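tap (a virtual Ethernet device) operates at layer 2 and tun operates at layer 3; both are virtual network devices in the operating system kernel.
Linux implements tun/tap with the tun module. To work with a tap from the Linux command line, first check whether the system supports the tun module and whether it is loaded.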
# Run modinfo tun; if there is output, the system has the tun module
[root@localhost ~]# modinfo tun
filename: /lib/modules/3.10.0-1127.8.2.el7.x86_64/kernel/drivers/net/tun.ko.xz
alias: devname:net/tun
alias: char-major-10-200
license: GPL
author: (C) 1999-2004 Max Krasnyansky
description: Universal TUN/TAP device driver
retpoline: Y
rhelversion: 7.8
srcversion: E26A36A927427B2BAE3FB17
depends:
intree: Y
vermagic: 3.10.0-1127.8.2.el7.x86_64 SMP mod_unload modversions
signer: CentOS Linux kernel signing key
sig_key: FF:31:8C:E9:B8:32:4E:45:57:70:C2:6E:E8:BF:60:81:39:FF:A9:28
sig_hashalgo: sha256
# Use lsmod to check whether the tun module is loaded
[root@localhost ~]# lsmod | grep tun
# Load it with modprobe
[root@localhost ~]# modprobe tun
[root@localhost ~]# lsmod | grep tun
tun 36164 0
# Check whether the tunctl tool is installed
[root@localhost ~]# tunctl help
-bash: tunctl: command not found
# Install it directly; this does not work
[root@localhost ~]# yum -y install tunctl
# Specify a custom Yum repository
yum --enablerepo=nux-misc install -y tunctl
2. Create a tap
[root@localhost ~]# tunctl -t tap_test
Set 'tap_test' persistent and owned by uid 0
[root@localhost ~]# ip addr add 10.100.50.5/24 dev tap_test
[root@localhost ~]# ifconfig tap_test
tap_test: flags=4098 mtu 1500
        inet 10.100.50.5 netmask 255.255.255.0 broadcast 0.0.0.0
        ether a6:78:f3:c7:4d:79 txqueuelen 1000 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
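What `tunctl -t tap_test` asks the kernel to do, and where the layer 2 (tap) versus layer 3 (tun) choice is made, as an added Python example that is not from the original post or from tunctl's source. The device name `tap_demo`, the helper names and the x86/ARM ioctl encodings are assumptions.

```python
import fcntl
import os
import struct

# Constants from <linux/if_tun.h>. The ioctl numbers are the x86/ARM
# encodings (assumption); other architectures encode _IOW differently.
TUNSETIFF = 0x400454CA      # _IOW('T', 202, int)
TUNSETPERSIST = 0x400454CB  # _IOW('T', 203, int)
TUNSETOWNER = 0x400454CC    # _IOW('T', 204, int)
IFF_TUN = 0x0001    # layer 3: the fd carries IP packets
IFF_TAP = 0x0002    # layer 2: the fd carries Ethernet frames
IFF_NO_PI = 0x1000  # no packet-info header in front of each frame
IFNAMSIZ = 16       # interface name buffer, including the trailing NUL


def build_ifreq(name: str, layer2: bool = True) -> bytes:
    """Pack the 40-byte struct ifreq that TUNSETIFF expects."""
    raw = name.encode("ascii")
    # Reject names the kernel would refuse or silently truncate.
    if not raw or len(raw) >= IFNAMSIZ or any(c in b"/ \t\n" for c in raw):
        raise ValueError(f"invalid interface name: {name!r}")
    flags = (IFF_TAP if layer2 else IFF_TUN) | IFF_NO_PI
    return struct.pack(f"{IFNAMSIZ}sH22x", raw, flags)


def create_persistent_tap(name: str, owner_uid: int) -> None:
    """Create a tap that outlives this process. Needs root (CAP_NET_ADMIN)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name))  # create the device
        fcntl.ioctl(fd, TUNSETOWNER, owner_uid)        # uid allowed to attach
        fcntl.ioctl(fd, TUNSETPERSIST, 1)              # keep it after close
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Hypothetical device name; run as root on a host with the tun module loaded.
    create_persistent_tap("tap_demo", os.getuid())
```

The uid passed to `TUNSETOWNER` can later attach to the device without root, so set it to the one account that runs the process consuming the tap.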
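II. namespace
A namespace provides an independent copy of the network protocol stack (network device interfaces, IPv4, IPv6, IP routing, firewall rules, sockets, and so on). A device (Linux Device) can belong to only one namespace; devices in different namespaces can be bridged using a veth pair.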
# Create the namespace
[root@localhost ~]# ip netns add ns_test
# List namespaces
[root@localhost yum.repos.d]# ip netns list
ns_test
# Move the virtual NIC into the namespace
[root@localhost ~]# ip link set tap_test netns ns_test
# Run a command inside the namespace with exec
[root@localhost ~]# ip netns exec ns_test ip link list
1: lo: mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: tap_test: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether a6:78:f3:c7:4d:79 brd ff:ff:ff:ff:ff:ff
# Set the IP address
[root@localhost ~]# ip netns exec ns_test ip addr add 100.10.89.21/24 dev tap_test
[root@localhost ~]# ip netns exec ns_test ifconfig tap_test up
[root@localhost ~]# ip netns exec ns_test ip a
1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: tap_test: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether a6:78:f3:c7:4d:79 brd ff:ff:ff:ff:ff:ff
    inet 100.10.89.21/24 scope global tap_test
       valid_lft forever preferred_lft forever
# Bring up the virtual NIC; it fails to come up
[root@localhost ~]# ip netns exec ns_test ip link set tap_test up
[root@localhost ~]# ip netns exec ns_test ip a
1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: tap_test: mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether a6:78:f3:c7:4d:79 brd ff:ff:ff:ff:ff:ff
    inet 100.10.89.21/24 scope global tap_test
       valid_lft forever preferred_lft forever
III. veth pair
A veth pair is not a single device but a pair of devices, used to connect two virtual Ethernet ports.
# Create the veth pair
[root@localhost ~]# ip link add tap1 type veth peer name tap2
# Create the namespaces
[root@localhost ~]# ip netns add ns1
[root@localhost ~]# ip netns add ns2
# Move each tap into its namespace
[root@localhost ~]# ip link set tap1 netns ns1
[root@localhost ~]# ip link set tap2 netns ns2
# Bind an IP address to each tap
[root@localhost ~]# ip netns exec ns1 ip addr add local 192.168.50.1/24 dev tap1
[root@localhost ~]# ip netns exec ns2 ip addr add local 192.168.50.2/24 dev tap2
# Set both taps to up
[root@localhost ~]# ip netns exec ns1 ifconfig tap1 up
[root@localhost ~]# ip netns exec ns2 ifconfig tap2 up
# Ping test
[root@localhost ~]# ip netns exec ns2 ping 192.168.50.1
PING 192.168.50.1 (192.168.50.1) 56(84) bytes of data.
64 bytes from 192.168.50.1: icmp_seq=1 ttl=64 time=0.053 ms
64 bytes from 192.168.50.1: icmp_seq=2 ttl=64 time=0.046 ms
^C
--- 192.168.50.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.046/0.049/0.053/0.007 ms
[root@localhost ~]# ip netns exec ns1 ping 192.168.50.2
PING 192.168.50.2 (192.168.50.2) 56(84) bytes of data.
64 bytes from 192.168.50.2: icmp_seq=1 ttl=64 time=0.030 ms
^C
--- 192.168.50.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
Reference: 《深入理解Openstack Neutron》, 李宗标



