Docker custom networking: MacVLAN

In general, when setting up custom networking so that Docker containers can talk to the outside world, there are several options besides NAT: Linux Bridge, Open vSwitch and MacVLAN. MacVLAN offers better performance than the other two.

MacVLAN has four modes; see here. VEPA mode requires the upstream switch to support hairpin mode. By comparison, bridge mode is the most commonly used.

Environment

yy1: 172.16.213.128
yy2: 172.16.213.129

Start a container on yy2 with no network attached, and look up its PID:

# docker run -d --net="none" --name=test1 dbyin/centos
# docker inspect --format="{{ .State.Pid }}" test1
2084

Create the MACVLAN device on the host:

# ip link add eth0.1 link eth0 type macvlan mode bridge
# ip link list
8: eth0.1@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 6e:e2:9c:e3:15:c6 brd ff:ff:ff:ff:ff:ff

Move the MACVLAN device into the container's network namespace and bring it up:

# ip link set netns 2084 eth0.1
# nsenter --target=2084 --net --mount --uts --pid
-bash-4.2# ip link list
8: eth0.1@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
    link/ether 6e:e2:9c:e3:15:c6 brd ff:ff:ff:ff:ff:ff
-bash-4.2# ip link set eth0.1 up
-bash-4.2# ifconfig
eth0.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::6ce2:9cff:fee3:15c6  prefixlen 64  scopeid 0x20<link>
        ether 6e:e2:9c:e3:15:c6  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 468 (468.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Set the IP address and default gateway inside the container:

-bash-4.2# ip addr add 172.16.213.180/16 dev eth0.1
-bash-4.2# ip route add default via 172.16.213.2 dev eth0.1
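The steps above, tied together in a script. This is an added example, not code from the original post; the function names (run, valid_ipv4, attach_macvlan), the DRY_RUN switch and the placeholder PID are my own, and it assumes the container was started with --net="none" and that the child interface is named <parent>.1 as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): automate the manual steps above.
# Assumptions: the container was started with --net="none"; the child interface is
# named <parent>.1 as in the post; DRY_RUN=1 prints the commands instead of running
# them and skips the docker/ip calls, so the flow can be checked without root.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept "a.b.c.d" or "a.b.c.d/n"; reject anything else before it reaches ip(8).
valid_ipv4() {
    addr=${1%%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case $prefix in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Create the bridge-mode macvlan child on the host, move it into the container's
# network namespace and configure it. Traffic then leaves through the parent NIC
# directly rather than via docker0 and NAT, so the container sits on the LAN itself.
attach_macvlan() {
    parent=$1; container=$2; cidr=$3; gw=$4
    valid_ipv4 "$cidr" && valid_ipv4 "$gw" || { echo "invalid address" >&2; return 1; }
    child="${parent}.1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        pid=2084    # constructed placeholder PID for dry runs
    else
        pid=$(docker inspect --format '{{ .State.Pid }}' "$container") || return 1
        [ "$pid" -gt 0 ] 2>/dev/null || { echo "$container is not running" >&2; return 1; }
    fi
    run ip link add "$child" link "$parent" type macvlan mode bridge
    run ip link set "$child" netns "$pid"
    run nsenter --target "$pid" --net ip link set "$child" up
    run nsenter --target "$pid" --net ip addr add "$cidr" dev "$child"
    run nsenter --target "$pid" --net ip route add default via "$gw" dev "$child"
}

# Usage on yy2 with the post's values: attach_macvlan eth0 test1 172.16.213.180/16 172.16.213.2
```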

With MACVLAN, the host itself (yy2) cannot reach the container:

[root@yy2 ~]# ping 172.16.213.180
PING 172.16.213.180 (172.16.213.180) 56(84) bytes of data.
From 172.16.213.129 icmp_seq=2 Destination Host Unreachable

It can, however, be reached from another host:

[root@yy1 ~]# ssh root@172.16.213.180
root@172.16.213.180's password:
Last login: Tue Nov 11 07:49:27 2014 from 172.16.213.128
-bash-4.2#

Note: if you are testing in VMware virtual machines, you need to put the host's NIC into promiscuous mode:

[root@yy2 ~]# ip link set eth0 promisc on

Otherwise other hosts cannot reach the container's network either. For the reason, see "VMware 82545EM does not support unicast filtering".

Main references