5.1.14 Network Namespace Support

A network namespace is a logical copy of the network stack of the host system. Network namespaces are useful for setting up containers or virtual environments. Each namespace has its own IP addresses, network interfaces, routing tables, and so forth. The default or global namespace is the one in which the host system's physical interfaces exist.

Namespace-specific address spaces can cause problems when MySQL connections cross namespaces. For example, the network address space of a MySQL instance running in a container or virtual network may differ from that of the host machine. This can produce effects such as a client connection from an address in one namespace appearing to the MySQL server to come from a different address, even when client and server run on the same machine. Suppose that both processes run on a host with IP address 203.0.113.10 but use different namespaces. A connection may produce a result like this:

shell> mysql --user=admin --host=203.0.113.10 --protocol=tcp

mysql> SELECT USER();
+--------------------+
| USER()             |
+--------------------+
| admin@198.51.100.2 |
+--------------------+

In this case, the expected USER() value is admin@203.0.113.10. Such behavior makes it difficult to assign account permissions correctly when the address from which a connection originates is not what it appears to be: the host part of a MySQL account name ('user'@'host') is matched against the address the server observes, not the address the client believes it is using.

To address this issue, MySQL enables specifying the network namespace to use for TCP/IP connections, so that both endpoints of a connection use an agreed-upon common address space.

MySQL 8.0.22 and higher supports network namespaces on platforms that implement them. Within MySQL, support applies to the server side (the addresses on which mysqld listens) and to the client side: the mysql client, the mysqlxtest client, and replication connections from a replica to its source.

The following sections describe how to use network namespaces in MySQL: Host System Prerequisites, MySQL Configuration, and Network Namespace Monitoring.

Host System Prerequisites

Before using network namespace support in MySQL, these host system prerequisites must be satisfied:

  • The host operating system must support network namespaces (for example, Linux).

  • Any network namespace to be used by MySQL must first be created on the host system.

  • Host name resolution must be configured by the system administrator to support network namespaces.

    Note

    A known limitation is that, within MySQL, host name resolution does not work for names specified in namespace-specific hosts files. For example, if the address for a host name in the red namespace is specified in the /etc/netns/red/hosts file, binding to that name fails on both the server and client sides. The workaround is to use the IP address rather than the host name.

  • The system administrator must enable the CAP_SYS_ADMIN operating system capability for the MySQL binaries that support network namespaces (mysqld, mysql, mysqlxtest).

    Important

    Enabling CAP_SYS_ADMIN is a security-sensitive operation because it enables a process to perform many other privileged actions in addition to setting namespaces. For a description of its effects, see https://man7.org/linux/man-pages/man7/capabilities.7.html. In practice CAP_SYS_ADMIN is close to root-equivalent, and a file capability is granted to any user who can execute the file (subject to the process's capability bounding set and to the file system not being mounted nosuid). Restrict execute permission on the capability-bearing binaries, particularly the mysql client, to the users who actually need namespace support.

    Because CAP_SYS_ADMIN must be enabled explicitly by the system administrator, MySQL binaries by default do not have network namespace support enabled. The system administrator should evaluate the security implications of running MySQL processes with CAP_SYS_ADMIN before enabling it.

The instructions in the following example set up network namespaces named red and blue. The names you choose may differ, as may the network addresses and interfaces on your host system.

Invoke the commands shown here either as the root operating system user or by prefixing each command with sudo. For example, to invoke the ip or setcap command if you are not root, use sudo ip or sudo setcap.

To configure network namespaces, use the ip command. For some operations, the ip command must execute within a particular namespace (which must already exist). In such cases, begin the command like this:

ip netns exec namespace_name

For example, this command executes within the red namespace to bring up the loopback interface:

ip netns exec red ip link set lo up

To add namespaces named red and blue, each with its own virtual Ethernet (veth) pair linking it to the global namespace and its own loopback interface:

ip netns add red
ip link add veth-red type veth peer name vpeer-red
ip link set vpeer-red netns red
ip addr add 192.0.2.1/24 dev veth-red
ip link set veth-red up
ip netns exec red ip addr add 192.0.2.2/24 dev vpeer-red
ip netns exec red ip link set vpeer-red up
ip netns exec red ip link set lo up

ip netns add blue
ip link add veth-blue type veth peer name vpeer-blue
ip link set vpeer-blue netns blue
ip addr add 198.51.100.1/24 dev veth-blue
ip link set veth-blue up
ip netns exec blue ip addr add 198.51.100.2/24 dev vpeer-blue
ip netns exec blue ip link set vpeer-blue up
ip netns exec blue ip link set lo up

# if you want to enable inter-subnet routing...
sysctl net.ipv4.ip_forward=1
ip netns exec red ip route add default via 192.0.2.1
ip netns exec blue ip route add default via 198.51.100.1

A diagram of the links between namespaces looks like this:

red              global           blue

192.0.2.2   <=>  192.0.2.1
(vpeer-red)      (veth-red)

                 198.51.100.1 <=> 198.51.100.2
                 (veth-blue)      (vpeer-blue)

To check which namespaces and links exist:

ip netns list
ip link list

To see the routing tables for the global and named namespaces:

ip route show
ip netns exec red ip route show
ip netns exec blue ip route show

To remove the red and blue links and namespaces (and to turn forwarding back off if you enabled it):

ip link del veth-red
ip link del veth-blue

ip netns del red
ip netns del blue

sysctl net.ipv4.ip_forward=0
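The red and blue setup above, generalized into a reusable script that can be re-run safely. This is an added example and not part of the MySQL manual. It assumes the file is saved as ns-setup.sh, that DRY_RUN=1 is a switch of this script (not of ip) that prints the ip commands instead of executing them so a non-root user can preview them, and it deliberately leaves net.ipv4.ip_forward alone: that sysctl is host-wide and turns the host into a router between every namespace and its physical interfaces, which is a separate decision from creating the namespaces.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: idempotent setup and teardown of
# veth-linked network namespaces, generalizing the red/blue commands above.
# Assumption: DRY_RUN=1 (a switch of this script, not of ip) prints the ip
# commands instead of executing them, so a non-root user can preview them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ns_exists NAME: true if ip-netns already knows the namespace.
ns_exists() {
    [ -e "/var/run/netns/$1" ]
}

# ns_up NAME HOST_ADDR NS_ADDR PREFIXLEN
# Creates namespace NAME and a veth pair veth-NAME (global side) <->
# vpeer-NAME (namespace side), assigns the addresses and brings up the
# namespace loopback. Re-running skips an existing namespace instead of
# failing with "RTNETLINK answers: File exists".
ns_up() {
    name=$1 host_addr=$2 ns_addr=$3 plen=$4
    if [ "$DRY_RUN" != "1" ] && ns_exists "$name"; then
        echo "namespace $name already exists, skipping" >&2
        return 0
    fi
    run ip netns add "$name"
    run ip link add "veth-$name" type veth peer name "vpeer-$name"
    run ip link set "vpeer-$name" netns "$name"
    run ip addr add "$host_addr/$plen" dev "veth-$name"
    run ip link set "veth-$name" up
    run ip netns exec "$name" ip addr add "$ns_addr/$plen" dev "vpeer-$name"
    run ip netns exec "$name" ip link set "vpeer-$name" up
    run ip netns exec "$name" ip link set lo up
}

# ns_down NAME: deleting the global side of the veth pair removes the peer
# as well; then the (now empty) namespace is deleted.
ns_down() {
    name=$1
    run ip link del "veth-$name"
    run ip netns del "$name"
}

# net.ipv4.ip_forward is intentionally not touched: it is host-wide and makes
# the host route between all namespaces and its physical interfaces.
#
# Runs only when invoked directly as ns-setup.sh (not when sourced).
if [ "${0##*/}" = "ns-setup.sh" ]; then
    case "${1:-up}" in
        up)   ns_up red  192.0.2.1    192.0.2.2    24
              ns_up blue 198.51.100.1 198.51.100.2 24 ;;
        down) ns_down red
              ns_down blue ;;
        *)    echo "usage: $0 [up|down]" >&2; exit 2 ;;
    esac
fi
```

Run `sudo sh ns-setup.sh up` to create both namespaces and `sudo sh ns-setup.sh down` to remove them; `DRY_RUN=1 sh ns-setup.sh up` prints the eight ip commands per namespace without touching the host.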

So that the MySQL binaries that include network namespace support can actually use namespaces, you must grant them the CAP_SYS_ADMIN capability. The following setcap commands assume that you have changed location to the directory containing your MySQL binaries (adjust the path name for your system as necessary):

cd /usr/local/mysql/bin

To grant the CAP_SYS_ADMIN capability to the appropriate binaries:

setcap cap_sys_admin+ep ./mysqld
setcap cap_sys_admin+ep ./mysql
setcap cap_sys_admin+ep ./mysqlxtest

To check the CAP_SYS_ADMIN capability:

shell> getcap ./mysqld ./mysql ./mysqlxtest
./mysqld = cap_sys_admin+ep
./mysql = cap_sys_admin+ep
./mysqlxtest = cap_sys_admin+ep

To remove the CAP_SYS_ADMIN capability:

setcap -r ./mysqld
setcap -r ./mysql
setcap -r ./mysqlxtest

Important

If you reinstall binaries to which you have previously applied setcap, you must use setcap again. For example, if you perform an in-place MySQL upgrade, failure to grant the CAP_SYS_ADMIN capability again results in namespace-related failures. The server fails with this error for attempts to bind to an address in a named namespace:

[ERROR] [MY-013408] [Server] setns() failed with error 'Operation not permitted'

A client invoked with the --network-namespace option fails like this:

ERROR: Network namespace error: Operation not permitted
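An audit script for the capability step, added here and not part of the MySQL manual. It checks that each of the three binaries still carries cap_sys_admin+ep, which catches the in-place-upgrade case above before mysqld fails with MY-013408. It assumes getcap is on PATH and a MYSQL_BIN default of /usr/local/mysql/bin (both overridable), accepts both the older `path = cap+ep` and the newer `path cap=ep` output forms of getcap, and additionally warns when a capability-bearing binary is executable by every local user, since a file capability applies to whoever runs the file.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: audit the file capabilities on the
# binaries the manual names, so that an in-place upgrade that silently dropped
# cap_sys_admin is caught before mysqld fails with MY-013408.
# Assumptions: getcap is on PATH; MYSQL_BIN defaults to /usr/local/mysql/bin.
set -eu

MYSQL_BIN="${MYSQL_BIN:-/usr/local/mysql/bin}"
NS_BINARIES="mysqld mysql mysqlxtest"

# has_sys_admin GETCAP_LINE: true if one line of getcap output grants
# cap_sys_admin in both the effective and permitted sets (the "+ep" the
# manual requires). Both output dialects are handled:
#   ./mysqld = cap_sys_admin+ep      (older libcap)
#   ./mysqld cap_sys_admin=ep        (newer libcap)
has_sys_admin() {
    case $1 in
        *" = "*) caps=${1#* = } ;;
        *)       caps=${1#* } ;;
    esac
    for clause in $caps; do
        case $clause in *-*) continue ;; esac      # "-" clears flags
        names=${clause%%+*}
        names=${names%%=*}
        case $clause in
            *+*) flags=${clause#*+} ;;
            *)   flags=${clause#*=} ;;
        esac
        [ "$names" != "$clause" ] || continue      # no operator: not a clause
        case ",$names," in
            *,cap_sys_admin,*|*,all,*|",,") ;;     # empty names means "all"
            *) continue ;;
        esac
        case $flags in
            *e*p*|*p*e*) return 0 ;;
        esac
    done
    return 1
}

# world_executable PATH: true if "other" has execute permission, i.e. every
# local user who runs the file gets its capabilities in that process.
world_executable() {
    case $(ls -ld "$1") in
        ?????????[xst]*) return 0 ;;
    esac
    return 1
}

# audit_caps DIR: report each namespace-aware binary in DIR. Returns 1 if
# any of them lacks cap_sys_admin+ep.
audit_caps() {
    dir=$1 rc=0
    for b in $NS_BINARIES; do
        f="$dir/$b"
        line=$(getcap "$f" 2>/dev/null || true)
        if [ -n "$line" ] && has_sys_admin "$line"; then
            echo "ok       $f"
            if world_executable "$f"; then
                echo "warning  $f is executable by all users; the capability" \
                     "applies to whoever runs it (consider chmod o-x and a group)"
            fi
        else
            echo "MISSING  $f  (fix: setcap cap_sys_admin+ep $f)"
            rc=1
        fi
    done
    return $rc
}

# Runs only when invoked directly as capaudit.sh (not when sourced).
if [ "${0##*/}" = "capaudit.sh" ]; then
    audit_caps "$MYSQL_BIN"
fi
```

Run it as `sh capaudit.sh` after every package upgrade; a non-zero exit means at least one binary needs setcap again.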

MySQL Configuration

Assuming that the preceding host system prerequisites have been satisfied, MySQL enables configuring the server-side namespace for the listening (inbound) side of connections and the client-side namespace for the outbound side of connections.

On the server side, the bind_address, admin_address, and mysqlx_bind_address system variables have extended syntax for specifying the network namespace to use for a given IP address or host name on which to listen for incoming connections. To specify a namespace for an address, append a slash and the namespace name. For example, a server my.cnf file might contain these lines (the red namespace address is 192.0.2.2 for all three variables, as set up under Host System Prerequisites; the three variables use different ports):

[mysqld]
bind_address = 127.0.0.1,192.0.2.2/red,198.51.100.2/blue
admin_address = 192.0.2.2/red
mysqlx_bind_address = 192.0.2.2/red

These rules apply:

  • A network namespace can be specified for an IP address or a host name.

  • A network namespace cannot be specified for a wildcard IP address.

  • For a given address, the network namespace is optional. If given, it must be specified as a /ns suffix immediately following the address.

  • An address with no /ns suffix uses the host system global namespace. The global namespace is therefore the default.

  • An address with a /ns suffix uses the namespace named ns.

  • The host system must support network namespaces, and each named namespace must already have been set up. Naming a nonexistent namespace produces an error.

  • bind_address and (as of MySQL 8.0.21) mysqlx_bind_address accept a comma-separated list of addresses; the list can contain addresses in the global namespace, in named namespaces, or a mix of both.

If an error occurs during server startup for an attempt to use a namespace, the server does not start. If errors occur for X Plugin during plugin initialization such that it is unable to bind to any address, the plugin fails its initialization sequence and the server does not load it.
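A pre-start check of option-file values against the rules above, added here and not part of the MySQL manual; since a bad value keeps the server from starting, it is worth running before a restart. It assumes namespaces registered with ip netns appear as entries under /var/run/netns (the NETNS_DIR default, overridable), treats `*`, 0.0.0.0 and :: as the wildcard addresses, and assumes admin_address takes a single address while bind_address and mysqlx_bind_address take comma-separated lists, as stated above. The script file name ns-config-check.sh is also an assumption.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: validate bind_address-style values
# against the namespace rules before (re)starting the server.
# Assumptions: namespaces registered with "ip netns" appear under NETNS_DIR
# (default /var/run/netns); "*", 0.0.0.0 and :: are the wildcard addresses;
# admin_address takes a single address while bind_address and
# mysqlx_bind_address take comma-separated lists.
set -eu

NETNS_DIR="${NETNS_DIR:-/var/run/netns}"

# check_bind_address VARNAME VALUE: print one line per problem found in
# VALUE; return 0 when the value is acceptable.
check_bind_address() {
    varname=$1 value=$2 problems=0 count=0
    oldifs=$IFS
    IFS=,
    set -f                  # no globbing: "*" is a wildcard address, not a file
    set -- $value           # split on commas only
    set +f
    IFS=$oldifs
    for entry in "$@"; do
        count=$((count + 1))
        case $entry in
            */)  echo "$varname: empty namespace name in '$entry'"; problems=1; continue ;;
            */*) addr=${entry%/*} ns=${entry##*/} ;;
            *)   addr=$entry ns="" ;;
        esac
        if [ -z "$addr" ]; then
            echo "$varname: empty address in '$entry'"; problems=1; continue
        fi
        [ -n "$ns" ] || continue        # global namespace: nothing else to check
        case $addr in
            '*'|0.0.0.0|::)
                echo "$varname: a namespace cannot be given for wildcard address '$addr'"
                problems=1 ;;
        esac
        if [ ! -e "$NETNS_DIR/$ns" ]; then
            echo "$varname: namespace '$ns' does not exist (ip netns add $ns)"
            problems=1
        fi
    done
    if [ "$varname" = "admin_address" ] && [ "$count" -gt 1 ]; then
        echo "$varname: accepts a single address, got $count"
        problems=1
    fi
    return $problems
}

# check_my_cnf FILE: validate every bind_address, admin_address and
# mysqlx_bind_address line of an option file (dashes and underscores are both
# accepted in option names). Returns 1 if any value is rejected.
check_my_cnf() {
    file=$1 rc=0
    lines=$(sed -nE 's/^[[:space:]]*(bind[-_]address|admin[-_]address|mysqlx[-_]bind[-_]address)[[:space:]]*=[[:space:]]*([^[:space:]#]*).*$/\1 \2/p' "$file")
    while read -r var val; do
        [ -n "$var" ] || continue
        var=$(printf '%s' "$var" | tr '-' '_')
        check_bind_address "$var" "$val" || rc=1
    done <<EOF
$lines
EOF
    return $rc
}

# Runs only when invoked directly as ns-config-check.sh (not when sourced).
if [ "${0##*/}" = "ns-config-check.sh" ]; then
    check_my_cnf "${1:-/etc/my.cnf}"
fi
```

`sh ns-config-check.sh /etc/my.cnf` exits non-zero and names the offending variable when a namespace is missing, is attached to a wildcard, or is left empty after the slash.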

On the client side, a network namespace can be specified in these contexts:

  • For the mysql client and the mysqlxtest test suite client, use the --network-namespace option. For example:

    mysql --host=192.0.2.2 --network-namespace=red

    If the --network-namespace option is omitted, the connection uses the default (global) namespace.

  • For replication connections from replica servers to source servers, use the CHANGE REPLICATION SOURCE TO statement (from MySQL 8.0.23) or the CHANGE MASTER TO statement (before MySQL 8.0.23) and specify the NETWORK_NAMESPACE option. For example:

    CHANGE REPLICATION SOURCE TO
      SOURCE_HOST = '192.0.2.2',
      NETWORK_NAMESPACE = 'red';

    If the NETWORK_NAMESPACE option is omitted, replication connections use the default (global) namespace.

The following example sets up a MySQL server that listens for connections in the global, red, and blue namespaces, and shows how to configure accounts that connect from the red and blue namespaces. It is assumed that the red and blue namespaces have already been created as shown in Host System Prerequisites.

  1. Configure the server to listen on addresses in multiple namespaces. Put these lines in the server my.cnf file and start the server:

    [mysqld]
    bind_address = 127.0.0.1,192.0.2.2/red,198.51.100.2/blue

    The value tells the server to listen on the loopback address 127.0.0.1 in the global namespace, the address 192.0.2.2 in the red namespace, and the address 198.51.100.2 in the blue namespace.

  2. Connect to the server in the global namespace and create accounts that are permitted to connect from the address each named namespace uses. The host part of each account name must be the address as the server observes it; for a client running inside the red or blue namespace that is the namespace's own address (192.0.2.2 or 198.51.100.2), as the USER() output in the next step confirms:

    shell> mysql -u root -h 127.0.0.1 -p
    Enter password: root_password

    mysql> CREATE USER 'red_user'@'192.0.2.2'
           IDENTIFIED BY 'red_user_password';
    mysql> CREATE USER 'blue_user'@'198.51.100.2'
           IDENTIFIED BY 'blue_user_password';

  3. Verify that you can connect to the server in each named namespace:

    shell> mysql -u red_user -h 192.0.2.2 --network-namespace=red -p
    Enter password: red_user_password

    mysql> SELECT USER();
    +--------------------+
    | USER()             |
    +--------------------+
    | red_user@192.0.2.2 |
    +--------------------+

    shell> mysql -u blue_user -h 198.51.100.2 --network-namespace=blue -p
    Enter password: blue_user_password

    mysql> SELECT USER();
    +------------------------+
    | USER()                 |
    +------------------------+
    | blue_user@198.51.100.2 |
    +------------------------+

    Note

    You might see different results from USER(): it can return a value that includes a host name rather than an IP address if your DNS can resolve the address to the corresponding host name and the server is not run with the skip_name_resolve system variable enabled.

    You might also try invoking mysql without the --network-namespace option to see whether the connection attempt succeeds and, if so, how the USER() value is affected.

Network Namespace Monitoring

For replication monitoring purposes, these information sources have a column that displays the applicable network namespace for connections: