The purpose of this article is to set up an LXC container that can connect to the external network.

Several network modes are available for configuring LXC. By default, the lxc-oracle template script sets up networking by configuring a veth bridge. In this mode the container gets its IP address from a dnsmasq server that libvirtd runs on a private virtual bridge network (virbr0) between the container and the host. The host lets the container reach the rest of the network through NAT rules in iptables, but those rules do not allow inbound connections to the container. The host and the other containers on the veth bridge can reach the container through the bridge.

If network connections from outside the host are to reach the container, the container needs an IP address on the same network as the host. One way to achieve this is to use a macvlan bridge to create a separate logical network for the container; the scenario below shows how to set it up.

The scenario is based on CentOS/RHEL 6 and should also work on CentOS/RHEL 7.
- On the host node there are two interfaces, and no bridge has been created yet:

```
[root@centos6-LXC container]# ifconfig
eth1      Link encap:Ethernet  HWaddr 08:00:27:B2:16:F7
          inet addr:XX.XX.22.189  Bcast:XX.XX.23.255  Mask:255.255.252.0

eth2      Link encap:Ethernet  HWaddr 08:00:27:1C:2C:5F
          inet6 addr: 2606:b400:c11:68:a00:27ff:fe1c:2c5f/64 Scope:Global

virbr0    Link encap:Ethernet  HWaddr 52:54:00:3F:E9:36
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```
- Create a new bridge on the host node, enslave eth2 to it and bring it up:

```
[root@centos6-LXC container]# brctl addbr lxcbr1
[root@centos6-LXC container]# brctl addif lxcbr1 eth2
[root@centos6-LXC container]# brctl show
bridge name     bridge id               STP enabled     interfaces
lxcbr1          8000.0800271c2c5f       no              eth2
virbr0          8000.5254003fe936       yes             virbr0-nic
[root@centos6-LXC container]# ip link set lxcbr1 up
[root@centos6-LXC container]# ip link
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:b2:16:f7 brd ff:ff:ff:ff:ff:ff
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master lxcbr1 state UP qlen 1000
    link/ether 08:00:27:1c:2c:5f brd ff:ff:ff:ff:ff:ff
6: lxcbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 08:00:27:1c:2c:5f brd ff:ff:ff:ff:ff:ff
```
- The container's config uses a macvlan interface in bridge mode, linked to lxcbr1:

```
[root@centos6-LXC ~]# egrep -v "^$|#" /container/contnr01/config
lxc.rootfs = /container/contnr01/rootfs
lxc.include = /usr/share/lxc/config/oracle.common.conf
lxc.arch = x86_64
lxc.utsname = contnr01
lxc.cap.drop = sys_resource
lxc.cap.drop = setfcap setpcap
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = lxcbr1
lxc.network.macvlan.mode = bridge
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.hwaddr = fe:71:08:9d:10:58
```
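Because a macvlan interface puts the container's MAC address directly on the shared LAN, the `lxc.network.hwaddr` value should be unicast and locally administered (the post's `fe:` prefix satisfies both), so it cannot collide with a vendor-assigned NIC on the same segment. The following script is an added example, not code from the post or from the LXC project: it validates a MAC on those two bits, generates a fresh one with the same `fe:` prefix, and emits the macvlan stanza the post's config uses. The function names and the sample container name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate and sanity-check the
# macvlan network stanza for an LXC 1.x container config.

# Return 0 if $1 is a well-formed MAC that is unicast (bit 0 of the first
# octet clear) and locally administered (bit 1 set). A globally administered
# address such as 08:00:27:... belongs to a vendor and must not be reused.
valid_laa_unicast_mac() {
    mac=$1
    case "$mac" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# Produce a random fe:xx:xx:xx:xx:xx address (same prefix as the post's config),
# using five bytes from /dev/urandom.
random_laa_mac() {
    tail=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n' | sed 's/../&:/g; s/:$//')
    printf 'fe:%s\n' "$tail"
}

# Print the macvlan (bridge mode) network stanza for container $1 attached to
# host bridge $2 with hardware address $3; refuse an unsuitable address.
macvlan_stanza() {
    name=$1 link=$2 hwaddr=$3
    valid_laa_unicast_mac "$hwaddr" || { echo "unsuitable hwaddr: $hwaddr" >&2; return 1; }
    cat <<EOF
lxc.utsname = $name
lxc.network.type = macvlan
lxc.network.flags = up
lxc.network.link = $link
lxc.network.macvlan.mode = bridge
lxc.network.name = eth0
lxc.network.mtu = 1500
lxc.network.hwaddr = $hwaddr
EOF
}

# Usage (only when run directly): print a stanza for a hypothetical contnr02.
if [ "${1:-}" = "demo" ]; then
    macvlan_stanza contnr02 lxcbr1 "$(random_laa_mac)"
fi
```

Append the printed stanza to the container's config in place of the `lxc.network.*` lines; the remaining lines of the post's config (`lxc.rootfs`, `lxc.include`, `lxc.cap.drop`) are unchanged by the network mode.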
- Start the LXC container:

```
[root@centos6-LXC ~]# lxc-start --name contnr01
lxc-start: cgfs.c: handle_cgroup_settings: 2077 Device or resource busy - failed to set memory.use_hierarchy to 1; continuing
INIT: version 2.86 booting
                Welcome to Oracle Linux
                Oracle Linux Server release 5.9
                Press 'I' to enter interactive startup.
Setting hostname contnr01:  [  OK  ]
Checking filesystems
WARNING: Your /etc/fstab does not contain the fsck passno
         field.  I will kludge around things for you, but you
         should fix your /etc/fstab file as soon as you can.
 [  OK  ]
Mounting local filesystems:  [  OK  ]
Enabling /etc/fstab swaps:  [  OK  ]
INIT: Entering runlevel: 3
Entering non-interactive startup
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:
Determining IP information for eth0... done.
 [  OK  ]
Mounting other filesystems:  [  OK  ]
Starting system logger:  [  OK  ]
Starting sshd:  [  OK  ]

Oracle Linux Server release 5.9
Kernel 3.8.13-98.2.1.el6uek.x86_64 on an x86_64

contnr01 login:
```
- Show the configuration from inside the LXC container and try to reach the external network:

```
[root@centos6-LXC ~]# lxc-attach -n contnr01
[root@contnr01 ~]# hostname
contnr01
[root@contnr01 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr FE:71:08:9D:10:58
          inet addr:XX.XX.22.192  Bcast:XX.XX.23.255  Mask:255.255.252.0
          inet6 addr: 2606:b400:c11:68:fc71:8ff:fe9d:1058/64 Scope:Global
          inet6 addr: fe80::fc71:8ff:fe9d:1058/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1217259 (1.1 MiB)  TX bytes:2003 (1.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root@contnr01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp    ### Can assign a dedicated or static IP
ONBOOT=yes
HOSTNAME=contnr01
DHCP_HOSTNAME=contnr01
TYPE=Ethernet

[root@contnr01 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         XX.XX.20.1      0.0.0.0         UG    0      0        0 eth0
XX.XX.20.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
```
Now we can ping an external host IP to verify connectivity.

Note: for containers inside a VMware virtual machine, change the "Forged transmits" setting to "Accept" on the vSwitch the VM is connected to. When that option is set to Accept, ESXi does not compare the source MAC address of outgoing frames against the effective MAC address of the virtual NIC.
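The outcome the post expects is visible in the two sessions above: eth2 is enslaved to lxcbr1 on the host, and the container's eth0 (XX.XX.22.192/22) lands in the same network as the host's eth1 (XX.XX.22.189/22) rather than on virbr0's 192.168.122.0/24. The script below is an added example, not code from the post, that checks both conditions. It parses `ip link` output and compares addresses under a netmask in pure POSIX shell; the sample outputs embedded in it are constructed (the post's masked addresses are replaced by 10.0.x placeholders) and the function names are assumptions. When run with `RUN_LIVE=1` as root it repeats the checks against the real host instead of the samples.

```shell
#!/bin/sh
# Added example (not from the original post): verify the post's post-conditions,
# offline against constructed samples or live on the host with RUN_LIVE=1.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 when addresses $1 and $2 share the network selected by netmask $3.
same_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$3") )) -eq $(( $(ip_to_int "$2") & $(ip_to_int "$3") )) ]
}

# Return 0 when the "ip link" output in $1 shows interface $2 enslaved to bridge $3.
iface_has_master() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+: $2: .* master $3 "
}

# Constructed sample mirroring the post's host "ip link" session.
IP_LINK_SAMPLE='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master lxcbr1 state UP qlen 1000
6: lxcbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Constructed placeholders for the post's masked XX.XX.22.189 / XX.XX.22.192 pair.
HOST_IP_SAMPLE=10.0.22.189
CONTAINER_IP_SAMPLE=10.0.22.192
NETMASK_SAMPLE=255.255.252.0

# Run both checks and report; returns non-zero if either fails.
report() {
    rc=0
    if iface_has_master "$1" "$2" "$3"; then
        echo "ok: $2 is enslaved to $3"
    else
        echo "FAIL: $2 is not a member of $3 (brctl addif $3 $2 missing?)"; rc=1
    fi
    if same_subnet "$4" "$5" "$6"; then
        echo "ok: container $5 is on the host network of $4/$6"
    else
        echo "FAIL: container $5 is not on the host network of $4/$6"; rc=1
    fi
    return $rc
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    # Live mode: hypothetical values for bridge/NIC/container come from the post's scenario.
    BRIDGE=${BRIDGE:-lxcbr1} NIC=${NIC:-eth2} CT=${CT:-contnr01} HOST_NIC=${HOST_NIC:-eth1}
    host_ip=$(ip -o -4 addr show dev "$HOST_NIC" | awk '{print $4}' | cut -d/ -f1 | head -n1)
    ct_ip=$(lxc-attach -n "$CT" -- ip -o -4 addr show dev eth0 | awk '{print $4}' | cut -d/ -f1 | head -n1)
    report "$(ip link)" "$NIC" "$BRIDGE" "$host_ip" "$ct_ip" 255.255.252.0
elif [ "${1:-}" = demo ]; then
    report "$IP_LINK_SAMPLE" eth2 lxcbr1 "$HOST_IP_SAMPLE" "$CONTAINER_IP_SAMPLE" "$NETMASK_SAMPLE"
fi
```

Ping the container from a machine other than the host when confirming inbound reachability: macvlan does not forward traffic between the parent interface and its own child interfaces, so a reply from the host's stack on the macvlan parent proves nothing, while a reply from another LAN host shows that the container's MAC is genuinely being forwarded by the upstream switch.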
Date: 2020-09-17 00:16:29  Source: oir  Author: oir