Tip:
netshoot;nc;conntrack;物理机的广播在pod转换成了点播
1、netshoot 其实就是一个装满了各种工具的镜像。https://blog.csdn.net/weixin_54750412/article/details/119935062
2、To troubleshoot these issues, netshoot includes a set of powerful tools as recommended by this diagram。
3、待诊断的pod:fdp2以NodePort方式运行在节点k8s-node03,在主机k8s-node03的网络名称空间上启动容器:
[root@k8s-node03 ~]# kubectl run tmp-shell --rm -i --tty --overrides='{"spec": {"hostNetwork": true}}' --image nicolaka/netshoot -- /bin/bash
If you don't see a command prompt, try pressing enter.
bash-5.1#--overrides='{"spec": {"hostNetwork": true}}'意思是使用宿主机网络,具体哪台宿主机要看这个 Pod 调度到哪个节点。- -- /bin/bash
--这是 bash 的内置命令选项,是标志命令的结束的意思,举个例子:如果我想要在文件里用grep搜索-v字符串,grep -v filename中-v会被视为选项,但我如果使用grep -- -v filename那么就可以正常搜索了。
4、服务svc-fdp2在主机k8s-node03以NodePort方式暴露的端口为6357
[root@k8s-master01 ~]# k get svc -owide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
svc-fdp2 NodePort 10.102.160.33 <none> 6157:6157/UDP,6099:6099/UDP,6357:6357/UDP 5d21h app=pod-fdp25、在ens4上捕获tcp port 6357的数据,这里是168.192.11.51.6357不是需要的168.192.11.64的。
bash-5.1# tcpdump -i ens4 port 6357 -c 1 -Xvv
tcpdump: listening on ens4, link-type EN10MB (Ethernet), snapshot length 262144 bytes
02:06:28.669348 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 904)
168.192.11.51.6357 > 168.192.11.255.6059: [udp sum ok] UDP, length 876
0x0000: 4500 0388 0000 4000 4011 ceb2 a8c0 0b33 E.....@.@......3
0x0010: a8c0 0bff 18d5 17ab 0374 3a16 036c 000b .........t:..l..
0x0020: 019d 9bff 3b00 0001 01ff 1888 c261 9402 ....;........a..
0x0030: 0200 0104 4c69 6e75 7820 5665 7273 696f ....Linux.Versio
0x0040: 6e20 2331 2053 4d50 2053 756e 204e 6f76 n.#1.SMP.Sun.Nov
0x0050: 2031 3020 3232 3a31 393a 3534 2045 5354 .10.22:19:54.EST
0x0060: 2032 3031 332e 322e 362e 3332 2d34 3331 .2013.2.6.32-431
0x0070: 2e65 6c36 2520 8003 c047 009e 2e47 0070 .el6%....G...G.p6、UDP抓包测试:
在pod-A上开启UDP监听:(在本机上tcpdump不到数据)
[root@k8s-node03 ~]# k exec -ti netshoot-5cb9f8b654-78htm -- bash //172.16.135.157
bash-5.1# nc -ulp 8888在pod-B上卡其客户端读取UDP端口:
[root@k8s-node03 ~]# k exec -ti fdp-netshoot-dp-f48d75dc-rqzr6 -c netshoot -- bash //172.16.135.135
bash-5.1# nc -u 172.16.135.157 8888在pod-A上eth0抓包OK。
bash-5.1# tcpdump -i eth0 port 8888 -Xvv //172.16.135.157
01:10:17.698964 IP (tos 0x0, ttl 64, id 49138, offset 0, flags [DF], proto UDP (17), length 34)
172.16.135.157.8888 > 172.16.32.128.36143: [bad udp cksum 0x005e -> 0x11ca!] UDP, length 6在pod-A上开启UDP监听,并在pod-A上开启客户端,在客户端首次输入内容后,可以tcpdump到双向传输数据;
另测试不开启监听,只开启客户端,在客户端首次输入内容后,也可以tcpdump到数据
[root@k8s-node03 ~]# k exec -ti netshoot-5cb9f8b654-78htm -- bash //172.16.135.157
bash-5.1# nc -u 172.16.135.157 8888
bash-5.1# tcpdump -i lo port 8888 -Xvv -nn
03:08:25.112681 IP (tos 0x0, ttl 64, id 62832, offset 0, flags [DF], proto UDP (17), length 35)
172.16.135.157.44209 > 172.16.135.157.8888: [bad udp cksum 0x677c -> 0x8cd8!] UDP, length 7
0x0000: 4500 0023 f570 4000 4011 ddfd ac10 879d E..#.p@.@.......
