[docker 網(wǎng)絡(luò)] ovs-docker 使用及原理

1. 當(dāng)前環(huán)境

[root@vm1 ~]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
[root@vm1 ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@vm1 ~]# iptables -t nat -F
[root@vm1 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.19.0.1      0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
172.19.0.0      0.0.0.0         255.255.240.0   U     0      0        0 eth0

安裝ovs可以參考 在 Centos 上安裝 ovs

2. 用ovs模擬docker

添加一個(gè)ovs 網(wǎng)橋br0 并且配置ip為192.168.1.250/24

[root@vm1 ~]# ovs-vsctl add-br br0 
[root@vm1 ~]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
    Bridge "br0"
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.1"
[root@vm1 ~]# ifconfig br0 192.168.1.250/24 
[root@vm1 ~]# ifconfig br0
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.250  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::c0b6:92ff:fe4d:7649  prefixlen 64  scopeid 0x20<link>
        ether c2:b6:92:4d:76:49  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 8  overruns 0  frame 0
        TX packets 6  bytes 508 (508.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

創(chuàng)建一個(gè)network namespace ns1, 創(chuàng)建一對(duì)veth為veth0和veth1, 將veth0加入到br0中, 將veth1加入到ns1中, 并且給ns1配置ip為192.168.1.1/24.

// 創(chuàng)建一個(gè)network namespace ns1
[root@vm1 ~]# ip netns add ns1
// 創(chuàng)建一對(duì)veth pair (veth0 和 veth1)
[root@vm1 ~]# ip link add veth0 type veth peer name veth1
// 將veth0加入到br0中
[root@vm1 ~]# ip link set veth0 up
[root@vm1 ~]# ovs-vsctl add-port br0 veth0
[root@vm1 ~]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
    Bridge "br0"
        Port "veth0"
            Interface "veth0"
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.1"
[root@vm1 ~]# 
// 將veth1加入到ns1中
[root@vm1 ~]# ip link set veth1 netns ns1
// 設(shè)置veth1 ip 與br0是同一個(gè)網(wǎng)絡(luò)
[root@vm1 ~]# ip netns exec ns1 ip addr add 192.168.1.1/24 dev veth1
[root@vm1 ~]# ip netns exec ns1 ip link set veth1 up
[root@vm1 ~]# ip netns exec ns1 ip link set lo up
// 在ns1中ping br0成功
[root@vm1 ~]# ip netns exec ns1 ping -c 1 192.168.1.250
PING 192.168.1.250 (192.168.1.250) 56(84) bytes of data.
64 bytes from 192.168.1.250: icmp_seq=1 ttl=64 time=0.392 ms

--- 192.168.1.250 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.392/0.392/0.392/0.000 ms

給ns1增加路由

[root@vm1 ~]# ip netns exec ns1 route add default gw 192.168.1.250
[root@vm1 ~]# ip netns exec ns1 ping -c 1 172.19.0.12
PING 172.19.0.12 (172.19.0.12) 56(84) bytes of data.
64 bytes from 172.19.0.12: icmp_seq=1 ttl=64 time=0.224 ms

--- 172.19.0.12 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.224/0.224/0.224/0.000 ms

打開ip_forward功能和加iptables規(guī)則

[root@vm1 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@vm1 ~]# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
[root@vm1 ~]# ip netns exec ns1 ping -c 1 www.baidu.com
PING www.wshifen.com (103.235.46.39) 56(84) bytes of data.
64 bytes from 103.235.46.39 (103.235.46.39): icmp_seq=1 ttl=55 time=1.77 ms

--- www.wshifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.772/1.772/1.772/0.000 ms
[root@vm1 ~]#

3. ovs-docker

3.1 配置

[root@vm1 ~]# docker version
Client:
 Version:           18.09.6
[root@vm1 ~]# docker run -d --name con1 --net=none busybox top
[root@vm1 ~]# docker exec -it con1 ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
// 此時(shí)利用ovs-docker 設(shè)置此容器ip地址為192.168.1.2/24  網(wǎng)關(guān)為192.168.1.250
[root@vm1 ~]# ovs-docker add-port br0 eth0 con1 --ipaddress=192.168.1.2/24 --gateway=192.168.1.250
[root@vm1 ~]# docker exec -it con1 ifconfig
eth0      Link encap:Ethernet  HWaddr 56:39:36:6A:B0:61  
          inet addr:192.168.1.2  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:578 (578.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

