What a veth pair is for
A veth pair connects two network namespaces on the same host. It behaves like a pipe: data written into one end of the veth pair passes through the kernel network stack and comes out of the other end.
Using a veth pair
netns help
# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns attach NAME PID
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id [target-nsid POSITIVE-INT] [nsid POSITIVE-INT]
NETNSID := auto | POSITIVE-INT
Create a network namespace
ip netns add ns1
Delete a network namespace
ip netns del ns1
Create a veth pair
ip link add veth0 type veth peer name veth1
Inspect the veth pair
# ip a
...
8: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether ea:1c:85:27:14:ca brd ff:ff:ff:ff:ff:ff
9: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 72:74:8e:30:ac:7d brd ff:ff:ff:ff:ff:ff
Move veth1 into ns1
ip link set veth1 netns ns1
Note: to move veth1 from ns1 back to the root (host) network namespace, use the command below. The 1 is a PID: process 1 (init) lives in the host's network namespace, so "netns 1" selects that namespace.
ip netns exec ns1 ip link set veth1 netns 1
Assign IP addresses to veth0 and veth1
ip addr add 192.168.1.100/24 dev veth0
ip netns exec ns1 ip addr add 192.168.1.101/24 dev veth1
Bring the interfaces up
ip link set veth0 up
ip netns exec ns1 ip link set veth1 up
Inspect the interfaces inside ns1
# ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
8: veth1@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ea:1c:85:27:14:ca brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.101/24 scope global veth1
       valid_lft forever preferred_lft forever
    inet6 fe80::e81c:85ff:fe27:14ca/64 scope link
       valid_lft forever preferred_lft forever
Test connectivity
# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=0.102 ms
^C
--- 192.168.1.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.102/0.102/0.102/0.000 ms
# ip netns exec ns1 ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.076 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.055 ms
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1075ms
rtt min/avg/max/mdev = 0.055/0.065/0.076/0.010 ms
Simulating the k8s Calico network
On a k8s cluster running Calico you will see interfaces like this:
# ifconfig cali52cd9f5b6c4
cali52cd9f5b6c4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::ecee:eeff:feee:eeee  prefixlen 64  scopeid 0x20<link>
        ether ee:ee:ee:ee:ee:ee  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
The veth has no IP address configured. Instead, a host route like the one below is added, and that alone lets the host namespace reach the container's namespace.
# ip route
10.233.97.1 dev cali52cd9f5b6c4 scope link
Remove the IP address from veth0
ip addr del 192.168.1.100/24 dev veth0
Add a Calico-style route
ip route add 192.168.1.101/32 dev veth0
Check the routing table
# ip route
...
192.168.1.101 dev veth0 scope link
Try to ping the IP inside ns1
# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
^C
--- 192.168.1.101 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2089ms
The ping gets no reply. Run tcpdump inside ns1 while pinging from the host to see what actually arrives:
# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
From 172.20.42.70 icmp_seq=1 Destination Host Unreachable
From 172.20.42.70 icmp_seq=2 Destination Host Unreachable
From 172.20.42.70 icmp_seq=3 Destination Host Unreachable
From 172.20.42.70 icmp_seq=4 Destination Host Unreachable
From 172.20.42.70 icmp_seq=5 Destination Host Unreachable
From 172.20.42.70 icmp_seq=6 Destination Host Unreachable
# ip netns exec ns1 tcpdump -i veth1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:20:14.809648 ARP, Request who-has master1 tell deploy, length 28
17:20:15.832062 ARP, Request who-has master1 tell deploy, length 28
17:20:16.872071 ARP, Request who-has master1 tell deploy, length 28
17:20:17.912265 ARP, Request who-has master1 tell deploy, length 28
17:20:18.952076 ARP, Request who-has master1 tell deploy, length 28
17:20:19.992079 ARP, Request who-has master1 tell deploy, length 28
17:20:21.032265 ARP, Request who-has master1 tell deploy, length 28
17:20:22.072065 ARP, Request who-has master1 tell deploy, length 28
Check the routing table inside ns1
The ARP request reaches ns1, but ns1 never answers it. Its routing table shows why: only 192.168.1.0/24 can be sent out via veth1, and packets for any other destination have no route and are dropped. The request comes from the host's address 172.20.42.70 (shown as deploy in the capture), which ns1 cannot route back to, so no reply is sent.
# ip netns exec ns1 ip route
192.168.1.0/24 dev veth1 proto kernel scope link src 192.168.1.101
Add a default route inside ns1
# ip netns exec ns1 ip route add default via 192.168.1.101 dev veth1
Ping ns1 again
# ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101) 56(84) bytes of data.
64 bytes from 192.168.1.101: icmp_seq=1 ttl=64 time=0.067 ms
64 bytes from 192.168.1.101: icmp_seq=2 ttl=64 time=0.051 ms
^C
--- 192.168.1.101 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.051/0.059/0.067/0.008 ms
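The script below is an added example, not code from the original post. It packages the two procedures above (building the veth pair between the host and ns1, then the Calico-style setup with a /32 host route and no IP on veth0) and turns the tcpdump diagnosis into a check: before ns1 will answer the host's ARP request, its routing table must contain a route back to the sender address. The helper names (ip2int, cidr_contains, route_covers, setup_calico_style_veth, diagnose_return_route, teardown) and the file name veth-demo.sh are assumptions made for this example; the namespace, interface names and addresses are the post's.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the post's topology
# (ns1, veth0/veth1, 192.168.1.101/24 in ns1, a Calico-style /32 host route on
# veth0 with no IP) and checks the condition the post diagnosed with tcpdump:
# ns1 only answers the host's ARP request when it has a route back to the sender.
# ip2int/cidr_contains/route_covers are helpers written for this example.

ip2int() {
    # dotted quad -> integer, using only POSIX sh arithmetic
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_contains() {
    # cidr_contains CIDR ADDRESS -> true when ADDRESS lies inside CIDR.
    # A bare address (no "/") is a /32 host route, the way "ip route" prints it.
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;       bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

route_covers() {
    # route_covers ROUTE_TABLE ADDRESS -> true when some forwarding route in the
    # text of "ip route" covers ADDRESS. Reject routes (unreachable, blackhole,
    # prohibit) are skipped; this is an any-match check, not a longest-prefix lookup.
    found=$(printf '%s\n' "$1" | while read -r dst _rest; do
        case $dst in
            default) dst=0.0.0.0/0 ;;
            [0-9]*)  ;;
            *)       continue ;;
        esac
        cidr_contains "$dst" "$2" && { echo yes; break; }
    done)
    [ "$found" = yes ]
}

setup_calico_style_veth() {
    # Needs root and iproute2. Same steps as the post, without an IP on veth0.
    ip netns add ns1
    ip link add veth0 type veth peer name veth1
    ip link set veth1 netns ns1
    ip netns exec ns1 ip addr add 192.168.1.101/24 dev veth1
    ip link set veth0 up
    ip netns exec ns1 ip link set veth1 up
    ip route add 192.168.1.101/32 dev veth0
}

diagnose_return_route() {
    # diagnose_return_route HOST_SRC_IP: the address the host pings from
    # (172.20.42.70 in the post). Without a route back to it, ns1 drops the
    # ARP request and ping reports "Destination Host Unreachable".
    if route_covers "$(ip netns exec ns1 ip route)" "$1"; then
        echo "ns1 can route back to $1; ping should succeed"
    else
        echo "ns1 has no route back to $1; add a default route inside ns1"
        return 1
    fi
}

teardown() {
    # Deleting the namespace destroys veth1, which takes its peer veth0 with it.
    ip netns del ns1
}

# The pure checks above run anywhere; the live demo needs root:
#   sudo sh veth-demo.sh run 172.20.42.70
if [ "${1:-}" = run ] && [ "$(id -u)" -eq 0 ]; then
    setup_calico_style_veth
    diagnose_return_route "$2" || true          # expected: no return route yet
    ip netns exec ns1 ip route add default via 192.168.1.101 dev veth1
    diagnose_return_route "$2"                  # now the reply path exists
    teardown
fi
```

route_covers is deliberately an approximation of the kernel's behaviour (it does not do longest-prefix matching or honour route metrics); it is enough to flag the case in the post, where the only route in ns1 is the connected 192.168.1.0/24 and the host pings from 172.20.42.70.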