lft forever在host主機上查看,網卡序號為2的正是macvlan接口所在的網卡eth0,即使用host的eth0作為了bridge(--parent指定)
[root@localhost netns]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000link/ether 00:0c:29:f1:38:bf brd ff:ff:ff:ff:ff:ff 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000link/ether 52:54:00:51:d1:17 brd ff:ff:ff:ff:ff:ff 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000link/ether 52:54:00:51:d1:17 brd ff:ff:ff:ff:ff:ff 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default link/ether 02:42:71:8b:5a:6e brd ff:ff:ff:ff:ff:ff相比與docker 的bridge,macvlan類型的bridge下,只要多個容器在同一個子網IP范圍內就可以通信,而無需在同一個bridge下,也即macvlan模擬真實物理網卡的功能。macvlan同bridge一樣,都是linux原生支持的,可以手動實現自己的macvlan通信,具體配置操作參見:linux 網絡虛擬化:macvlan
?
總結:通過以上示例可以看出,macvlan類型的接口可以當作正常的host接口使用,如果要組建跨網絡訪問,則需要路由器或交換機的支持,如hairpin,以及路由等。
參考:
https://blog.csdn.net/daye5465/article/details/77412619
https://blog.csdn.net/dog250/article/details/45788279
https://backreference.org/2014/03/20/some-notes-on-macvlanmacvtap/
https://superuser.com/questions/1205346/macvtap-interface-created-on-top-of-macvlan-interface-of-a-docker-container-cann
https://docs.docker.com/network/macvlan/#8021q-trunk-bridge-mode
https://docs.docker.com/v17.09/engine/userguide/networking/get-started-macvlan/#macvlan-bridge-mode-example-usage
https://hicu.be/bridge-vs-macvlan
轉載于:https://www.cnblogs.com/charlieroro/p/9656769.html
總結
以上是生活随笔為你收集整理的docker网络之macvlan的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 转:更改pip源至国内镜像,显著提升下载
- 下一篇: python中字母大小写的转换,和一些字