[root@vm1 ~]# docker exec -it con1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.250   0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
[root@vm1 ~]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
    Bridge "br0"
        Port "veth0"
            Interface "veth0"
        Port "7506959a37594_l"
            Interface "7506959a37594_l"
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.1"
[root@vm1 ~]#

從上面結(jié)果可以知道ovs-docker所做的操作的就是2. 用ovs模擬docker中所做的內(nèi)容,說(shuō)白了就是一些shell命令的集合.

3.2 測(cè)試

// 訪問(wèn)br0
[root@vm1 ~]# docker exec -it con1 ping -c 1 192.168.1.250
PING 192.168.1.250 (192.168.1.250): 56 data bytes
64 bytes from 192.168.1.250: seq=0 ttl=64 time=3.972 ms

--- 192.168.1.250 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.972/3.972/3.972 ms
// 訪問(wèn)ns1
[root@vm1 ~]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=3.751 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.751/3.751/3.751 ms
// 訪問(wèn)本機(jī)ip
[root@vm1 ~]# docker exec -it con1 ping -c 1 172.19.0.12
PING 172.19.0.12 (172.19.0.12): 56 data bytes
64 bytes from 172.19.0.12: seq=0 ttl=64 time=4.743 ms

--- 172.19.0.12 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.743/4.743/4.743 ms
// 訪問(wèn)另外一臺(tái)機(jī)器vm2
[root@vm1 ~]# docker exec -it con1 ping -c 1 172.19.0.8
PING 172.19.0.8 (172.19.0.8): 56 data bytes
64 bytes from 172.19.0.8: seq=0 ttl=63 time=3.829 ms

--- 172.19.0.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.829/3.829/3.829 ms
// 訪問(wèn)互聯(lián)網(wǎng)
[root@vm1 ~]# docker exec -it con1 ping -c 1 www.baidu.com
PING www.baidu.com (119.63.197.151): 56 data bytes
64 bytes from 119.63.197.151: seq=0 ttl=49 time=50.983 ms

--- www.baidu.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 50.983/50.983/50.983 ms

從ns1中訪問(wèn)con1

[root@vm1 ~]# ip netns exec ns1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.230 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
[root@vm1 ~]#

如果ovs-docker 配置不成功, 可以在創(chuàng)建容器的時(shí)候加上--privileged=true.

3.3 ovs-docker 原理

源碼訪問(wèn) http://github.com/openvswitch/ovs/raw/master/utilities/ovs-docker

...

add_port () {
    BRIDGE="$1"
    INTERFACE="$2"
    CONTAINER="$3"

    if [ -z "$BRIDGE" ] || [ -z "$INTERFACE" ] || [ -z "$CONTAINER" ]; then
        echo >&2 "$UTIL add-port: not enough arguments (use --help for help)"
        exit 1
    fi

    shift 3
    while [ $# -ne 0 ]; do
        case $1 in
            --ipaddress=*)
                ADDRESS=`expr X"$1" : 'X[^=]*=\(.*\)'`
                shift
                ;;
            --macaddress=*)
                MACADDRESS=`expr X"$1" : 'X[^=]*=\(.*\)'`
                shift
                ;;
            --gateway=*)
                GATEWAY=`expr X"$1" : 'X[^=]*=\(.*\)'`
                shift
                ;;
            --mtu=*)
                MTU=`expr X"$1" : 'X[^=]*=\(.*\)'`
                shift
                ;;
            *)
                echo >&2 "$UTIL add-port: unknown option \"$1\""
                exit 1
                ;;
        esac
    done

