docker networking namespace not visible in ip netns

Posted 2019-01-30 05:18

When I create a new docker container like with

docker run -it -m 560m --cpuset-cpus=1,2 ubuntu sleep 120

and check its namespaces, I can see that new namespaces have been created (example for pid 7047).

root@dude2:~# ls /proc/7047/ns -la
total 0
dr-x--x--x 2 root root 0 Jul  7 12:17 .
dr-xr-xr-x 9 root root 0 Jul  7 12:16 ..
lrwxrwxrwx 1 root root 0 Jul  7 12:17 ipc -> ipc:[4026532465]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 mnt -> mnt:[4026532463]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 net -> net:[4026532299]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 pid -> pid:[4026532466]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Jul  7 12:17 uts -> uts:[4026532464]
root@dude2:~# ls /proc/self/ns -la

When I check with ip netns list I cannot see the new net namespace.

dude@dude2:~/docker/testroot$ ip netns list
dude@dude2:~/docker/testroot$ 

Any idea why?

3 answers
等我变得足够好
Reply 2 -- · 2019-01-30 05:42

As @jary indicates, the ip netns command only works with namespace symlinks in /var/run/netns. However, if you have the nsenter command available (part of the util-linux package), you can accomplish the same thing using the PID of your docker container.

To get the PID of a docker container, you can run:

docker inspect --format '{{.State.Pid}}' <container_name_or_Id>

To get a command inside the network namespace of a container:

nsenter -t <container_pid> -n <command>

E.g:

$ docker inspect --format '{{.State.Pid}}' weechat
4432
$ sudo nsenter -t 4432 -n ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
75: eth0@if76: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:1b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.27/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:1b/64 scope link 
       valid_lft forever preferred_lft forever

The above was equivalent to running ip netns exec <some_namespace> ip addr show.

As you can see here, you will need to run nsenter with root privileges.

时光不老,我们不散
Reply 3 -- · 2019-01-30 05:51

Similar to, but different from, @jary's answer.
There is no need to introduce /proc/<pid>/ or nsenter. Only the one move below achieves what you want. Thus, you can operate on containers' network namespaces just as if they had been created manually on the host machine.

One Move:

ln -s /var/run/docker/netns  /var/run/netns 

Result:

Start a container:

docker run -tid ubuntu:18.04 

List container:

root@Light-G:/var/run# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
972909a27ea1        ubuntu:18.04        "/bin/bash"         19 seconds ago      Up 18 seconds                           peaceful_easley

List network namespace of this container:

root@Light-G:/var/run# ip netns list
733443afef58 (id: 0)

Delete container:

root@Light-G:/var/run# docker rm -f 972909a27ea1
972909a27ea1

List network namespace again:

root@Light-G:/var/run# ip netns list
root@Light-G:/var/run#
疯言疯语
Reply 4 -- · 2019-01-30 05:56

That's because docker is not creating the required symlink:

# (as root)
pid=$(docker inspect -f '{{.State.Pid}}' ${container_id})
mkdir -p /var/run/netns/
ln -sfT /proc/$pid/ns/net /var/run/netns/$container_id

Then, the container's network namespace can be examined with ip netns exec ${container_id}, e.g.:

# e.g. show stats about eth0 inside the container 
ip netns exec "${container_id}" ip -s link show eth0
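The three answers above describe the same mechanism from different angles: ip netns only looks at /var/run/netns, while the container's namespace is reachable through /proc/<pid>/ns/net (nsenter, or a symlink to that path) or through the nsfs mounts Docker keeps in /var/run/docker/netns. The script below is an added example that is not code from the question or from any of the answers. It pulls those pieces together and adds the two checks a practitioner wants before trusting the result: that the container actually has its own network namespace (a container started with --network=host shares the host's, and nsenter would then silently operate on the host's interfaces), and that a symlink under /var/run/netns is removed again rather than left pointing at a PID that may later be reused by an unrelated process. It assumes Linux, iproute2, util-linux nsenter and a running Docker daemon; the container name "weechat" is a placeholder borrowed from the first answer, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Inspect a Docker container's network namespace through /proc/<pid>/ns/net
# instead of relying on /var/run/netns. Assumes Linux, iproute2, util-linux
# nsenter and a running Docker daemon; "weechat" is a placeholder name.

# Namespace identifier (the nsfs inode number) behind /proc/<pid>/ns/<type>.
# readlink prints e.g. "net:[4026531992]"; keep only the digits.
ns_id() {
    pid=$1; type=${2:-net}
    link=$(readlink "/proc/$pid/ns/$type") || return 1
    printf '%s\n' "$link" | sed 's/[^0-9]//g'
}

# Exit 0 if two PIDs share a namespace of the given type, 1 if they do not,
# 2 if a namespace link could not be read (no permission, PID gone).
same_ns() {
    a=$(ns_id "$1" "${3:-net}") || return 2
    b=$(ns_id "$2" "${3:-net}") || return 2
    [ "$a" = "$b" ]
}

# Host PID of the container's init process; fails if it is not running
# (docker reports .State.Pid as 0 for a stopped container).
container_pid() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || return 1
    case $pid in ''|0|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$pid"
}

# Find the nsfs mount Docker keeps for this PID under /var/run/docker/netns
# (the directory the second answer symlinks). Following the mount with
# stat -L yields the same inode number as the /proc/<pid>/ns/net link.
docker_netns_file() {
    want=$(ns_id "$1") || return 1
    for f in /var/run/docker/netns/*; do
        [ "$(stat -L -c %i "$f" 2>/dev/null)" = "$want" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Run a command in the container's network namespace with nsenter (needs root).
# Refuses if the container shares the host namespace, e.g. --network=host:
# nsenter -n would then run the command against the host's own interfaces.
netns_exec() {
    name=$1; shift
    pid=$(container_pid "$name") || { echo "$name: not running" >&2; return 1; }
    rc=0; same_ns "$pid" 1 || rc=$?
    case $rc in
        0) echo "$name: shares the host network namespace, refusing" >&2; return 1 ;;
        2) echo "$name: cannot read namespace links (run as root)" >&2; return 1 ;;
    esac
    nsenter -t "$pid" -n -- "$@"
}

# Same through ip netns: create the symlink Docker omits, run the command,
# then remove the link. A link left behind still names /proc/<pid>, and once
# that PID is reused "ip netns exec <name>" would enter the wrong namespace.
with_ip_netns() {
    name=$1; shift
    pid=$(container_pid "$name") || return 1
    mkdir -p /var/run/netns
    ln -sfT "/proc/$pid/ns/net" "/var/run/netns/$name" || return 1
    rc=0; ip netns exec "$name" "$@" || rc=$?
    rm -f "/var/run/netns/$name"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    netns_exec weechat ip addr show
    docker_netns_file "$(container_pid weechat)"
    with_ip_netns weechat ip -s link show eth0
fi
```

Run it as root with --demo against a running container. ns_id and same_ns work unprivileged on your own processes, which is enough to check, for example, that a shell you were handed really is in a separate namespace from the host's PID 1 before you rely on that isolation.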