1. 前言
前一篇 [docker 网络] 单主机docker容器网络隔离 VLAN 介绍了单主机内的容器网络隔离, 本文将测试跨主机容器的网络隔离 (所有容器都在同一个网络中).
2. 配置
2.1 当前环境
[root@vm1 ovs-learning]# iptables -t nat -F
[root@vm1 ovs-learning]# echo 0 > /proc/sys/net/ipv4/ip_forward
2.2 vm1配置
脚本
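#!/usr/bin/env bash
# vm1 side: start two busybox containers, attach them to OVS bridge br0 and
# link br0 to vm2 over a GRE tunnel. Container addresses (192.168.0.1/16 and
# 192.168.0.2/16) share one /16 with the containers on vm2.
set -euo pipefail

# Peer host address and container addresses can be overridden through the
# environment; the defaults reproduce the original script exactly.
remote_ip=${REMOTE_IP:-172.19.0.8}
bridge=${BRIDGE:-br0}
con1_ip=${CON1_IP:-192.168.0.1/16}
con2_ip=${CON2_IP:-192.168.0.2/16}

# --net=none: no docker-managed network; the only interface is the one
# ovs-docker adds below.
# --privileged=true is kept from the original script; it grants the container
# every capability, so it is only appropriate for a lab setup.
docker run -d --name con1 --net=none --privileged=true busybox top
docker run -d --name con2 --net=none --privileged=true busybox top
# Add the OVS bridge. --may-exist makes a re-run idempotent instead of
# aborting under set -e when br0 already exists.
ovs-vsctl --may-exist add-br "$bridge"
# Give each container an eth0 on the bridge.
ovs-docker add-port "$bridge" eth0 con1 --ipaddress="$con1_ip"
ovs-docker add-port "$bridge" eth0 con2 --ipaddress="$con2_ip"
# GRE tunnel to vm2. GRE carries the frames in clear text; the isolation
# demonstrated later comes from VLAN tags only, not from the tunnel.
ovs-vsctl --may-exist add-port "$bridge" gre0 -- set interface gre0 type=gre options:remote_ip="$remote_ip"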
执行完
[root@vm1 ovs-learning]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
Bridge "br0"
Port "ffaf166ee3bd4_l"
Interface "ffaf166ee3bd4_l"
Port "e051d19358344_l"
Interface "e051d19358344_l"
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip="172.19.0.8"}
Port "br0"
Interface "br0"
type: internal
ovs_version: "2.5.1"
[root@vm1 ovs-learning]#
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=7.182 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.182/7.182/7.182 ms
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=8.603 ms
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 8.603/8.603/8.603 ms
con1 与 con2 互相通信.
2.3 vm2配置
vm2 配置
[root@vm2 ovs-learning]# echo 0 > /proc/sys/net/ipv4/ip_forward
[root@vm2 ovs-learning]# iptables -t nat -F
脚本
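#!/usr/bin/env bash
# vm2 side: start two busybox containers, attach them to OVS bridge br0 and
# link br0 to vm1 over a GRE tunnel. Container addresses (192.168.1.1/16 and
# 192.168.1.2/16) share one /16 with the containers on vm1.
set -euo pipefail

# Peer host address and container addresses can be overridden through the
# environment; the defaults reproduce the original script exactly.
remote_ip=${REMOTE_IP:-172.19.0.12}
bridge=${BRIDGE:-br0}
con1_ip=${CON1_IP:-192.168.1.1/16}
con2_ip=${CON2_IP:-192.168.1.2/16}

# --net=none: no docker-managed network; the only interface is the one
# ovs-docker adds below.
# --privileged=true is kept from the original script; it grants the container
# every capability, so it is only appropriate for a lab setup.
docker run -d --name con1 --net=none --privileged=true busybox top
docker run -d --name con2 --net=none --privileged=true busybox top
# Add the OVS bridge. --may-exist makes a re-run idempotent instead of
# aborting under set -e when br0 already exists.
ovs-vsctl --may-exist add-br "$bridge"
# Give each container an eth0 on the bridge.
ovs-docker add-port "$bridge" eth0 con1 --ipaddress="$con1_ip"
ovs-docker add-port "$bridge" eth0 con2 --ipaddress="$con2_ip"
# GRE tunnel to vm1. GRE carries the frames in clear text; the isolation
# demonstrated later comes from VLAN tags only, not from the tunnel.
ovs-vsctl --may-exist add-port "$bridge" gre0 -- set interface gre0 type=gre options:remote_ip="$remote_ip"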
执行完
[root@vm2 ovs-learning]# ovs-vsctl show
533800d4-246f-4099-a776-8254610db91f
Bridge "br0"
Port "82d505eb9e2e4_l"
Interface "82d505eb9e2e4_l"
Port "br0"
Interface "br0"
type: internal
Port "77a338b1a9494_l"
Interface "77a338b1a9494_l"
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip="172.19.0.12"}
ovs_version: "2.5.1"
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=0.064 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.064/0.064/0.064 ms
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=3.374 ms
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.374/3.374/3.374 ms
con1 与 con2是互通的.
2.4 测试互相访问
origin.png
测试vm1中的con1,con2与vm2中的con1,con2是否可以互相访问. 因为两台主机之间建立了gre tunnel, 并且所有容器都处于同一网络内, 所以理论上是可以互相访问的.
从vm1的con1,con2访问vm2中的con1,con2成功
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=7.182 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.182/7.182/7.182 ms
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=8.603 ms
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 8.603/8.603/8.603 ms
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=6.881 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.881/6.881/6.881 ms
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=9.141 ms
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.141/9.141/9.141 ms
从vm2的con1,con2访问vm1中的con1,con2成功
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=4.804 ms
--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.804/4.804/4.804 ms
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=64 time=4.920 ms
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.920/4.920/4.920 ms
[root@vm2 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=4.652 ms
--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.652/4.652/4.652 ms
[root@vm2 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=64 time=3.129 ms
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.129/3.129/3.129 ms
3. 设置tag
3.1 为vm1中的容器设置tag
vm1
[root@vm1 ovs-learning]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
Bridge "br0"
Port "ffaf166ee3bd4_l"
Interface "ffaf166ee3bd4_l"
Port "e051d19358344_l"
Interface "e051d19358344_l"
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip="172.19.0.8"}
Port "br0"
Interface "br0"
type: internal
ovs_version: "2.5.1"
[root@vm1 ovs-learning]# ovs-vsctl list interface ffaf166ee3bd4_l | grep container_id
external_ids : {container_id="con2", container_iface="eth0"}
[root@vm1 ovs-learning]# ovs-vsctl set port ffaf166ee3bd4_l tag=200
[root@vm1 ovs-learning]#
[root@vm1 ovs-learning]# ovs-vsctl list interface e051d19358344_l | grep container_id
external_ids : {container_id="con1", container_iface="eth0"}
[root@vm1 ovs-learning]# ovs-vsctl set port e051d19358344_l tag=100
3.2 为vm2中的容器设置tag
vm2
[root@vm2 ovs-learning]# ovs-vsctl show
533800d4-246f-4099-a776-8254610db91f
Bridge "br0"
Port "82d505eb9e2e4_l"
Interface "82d505eb9e2e4_l"
Port "br0"
Interface "br0"
type: internal
Port "77a338b1a9494_l"
Interface "77a338b1a9494_l"
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip="172.19.0.12"}
ovs_version: "2.5.1"
[root@vm2 ovs-learning]# ovs-vsctl list interface 82d505eb9e2e4_l | grep container_id
external_ids : {container_id="con2", container_iface="eth0"}
[root@vm2 ovs-learning]# ovs-vsctl set port 82d505eb9e2e4_l tag=200
[root@vm2 ovs-learning]#
[root@vm2 ovs-learning]# ovs-vsctl list interface 77a338b1a9494_l | grep container_id
external_ids : {container_id="con1", container_iface="eth0"}
[root@vm2 ovs-learning]# ovs-vsctl set port 77a338b1a9494_l tag=100
3.3 测试
tag.png
设置tag后, vm1的con1(tag=100)可以与vm2的con1(tag=100)互相访问, 但不能访问vm1或vm2的con2(tag=200).
同样, vm1的con2(tag=200)可以与vm2的con2(tag=200)互相访问, 但不能访问vm1或vm2的con1(tag=100).
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=9.737 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.737/9.737/9.737 ms
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]#
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=7.109 ms
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.109/7.109/7.109 ms
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
--- 192.168.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]#
4. 设置trunk
4.1 为vm1的gre0设置trunk
vm1
[root@vm1 ovs-learning]# ovs-vsctl set port gre0 VLAN_mode=trunk
[root@vm1 ovs-learning]# ovs-vsctl set port gre0 trunk=100
[root@vm1 ovs-learning]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
Bridge "br0"
Port "ffaf166ee3bd4_l"
tag: 200
Interface "ffaf166ee3bd4_l"
Port "e051d19358344_l"
tag: 100
Interface "e051d19358344_l"
Port "gre0"
trunks: [100]
Interface "gre0"
type: gre
options: {remote_ip="172.19.0.8"}
Port "br0"
Interface "br0"
type: internal
ovs_version: "2.5.1"
4.2 为vm2的gre0设置trunk
vm2
[root@vm2 ovs-learning]# ovs-vsctl set port gre0 VLAN_mode=trunk
[root@vm2 ovs-learning]# ovs-vsctl set port gre0 trunk=100
[root@vm2 ovs-learning]# ovs-vsctl show
533800d4-246f-4099-a776-8254610db91f
Bridge "br0"
Port "82d505eb9e2e4_l"
tag: 200
Interface "82d505eb9e2e4_l"
Port "br0"
Interface "br0"
type: internal
Port "77a338b1a9494_l"
tag: 100
Interface "77a338b1a9494_l"
Port "gre0"
trunks: [100]
Interface "gre0"
type: gre
options: {remote_ip="172.19.0.12"}
ovs_version: "2.5.1"
4.3 测试
trunk.png
此时gre0只转发tag=100的流量, 所以只有tag=100的容器可以跨主机互相访问: vm1的con1可以与vm2的con1互相访问, 而vm1的con2与vm2的con2之间就不能互相访问了.
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=4.467 ms
--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.467/4.467/4.467 ms
[root@vm1 ovs-learning]#
vm2中的con2访问不了vm1的con2, vm2的con1可以访问vm1的con1.
[root@vm2 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=4.642 ms
--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.642/4.642/4.642 ms
[root@vm2 ovs-learning]#
5. 参考
1. Docker 容器与容器云
2. https://zpzhou.com/archives/openvswitch_vlan.html