[docker 网络] 跨主机docker容器隔离 VLAN

1. 前言

[docker 网络] 单主机docker容器网络隔离 VLAN 使用了单主机内的容器网络隔离, 本文将测试跨主机容器的网络隔离. (容器都在同一个网络中)

2. 配置

2.1 当前环境

[root@vm1 ovs-learning]# iptables -t nat -F
[root@vm1 ovs-learning]# echo 0 > /proc/sys/net/ipv4/ip_forward

2.2 vm1配置

脚本

docker run -d --name con1 --net=none --privileged=true busybox top
docker run -d --name con2 --net=none --privileged=true busybox top
# 添加ovs网桥br0
ovs-vsctl add-br br0
# 为两个容器配置网络
ovs-docker add-port br0 eth0 con1 --ipaddress=192.168.0.1/16
ovs-docker add-port br0 eth0 con2 --ipaddress=192.168.0.2/16
# 建立gre tunnel
ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=172.19.0.8

执行完

[root@vm1 ovs-learning]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
    Bridge "br0"
        Port "ffaf166ee3bd4_l"
            Interface "ffaf166ee3bd4_l"
        Port "e051d19358344_l"
            Interface "e051d19358344_l"
        Port "gre0"
            Interface "gre0"
                type: gre
                options: {remote_ip="172.19.0.8"}
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.1"
[root@vm1 ovs-learning]# 
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=7.182 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.182/7.182/7.182 ms
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=8.603 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 8.603/8.603/8.603 ms

con1 与 con2 互相通信.

2.3 vm2配置

vm2 配置

[root@vm2 ovs-learning]# echo 0 > /proc/sys/net/ipv4/ip_forward
[root@vm2 ovs-learning]# iptables -t nat -F

脚本

docker run -d --name con1 --net=none --privileged=true busybox top
docker run -d --name con2 --net=none --privileged=true busybox top
# 添加ovs网桥br0
ovs-vsctl add-br br0
# 为两个容器配置网络
ovs-docker add-port br0 eth0 con1 --ipaddress=192.168.1.1/16
ovs-docker add-port br0 eth0 con2 --ipaddress=192.168.1.2/16
# 建立gre tunnel
ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=172.19.0.12

执行完

[root@vm2 ovs-learning]# ovs-vsctl show
533800d4-246f-4099-a776-8254610db91f
    Bridge "br0"
        Port "82d505eb9e2e4_l"
            Interface "82d505eb9e2e4_l"
        Port "br0"
            Interface "br0"
                type: internal
        Port "77a338b1a9494_l"
            Interface "77a338b1a9494_l"
        Port "gre0"
            Interface "gre0"
                type: gre
                options: {remote_ip="172.19.0.12"}
    ovs_version: "2.5.1"
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=0.064 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.064/0.064/0.064 ms
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=3.374 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.374/3.374/3.374 ms

con1 与 con2是互通的.

2.4 测试互相访问

origin.png

测试vm1中的con1,con2与vm2中的con1,con2是否可以互相访问, 因为有gre tunnel,并且处于同一网络内,所以理论上是可以访问.

从vm1的con1,con2访问vm2中的con1,con2成功

[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=7.182 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.182/7.182/7.182 ms
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=8.603 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 8.603/8.603/8.603 ms
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=6.881 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 6.881/6.881/6.881 ms
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=9.141 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.141/9.141/9.141 ms

从vm2的con1,con2访问vm1中的con1,con2成功

[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=4.804 ms

--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.804/4.804/4.804 ms
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=64 time=4.920 ms

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.920/4.920/4.920 ms
[root@vm2 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=4.652 ms

--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.652/4.652/4.652 ms
[root@vm2 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
64 bytes from 192.168.0.2: seq=0 ttl=64 time=3.129 ms

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.129/3.129/3.129 ms

3. 设置tag

3.1 为vm1中的容器设置tag

vm1

[root@vm1 ovs-learning]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
    Bridge "br0"
        Port "ffaf166ee3bd4_l"
            Interface "ffaf166ee3bd4_l"
        Port "e051d19358344_l"
            Interface "e051d19358344_l"
        Port "gre0"
            Interface "gre0"
                type: gre
                options: {remote_ip="172.19.0.8"}
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.1"
[root@vm1 ovs-learning]# ovs-vsctl list interface ffaf166ee3bd4_l | grep container_id
external_ids        : {container_id="con2", container_iface="eth0"}
[root@vm1 ovs-learning]# ovs-vsctl set port ffaf166ee3bd4_l tag=200
[root@vm1 ovs-learning]# 
[root@vm1 ovs-learning]# ovs-vsctl list interface e051d19358344_l | grep container_id
external_ids        : {container_id="con1", container_iface="eth0"}
[root@vm1 ovs-learning]# ovs-vsctl set port e051d19358344_l tag=100

