Merge pull request #5680 from geekpi/master

translated
geekpi 2017-06-12 10:48:51 +08:00 committed by GitHub
commit 7cf8c21dbd
2 changed files with 212 additions and 212 deletions


@ -1,212 +0,0 @@
translating---geekpi
# Network management with LXD (2.3+)
![LXD logo](https://linuxcontainers.org/static/img/containers.png)
### Introduction
When LXD 2.0 shipped with Ubuntu 16.04, LXD networking was pretty simple. You could either use that “lxdbr0” bridge that “lxd init” would have you configure, provide your own or just use an existing physical interface for your containers.
While this certainly worked, it was a bit confusing because most of that bridge configuration happened outside of LXD in the Ubuntu packaging. Those scripts could only support a single bridge and none of this was exposed over the API, making remote configuration a bit of a pain.
That was all until LXD 2.3 when LXD finally grew its own network management API and command line tools to match. This post is an attempt at an overview of those new capabilities.
### Basic networking
Right out of the box, LXD 2.3 comes with no network defined at all. “lxd init” will offer to set one up for you and attach it to all new containers by default, but lets do it by hand to see whats going on under the hood.
To create a new network with a random IPv4 and IPv6 subnet and NAT enabled, just run:
```
stgraber@castiana:~$ lxc network create testbr0
Network testbr0 created
```
You can then look at its config with:
```
stgraber@castiana:~$ lxc network show testbr0
name: testbr0
config:
ipv4.address: 10.150.19.1/24
ipv4.nat: "true"
ipv6.address: fd42:474b:622d:259d::1/64
ipv6.nat: "true"
managed: true
type: bridge
usedby: []
```
If you dont want those auto-configured subnets, you can go with:
```
stgraber@castiana:~$ lxc network create testbr0 ipv6.address=none ipv4.address=10.0.3.1/24 ipv4.nat=true
Network testbr0 created
```
Which will result in:
```
stgraber@castiana:~$ lxc network show testbr0
name: testbr0
config:
ipv4.address: 10.0.3.1/24
ipv4.nat: "true"
ipv6.address: none
managed: true
type: bridge
usedby: []
```
Having a network created and running wont do you much good if your containers arent using it.
To have your newly created network attached to all containers, you can simply do:
```
stgraber@castiana:~$ lxc network attach-profile testbr0 default eth0
```
To attach a network to a single existing container, you can do:
```
stgraber@castiana:~$ lxc network attach my-container default eth0
```
Now, lets say you have openvswitch installed on that machine and want to convert that bridge to an OVS bridge, just change the driver property:
```
stgraber@castiana:~$ lxc network set testbr0 bridge.driver openvswitch
```
If you want to do a bunch of changes all at once, “lxc network edit” will let you edit the network configuration interactively in your text editor.
### Static leases and port security
One of the nice thing with having LXD manage the DHCP server for you is that it makes managing DHCP leases much simpler. All you need is a container-specific nic device and the right property set.
```
root@yak:~# lxc init ubuntu:16.04 c1
Creating c1
root@yak:~# lxc network attach testbr0 c1 eth0
root@yak:~# lxc config device set c1 eth0 ipv4.address 10.0.3.123
root@yak:~# lxc start c1
root@yak:~# lxc list c1
+------+---------+-------------------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+-------------------+------+------------+-----------+
| c1 | RUNNING | 10.0.3.123 (eth0) | | PERSISTENT | 0 |
+------+---------+-------------------+------+------------+-----------+
```
And same goes for IPv6 but with the “ipv6.address” property instead.
Similarly, if you want to prevent your container from ever changing its MAC address or forwarding traffic for any other MAC address (such as nesting), you can enable port security with:
```
root@yak:~# lxc config device set c1 eth0 security.mac_filtering true
```
### DNS
LXD runs a DNS server on the bridge. On top of letting you set the DNS domain for the bridge (“dns.domain” network property), it also supports 3 different operating modes (“dns.mode”):
* “managed” will have one DNS record per container, matching its name and known IP addresses. The container cannot alter this record through DHCP.
* “dynamic” allows the containers to self-register in the DNS through DHCP. So whatever hostname the container sends during the DHCP negotiation ends up in DNS.
* “none” is for a simple recursive DNS server without any kind of local DNS records.
The default mode is “managed” and is typically the safest and most convenient as it provides DNS records for containers but doesnt let them spoof each others records by sending fake hostnames over DHCP.
### Using tunnels
On top of all that, LXD also supports connecting to other hosts using GRE or VXLAN tunnels.
A LXD network can have any number of tunnels attached to it, making it easy to create networks spanning multiple hosts. This is mostly useful for development, test and demo uses, with production environment usually preferring VLANs for that kind of segmentation.
So say, you want a basic “testbr0” network running with IPv4 and IPv6 on host “edfu” and want to spawn containers using it on host “djanet”. The easiest way to do that is by using a multicast VXLAN tunnel. This type of tunnels only works when both hosts are on the same physical segment.
```
root@edfu:~# lxc network create testbr0 tunnel.lan.protocol=vxlan
Network testbr0 created
root@edfu:~# lxc network attach-profile testbr0 default eth0
```
This defines a “testbr0” bridge on host “edfu” and sets up a multicast VXLAN tunnel on it for other hosts to join it. In this setup, “edfu” will be the one acting as a router for that network, providing DHCP, DNS, … the other hosts will just be forwarding traffic over the tunnel.
```
root@djanet:~# lxc network create testbr0 ipv4.address=none ipv6.address=none tunnel.lan.protocol=vxlan
Network testbr0 created
root@djanet:~# lxc network attach-profile testbr0 default eth0
```
Now you can start containers on either host and see them getting IP from the same address pool and communicate directly with each other through the tunnel.
As mentioned earlier, this uses multicast, which usually wont do you much good when crossing routers. For those cases, you can use VXLAN in unicast mode or a good old GRE tunnel.
To join another host using GRE, first configure the main host with:
```
root@edfu:~# lxc network set testbr0 tunnel.nuturo.protocol gre
root@edfu:~# lxc network set testbr0 tunnel.nuturo.local 172.17.16.2
root@edfu:~# lxc network set testbr0 tunnel.nuturo.remote 172.17.16.9
```
And then the “client” host with:
```
root@nuturo:~# lxc network create testbr0 ipv4.address=none ipv6.address=none tunnel.edfu.protocol=gre tunnel.edfu.local=172.17.16.9 tunnel.edfu.remote=172.17.16.2
Network testbr0 created
root@nuturo:~# lxc network attach-profile testbr0 default eth0
```
If youd rather use vxlan, just do:
```
root@edfu:~# lxc network set testbr0 tunnel.edfu.id 10
root@edfu:~# lxc network set testbr0 tunnel.edfu.protocol vxlan
```
And:
```
root@nuturo:~# lxc network set testbr0 tunnel.edfu.id 10
root@nuturo:~# lxc network set testbr0 tunnel.edfu.protocol vxlan
```
The tunnel id is required here to avoid conflicting with the already configured multicast vxlan tunnel.
And thats how you make cross-host networking easily with recent LXD!
### Conclusion
LXD now makes it very easy to define anything from a simple single-host network to a very complex cross-host network for thousands of containers. It also makes it very simple to define a new network just for a few containers or add a second device to a container, connecting it to a separate private network.
While this post goes through most of the different features we support, there are quite a few more knobs that can be used to fine tune the LXD network experience.
A full list can be found here: [https://github.com/lxc/lxd/blob/master/doc/configuration.md][2]
# Extra information
The main LXD website is at: [https://linuxcontainers.org/lxd
][3]Development happens on Github at: [https://github.com/lxc/lxd][4]
Mailing-list support happens on: [https://lists.linuxcontainers.org][5]
IRC support happens in: #lxcontainers on irc.freenode.net
Try LXD online: [https://linuxcontainers.org/lxd/try-it][6]
--------------------------------------------------------------------------------
via: https://www.stgraber.org/2016/10/27/network-management-with-lxd-2-3/
作者:[Stéphane Graber][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.stgraber.org/author/stgraber/
[1]:https://www.stgraber.org/author/stgraber/
[2]:https://github.com/lxc/lxd/blob/master/doc/configuration.md#network-configuration
[3]:https://linuxcontainers.org/lxd
[4]:https://github.com/lxc/lxd
[5]:https://lists.linuxcontainers.org/
[6]:https://linuxcontainers.org/lxd/try-it
[7]:https://www.stgraber.org/2016/10/27/network-management-with-lxd-2-3/
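Review bot: the deleted source carries a command whose argument order disagrees with the rest of the file, and the translation should not inherit it unchecked: "lxc network attach my-container default eth0" puts the container name first, while "lxc network attach testbr0 c1 eth0" and "lxc network attach-profile testbr0 default eth0" later in the same file put the network first. Worth confirming the order against the network configuration page linked under [2] before the translated copy is published. Beyond that, the removal is the whole source file including its "translating---geekpi" claim line, which matches the 译者 credit in the added file, so the move from the untranslated to the translated tree is consistent; two cosmetic leftovers it also removes are the link "[https://linuxcontainers.org/lxd" / "][3]" split across two lines and the unused reference definitions [1] and [7].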


@ -0,0 +1,212 @@
# 使用 LXD (2.3+) 管理网络
![LXD logo](https://linuxcontainers.org/static/img/containers.png)
### 介绍
当 LXD 2.0 随着 Ubuntu 16.04 一起发布时LXD 联网就简单了。你可以使用 “lxdbr0” 桥接,配置 “lxd init”为你的容器提供你自己或者使用一个已存在的物理接口。
虽然这确实有效,但是有点混乱,因为大部分的桥接配置发生在 Ubuntu 包的 LXD 之外。那些脚本只能支持一个桥接,并且没有通过 API 暴露,这使得远程配置有点痛苦。
直到 LXD 2.3LXD 终于发展了自己的网络管理 API 和命令行工具来匹配。这篇文章是对这些新功能概述的尝试。
### 基础联网
在初始情况下LXD 2.3 没有定义任何网络。“lxd init” 会为你设置一个,并且默认将所有新的容器连接到它,但是让我们亲手尝试看下究竟发生了些什么。
要创建一个新的带有随机 IPv4 和 IP6 以及启用 NAT 的网络,只需要运行:
```
stgraber@castiana:~$ lxc network create testbr0
Network testbr0 created
```
你可以如下查看它的配置:
```
stgraber@castiana:~$ lxc network show testbr0
name: testbr0
config:
ipv4.address: 10.150.19.1/24
ipv4.nat: "true"
ipv6.address: fd42:474b:622d:259d::1/64
ipv6.nat: "true"
managed: true
type: bridge
usedby: []
```
如果你不想要那些自动配置的子网,你可以这么做:
```
stgraber@castiana:~$ lxc network create testbr0 ipv6.address=none ipv4.address=10.0.3.1/24 ipv4.nat=true
Network testbr0 created
```
那就会这样:
```
stgraber@castiana:~$ lxc network show testbr0
name: testbr0
config:
ipv4.address: 10.0.3.1/24
ipv4.nat: "true"
ipv6.address: none
managed: true
type: bridge
usedby: []
```
如果你的容器没有使用,那么创建的网络对你也没什么用。要将你新创建的网络连接到所有容器,你可以这么做:
```
stgraber@castiana:~$ lxc network attach-profile testbr0 default eth0
```
要将一个网络连接到一个已存在的容器中,你可以这么做:
```
stgraber@castiana:~$ lxc network attach my-container default eth0
```
现在,假设你已经在机器中安装了 openvswitch并且要将这个桥接转换成 OVS 桥接,只需合适地更改驱动:
```
stgraber@castiana:~$ lxc network set testbr0 bridge.driver openvswitch
```
如果你想要一次性做一系列修改。“lxc network edit” 可以让你在编辑器中交互编辑网络配置。
### 静态租约及端口安全
使用 LXD 管理 DHCP 服务器的一个好处是可以使得管理 DHCP 租约很简单。你所需要的是一个容器特定的 nic 设备以及正确的属性设置。
```
root@yak:~# lxc init ubuntu:16.04 c1
Creating c1
root@yak:~# lxc network attach testbr0 c1 eth0
root@yak:~# lxc config device set c1 eth0 ipv4.address 10.0.3.123
root@yak:~# lxc start c1
root@yak:~# lxc list c1
+------+---------+-------------------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+---------+-------------------+------+------------+-----------+
| c1 | RUNNING | 10.0.3.123 (eth0) | | PERSISTENT | 0 |
+------+---------+-------------------+------+------------+-----------+
```
IPv6 也是相同的方法,但是换成 “ipv6.address” 属性。
相似地,如果你想要阻止你的容器更改它的 MAC 地址或者为其他 MAC 地址转发流量(比如嵌套),你可以用下面的命令启用端口安全:
```
root@yak:~# lxc config device set c1 eth0 security.mac_filtering true
```
### DNS
LXD 在桥接中运行了一个 DNS 服务器。除了设置网桥的 DNS 域( “dns.domain” 网络属性)之外,还支持 3 种不同的操作模式“dns.mode”
* “managed” 为每个容器都会有一条 DNS 记录,匹配它的名字以及已知的 IP 地址。容器无法通过 DHCP 改变这条记录。
* “dynamic” 允许容器通过 DHCP 在 DNS 中自己注册。因此,在 DHCP 协商期间容器发送的任何主机名都会在 DNS 中终止。
* “none” 针对那些没有任何本地 DNS 记录的递归 DNS 服务器。
默认的模式是 “managed”并且典型的是最安全以及最方便的因为它为容器提供了 DNS 记录,但是不允许它们通过 DHCP 发送虚假主机名嗅探其他的记录。
### 使用隧道
除了这些LXD 还支持使用 GRE 或者 VXLAN 隧道连接到其他主机。
LXD 网络可以连接任何数量的隧道,从而轻松地创建跨多个主机的网络。这对于开发、测试和演示非常有用,生产环境通常更喜欢使用 VLAN 进行分割。
所以说,你想在主机 “edfu” 上有一个运行 IPv4 和 IPv6 的基础 “testbr0” 网络,并希望在主机 “djanet” 上使用它来生成容器。最简单的方法是使用组播 VXLAN 隧道。这种类型的隧道仅在两个主机位于同一物理段上时才起作用。
```
root@edfu:~# lxc network create testbr0 tunnel.lan.protocol=vxlan
Network testbr0 created
root@edfu:~# lxc network attach-profile testbr0 default eth0
```
它在主机 “edfu” 上定义了一个 “testbr0” 桥接,并为其他主机能加入它设置了一个组播 VXLAN。在这个设置中“edfu” 为这个网络扮演了一个路由器角色,提供 DHCP、DNS 等等,其他主机只是通过隧道转发流量。
```
root@djanet:~# lxc network create testbr0 ipv4.address=none ipv6.address=none tunnel.lan.protocol=vxlan
Network testbr0 created
root@djanet:~# lxc network attach-profile testbr0 default eth0
```
现在你可以在任何一台主机上启动容器,并看它们从相同的地址池中获取 IP通过隧道直接互相交流。
如先前所述,这个使用了组播,它通常在跨越路由器时无法很好工作。在这些情况下,你可以用单播模式使用 VXLAN 或者 GRE 隧道。
要使用 GRE 加入另一台主机,首先配置服务主机:
```
root@edfu:~# lxc network set testbr0 tunnel.nuturo.protocol gre
root@edfu:~# lxc network set testbr0 tunnel.nuturo.local 172.17.16.2
root@edfu:~# lxc network set testbr0 tunnel.nuturo.remote 172.17.16.9
```
接着是“客户端”主机:
```
root@nuturo:~# lxc network create testbr0 ipv4.address=none ipv6.address=none tunnel.edfu.protocol=gre tunnel.edfu.local=172.17.16.9 tunnel.edfu.remote=172.17.16.2
Network testbr0 created
root@nuturo:~# lxc network attach-profile testbr0 default eth0
```
如果你像使用 VXLAN只要这么做
```
root@edfu:~# lxc network set testbr0 tunnel.edfu.id 10
root@edfu:~# lxc network set testbr0 tunnel.edfu.protocol vxlan
```
还有:
```
root@nuturo:~# lxc network set testbr0 tunnel.edfu.id 10
root@nuturo:~# lxc network set testbr0 tunnel.edfu.protocol vxlan
```
这里需要隧道 id 以防与已经配置的多播 VXLAN 隧道冲突。
这就是如何使用最近的 LXD 简化跨主机联网了!
### 总结
LXD 可以容易地定义简单的单主机网络定义到数千个容器的非常复杂的跨主机网络。它也使为一些容器定义一个新网络或者给容器添加第二个设备,并连接到隔离的私有网络变得很简单。
虽然这篇文章介绍了支持的大部分功能,但仍有很有可以微调 LXD 网络体验的窍门。
可以在这里找到完整的列表:[https://github.com/lxc/lxd/blob/master/doc/configuration.md][2]
# 额外信息
LXD 主站:[https://linuxcontainers.org/lxd][3]
Github 地址: [https://github.com/lxc/lxd][4]
邮件列表支持:[https://lists.linuxcontainers.org][5]
IRC 频道:#lxcontainers on irc.freenode.net
在线尝试 LXD[https://linuxcontainers.org/lxd/try-it][6]
--------------------------------------------------------------------------------
via: https://www.stgraber.org/2016/10/27/network-management-with-lxd-2-3/
作者:[Stéphane Graber][a]
译者:[geekpi](https://github.com/geekpi)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.stgraber.org/author/stgraber/
[1]:https://www.stgraber.org/author/stgraber/
[2]:https://github.com/lxc/lxd/blob/master/doc/configuration.md#network-configuration
[3]:https://linuxcontainers.org/lxd
[4]:https://github.com/lxc/lxd
[5]:https://lists.linuxcontainers.org/
[6]:https://linuxcontainers.org/lxd/try-it
[7]:https://www.stgraber.org/2016/10/27/network-management-with-lxd-2-3/
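Review bot: several sentences in the added translation change the meaning of the source and should be corrected before merge; the two that touch the security content are in the DNS section. "在 DHCP 协商期间容器发送的任何主机名都会在 DNS 中终止" renders "ends up in DNS" as "terminates in DNS" (something like "都会成为 DNS 记录" is meant), and "不允许它们通过 DHCP 发送虚假主机名嗅探其他的记录" turns "spoof each other's records" into "sniff" (嗅探), which loses the point that managed mode prevents one container from impersonating another's name; "伪造/冒充其它容器的记录" would be accurate. Smaller fixes: "随机 IPv4 和 IP6" should read "IPv6"; "如果你像使用 VXLAN" has 像 for 想; "仍有很有可以微调" should be "仍有很多可以微调"; "只需合适地更改驱动" drops the source's "driver property" ("只需更改 bridge.driver 属性"); and the introduction's "配置 “lxd init”为你的容器提供你自己或者使用一个已存在的物理接口" garbles "provide your own or just use an existing physical interface" and needs rewording. The 校对者ID placeholder is still unfilled, which is expected at this stage, and the "lxc network attach my-container default eth0" line is carried over verbatim from the source with its container-first argument order, unlike "lxc network attach testbr0 c1 eth0" later in the file.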