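In the previous section we installed LXC, created an Ubuntu container named test, and ran it successfully. This section analyzes how an LXC container accesses the network.
Host-side container network interfaces
– bridge interface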

 
root@li29-8:~# ifconfig
lxcbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.1  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::216:3eff:fe00:0  prefixlen 64  scopeid 0x20
        ether 00:16:3e:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 106  bytes 7336 (7.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 98  bytes 202667 (202.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

– When the test container starts, a temporary interface (vethA4T43A here) is created and added to the lxcbr0 bridge

root@li29-8:~# ifconfig
vethA4T43A: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::fc67:bcff:fe8c:ccf0  prefixlen 64  scopeid 0x20
        ether fe:67:bc:8c:cc:f0  txqueuelen 1000  (Ethernet)
        RX packets 88  bytes 6706 (6.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 90  bytes 201427 (201.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@li29-8:~# brctl show
bridge name     bridge id               STP enabled     interfaces
lxcbr0          8000.00163e000000       no              vethA4T43A

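– Routing: a NAT rule for outbound traffic is added automatically to the nat table, so packets from the 10.0.3.x subnet received on lxcbr0 can reach external networks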

root@li297-28:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  10.0.3.0/24         !10.0.3.0/24
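
The following is an added example, not part of the original post: it parses the POSTROUTING listing shown above and evaluates which source/destination pairs match a MASQUERADE rule, making the effect of the `!10.0.3.0/24` destination visible. The function names are hypothetical, and the parser assumes numeric addresses or `anywhere` in the source and destination columns.

```python
import ipaddress

# Sample input: the POSTROUTING chain copied from the `iptables -t nat -L` output above.
NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  10.0.3.0/24         !10.0.3.0/24
"""

def parse_field(field):
    """Return (network, negated) for one source/destination column."""
    negated = field.startswith("!")
    text = field.lstrip("!")
    if text == "anywhere":
        text = "0.0.0.0/0"
    # A resolved hostname here raises ValueError; list rules with -n to avoid that.
    return ipaddress.ip_network(text), negated

def parse_postrouting(listing):
    """Extract (source, destination) matchers of MASQUERADE rules in POSTROUTING."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == "POSTROUTING"
            continue
        cols = line.split()  # target, prot, opt, source, destination
        if in_chain and len(cols) >= 5 and cols[0] == "MASQUERADE":
            rules.append((parse_field(cols[3]), parse_field(cols[4])))
    return rules

def field_matches(addr, field):
    """Apply one matcher, honouring the '!' negation."""
    network, negated = field
    return (addr in network) != negated

def is_masqueraded(rules, src, dst):
    """True if a routed packet src -> dst matches a MASQUERADE rule in the listing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(field_matches(s, fs) and field_matches(d, fd) for fs, fd in rules)

if __name__ == "__main__":
    rules = parse_postrouting(NAT_LISTING)
    # 203.0.113.10 is a documentation address standing in for an external host.
    for dst in ("10.0.3.1", "10.0.3.20", "203.0.113.10"):
        print("10.0.3.143 ->", dst, "masqueraded:", is_masqueraded(rules, "10.0.3.143", dst))
```

Traffic that stays inside 10.0.3.0/24 keeps its container source address, so host-side logs and filters on lxcbr0 see the real container IP; only traffic leaving the subnet is rewritten to the host's address.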

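Network interfaces inside the LXC container
The eth0 interface is "physically" connected to vethA4T43A on the host and is assigned an IP address in the 10.0.3.x subnet; its gateway is lxcbr0 on the host side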

root@test:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.143  netmask 255.255.255.0  broadcast 10.0.3.255
        inet6 fe80::216:3eff:fe71:28e7  prefixlen 64  scopeid 0x20
        ether 00:16:3e:71:28:e7  txqueuelen 1000  (Ethernet)
        RX packets 90  bytes 201427 (201.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 89  bytes 6776 (6.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 6  bytes 582 (582.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 582 (582.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
root@test:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         li29-8        0.0.0.0         UG    100    0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
li29-8        0.0.0.0         255.255.255.255 UH    100    0        0 eth0

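You can change the test container's network settings by editing its configuration file, for example the name and type of the host-side interface, the bridge the container attaches to, and the NIC's MAC address. See the later chapters for configuration details.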

root@li29-8:~# cat /var/lib/lxc/test/config
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template:
# Template script checksum (SHA-1): 865a6e4050da6a45575473b0a71f84ced41604fe
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)


# Common configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf

# Container specific configuration
lxc.rootfs.path = dir:/var/lib/lxc/test/rootfs
lxc.uts.name = test
lxc.arch = amd64

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:71:28:e7