2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
1. Brief introduction to Macvlan
Before Macvlan appeared, you could only add multiple IP addresses to an Ethernet card, not multiple MAC addresses, because a MAC address identifies an Ethernet card through its global uniqueness. Even if you create aliases of the form ethx:y, you will find that all of these "network cards" share the MAC address of ethx; in essence they are still the same card, which rules out many layer 2 operations. With Macvlan you can do them.
Macvlan allows you to configure multiple virtual network interfaces on one network interface of a host. These interfaces have their own independent MAC addresses and can also be given IP addresses to communicate with. A virtual machine or container network built on Macvlan shares the same broadcast domain with the host on the same network segment. Macvlan is similar to a bridge, but because it does away with the bridge itself, it is simpler to configure and debug and somewhat more efficient. In addition, Macvlan itself fully supports VLAN.
Data transmission within the same VLAN happens at layer 2, that is, by MAC address, with no routing needed. By default, unicast traffic between different VLANs cannot be exchanged directly; for that a layer 3 device has to route, and the same applies to Macvlan. The virtual network card created by Macvlan is logically equivalent to a physical network card, and the physical network card in turn acts like a switch, keeping a table of the virtual network cards and their MAC addresses. When the physical card receives a packet, it decides from the destination MAC address which virtual card the packet belongs to. This means that for a packet sent from a Macvlan sub interface (or destined for one), the physical card only passes the packet through and does not process it itself, which leads to a problem: an IP on a local Macvlan card cannot communicate with the IP on the physical card! We will discuss the solution to this problem in the next section.
Put simply, a Macvlan virtual network card device is parasitic on a physical network card device. When sending a packet, its own transmit function looks up the physical device it is parasitic on and sends the packet through that physical device. When receiving a packet, the packet is handled through the rx_handler callback registered on the parasitic physical device.
2. A brief introduction to how Macvlan works
Macvlan, as the name suggests, is a network card virtualization technology: it can virtualize one physical network card into multiple interfaces, each with its own MAC address and, optionally, its own IP address, and each interface can be assigned to a VLAN just like a switch port.
In practice, macvlan attaches these virtual interfaces directly to Docker containers to let them communicate. Each macvlan network corresponds to one interface, and different macvlan networks are assigned different subnets, so containers on the same macvlan network can communicate with each other, while different macvlan networks cannot communicate at layer 2 and need a layer 3 router to complete the communication. The following shows the communication flow between two different macvlan networks.
We can use a Linux host as the router (a virtual one, of course) by configuring its routing table and iptables, so that it exchanges data between different macvlan networks. Using a physical router is fine too.
3. Characteristics of Macvlan:
1. It allows users to set multiple MAC addresses on the same physical network card.
2. A network card with such a MAC address set on it is called a child interface (sub interface), while the physical network card is called the parent interface.
3. The parent interface can be a physical interface (eth0), an 802.1q sub interface (eth0.10), or a bonding interface.
4. Not only a MAC address but also an IP address can be set on the parent/sub interface.
5. A sub interface cannot communicate directly with the parent interface (a VM or container using a sub interface cannot communicate directly with the host).
6. If the VM or container needs to communicate with the host, an additional sub interface must be created for the host.
7. A sub interface is usually named in the form mac0@eth0 to make it easy to identify.
A picture to show what Macvlan looks like after it is set up:
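The fix that item 6 calls for, as an added example that is not from the original page and not part of Docker: a small Python script that reserves one address of the macvlan network for the host and creates the host's own macvlan sub interface on the same parent, so host and containers can reach each other. Parent ens33, subnet 172.22.16.0/24 and gateway 172.22.16.1 are the values used in section 4.1 of this page; the interface name mac_host and the host address 172.22.16.254 are assumptions chosen here.

```python
import ipaddress
import subprocess

# Added example, not from the original page: the fix for items 5/6 above.  The host
# gets its own macvlan sub interface ("mac_host", a name chosen here) on the same
# parent and subnet as the container network, and the address it uses is reserved
# with --aux-address so Docker's IPAM never hands it to a container.  Parent,
# subnet and gateway are the ones used in section 4.1 of this page.

def _usable(addr, net):
    """True if addr is a host address inside net (not network/broadcast)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)

def host_macvlan_commands(parent="ens33", subnet="172.22.16.0/24",
                          gateway="172.22.16.1", host_ip="172.22.16.254",
                          docker_net="mac_net1", ifname="mac_host"):
    """Return the docker and ip commands (as argv lists) that set this up."""
    net = ipaddress.ip_network(subnet)
    gw, hip = ipaddress.ip_address(gateway), ipaddress.ip_address(host_ip)
    if not _usable(gw, net) or not _usable(hip, net):
        raise ValueError(f"gateway {gateway} and host_ip {host_ip} must be hosts in {subnet}")
    if gw == hip:
        raise ValueError("the host's macvlan address must differ from the gateway")
    return [
        # the container network, with the host address excluded from the pool
        ["docker", "network", "create", "-d", "macvlan", "--subnet", subnet,
         "--gateway", gateway, "--aux-address", f"host={host_ip}",
         "-o", f"parent={parent}", docker_net],
        # a second macvlan child on the same parent: parent<->child traffic is
        # dropped, but child<->child traffic is switched inside the parent
        ["ip", "link", "add", ifname, "link", parent, "type", "macvlan", "mode", "bridge"],
        ["ip", "addr", "add", f"{host_ip}/{net.prefixlen}", "dev", ifname],
        ["ip", "link", "set", ifname, "up"],
    ]

def apply(commands, dry_run=True):
    """Render the commands; with dry_run=False also run them (needs root)."""
    rendered = [" ".join(argv) for argv in commands]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)
    return rendered

if __name__ == "__main__":
    for line in apply(host_macvlan_commands()):
        print(line)
```

Run as root with dry_run=False on the Docker host after the containers' parent interface is in promiscuous mode; the host then reaches 172.22.16.10 through mac_host rather than through ens33.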
4. Experimental environment
Host       IP
docker01   192.168.1.11
docker02   192.168.1.13
Turn off the firewall and disable selinux, change the hostname
[root@localhost ~]# hostnamectl set-hostname docker01
[root@localhost ~]# su -
Last login: December 17 08:20:36 CST 2019 from 192.168.1.1 on pts/0
[root@docker01 ~]# systemctl stop firewalld
[root@docker01 ~]# setenforce 0
setenforce: SELinux is disabled
[root@docker01 ~]# systemctl daemon-reload
[root@docker01 ~]# systemctl restart docker
4.1 macvlan single network communication
1) Turn on promiscuous mode on the network card
# Do this on both docker01 and docker02.
[root@docker01 ~]# ip link show ens33              # view the current flags of the card
[root@docker01 ~]# ip link set ens33 promisc on    # put the card into promiscuous mode
[root@docker01 ~]# ip link show ens33              # PROMISC should now appear in the flags
2) Create a macvlan network on docker01
[root@docker01 ~]# docker network create -d macvlan --subnet 172.22.16.0/24 --gateway 172.22.16.1 -o parent=ens33 mac_net1
# -d macvlan selects the macvlan driver; -o parent= names the physical card the network is bound to
[root@docker01 ~]# docker network ls               # check that mac_net1 is listed
3) run a container based on the created macvlan network
[root@docker01 ~]# docker run -itd --name bbox1 --ip 172.22.16.10 --network mac_net1 busybox
4) Create a macvlan network on docker02 (it must be exactly the same as docker01's macvlan network)
[root@docker02 ~]# docker network create -d macvlan --subnet 172.22.16.0/24 --gateway 172.22.16.1 -o parent=ens33 mac_net1
[root@docker02 ~]# docker network ls
5) On docker02, run a container based on the macvlan network just created and verify that it can communicate with the container on docker01.
[root@docker02 ~]# docker run -itd --name bbox2 --network mac_net1 --ip 172.22.16.20 busybox   # create a container from busybox
[root@docker02 ~]# docker exec -it bbox2 /bin/sh                                              # enter the bbox2 container
/ # ping 172.22.16.10                                                                         # ping bbox1 on docker01
4.2 macvlan multi-network communication
1) Verify 802.1q kernel module (VLAN tagging) support on docker01 and docker02
The problem Macvlan has to solve here is to create new virtual network cards (802.1q VLAN sub interfaces) on top of the real ens33 card.
[root@docker01 ~]# modinfo 8021q     # shows that the 8021q module is available to the kernel
[root@docker01 ~]# modprobe 8021q    # load it if it is not loaded yet (lsmod shows whether it already is)
2) Create virtual network cards based on ens33 on docker01
Modify the configuration file of the ens33 network card
[root@docker01 ~]# cd /etc/sysconfig/network-scripts/
[root@docker01 network-scripts]# vim ifcfg-ens33
Manually add a profile for the first virtual network card
[root@docker01 network-scripts]# cp -p ifcfg-ens33 ifcfg-ens33.10    # -p keeps the owner, mode and timestamps of the source file
[root@docker01 network-scripts]# vim ifcfg-ens33.10                  # edit the ens33.10 profile and set these fields:
BOOTPROTO=none
NAME=ens33.10
DEVICE=ens33.10
ONBOOT=yes
IPADDR=192.168.10.10
PREFIX=24
GATEWAY=192.168.10.2
VLAN=yes
Note here that the IP must be on a different network segment from ens33, the gateway must be on the same segment as the IP, the device name must match the profile name (ifcfg-ens33.10 / DEVICE=ens33.10) and be unique, and VLAN support must be turned on (VLAN=yes).
Create the second virtual network card profile
[root@docker01 network-scripts]# cp -p ifcfg-ens33.10 ifcfg-ens33.20
[root@docker01 network-scripts]# vim ifcfg-ens33.20                  # edit the ens33.20 profile and set these fields:
BOOTPROTO=none
NAME=ens33.20
DEVICE=ens33.20
ONBOOT=yes
IPADDR=192.168.20.20
PREFIX=24
GATEWAY=192.168.20.2
VLAN=yes
Enable the created virtual network cards on docker01:
[root@docker01 network-scripts]# ifup ifcfg-ens33.10
[root@docker01 network-scripts]# ifup ifcfg-ens33.20
[root@docker01 network-scripts]# ifconfig                            # view the IP addresses
3) Create virtual network cards based on ens33 on docker02
Modify the configuration file of the ens33 network card
[root@docker02 ~]# cd /etc/sysconfig/network-scripts/
[root@docker02 network-scripts]# vim ifcfg-ens33
Manually add a profile for the first virtual network card
[root@docker02 network-scripts]# cp -p ifcfg-ens33 ifcfg-ens33.10    # -p keeps the owner, mode and timestamps of the source file
[root@docker02 network-scripts]# vim ifcfg-ens33.10                  # edit the ens33.10 profile and set these fields:
BOOTPROTO=none
NAME=ens33.10
DEVICE=ens33.10
ONBOOT=yes
IPADDR=192.168.10.11
PREFIX=24
GATEWAY=192.168.10.2
VLAN=yes
Note here that the IP must be on a different network segment from ens33, the gateway must be on the same segment as the IP, the device name must match the profile name (ifcfg-ens33.10 / DEVICE=ens33.10) and be unique, and VLAN support must be turned on (VLAN=yes).
Create the second virtual network card profile
[root@docker02 network-scripts]# cp -p ifcfg-ens33.10 ifcfg-ens33.20
[root@docker02 network-scripts]# vim ifcfg-ens33.20                  # edit the ens33.20 profile and set these fields:
BOOTPROTO=none
NAME=ens33.20
DEVICE=ens33.20
ONBOOT=yes
IPADDR=192.168.20.21
PREFIX=24
GATEWAY=192.168.20.2
VLAN=yes
Enable the created virtual network cards on docker02:
[root@docker02 network-scripts]# systemctl restart network
[root@docker02 network-scripts]# ifup ifcfg-ens33.10
[root@docker02 network-scripts]# ifup ifcfg-ens33.20
[root@docker02 network-scripts]# ifconfig                            # view the IP addresses
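A check for the profiles written in steps 2) and 3) above, as an added example that is not from the original page: it parses an ifcfg file and tests the rules the note states (IP on a different segment from ens33, gateway on the IP's segment, file name, NAME and DEVICE agreeing, VLAN=yes). The profile text is constructed from the page's ifcfg-ens33.10 values, and 192.168.1.11/24 is docker01's ens33 address from the environment table; parse_ifcfg and check_vlan_profile are names chosen here.

```python
import ipaddress
import re

# Added example, not from the original page: check a VLAN sub interface profile
# against the rules stated above (IP on a different segment from ens33, gateway on
# the IP's segment, file name/NAME/DEVICE matching, VLAN=yes).  The profile text is
# constructed from the page's ifcfg-ens33.10; 192.168.1.11/24 is docker01's ens33.
IFCFG_ENS33_10 = """\
BOOTPROTO=none
NAME=ens33.10
DEVICE=ens33.10
ONBOOT=yes
IPADDR=192.168.10.10
PREFIX=24
GATEWAY=192.168.10.2
VLAN=yes
"""

def parse_ifcfg(text):
    """Parse KEY=VALUE lines; '#' comments and surrounding quotes are dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("\"'")
    return conf

def check_vlan_profile(text, filename, parent_dev, parent_cidr):
    """Return the problems found; an empty list means the profile is consistent."""
    c = parse_ifcfg(text)
    problems = []
    dev = c.get("DEVICE", "")
    m = re.fullmatch(r"([A-Za-z0-9_-]+)\.(\d+)", dev)
    if not m or m.group(1) != parent_dev or not 1 <= int(m.group(2)) <= 4094:
        problems.append(f"DEVICE {dev!r} must be {parent_dev}.<vlan id 1-4094>")
    if filename != f"ifcfg-{dev}" or c.get("NAME") != dev:
        problems.append("file name, NAME and DEVICE must all name the same sub interface")
    if c.get("VLAN") != "yes":
        problems.append("VLAN=yes is required, otherwise no 802.1q tagging is set up")
    try:
        sub = ipaddress.ip_interface(f"{c['IPADDR']}/{c.get('PREFIX', '24')}")
        parent = ipaddress.ip_interface(parent_cidr)
        if sub.network.overlaps(parent.network):
            problems.append(f"IPADDR {sub} overlaps the parent segment {parent.network}")
        if ipaddress.ip_address(c["GATEWAY"]) not in sub.network:
            problems.append(f"GATEWAY {c['GATEWAY']} is not inside {sub.network}")
    except (KeyError, ValueError) as exc:
        problems.append(f"bad or missing address field: {exc}")
    return problems
```

Point it at the real files with open("ifcfg-ens33.20").read() and the same parent arguments to check the second profile and docker02's copies.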
4) Create macvlan networks based on the virtual network cards on docker01 and docker02
[root@docker02 network-scripts]# docker network create -d macvlan --subnet 172.16.10.0/24 --gateway 172.16.10.1 -o parent=ens33.10 mac_net10   # new macvlan network bound to ens33.10
[root@docker02 network-scripts]# docker network create -d macvlan --subnet 172.16.20.0/24 -o parent=ens33.20 mac_net20                         # new macvlan network bound to ens33.20 (no --gateway given on the page; Docker then uses the first address of the subnet)
# Run the same two commands on docker01.
5) Deploy a private registry on docker01
Docker01
[root@docker01 ~]# docker pull registry                                                              # download the registry image
[root@docker01 ~]# docker run -itd --name registry -p 5000:5000 --restart=always registry:latest    # start a registry container from that image
[root@docker01 ~]# docker tag busybox:latest 192.168.1.11:5000/busybox:v1                            # tag the image with the private registry's name
[root@docker01 ~]# docker ps
[root@docker01 ~]# vim /usr/lib/systemd/system/docker.service
# line 13: change the ExecStart line to
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.11:5000
# --insecure-registry lets the daemon talk plain HTTP to this registry; keep it limited to this lab address
[root@docker01 ~]# systemctl daemon-reload
[root@docker01 ~]# systemctl restart docker.service                                                  # restart docker
[root@docker01 ~]# docker push 192.168.1.11:5000/busybox:v1                                          # upload the image to the private registry
[root@docker01 ~]# docker images
Docker02
[root@docker02 ~]# vim /usr/lib/systemd/system/docker.service
# line 13: change the ExecStart line to
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.11:5000
[root@docker02 ~]# systemctl daemon-reload
[root@docker02 ~]# systemctl restart docker.service                                                  # restart docker
[root@docker02 ~]# docker pull 192.168.1.11:5000/busybox:v1                                          # download the image just uploaded
6) Create containers on docker01 and docker02 from the busybox:v1 image on the mac_net10 and mac_net20 networks.
Docker01
[root@docker01 ~]# docker run -itd --name bbox10 --network mac_net10 --ip 172.16.10.10 192.168.1.11:5000/busybox:v1
[root@docker01 ~]# docker run -itd --name bbox20 --network mac_net20 --ip 172.16.20.20 192.168.1.11:5000/busybox:v1
Docker02
[root@docker02 ~]# docker run -itd --name bbox11 --network mac_net10 --ip 172.16.10.11 192.168.1.11:5000/busybox:v1   # different name and IP from docker01's container on the same network
[root@docker02 ~]# docker run -itd --name bbox21 --network mac_net20 --ip 172.16.20.21 192.168.1.11:5000/busybox:v1
Note that the operations on docker02 are the same as those on docker01 above; the sequence is roughly as follows:
Verify 802.1q kernel support
Create the new virtual network cards ens33.10 and ens33.20 on top of ens33 (note: they must be on the same network segments as docker01's ens33.10 and ens33.20, and the IPs must not conflict)
Run the containers on these networks (note: the containers on docker02 and on docker01 are on the same macvlan networks just created, so their IP addresses must not conflict)
7) Verification
On docker01, enter container bbox10 and communicate with bbox11 on docker02.
On docker01, enter container bbox20 and communicate with bbox21 on docker02.
Note: the network of the VMware virtual machines must be set to Bridge mode.
So set the network mode of docker01 and docker02 to bridge mode now.
Test whether containers on the same macvlan network (the same VLAN sub interface) can ping each other:
[root@docker01 ~]# docker exec -it bbox10 /bin/sh
/ # ping 172.16.10.11          # bbox11 on docker02, same mac_net10 / VLAN 10
[root@docker01 ~]# docker exec -it bbox20 /bin/sh
/ # ping 172.16.20.21          # bbox21 on docker02, same mac_net20 / VLAN 20
5. Limitations of Macvlan
Macvlan is a near-ideal solution for connecting a VM or container to a physical network at layer 2, but it has some limitations:
1. The switch that the Linux host is connected to may limit the number of MAC addresses allowed on one physical port. You can ask the network administrator to relax these policies, but sometimes that is not possible (for example, you have to give a quick PoC demonstration to a customer).
2. Many NICs also have a limit on the number of MAC addresses on the physical card. Exceeding this limit affects system performance.
3. IEEE 802.11 does not like multiple MAC addresses on the same client, which means that a Macvlan sub interface cannot communicate over a wireless card or an AP. This limitation can be worked around in complicated ways, but the simpler way is to use Ipvlan; look up the details yourself if you are interested.
6. Summary
Macvlan is a network card virtualization technology that can virtualize one network card into multiple network cards.
Macvlan has several communication modes; the commonly used one is bridge.
In Docker, macvlan only supports bridge mode.
Containers on the same macvlan network can communicate; different macvlan networks cannot communicate at layer 2 and need layer 3 routing to complete the communication.
Think about it:
Similarities and differences between macvlan bridge mode and a Linux bridge
There is a similar technology in which multiple virtual network cards share the same MAC address but have separate IP addresses. What is it?