Docker's macvlan driver runs the Linux macvlan interface in bridge mode by default (the driver's macvlan_mode option can select the other kernel modes, but everything below uses the default). This article uses worked examples to show how containers on macvlan networks reach each other across Docker hosts.
Background
Linux macvlan interface virtualization: an introduction
Environment
Two VMs, each with Docker installed, with the following IP addresses:
- d1: 172.20.0.21
- d2: 172.20.0.22
The VMs' network interfaces run in promiscuous mode. Each macvlan child interface has its own MAC address, so the parent interface has to accept frames addressed to MACs other than its own (the kernel adds the children to the parent's unicast filter and falls back to promiscuous mode when it cannot). In a VM the hypervisor's virtual switch must also let the VM port receive frames for those extra MACs and send frames with them as source; without that, container traffic never leaves or reaches the VM.
Communication within the same macvlan
Create the network and containers
d1
Create the docker network:
$ docker network create -d macvlan --subnet=10.0.1.0/24 --gateway=10.0.1.1 -o parent=ens33 mv1
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
69e0c798564a mv1 macvlan local
$ docker network inspect mv1
[
{
"Name": "mv1",
"Id": "69e0c798564a0f473ed72c3a3bca8f234e608bebeecc90ed9e5588f4dfec66c5",
"Created": "2020-09-19T23:03:43.99623058-05:00",
"Scope": "local",
"Driver": "macvlan",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "10.0.1.0/24",
"Gateway": "10.0.1.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"5914aac7af479a2aeb27f3d89ad64e99ad8f49b814340569a922eeec6a6de525": {
"Name": "c1",
"EndpointID": "bbe263d94336c020d6b02b3755cad51a642a97adf155c332a66d52eb44e316d1",
"MacAddress": "02:42:0a:00:01:02",
"IPv4Address": "10.0.1.2/24",
"IPv6Address": ""
}
},
"Options": {
"parent": "ens33"
},
"Labels": {}
}
]
Parameter descriptions:
- -d: the docker network driver, here macvlan
- --subnet: the subnet of the macvlan network
- --gateway: the gateway address
- -o parent=: the physical interface the macvlan network is bound to
Start the container:
docker run -it -d --name c1 --network mv1 --ip=10.0.1.2 alpine
Parameter descriptions:
- --network: the network to attach the container to
- --ip: the address to assign. It is pinned here on purpose: each host runs its own IPAM over the same 10.0.1.0/24, so without --ip both hosts would hand the first free address (10.0.1.2) to their first container and the two containers would collide on the shared segment.
d2
Create the docker network:
docker network create -d macvlan --subnet=10.0.1.0/24 --gateway=10.0.1.1 -o parent=ens33 mv2
Start the container:
docker run -it -d --name c2 --network mv2 --ip=10.0.1.3 alpine
Connectivity verification
$ docker exec -it c1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:0a:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.2/24 brd 10.0.1.255 scope global eth0
valid_lft forever preferred_lft forever
$ docker exec -it c1 ping -c 1 10.0.1.3
PING 10.0.1.3 (10.0.1.3): 56 data bytes
64 bytes from 10.0.1.3: seq=0 ttl=64 time=0.943 ms
--- 10.0.1.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.943/0.943/0.943 ms
$ tcpdump -i ens33 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
23:45:13.459397 IP 10.0.1.2 > 10.0.1.3: ICMP echo request, id 48, seq 0, length 64
23:45:13.459500 IP 10.0.1.3 > 10.0.1.2: ICMP echo reply, id 48, seq 0, length 64
The container on d1 can ping the container on d2. The capture on ens33 shows the ICMP traffic leaving the VM with the containers' own addresses (10.0.1.2 and 10.0.1.3): unlike the default bridge driver there is no NAT and no host-side netfilter rule between the containers and the wire, they sit directly on the VMs' L2 segment with their own MAC addresses.
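Because every host runs its own IPAM over the same subnet, a macvlan network that spans hosts is only as consistent as the operator keeps it. Docker derives the container MAC from the IPv4 address (02:42 followed by the address in hex, visible in the inspect output: 02:42:0a:00:01:02 for 10.0.1.2), so a duplicate IP across hosts is also a duplicate MAC on the same segment. The script below is an added example, not code from the original post: it takes the docker network inspect output collected from each host and reports addresses or MACs assigned on more than one host, plus any subnet, gateway or parent setting that differs between hosts. The JSON samples are constructed for the example and trimmed to the fields the check reads; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Cross-host sanity check for
# a macvlan network that spans several Docker hosts on one L2 segment.
# Input: the `docker network inspect <net>` output from each host, one blob
# per argument. Docker's IPAM is per host, so nothing prevents two hosts from
# assigning the same address; Docker also derives the container MAC from the
# IPv4 address, so a duplicate IP is a duplicate MAC as well.

# Constructed samples shaped like the page's inspect output, reduced to the
# fields read below. D1/D2 match the setup on the page (c1=10.0.1.2, c2=10.0.1.3).
D1_INSPECT='[{"Name":"mv1","Driver":"macvlan",
"IPAM":{"Config":[{"Subnet":"10.0.1.0/24","Gateway":"10.0.1.1"}]},
"Containers":{"5914aac7af47":{"Name":"c1","MacAddress":"02:42:0a:00:01:02","IPv4Address":"10.0.1.2/24"}},
"Options":{"parent":"ens33"}}]'
D2_INSPECT='[{"Name":"mv2","Driver":"macvlan",
"IPAM":{"Config":[{"Subnet":"10.0.1.0/24","Gateway":"10.0.1.1"}]},
"Containers":{"7c0d1e2f3a4b":{"Name":"c2","MacAddress":"02:42:0a:00:01:03","IPv4Address":"10.0.1.3/24"}},
"Options":{"parent":"ens33"}}]'
# D2_NOIP: what d2 would look like if --ip had been omitted there too: its own
# IPAM hands out the first free address of the subnet, 10.0.1.2 (constructed).
D2_NOIP_INSPECT='[{"Name":"mv2","Driver":"macvlan",
"IPAM":{"Config":[{"Subnet":"10.0.1.0/24","Gateway":"10.0.1.1"}]},
"Containers":{"7c0d1e2f3a4b":{"Name":"c2","MacAddress":"02:42:0a:00:01:02","IPv4Address":"10.0.1.2/24"}},
"Options":{"parent":"ens33"}}]'
# D2_VLAN: a host whose network was created with parent=ens33.100 (tagged)
# while d1 uses the untagged parent: same subnet, but not the same segment.
D2_VLAN_INSPECT='[{"Name":"mv2","Driver":"macvlan",
"IPAM":{"Config":[{"Subnet":"10.0.1.0/24","Gateway":"10.0.1.1"}]},
"Containers":{"7c0d1e2f3a4b":{"Name":"c2","MacAddress":"02:42:0a:00:01:03","IPv4Address":"10.0.1.3/24"}},
"Options":{"parent":"ens33.100"}}]'

# json_field KEY: print the value of every "KEY":"value" pair on stdin, one per
# line. Enough for inspect output, where each of these keys is a flat string.
json_field() {
  grep -o "\"$1\": *\"[^\"]*\"" | sed 's/.*: *"\([^"]*\)"/\1/'
}

# all_values KEY BLOB...: the values of KEY across every host's blob.
all_values() {
  k=$1; shift
  for blob in "$@"; do printf '%s\n' "$blob" | json_field "$k"; done
}

# dup_ips BLOB...: IPv4 addresses (prefix length stripped) assigned on more than one host.
dup_ips() { all_values IPv4Address "$@" | sed 's#/.*##' | sort | uniq -d; }

# dup_macs BLOB...: MAC addresses assigned on more than one host.
dup_macs() { all_values MacAddress "$@" | sort | uniq -d; }

# config_mismatch BLOB...: names of the settings that are not identical on all hosts.
config_mismatch() {
  for key in Subnet Gateway parent; do
    distinct=$(( $(all_values "$key" "$@" | sort -u | wc -l) ))
    [ "$distinct" -eq 1 ] || echo "$key"
  done
}

# check_hosts BLOB...: print the findings; exit status 0 only if there are none.
check_hosts() {
  findings=$( {
    dup_ips "$@" | sed 's/^/duplicate IP: /'
    dup_macs "$@" | sed 's/^/duplicate MAC: /'
    config_mismatch "$@" | sed 's/^/setting differs across hosts: /'
  } )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

echo "d1 + d2 as on the page:"
check_hosts "$D1_INSPECT" "$D2_INSPECT" && echo "ok"
echo "d1 + d2 without --ip:"
check_hosts "$D1_INSPECT" "$D2_NOIP_INSPECT" || echo "fix: pass --ip, or give each host its own --ip-range"
echo "d1 + a host whose network uses parent=ens33.100:"
check_hosts "$D1_INSPECT" "$D2_VLAN_INSPECT" || echo "fix: use the same parent (and VLAN tag) on every host"
```

Run it on the real outputs with something like check_hosts "$(ssh d1 docker network inspect mv1)" "$(ssh d2 docker network inspect mv2)"; a non-zero exit means two containers will fight over one address and one MAC on the segment, or that the two networks are not actually on the same broadcast domain.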
Communication across different macvlans
Architecture diagram
VLAN configuration
vconfig: the VLAN configuration command. vconfig is deprecated in favour of ip link (ip link add link ens33 name ens33.100 type vlan id 100). Also note that when the parent is given as ens33.100 and that subinterface does not exist yet, Docker creates the 802.1Q subinterface itself.
Create the networks and containers
d1
Create the docker networks:
$ docker network create -d macvlan --subnet=10.0.1.0/24 --gateway=10.0.1.1 -o parent=ens33.100 mv1
$ docker network create -d macvlan --subnet=10.0.2.0/24 --gateway=10.0.2.1 -o parent=ens33.200 mv2
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
0ffffc4c65fd mv1 macvlan local
c695f0e35611 mv2 macvlan local
Start the containers:
docker run -it -d --name c1-1 --network mv1 --ip=10.0.1.2 alpine
docker run -it -d --name c1-2 --network mv2 --ip=10.0.2.2 alpine
d2
Create the docker networks:
docker network create -d macvlan --subnet=10.0.1.0/24 --gateway=10.0.1.1 -o parent=ens33.100 mv1
docker network create -d macvlan --subnet=10.0.2.0/24 --gateway=10.0.2.1 -o parent=ens33.200 mv2
Start the containers:
docker run -it -d --name c2-1 --network mv1 --ip=10.0.1.3 alpine
docker run -it -d --name c2-2 --network mv2 --ip=10.0.2.3 alpine
Connectivity verification
$ docker exec -it c1-1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:0a:00:01:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.1.2/24 brd 10.0.1.255 scope global eth0
valid_lft forever preferred_lft forever
- From c1-1 on d1, a ping to c2-1 on d2 (both on VLAN 100) succeeds:
$ docker exec -it c1-1 ping -c 1 10.0.1.3
PING 10.0.1.3 (10.0.1.3): 56 data bytes
64 bytes from 10.0.1.3: seq=0 ttl=64 time=3.025 ms
--- 10.0.1.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.025/3.025/3.025 ms
- From c1-1 on d1, a ping to c2-2 on d2 (on VLAN 200) fails:
$ docker exec -it c1-1 ping -c 1 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
--- 10.0.2.3 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
Conclusion: mv1 and mv2 ride on different 802.1Q tags (100 and 200), so they are separate broadcast domains even though both hosts carry both VLANs on the same physical interface. Containers on the same tag reach each other across hosts; containers on different tags cannot, because nothing routes between 10.0.1.0/24 and 10.0.2.0/24: the gateway addresses handed to Docker (10.0.1.1 and 10.0.2.1) are not yet assigned to any device.
Connecting the two VLANs
Create a new VM (d3: 172.20.0.22) and make it the router between the two VLANs: it receives each VLAN's gateway address on a tagged subinterface and IP forwarding is switched on, so containers in either VLAN reach the other through their default gateway.
vconfig add ens33 100                 # tagged subinterface ens33.100 (VLAN 100)
vconfig set_flag ens33.100 1 1        # flag 1 = REORDER_HDR: hand frames to the stack as if untagged
ip addr add 10.0.1.1/24 dev ens33.100 # the gateway address mv1 was created with
ip link set ens33.100 up
vconfig add ens33 200                 # tagged subinterface ens33.200 (VLAN 200)
vconfig set_flag ens33.200 1 1
ip addr add 10.0.2.1/24 dev ens33.200 # the gateway address mv2 was created with
ip link set ens33.200 up
sysctl -w net.ipv4.ip_forward=1       # let d3 route between the two subinterfaces
- Connectivity verification: from c1-1 on d1, a ping to c2-2 on d2 now succeeds. The TTL drops from 64 to 63, one routed hop: the packet went through d3. Note that with IP forwarding on and no filter, d3 now forwards every packet between the two VLANs, so the isolation shown in the previous test is gone unless forwarding rules restrict it.
$ docker exec -it c1-1 ping -c 1 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: seq=0 ttl=63 time=6.139 ms
--- 10.0.2.3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.139/6.139/6.139 ms
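The router on d3 as set up above, rewritten as an added example that is not part of the original post: it uses ip link instead of the deprecated vconfig (ip-link VLAN devices have reorder_hdr on by default, the flag the page sets with set_flag ... 1 1) and installs an nftables forward policy before forwarding is switched on, since ip_forward=1 with no filter lets d3 route anything between VLAN 100 and VLAN 200. The policy allows connections opened from VLAN 100 towards VLAN 200 plus their replies (the page's ping from c1-1 to c2-2 still works; a connection opened from VLAN 200 does not) and drops everything else. The parent ens33, the gateway addresses and the subnets come from the page; that nftables is installed and the table name vlanfw are assumptions of the example. By default the script only prints the commands (DRY_RUN=1); DRY_RUN=0 executes them as root on d3.

```shell
#!/bin/sh
# Added example, not code from the original post: the d3 inter-VLAN router
# built with `ip link` plus an nftables forward policy. Assumptions not taken
# from the page: nftables is installed and the table name "vlanfw" is arbitrary.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (as root).

PARENT=${PARENT:-ens33}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vlan_gateway VID CIDR: tagged subinterface PARENT.VID carrying the address
# that containers on that VLAN use as their default gateway.
vlan_gateway() {
  run ip link add link "$PARENT" name "$PARENT.$1" type vlan id "$1"
  run ip addr add "$2" dev "$PARENT.$1"
  run ip link set "$PARENT.$1" up
}

# forward_policy FROM_VID FROM_NET TO_VID TO_NET: drop everything d3 would
# forward, except connections initiated from FROM_NET towards TO_NET and the
# replies to them. Interface names are passed with literal quotes so the
# printed plan and the executed nft command parse the same way.
forward_policy() {
  run nft add table inet vlanfw
  run nft add chain inet vlanfw forward '{ type filter hook forward priority 0 ; policy drop ; }'
  run nft add rule inet vlanfw forward ct state established,related accept
  run nft add rule inet vlanfw forward iifname "\"$PARENT.$1\"" oifname "\"$PARENT.$3\"" \
      ip saddr "$2" ip daddr "$4" ct state new accept
  run nft add rule inet vlanfw forward counter drop   # explicit so drops are counted
}

# router_plan: the whole d3 setup. The forward policy goes in before
# ip_forward is enabled, so there is no window in which d3 forwards unfiltered.
router_plan() {
  forward_policy 100 10.0.1.0/24 200 10.0.2.0/24
  vlan_gateway 100 10.0.1.1/24
  vlan_gateway 200 10.0.2.1/24
  run sysctl -w net.ipv4.ip_forward=1
}

router_plan
```

After applying it, the ping from c1-1 (VLAN 100) to c2-2 (VLAN 200) still answers with ttl=63, while a ping started from c2-2 towards c1-1 is dropped on d3; nft list ruleset shows the counters on the final drop rule climbing for the rejected direction.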