[TOC] ### **目标** 本文将使用macvlan技术来打通容器的网络，容器的IP设置为和主机同网段IP。 我们在主机A上进行操作，该主机的网络现状如下：IP为192.168.92.202、24，网卡名为ens33，网关为192.168.92.2 ``` $ ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:0c:29:5f:70:45 brd ff:ff:ff:ff:ff:ff inet 192.168.92.202/24 brd 192.168.92.255 scope global noprefixroute ens33 valid_lft forever preferred_lft forever $ ip route default via 192.168.92.2 dev ens33 proto static metric 100 192.168.92.0/24 dev ens33 proto kernel scope link src 192.168.92.202 metric 100 ``` ### **步骤** 首先，我们来创建一个容器（用网络命名空间模拟） ``` $ ip netns add pod0 ``` 然后，创建一个macvlan设备，设置它的父设备为ens33，使用网桥模式 ``` $ ip link add eth0 link ens33 type macvlan mode bridge ``` 把eth0放到pod0中 ``` $ ip link set eth0 netns pod0 ``` 启用eth0 ``` $ ip netns exec pod0 ip link set eth0 up ``` 给eth0设置IP ``` $ ip netns exec pod0 ip addr add 192.168.92.199/24 dev eth0 ``` 给pod0设置默认网关 ``` $ ip netns exec pod0 ip route add 0.0.0.0/0 via 192.168.92.2 dev eth0 ``` 接下来，我们看一下pod0中的网络情况，如下（lo网卡没有手动设置，先忽略） ``` $ ip netns exec pod0 ip addr show 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 3: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 6e:2c:7c:3d:54:eb brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.92.199/24 scope global eth0 valid_lft forever preferred_lft forever $ ip netns exec pod0 ip route default via 192.168.92.2 dev eth0 192.168.92.0/24 dev eth0 proto kernel scope link src 192.168.92.199 ``` 接下来，我们从pod0上Ping一下子网中的其他主机192.168.92.203以及外网主机114，都可以通： ``` $ ip netns exec pod0 ping -c 1 192.168.92.203 PING 192.168.92.203 (192.168.92.203) 56(84) bytes of data. 64 bytes from 192.168.92.203: icmp_seq=1 ttl=64 time=0.315 ms --- 192.168.92.203 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.315/0.315/0.315/0.000 ms $ ip netns exec pod0 ping -c 1 114.114.114.114 PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data. 64 bytes from 114.114.114.114: icmp_seq=1 ttl=128 time=45.5 ms --- 114.114.114.114 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 45.580/45.580/45.580/0.000 ms ``` 不过需要注意的是，从pod0中是Ping不通本机ens33的IP（192.168.92.202）的，这是macvlan的特性决定的（参考文献中的文章）： ``` ip netns exec pod0 ping -c 1 192.168.92.202 PING 192.168.92.202 (192.168.92.202) 56(84) bytes of data. --- 192.168.92.202 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms ``` 如果pod0要本机进行通信，则可以在ens33上再创建一个macvlan子设备，放在主机的root网络命名空间下，然后把ens33的IP放在该子设备上（参考[stackoverflow上此文](https://stackoverflow.com/questions/49600665/docker-macvlan-network-inside-container-is-not-reaching-to-its-own-host)的第一个回答） ### **命令汇总** ``` # 创建macvlan接口 ip link add eth0 link ens33 type macvlan mode bridge # 把接口放在ns1下 ip link set eth0 netns ns1 ``` ### **参考文献** * https://www.bbsmax.com/A/ke5jknG9dr/ * https://cizixs.com/2017/02/14/network-virtualization-macvlan/ * https://stackoverflow.com/questions/49600665/docker-macvlan-network-inside-container-is-not-reaching-to-its-own-host