如何在 Linux 容器 (LXC) 中为容器设置外部网络

这篇文章的目的是设置可以连接到外部网络的 LXC 容器。
有多种网络模式可用于设置 LXC。

默认情况下,lxc-oracle 模板脚本通过设置 veth 桥来设置网络。
在这种模式下,容器从 libvirtd 运行在容器和主机之间的私有虚拟桥接网络(virbr0)上的 dnsmasq 服务器获取其 IP 地址。
主机允许容器通过使用 iptables 中的 NAT 规则连接到网络的其余部分,但这些规则不允许传入连接到容器。
veth 网桥上的主机和其他容器都可以通过网桥访问容器。

如果要允许来自主机外部的网络连接能够连接到容器,则容器需要具有与主机位于同一网络上的 IP 地址。
实现此配置的一种方法是使用 macvlan 网桥为容器创建独立的逻辑网络。

这可以通过使用 macvlan 网桥来实现,下面的场景显示了如何设置它。
该场景基于 CentOS/RHEL 6,应该也适用于 CentOS/RHEL 7.

  1. 在host节点上,有两个接口,目前没有创建网桥。
[root@centos6-LXC container]# ifconfig
eth1 Link encap:Ethernet HWaddr 08:00:27:B2:16:F7
inet addr:XX.XX.22.189 Bcast:XX.XX.23.255 Mask:255.255.252.0
eth2 Link encap:Ethernet HWaddr 08:00:27:1C:2C:5F
inet6 addr: 2606:b400:c11:68:a00:27ff:fe1c:2c5f/64 Scope:Global
virbr0 Link encap:Ethernet HWaddr 52:54:00:3F:E9:36
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
  1. 如何在宿主节点上新建网桥:
[root@centos6-LXC container]# brctl addbr lxcbr1
[root@centos6-LXC container]# brctl addif lxcbr1 eth2
[root@centos6-LXC container]# brctl show
bridge name   bridge id          STP enabled   interfaces
lxcbr1        8000.0800271c2c5f  no            eth2
virbr0        8000.5254003fe936  yes           virbr0-nic
[root@centos6-LXC container]# ip link set lxcbr1 up
[root@centos6-LXC container]# ip link
2: eth1: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:b2:16:f7 brd ff:ff:ff:ff:ff:ff
3: eth2: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc pfifo_fast master lxcbr1 state UP qlen 1000
link/ether 08:00:27:1c:2c:5f brd ff:ff:ff:ff:ff:ff
6: lxcbr1: [BROADCAST,MULTICAST,UP,LOWER_UP] mtu 1500 qdisc noqueue state UP
link/ether 08:00:27:1c:2c:5f brd ff:ff:ff:ff:ff:ff
[root@centos6-LXC ~]# egrep -v "^$|#" /container/contnr01/config
lxc.rootfs = /container/contnr01/rootfs
lxc.include = /usr/share/lxc/config/oracle.common.conf
lxc.arch = x86_64
lxc.utsname = contnr01
lxc.cap.drop = sys_resource
lxc.cap.drop = setfcap setpcap
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = lxcbr1
lxc.network.macvlan.mode = bridge
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.hwaddr = fe:71:08:9d:10:58
  1. 启动 lxc 容器:
[root@centos6-LXC ~]# lxc-start --name contnr01
lxc-start: cgfs.c: handle_cgroup_settings: 2077 Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
INIT: version 2.86 booting
Welcome to Oracle Linux Oracle Linux Server release 5.9
Press 'I' to enter interactive startup.
Setting hostname contnr01: [ OK ]
Checking filesystems
WARNING: Your /etc/fstab does not contain the fsck passno
field. I will kludge around things for you, but you
should fix your /etc/fstab file as soon as you can.
[ OK ]
Mounting local filesystems: [ OK ]
Enabling /etc/fstab swaps: [ OK ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining IP information for eth0... done.
[ OK ]
Mounting other filesystems: [ OK ]
Starting system logger: [ OK ]
Starting sshd: [ OK ]
Oracle Linux Server release 5.9
Kernel 3.8.13-98.2.1.el6uek.x86_64 on an x86_64
contnr01 login:
  1. 从lxc容器显示配置并尝试访问外网
[root@centos6-LXC ~]# lxc-attach -n contnr01
[root@contnr01 ~]# hostname
contnr01
[root@contnr01 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr FE:71:08:9D:10:58
inet addr:XX.XX.22.192 Bcast:XX.XX.23.255 Mask:255.255.252.0
inet6 addr: 2606:b400:c11:68:fc71:8ff:fe9d:1058/64 Scope:Global
inet6 addr: fe80::fc71:8ff:fe9d:1058/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8950 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1217259 (1.1 MiB) TX bytes:2003 (1.9 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@contnr01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp   ### Can assign a dedicated or static IP
ONBOOT=yes
HOSTNAME=contnr01
DHCP_HOSTNAME=contnr01
TYPE=Ethernet
[root@contnr01 ~]# route -n
Kernel IP routing table
Destination       Gateway       Genmask       Flags   Metric Ref Use Iface
0.0.0.0           XX.XX.20.1    0.0.0.0       UG      0      0   0   eth0
XX.XX.20.0        0.0.0.0       255.255.252.0 U       0      0   0   eth0
169.254.0.0       0.0.0.0       255.255.0.0   U       0      0   0   eth0

现在我们可以 ping 外部主机 IP 以验证连接。

注意:对于 VMware 主机中的容器,请在虚拟机连接的 vswitch 上将“Forge 传输”设置更改为“接受”。
当该选项设置为接受时,ESXi 不会比较源 MAC 地址和有效 MAC 地址。

日期:2020-09-17 00:16:29 来源:oir作者:oir