3.2 为vm2中的容器设置tag

vm2

[root@vm2 ovs-learning]# ovs-vsctl show
533800d4-246f-4099-a776-8254610db91f
    Bridge "br0"
        Port "82d505eb9e2e4_l"
            Interface "82d505eb9e2e4_l"
        Port "br0"
            Interface "br0"
                type: internal
        Port "77a338b1a9494_l"
            Interface "77a338b1a9494_l"
        Port "gre0"
            Interface "gre0"
                type: gre
                options: {remote_ip="172.19.0.12"}
    ovs_version: "2.5.1"
[root@vm2 ovs-learning]# ovs-vsctl list interface 82d505eb9e2e4_l | grep container_id
external_ids        : {container_id="con2", container_iface="eth0"}
[root@vm2 ovs-learning]# ovs-vsctl set port 82d505eb9e2e4_l tag=200
[root@vm2 ovs-learning]# 
[root@vm2 ovs-learning]# ovs-vsctl list interface 77a338b1a9494_l | grep container_id
external_ids        : {container_id="con1", container_iface="eth0"}
[root@vm2 ovs-learning]# ovs-vsctl set port 77a338b1a9494_l tag=100

3.3 测试

tag.png

测试后vm1的con1可以互相访问到vm2的con1, 不能访问vm1或者vm2的con2.
测试后vm1的con2可以互相访问到vm2的con2, 不能访问vm1或者vm2的con1.

[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=9.737 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 9.737/9.737/9.737 ms
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# 
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: seq=0 ttl=64 time=7.109 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 7.109/7.109/7.109 ms
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes

--- 192.168.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]#

4. 设置trunk

4.1 为vm1的gre0设置trunk

vm1

[root@vm1 ovs-learning]# ovs-vsctl set port gre0 VLAN_mode=trunk
[root@vm1 ovs-learning]# ovs-vsctl set port gre0 trunk=100
[root@vm1 ovs-learning]# ovs-vsctl show
c152c245-2f6c-478c-9c07-2e4a3c7a2403
    Bridge "br0"
        Port "ffaf166ee3bd4_l"
            tag: 200
            Interface "ffaf166ee3bd4_l"
        Port "e051d19358344_l"
            tag: 100
            Interface "e051d19358344_l"
        Port "gre0"
            trunks: [100]
            Interface "gre0"
                type: gre
                options: {remote_ip="172.19.0.8"}
        Port "br0"
            Interface "br0"
                type: internal
    ovs_version: "2.5.1"

4.2 为vm2的gre0设置trunk

vm2

[root@vm2 ovs-learning]# ovs-vsctl set port gre0 VLAN_mode=trunk
[root@vm2 ovs-learning]# ovs-vsctl set port gre0 trunk=100
[root@vm2 ovs-learning]# ovs-vsctl show
533800d4-246f-4099-a776-8254610db91f
    Bridge "br0"
        Port "82d505eb9e2e4_l"
            tag: 200
            Interface "82d505eb9e2e4_l"
        Port "br0"
            Interface "br0"
                type: internal
        Port "77a338b1a9494_l"
            tag: 100
            Interface "77a338b1a9494_l"
        Port "gre0"
            trunks: [100]
            Interface "gre0"
                type: gre
                options: {remote_ip="172.19.0.12"}
    ovs_version: "2.5.1"

4.3 测试

trunk.png

此时只有tag=100的容器可以互相访问, 所以vm1的con1可以与vm2的con1互相访问, vm1的con2就不能互相访问vm2的con2了.

[root@vm1 ovs-learning]# docker exec -it con2 ping -c 1 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm1 ovs-learning]# docker exec -it con1 ping -c 1 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=4.467 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.467/4.467/4.467 ms
[root@vm1 ovs-learning]#

vm2中的con2访问不了vm1的con2, vm2的con1可以访问vm1的con1.

[root@vm2 ovs-learning]# docker exec -it con2 ping -c 1 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes

--- 192.168.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
[root@vm2 ovs-learning]# docker exec -it con1 ping -c 1 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=0 ttl=64 time=4.642 ms

--- 192.168.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.642/4.642/4.642 ms
[root@vm2 ovs-learning]#

5. 参考

1. Docker 容器与容器云
2. https://zpzhou.com/archives/openvswitch_vlan.html

©著作权归作者所有,转载或内容合作请联系作者
  • 人面猴
    序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 159,117评论 4 362
  • 死咒
    序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 67,328评论 1 293
  • 救了他两次的神仙让他今天三更去死
    文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 108,839评论 0 243
  • 道士缉凶录:失踪的卖姜人
    文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 44,007评论 0 206
  • 港岛之恋(遗憾婚礼)
    正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 52,384评论 3 287
  • 恶毒庶女顶嫁案:这布局不是一般人想出来的
    文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 40,629评论 1 219
  • 城市分裂传说
    那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 31,880评论 2 313
  • 双鸳鸯连环套:你想象不到人心有多黑
    文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 30,593评论 0 198
  • 万荣杀人案实录
    序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 34,313评论 1 243
  • 护林员之死
    正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 30,575评论 2 246
  • 白月光启示录
    正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 32,066评论 1 260
  • 活死人
    序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 28,392评论 2 253
  • 日本核电站爆炸内幕
    正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 33,052评论 3 236
  • 男人毒药:我在死后第九天来索命
    文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 26,082评论 0 8
  • 一桩弑父案,背后竟有这般阴谋
    文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 26,844评论 0 195
  • 情欲美人皮
    我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 35,662评论 2 274
  • 代替公主和亲
    正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 35,575评论 2 270

推荐阅读更多精彩内容