    # Check if a port is already attached for the given container and interface
    PORT=`get_port_for_container_interface "$CONTAINER" "$INTERFACE" \
            2>/dev/null`
    if [ -n "$PORT" ]; then
        echo >&2 "$UTIL: Port already attached" \
                 "for CONTAINER=$CONTAINER and INTERFACE=$INTERFACE"
        exit 1
    fi

    if ovs_vsctl br-exists "$BRIDGE" || \
        ovs_vsctl add-br "$BRIDGE"; then :; else
        echo >&2 "$UTIL: Failed to create bridge $BRIDGE"
        exit 1
    fi

    if PID=`docker inspect -f '{{.State.Pid}}' "$CONTAINER"`; then :; else
        echo >&2 "$UTIL: Failed to get the PID of the container"
        exit 1
    fi

    create_netns_link

    # Create a veth pair.
    ID=`uuidgen | sed 's/-//g'`
    PORTNAME="${ID:0:13}"
    ip link add "${PORTNAME}_l" type veth peer name "${PORTNAME}_c"

    # Add one end of veth to OVS bridge.
    if ovs_vsctl --may-exist add-port "$BRIDGE" "${PORTNAME}_l" \
       -- set interface "${PORTNAME}_l" \
       external_ids:container_id="$CONTAINER" \
       external_ids:container_iface="$INTERFACE"; then :; else
        echo >&2 "$UTIL: Failed to add "${PORTNAME}_l" port to bridge $BRIDGE"
        ip link delete "${PORTNAME}_l"
        exit 1
    fi

    ip link set "${PORTNAME}_l" up

    # Move "${PORTNAME}_c" inside the container and changes its name.
    ip link set "${PORTNAME}_c" netns "$PID"
    ip netns exec "$PID" ip link set dev "${PORTNAME}_c" name "$INTERFACE"
    ip netns exec "$PID" ip link set "$INTERFACE" up

    if [ -n "$MTU" ]; then
        ip netns exec "$PID" ip link set dev "$INTERFACE" mtu "$MTU"
    fi

    if [ -n "$ADDRESS" ]; then
        ip netns exec "$PID" ip addr add "$ADDRESS" dev "$INTERFACE"
    fi

    if [ -n "$MACADDRESS" ]; then
        ip netns exec "$PID" ip link set dev "$INTERFACE" address "$MACADDRESS"
    fi

    if [ -n "$GATEWAY" ]; then
        ip netns exec "$PID" ip route add default via "$GATEWAY"
    fi
}
...

很簡(jiǎn)單就看到這個(gè)方法就是ovs-docker剛才的操作過(guò)程, 基本上也就是2. 用ovs模擬docker的基礎(chǔ)上加入了一些判斷.

4. 參考

1. https://blog.csdn.net/silvester123/article/details/80867168
2. https://blog.csdn.net/yeya24/article/details/79829240