0x0010: ac10 879d acb1 22b8 000f 677c 6466 6764 ......"...g|dfgd
0x0020: 6667 0a fg.7、测试FDP-2镜像,镜像中mca.linux的UDP服务端6357输出到了环回lo接口,没有到eth0接口?
[root@k8s-node03 ~]# k exec -ti fdp-netshoot-dp-f48d75dc-rqzr6 -c netshoot -- bash
bash-5.1# netstat -anup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 172.16.135.135:6099 0.0.0.0:* -
udp 0 0 0.0.0.0:6157 0.0.0.0:* -
udp 0 0 172.16.135.135:6357 0.0.0.0:* -
//udp 0 0 168.192.11.63:6357 0.0.0.0:* 2170/./mca.linux FDP-1(IP63)的主机信息
bash-5.1# tcpdump -i eth0 port 6357 -Xvv -nn //eth0接口没有信息
bash-5.1# tcpdump -i lo port 6357 -Xvv -nn //lo本地环回接口有信息,
06:46:26.450440 IP (tos 0x0, ttl 64, id 18952, offset 0, flags [DF], proto UDP (17), length 904)
172.16.135.135.6357 > 172.16.135.135.6059: [bad udp cksum 0x6ab5 -> 0x3fff!] UDP, length 876
0x0000: 4500 0388 4a08 4000 4011 862d ac10 8787 E...J.@.@..-....
0x0010: ac10 8787 18d5 17ab 0374 6ab5 036c 000b .........tj..l..
0x0020: be9d 54ff 3b00 0001 01ff c26c c561 5cdf ..T.;......l.a\.
0x0030: 0600 be04 4c69 6e75 7820 5665 7273 696f ....Linux.Versio
0x0040: 6e20 2331 2053 4d50 2054 7565 204e 6f76 n.#1.SMP.Tue.Nov
0x0050: 2031 3620 3134 3a34 323a 3335 2055 5443 .16.14:42:35.UTC
0x0060: 2032 3032 312e 342e 3138 2e30 2d33 3438 .2021.4.18.0-348
0x0070: 2e32 2e31 0120 80ee 8b47 0054 3e47 00da .2.1.....G.T>G..
//从另一台物理主机[或pod](k8s-master01:tunl0@NONE:172.16.32.128)udp客户端连接172.16.135.135 6357后,
//tcpdump在eth0接口可以抓到UDP客户端发出的内容,但是没有UDP服务端mca输出的信息,mca输出怎么到eth0?
[root@k8s-master01 ~]# nc -u 172.16.135.135 6357
test 135:6357
bash-5.1# tcpdump -i eth0 port 6357 -Xvv -nn
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:43:30.717862 IP (tos 0x0, ttl 63, id 39950, offset 0, flags [DF], proto UDP (17), length 42)
172.16.32.128.52960 > 172.16.135.135.6357: [udp sum ok] UDP, length 14
0x0000: 4500 002a 9c0e 4000 3f11 9f8c ac10 2080 E..*..@.?.......
0x0010: ac10 8787 cee0 18d5 0016 382e 7465 7374 ..........8.test
0x0020: 2031 3335 3a36 3335 370a .135:6357.8、pod里面的进程例如从UDP 服务端口6357输出信息,走的是calico的网卡,在pod里面抓包抓127.0.0.1(lo)的,在宿主机需要抓CNI插件的网卡(calib5ccb194323),是从本地回环地址出去的。
[root@k8s-node03 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.135.135 0.0.0.0 255.255.255.255 UH 0 0 0 calib5ccb194323
172.16.135.157 0.0.0.0 255.255.255.255 UH 0 0 0 cali5bcce71417a9、使用物理主机168.192.11.63(FDP-1)测试
FDP1物理主机MCA.LINUX的UDP单向广播输出:168.192.11.63.6357 > 168.192.11.255.6059
[root@FDP-1 ~]# tcpdump -i bond0 -Xvv -nn 'src 168.192.11.63 and udp port 6357'
tcpdump: listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:13:22.876623 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 904)
168.192.11.63.6357 > 168.192.11.255.6059: [bad udp cksum b318!] UDP, length 876
0x0000: 4500 0388 0000 4000 4011 cea6 a8c0 0b3f E.....@.@......?
0x0010: a8c0 0bff 18d5 17ab 0374 6c44 036c 000b .........tlD.l..
