@minimum2scp
Last active August 24, 2016 11:46
Trying out haconiwa v0.3.2 with netns (Fukuoka.rb #63)

Environment:

  • PC: ThinkPad X1 Carbon
  • OS: Debian sid amd64
  • Kernel: 4.6.4
  • haconiwa: v0.3.2

Create the haco file with haconiwa new

sudo haconiwa new -n haco1 haco1.haco

Modify haco1.haco

--- haco1_bak.haco	2016-08-24 20:35:51.816558411 +0900
+++ haco1.haco	2016-08-24 20:28:45.068547510 +0900
@@ -15,12 +15,12 @@
   # The bootstrap process...
   # Choose lxc or debootstrap:
   config.bootstrap do |b|
-    b.strategy = "lxc"
-    b.os_type  = "alpine"
+    # b.strategy = "lxc"
+    # b.os_type  = "alpine"
 
-    # b.strategy = "debootstrap"
-    # b.variant = "minbase"
-    # b.debian_release = "jessie"
+    b.strategy = "debootstrap"
+    b.variant = "minbase"
+    b.debian_release = "jessie"
   end
   # Check that the required binary is installed(lxc-create / debootstrap)
 
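Review bot: switching to `b.strategy = "debootstrap"` moves the host-side dependency from lxc-create to the debootstrap binary, as the trailing context comment reminds; the release is pinned to `jessie` here, but nothing in the block pins a mirror, so the resulting rootfs depends on whatever proxy/mirror is in effect at `haconiwa create` time.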
@@ -28,7 +28,8 @@
   # You can declare run_shell step by step:
   config.provision do |p|
     p.run_shell <<-SHELL
-apk add --update bash
+apt-get update
+apt-get install -y --no-install-recommends bash iproute2 inetutils-ping
     SHELL
   end
 
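Review bot: the new provisioning leaves the apt package lists inside the rootfs after `apt-get install`; appending `apt-get clean` and `rm -rf /var/lib/apt/lists/*` to the heredoc keeps the image smaller and avoids shipping stale index files. Note that `<<-SHELL` only permits an indented terminator and does not strip the body's indentation, so keeping the command lines flush left is correct.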
@@ -43,9 +44,9 @@
   # These are recommended when namespaces such as pid and net are unshared:
   config.mount_independent "procfs"
   config.mount_independent "sysfs"
-  config.mount_independent "devtmpfs"
-  config.mount_independent "devpts"
-  config.mount_independent "shm"
+  # config.mount_independent "devtmpfs"
+  # config.mount_independent "devpts"
+  # config.mount_independent "shm"
 
   # The namespaces to unshare:
   config.namespace.unshare "mount"
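Review bot: commenting out `devtmpfs`, `devpts` and `shm` leaves the container with whatever /dev, /dev/pts and /dev/shm its rootfs already contains instead of independent mounts, while the context comment above recommends them precisely when pid and net are unshared (pid is unshared in the next hunk). If these were disabled to work around a create/run error, record the reason in a comment so the next reader does not re-enable them blindly.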
@@ -54,7 +55,7 @@
   config.namespace.unshare "pid"
 
   # You can use existing namespace via symlink file. e.g.:
-  # config.namespace.enter "net", via: "/var/run/netns/sample001"
+  config.namespace.enter "net", via: "/run/netns/haco001"
 
   # The cgroup configuration example:
   # config.cgroup["cpu.cfs_period_us"] = 100000
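Review bot: `config.namespace.enter "net", via: "/run/netns/haco001"` requires the nsfs bind mount to exist before `haconiwa run`, so `ip netns add haco001` has to run first or the container will not start; it also means the container shares that namespace with any other process on the host that enters it, so the veth, routes and iptables rules live in the host setup rather than in this config. The move from /var/run/netns to /run/netns is harmless on Debian, where /var/run is a symlink to /run.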

haconiwa create runs debootstrap and the rest of the bootstrap for you (http_proxy points at apt-cacher-ng so the package downloads are cached)

sudo http_proxy=http://172.17.0.2:3142/ haconiwa create haco1.haco

Create the netns in one go (http://udzura.hatenablog.jp/entry/2016/08/22/120209)

sudo ip netns add haco001
sudo ip link add haco01 type veth peer name eth101
sudo ip link set haco01 up
sudo ip link set eth101 netns haco001 up
sudo ip addr add 172.200.0.10/24 dev haco01
sudo ip netns exec haco001 ip addr add 172.200.0.11/24 dev eth101
sudo ip netns exec haco001 ip link set lo up

Check the result with ip a show:

tsuyoshi@mira% ip a show dev haco01
10: haco01@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1a:b7:1d:cd:72:a3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.200.0.10/24 scope global haco01
       valid_lft forever preferred_lft forever
    inet6 fe80::18b7:1dff:fecd:72a3/64 scope link 
       valid_lft forever preferred_lft forever

iptables settings (IP masquerade, IP forward)

# "haco01@if9" is how ip(8) displays the veth together with its peer's ifindex;
# the interface name is "haco01", which is what iptables -i/-o must be given.
# The host also needs net.ipv4.ip_forward=1 for the FORWARD rule to have any effect.
sudo iptables -t nat -A POSTROUTING -s 172.200.0.0/24 ! -o haco01 -j MASQUERADE
sudo iptables -t filter -A FORWARD -i haco01 ! -o haco01 -j ACCEPT

Start the container with haconiwa

sudo haconiwa run haco1.haco

Once the default route is set inside the container, ping starts working!

root@haco1:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sending packet: Network is unreachable
root@haco1:/# ip route show
172.200.0.0/24 dev eth101  proto kernel  scope link  src 172.200.0.11 
root@haco1:/# ip route add default via 172.200.0.10 
root@haco1:/# ip route show
default via 172.200.0.10 dev eth101 
172.200.0.0/24 dev eth101  proto kernel  scope link  src 172.200.0.11 
root@haco1:/# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=25.163 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=21.974 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=50.066 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=56 time=23.321 ms
^C--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 21.974/30.131/50.066/11.565 ms

Mystery: even after leaving the container, everything somehow stays mounted…

root@haco1:/# exit
Container successfullly exited: #<Process::Status: pid=21599,exited(0)>
tsuyoshi@mira% mount | grep haco
nsfs on /run/netns/haco001 type nsfs (rw)
nsfs on /run/netns/haco001 type nsfs (rw)
proc on /var/lib/haconiwa/6af10602/proc type proc (rw,relatime)
devtmpfs on /var/lib/haconiwa/6af10602/dev type devtmpfs (rw,relatime,size=4014456k,nr_inodes=1003614,mode=755)
sysfs on /var/lib/haconiwa/6af10602/sys type sysfs (rw,relatime)
tmpfs on /var/lib/haconiwa/6af10602/tmp type tmpfs (rw,relatime)
tmpfs on /var/lib/haconiwa/6af10602/tmp type tmpfs (rw,relatime)
proc on /var/lib/haconiwa/6af10602/proc type proc (rw,relatime)
sysfs on /var/lib/haconiwa/6af10602/sys type sysfs (rw,relatime)
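An added helper script (mine, not from the gist or from haconiwa) that ties the iptables step and the leftover-mount mystery above together: it extracts the real veth name from `ip a show` output (the `@if9` suffix that `ip` prints is the peer's ifindex, not part of the name), prints the NAT rules with that name, and counts the haconiwa rootfs and netns mounts that survive a container exit so stacked duplicates stand out. The function names are my own and the `mount` sample is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example, not part of the original gist or of haconiwa.
# Helpers for the veth/netns workflow described above.

# Real interface name from the first line of `ip a show dev X` output.
# `ip` prints a veth as "haco01@if9": "@if9" is the peer's ifindex and
# is not part of the name, so iptables -i/-o must be given "haco01".
iface_name() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*: \([^:@ ]*\)\(@[^:]*\)*:.*/\1/p'
}

# NAT rules for the container subnet, built from the cleaned interface name.
# $1 = host-side veth, $2 = container subnet. Forwarding additionally needs
# net.ipv4.ip_forward=1 on the host.
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' "$2" "$1"
    printf 'iptables -t filter -A FORWARD -i %s ! -o %s -j ACCEPT\n' "$1" "$1"
}

# Read `mount` output on stdin and print "<count> <mountpoint> <fstype>" for
# every haconiwa rootfs or netns mount. A count above 1 means the same path
# was mounted again by a later run while the earlier mount was never undone.
leftover_mounts() {
    awk '$3 ~ /^\/(var\/lib\/haconiwa|run\/netns)\// { n[$3 " " $5]++ }
         END { for (k in n) print n[k], k }' | sort -k2
}

# Constructed sample, mirroring the `mount | grep haco` listing above.
SAMPLE_MOUNT='nsfs on /run/netns/haco001 type nsfs (rw)
nsfs on /run/netns/haco001 type nsfs (rw)
proc on /var/lib/haconiwa/6af10602/proc type proc (rw,relatime)
devtmpfs on /var/lib/haconiwa/6af10602/dev type devtmpfs (rw,relatime)
sysfs on /var/lib/haconiwa/6af10602/sys type sysfs (rw,relatime)
tmpfs on /var/lib/haconiwa/6af10602/tmp type tmpfs (rw,relatime)
tmpfs on /var/lib/haconiwa/6af10602/tmp type tmpfs (rw,relatime)
proc on /var/lib/haconiwa/6af10602/proc type proc (rw,relatime)
sysfs on /var/lib/haconiwa/6af10602/sys type sysfs (rw,relatime)'

# Demo: run as `sh script.sh demo`; nothing here touches the host.
if [ "${1:-}" = demo ]; then
    name=$(iface_name '10: haco01@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500')
    nat_rules "$name" 172.200.0.0/24
    printf '%s\n' "$SAMPLE_MOUNT" | leftover_mounts
fi
```

Every mountpoint reported with a count of 2 is one that `haconiwa run` mounted again on top of the copy left by the previous run, which is why the listing grows each time.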
haco1.haco (final version):

# -*- mode: ruby -*-
Haconiwa.define do |config|
  # The container name and container's hostname:
  config.name = "haco1"

  # The first process when invoking haconiwa run:
  config.init_command = "/bin/bash"
  # If your first process is a daemon, please explicitly daemonize by:
  # config.daemonize!

  # The rootfs location on your host OS
  # Pathname class is useful:
  root = Pathname.new("/var/lib/haconiwa/6af10602")
  config.chroot_to root

  # The bootstrap process...
  # Choose lxc or debootstrap:
  config.bootstrap do |b|
    # b.strategy = "lxc"
    # b.os_type  = "alpine"

    b.strategy = "debootstrap"
    b.variant = "minbase"
    b.debian_release = "jessie"
  end
  # Check that the required binary is installed(lxc-create / debootstrap)

  # The provisioning process...
  # You can declare run_shell step by step:
  config.provision do |p|
    p.run_shell <<-SHELL
apt-get update
apt-get install -y --no-install-recommends bash iproute2 inetutils-ping
    SHELL
  end

  # mount point configuration:
  config.add_mount_point "tmpfs", to: root.join("tmp"), fs: "tmpfs"
  # more mount point configuration example:
  # config.add_mount_point root, to: root, readonly: true
  # config.add_mount_point "/lib64", to: root.join("lib64"), readonly: true

  # Re-mount specific filesystems under new container namespace
  # These are recommended when namespaces such as pid and net are unshared:
  config.mount_independent "procfs"
  config.mount_independent "sysfs"
  # config.mount_independent "devtmpfs"
  # config.mount_independent "devpts"
  # config.mount_independent "shm"

  # The namespaces to unshare:
  config.namespace.unshare "mount"
  config.namespace.unshare "ipc"
  config.namespace.unshare "uts"
  config.namespace.unshare "pid"

  # You can use existing namespace via symlink file. e.g.:
  config.namespace.enter "net", via: "/run/netns/haco001"

  # The cgroup configuration example:
  # config.cgroup["cpu.cfs_period_us"] = 100000
  # config.cgroup["cpu.cfs_quota_us"] = 30000

  # The linux capability blacklist
  # These are useful when you run container as root:
  # config.capabilities.drop "cap_sys_time"
  # config.capabilities.drop "cap_kill"
  # When you use whitelist capability, set:
  # config.capabilities.allow "cap_sys_admin"

  # Specify uid/gid who owns container process:
  # config.uid = "vagrant"
  # config.gid = "vagrant"

  # The resource limit:
  # config.resource.set_limit(:CPU, 10 * 60)
  # config.resource.set_limit(:NOFILE, 30)

  # More examples and informations, please visit:
  # https://github.com/haconiwa/haconiwa/tree/master/sample
  # Enjoy your own container!
end