?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
  • 人面猴
    序言:七十年代末般哼,一起剝皮案震驚了整個(gè)濱河市鸯隅,隨后出現(xiàn)的幾起案子改执,更是在濱河造成了極大的恐慌,老刑警劉巖,帶你破解...
    沈念sama閱讀 206,126評(píng)論 6 481
  • 死咒
    序言:濱河連續(xù)發(fā)生了三起死亡事件埠帕,死亡現(xiàn)場(chǎng)離奇詭異拔恰,居然都是意外死亡,警方通過(guò)查閱死者的電腦和手機(jī)闹获,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 88,254評(píng)論 2 382
  • 救了他兩次的神仙讓他今天三更去死
    文/潘曉璐 我一進(jìn)店門期犬,熙熙樓的掌柜王于貴愁眉苦臉地迎上來(lái),“玉大人避诽,你說(shuō)我怎么就攤上這事龟虎。” “怎么了沙庐?”我有些...
    開封第一講書人閱讀 152,445評(píng)論 0 341
  • 道士緝兇錄:失蹤的賣姜人
    文/不壞的土叔 我叫張陵遣总,是天一觀的道長(zhǎng)。 經(jīng)常有香客問(wèn)我轨功,道長(zhǎng)旭斥,這世上最難降的妖魔是什么? 我笑而不...
    開封第一講書人閱讀 55,185評(píng)論 1 278
  • ?港島之戀(遺憾婚禮)
    正文 為了忘掉前任古涧,我火速辦了婚禮垂券,結(jié)果婚禮上,老公的妹妹穿的比我還像新娘羡滑。我一直安慰自己菇爪,他們只是感情好,可當(dāng)我...
    茶點(diǎn)故事閱讀 64,178評(píng)論 5 371
  • 惡毒庶女頂嫁案:這布局不是一般人想出來(lái)的
    文/花漫 我一把揭開白布柒昏。 她就那樣靜靜地躺著凳宙,像睡著了一般。 火紅的嫁衣襯著肌膚如雪职祷。 梳的紋絲不亂的頭發(fā)上氏涩,一...
    開封第一講書人閱讀 48,970評(píng)論 1 284
  • 城市分裂傳說(shuō)
    那天届囚,我揣著相機(jī)與錄音,去河邊找鬼是尖。 笑死意系,一個(gè)胖子當(dāng)著我的面吹牛,可吹牛的內(nèi)容都是我干的饺汹。 我是一名探鬼主播蛔添,決...
    沈念sama閱讀 38,276評(píng)論 3 399
  • 雙鴛鴦連環(huán)套:你想象不到人心有多黑
    文/蒼蘭香墨 我猛地睜開眼,長(zhǎng)吁一口氣:“原來(lái)是場(chǎng)噩夢(mèng)啊……” “哼兜辞!你這毒婦竟也來(lái)了迎瞧?” 一聲冷哼從身側(cè)響起,我...
    開封第一講書人閱讀 36,927評(píng)論 0 259
  • 萬(wàn)榮殺人案實(shí)錄
    序言:老撾萬(wàn)榮一對(duì)情侶失蹤逸吵,失蹤者是張志新(化名)和其女友劉穎凶硅,沒(méi)想到半個(gè)月后,有當(dāng)?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體胁塞,經(jīng)...
    沈念sama閱讀 43,400評(píng)論 1 300
  • ?護(hù)林員之死
    正文 獨(dú)居荒郊野嶺守林人離奇死亡咏尝,尸身上長(zhǎng)有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點(diǎn)故事閱讀 35,883評(píng)論 2 323
  • ?白月光啟示錄
    正文 我和宋清朗相戀三年,在試婚紗的時(shí)候發(fā)現(xiàn)自己被綠了啸罢。 大學(xué)時(shí)的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片编检。...
    茶點(diǎn)故事閱讀 37,997評(píng)論 1 333
  • 活死人
    序言:一個(gè)原本活蹦亂跳的男人離奇死亡,死狀恐怖扰才,靈堂內(nèi)的尸體忽然破棺而出允懂,到底是詐尸還是另有隱情,我是刑警寧澤衩匣,帶...
    沈念sama閱讀 33,646評(píng)論 4 322
  • ?日本核電站爆炸內(nèi)幕
    正文 年R本政府宣布蕾总,位于F島的核電站,受9級(jí)特大地震影響琅捏,放射性物質(zhì)發(fā)生泄漏生百。R本人自食惡果不足惜,卻給世界環(huán)境...
    茶點(diǎn)故事閱讀 39,213評(píng)論 3 307
  • 男人毒藥:我在死后第九天來(lái)索命
    文/蒙蒙 一柄延、第九天 我趴在偏房一處隱蔽的房頂上張望蚀浆。 院中可真熱鬧,春花似錦搜吧、人聲如沸市俊。這莊子的主人今日做“春日...
    開封第一講書人閱讀 30,204評(píng)論 0 19
  • 一樁弒父案滤奈,背后竟有這般陰謀
    文/蒼蘭香墨 我抬頭看了看天上的太陽(yáng)摆昧。三九已至,卻和暖如春蜒程,著一層夾襖步出監(jiān)牢的瞬間绅你,已是汗流浹背伺帘。 一陣腳步聲響...
    開封第一講書人閱讀 31,423評(píng)論 1 260
  • 情欲美人皮
    我被黑心中介騙來(lái)泰國(guó)打工, 沒(méi)想到剛下飛機(jī)就差點(diǎn)兒被人妖公主榨干…… 1. 我叫王不留勇吊,地道東北人曼追。 一個(gè)月前我還...
    沈念sama閱讀 45,423評(píng)論 2 352
  • 代替公主和親
    正文 我出身青樓窍仰,卻偏偏與公主長(zhǎng)得像汉规,于是被迫代替她去往敵國(guó)和親。 傳聞我的和親對(duì)象是個(gè)殘疾皇子驹吮,可洞房花燭夜當(dāng)晚...
    茶點(diǎn)故事閱讀 42,722評(píng)論 2 345

推薦閱讀更多精彩內(nèi)容