0x0020: 0d9d 6bff 3b00 0001 01ff 3270 c661 3c60 ..k.;.....2p.a<`
0x0030: 0d00 0d04 4c69 6e75 7820 5665 7273 696f ....Linux.Versio
[root@k8s-node03 ~]# conntrack -L -p udp --src 168.192.11.63 --sport 6357 --dport 6059
udp 17 29 src=168.192.11.63 dst=168.192.11.255 sport=6357 dport=6059 [UNREPLIED] src=168.192.11.255 dst=168.192.11.63 sport=6059 dport=6357 mark=0 use=1使用UDP客户端在WINDOWS主机上接收数据:(168.192.11.63.6357 > 168.192.11.255.6059)广播
使用UDP客户端工具nc在linux主机上接收数据:(168.192.11.63.6357 > 168.192.11.255.6059)广播
[root@SMPC ~]# nc -u -s 168.192.11.255 -p 6059 168.192.11.63 6357
l
Linux Version #1 SMP Sun Nov 10 22:19:54 EST 2013.2.6.32-431.el6)10、使用pod 168.192.11.64(FDP-2)测试,物理机的广播在pod转换成了点播!
在运行fdp2-mca进程的pod上测试:(172.16.135.135.6357 > 172.16.135.135.6059)点播
[root@k8s-node03 ~]# k exec -ti fdp-netshoot-dp-f48d75dc-rqzr6 -c netshoot -- bash
bash-5.1# tcpdump -i lo port 6357 -Xvv -nn
04:49:15.463164 IP (tos 0x0, ttl 64, id 63487, offset 0, flags [DF], proto UDP (17), length 904)
172.16.135.135.6357 > 172.16.135.135.6059: [bad udp cksum 0x6ab5 -> 0x9dc2!] UDP, length 876
bash-5.1# nc -u -s 172.16.135.135 -p 6059 172.16.135.135 6357
l
��$�;�J��a* �Linux Version #1 SMP Tue Nov 16 14:42:35 UTC 2021.4.18.0-348.2.1 ��G�<G在另一个pod上测试:(172.16.135.135.6357 > 172.16.135.135.6059)点播(172.16.135.135.6059替换为172.16.135.157:6059)
bash-5.1# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if52: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1480 qdisc noqueue state UP group default
link/ether 32:ce:78:f0:e0:eb brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.16.135.157/32 brd 172.16.135.157 scope global eth0
valid_lft forever preferred_lft forever
bash-5.1# nc -u -s 172.16.135.157 -p 6059 192.16.135.135 6357
......没有信息11、conntrack命令宿主机使用,pod中条目为空。
bash-5.1# conntrack -D -p UDP --orig-port-dst 6357
conntrack v1.4.6 (conntrack-tools): Operation failed: sorry, you must be root or get CAP_NET_ADMIN capability to do this在kubernetes 里面比较完整定义了 SecurityContext: capabilities: add: ["NET_ADMIN"],需要在pod的yaml中增加如下定义:
- image: nicolaka/netshoot:latest
name: netshoot
securityContext:
privileged: true
capabilities:
add: ["NET_ADMIN"]
//使用该参数,container内的root拥有真正的root权限。否则,container内的root只是外部的一个普通用户权限。
bash-5.1# conntrack -L
conntrack v1.4.6 (conntrack-tools): 0 flow entries have been shown.12、“物理机的广播在pod转换成了点播!”的问题需用hostNetwork解决(——用hostNetwork就不用service了)。
*:hostNetwork走的calico的网卡,即下面加入集群的IP(192.168.31.10)。在宿主机和pod里ifconfig看到的内容一样。假如网卡设置了第二IP(例如168.192.11.64),用不了,只能改变加入集群的IP。一个网卡不推荐配置太多IP。
——192.168.31.10.6357 > 192.168.31.255.6059这里是广播。
# k get po -n kube-system -owide
calico-node-m9nr2 1/1 Running 0 81m 192.168.31.10 k8s-node03
[root@k8s-node03 fdp-2-mca]# k get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
fdp-pod 1/1 Running 0 20m 192.168.31.10 k8s-node03 <none> <none>
[root@k8s-node03 ~]# tcpdump -i ens4 port 6357 -Xvv -nn |grep 192.168.31.10
tcpdump: listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes
192.168.31.10.6357 > 192.168.31.255.6059: [bad udp cksum 0xc3df -> 0xe60a!] UDP, length 876“多播”:好像大部分云都是不支持的
yaml使用hostNetwork时kind是Pod,(Deployment不行),也不能在cni指定IP,因为使用host的IP;也不需要设置ports:
annotations:
cni.projectcalico.org/ipAddrs: "[\"172.16.135.135\"]"
ports:
- name: mca-1
protocol: UDP
port: 6157
targetPort: 6157
nodePort: 6157另外,device.ini需修改:否则pod起不来。
name1=ens4
STATION39=192.168.31.10
