Docker - Virtual bridge

1-Container network modes

When creating a container, the --network option (alias --net) selects the container's network type (mode):

  • None --- no network configuration is done for the container; it has only a loopback interface inside its own namespace and cannot reach the outside.
  • Container --- the container joins another container's network stack (--network container:<name>), sharing its IP address, port range and loopback interface, so the two can collide on ports and talk to each other over localhost.
  • Host --- the container shares the host's network namespace (see section 4); there is no network isolation at all.
  • Bridge --- the default mode. The container gets its own network namespace and reaches the outside through the host via NAT and port mapping (iptables rules). The bridge lives on the host and is normally called docker0.

Custom networks
By default a container's IP address is allocated dynamically and may change each time the container is started.
To pin a container to a fixed address with the --ip option you first have to create a user-defined network (docker network create --subnet ...); Docker rejects --ip on the default bridge.

After installation Docker creates three built-in networks. docker network ls lists them, and docker network inspect shows the details of one.

[root@CentOS-7 ~]# docker network ls
NETWORK ID          NAME                DRIVER
08b080b94bcf        bridge              bridge              
cff410b272fe        none                null                
e818cf59d997        host                host                
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "08b080b94bcf5b8a651f27f6954d094eb6c41a200c969a8f80beb0b155655bd9",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16"
                }
            ]
        },
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        }
    }
]
[root@CentOS-7 ~]# 
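The checks Docker applies to a fixed-IP request (user-defined network only, address inside the subnet, not the gateway, not already allocated) can be run against docker network inspect output before the container is started. The following is an added example, not code from the original post: the "bridge" entry in the sample is the page's default bridge trimmed to the fields used, the "appnet" network, the "db" container and the image/container names are constructed for the example.

```python
"""Plan a static-IP container on a user-defined network, checking the
constraints Docker enforces: --ip is only honoured on user-defined
networks, and the address must lie inside the network's subnet and not
collide with the gateway or an address already in use.

Added example, not code from the original post. NETWORKS_JSON is in the
shape returned by `docker network inspect`; "bridge" is the page's default
bridge (trimmed), "appnet" is constructed.
"""
import ipaddress
import json

# Constructed sample: output of `docker network inspect bridge appnet`.
NETWORKS_JSON = r'''
[
  {
    "Name": "bridge",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
    "Containers": {
      "7fb2253c9741": {"Name": "test-network", "IPv4Address": "172.17.0.2/16"}
    },
    "Options": {"com.docker.network.bridge.default_bridge": "true"}
  },
  {
    "Name": "appnet",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "10.10.0.0/24", "Gateway": "10.10.0.1"}]},
    "Containers": {
      "a1b2c3d4e5f6": {"Name": "db", "IPv4Address": "10.10.0.10/24"}
    },
    "Options": {}
  }
]
'''


def load_networks(text):
    """Index `docker network inspect` output by network name."""
    return {net["Name"]: net for net in json.loads(text)}


def is_user_defined(net):
    """Docker marks the default bridge with the default_bridge option."""
    opts = net.get("Options") or {}
    return opts.get("com.docker.network.bridge.default_bridge") != "true"


def used_addresses(net):
    """Addresses already allocated on the network: gateway plus endpoints."""
    used = set()
    for cfg in net["IPAM"]["Config"]:
        if cfg.get("Gateway"):
            used.add(ipaddress.ip_address(cfg["Gateway"]))
    for ep in (net.get("Containers") or {}).values():
        used.add(ipaddress.ip_interface(ep["IPv4Address"]).ip)
    return used


def check_static_ip(net, ip):
    """Return None if Docker would accept --ip <ip> on this network,
    otherwise the reason the request would be rejected."""
    if not is_user_defined(net):
        return "--ip is only supported on user-defined networks"
    addr = ipaddress.ip_address(ip)
    subnets = [ipaddress.ip_network(c["Subnet"]) for c in net["IPAM"]["Config"]]
    if not any(addr in s for s in subnets):
        return "%s is outside %s" % (ip, ", ".join(str(s) for s in subnets))
    if addr in used_addresses(net):
        return "%s is already allocated on %s" % (ip, net["Name"])
    return None


def plan_static_ip(networks, net_name, ip, image, name):
    """argv for `docker run` with a fixed address, or ValueError."""
    reason = check_static_ip(networks[net_name], ip)
    if reason:
        raise ValueError(reason)
    return ["docker", "run", "-d", "--name", name,
            "--network", net_name, "--ip", ip, image]


def network_create_argv(name, subnet, gateway):
    """argv that creates a user-defined bridge with a fixed subnet,
    after checking that the gateway belongs to that subnet."""
    net = ipaddress.ip_network(subnet)
    if ipaddress.ip_address(gateway) not in net:
        raise ValueError("gateway %s not in %s" % (gateway, subnet))
    return ["docker", "network", "create", "--driver", "bridge",
            "--subnet", str(net), "--gateway", gateway, name]


if __name__ == "__main__":
    nets = load_networks(NETWORKS_JSON)
    print(" ".join(network_create_argv("appnet", "10.10.0.0/24", "10.10.0.1")))
    print(" ".join(plan_static_ip(nets, "appnet", "10.10.0.20", "nginx", "web")))
    for net_name, ip in [("bridge", "172.17.0.50"), ("appnet", "10.10.0.1"),
                         ("appnet", "10.10.1.5"), ("appnet", "10.10.0.10")]:
        print("rejected %s on %s: %s" % (ip, net_name, check_static_ip(nets[net_name], ip)))
```

The generated argv is what you would run after `docker network inspect appnet` on a real host; the point of validating first is that Docker only reports the collision at `docker run` time, after the container has been created.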

2-Virtual bridge

bridge mode is Docker's default network configuration: each container gets its own network namespace, its own IP address, and so on.
When the Docker daemon starts it automatically creates the virtual bridge docker0 on the host and gives it an address from an unused private range (the daemon walks a list of candidate private subnets and takes the first one not already routed on the host; here it is 172.17.0.1/16).
docker0 is a Linux kernel bridge, i.e. a software L2 switch: one end of each container's veth pair is attached to it (see the veth interface in the brctl output below), so all containers and the host itself sit on one L2 segment. This shared segment is why, with enable_icc set to true, every container on the default bridge can reach every other one.
docker0's default settings (address, netmask, etc.) can be changed when the daemon starts, for example with the --bip flag or the "bip" key in /etc/docker/daemon.json.

[root@CentOS-7 ~]# ip addr show docker0
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:41:3d:c1:6a brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:41ff:fe3d:c16a/64 scope link 
       valid_lft forever preferred_lft forever
[root@CentOS-7 ~]#
[root@CentOS-7 ~]# brctl show docker0
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242413dc16a	no		veth06f0e1b
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
1d732a1c4f67        bridge              bridge              local               
2e217e480705        host                host                local               
c31d9a1acfc0        none                null                local               
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "1d732a1c4f67d124eebfa1ccc19c299f9e0ed88f5f429f7bc5f4d6c263f9d599",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@CentOS-7 ~]# 

3-The container's default network

Bridge is the default network mode when a container is started.
When a container is created it receives a free address from the bridge subnet and uses docker0's address (172.17.0.1) as its default gateway, which forms a virtual shared network between the host and its containers.
The host can talk to the containers, and the containers can talk to each other.
Outbound traffic leaves through docker0 and is source-NATed (a MASQUERADE rule in the nat table) to the host's address; inbound connections reach a container only through published ports (-p), which Docker implements as DNAT rules in its own DOCKER chain. Note the security-relevant default visible in the inspect output: host_binding_ipv4 is 0.0.0.0, so -p 8080:80 listens on every host interface unless the bind address is given explicitly (-p 127.0.0.1:8080:80). Docker inserts these rules itself, so a host firewall front-end that only manages the INPUT chain (ufw, for example) does not block them.

[root@CentOS-7 ~]# docker run -it -d --name test-network docker.io/ubuntu /bin/bash
7fb2253c974113452a534b0b423e5d62ca45243272f68f6f36726f3b71088816
[root@CentOS-7 ~]#
[root@CentOS7 ~]# ip link show |grep docker0
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT 
7: veth6e8b8d1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT 
[root@CentOS7 ~]# 
[root@CentOS-7 ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "1d732a1c4f67d124eebfa1ccc19c299f9e0ed88f5f429f7bc5f4d6c263f9d599",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Containers": {
            "7fb2253c974113452a534b0b423e5d62ca45243272f68f6f36726f3b71088816": {
                "Name": "test-network",
                "EndpointID": "d434340768b76da42f9d61da848aa197111826c38eaca05886bca17c42123de3",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@CentOS-7 ~]#
[root@CentOS-7 ~]# docker attach test-network 
root@7fb2253c9741:/# 
root@7fb2253c9741:/# export http_proxy="http://10.144.1.10:8080"
root@7fb2253c9741:/# 
root@7fb2253c9741:/# apt-get update
root@7fb2253c9741:/# apt-get install -yqq inetutils-ping
root@7fb2253c9741:/# apt-get install -yqq iproute
root@7fb2253c9741:/# apt-get install -yqq net-tools
root@7fb2253c9741:/# 
root@7fb2253c9741:/# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 02:42:ac:11:00:02  
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10951 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7358 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:26672806 (26.6 MB)  TX bytes:495091 (495.0 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@7fb2253c9741:/# 
root@7fb2253c9741:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
root@7fb2253c9741:/# 
root@7fb2253c9741:/# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1): 56 data bytes
64 bytes from 172.17.0.1: icmp_seq=0 ttl=64 time=0.235 ms
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.254 ms
^C--- 172.17.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.235/0.244/0.254/0.000 ms
root@7fb2253c9741:/# 
root@7fb2253c9741:/# ping www.bing.com
PING a-0001.a-msedge.net (204.79.197.200): 56 data bytes
64 bytes from 204.79.197.200: icmp_seq=0 ttl=108 time=205.742 ms
64 bytes from 204.79.197.200: icmp_seq=1 ttl=108 time=207.676 ms
^C--- a-0001.a-msedge.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 205.742/206.709/207.676/0.967 ms
root@7fb2253c9741:/# [root@CentOS-7 ~]# 
[root@CentOS-7 ~]# 
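What "NAT out, port mapping in" means in concrete rules is easiest to see by reading the nat table Docker maintains. The following is an added example, not code from the original post: the rule text is a constructed iptables-save -t nat excerpt in the shape the daemon produces for the default bridge (subnet 172.17.0.0/16 as on this page) with one port published to all interfaces (-p 8080:80) and one bound to loopback (-p 127.0.0.1:8081:80); the container addresses 172.17.0.3 and the published ports are assumptions, and the parser only understands the options that occur in these rules.

```python
"""Parse the nat rules Docker installs for bridge networking and report
(a) which source range is masqueraded on the way out and (b) which
published ports are reachable from outside the host.

Added example, not from the original post. NAT_RULES is a constructed
`iptables-save -t nat` excerpt in the daemon's rule shape.
"""
import ipaddress
import shlex

NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.3:80
COMMIT
"""

# Options that take a value in the rules above.
VALUE_OPTS = {"-A", "-s", "-d", "-i", "-o", "-p", "-m", "-j",
              "--dport", "--to-destination", "--dst-type"}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into a dict. A negated match such as
    `! -i docker0` is stored under the key with a leading '!'."""
    toks = shlex.split(line)
    rule, i, neg = {}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            neg = True
            i += 1
            continue
        if tok in VALUE_OPTS:
            rule[("!" if neg else "") + tok] = toks[i + 1]
            neg = False
            i += 2
        else:
            i += 1
    return rule


def parse_nat_table(text):
    """All append rules of an iptables-save dump, in order."""
    return [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]


def masqueraded_sources(rules):
    """Source ranges SNATed when leaving via any interface but the bridge:
    this is the rule that lets containers reach the outside."""
    return [r["-s"] for r in rules
            if r.get("-A") == "POSTROUTING" and r.get("-j") == "MASQUERADE"
            and "!-o" in r and "-d" not in r]


def published_ports(rules):
    """Each DNAT rule in the DOCKER chain is one -p mapping. A rule with no
    -d, or a -d outside 127.0.0.0/8, accepts connections arriving on every
    host interface, so the port is reachable from the network."""
    out = []
    for r in rules:
        if r.get("-A") != "DOCKER" or r.get("-j") != "DNAT":
            continue
        dst = r.get("-d")
        loopback_only = (dst is not None and
                         ipaddress.ip_network(dst, strict=False).subnet_of(LOOPBACK))
        out.append({
            "proto": r.get("-p"),
            "host_ip": dst or "0.0.0.0/0",
            "host_port": int(r["--dport"]),
            "target": r["--to-destination"],
            "external": not loopback_only,
        })
    return out


if __name__ == "__main__":
    rules = parse_nat_table(NAT_RULES)
    print("masqueraded:", masqueraded_sources(rules))
    for p in published_ports(rules):
        print("%s:%d/%s -> %s  %s" % (p["host_ip"], p["host_port"], p["proto"],
                                       p["target"], "EXTERNAL" if p["external"] else "loopback only"))
```

On a real host, feed it the output of `iptables-save -t nat` (or `iptables -t nat -S`). The `-A DOCKER -i docker0 -j RETURN` line and the `! -i docker0` match are why a DNAT only applies to traffic arriving from outside the bridge; the per-container `-s X -d X` MASQUERADE rules handle the hairpin case of a container connecting to its own published port.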

4-host mode

Docker uses Linux namespaces for resource isolation.
In the default bridge mode each container normally gets a network namespace of its own.
A container started in host mode, however, gets no separate network namespace: it shares the host's.
The container does not get a virtual NIC or an IP address of its own; it uses the host's addresses and ports directly, as the ip addr output below shows. This has consequences worth keeping in mind: port publishing (-p) has no effect (Docker discards the mappings with a warning), a process in the container can bind any free host port and reach services the host exposes only on localhost, and with CAP_NET_RAW it can capture host traffic. Use host mode only for trusted workloads that actually need it.
For example: docker run -d -ti --network=host centos

[root@anliven ~]# docker run -d -ti --network=host centos
5d9e68b2280b4e8129f3ef6ea301525b8ea4673edcb21a760c446d27d909d615
[root@anliven ~]#
[root@anliven ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
5d9e68b2280b        centos              "/bin/bash"         29 seconds ago      Up 28 seconds                           strange_curie
[root@anliven ~]#
[root@anliven ~]# docker exec 5d9e68b2280b ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a9:38:21 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 81099sec preferred_lft 81099sec
    inet6 fe80::d98c:9835:def1:e78c/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:fd:4e:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.200/24 brd 192.168.56.255 scope global noprefixroute enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::88ff:3d9c:8b12:a290/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:50:56:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:50:56:94 brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:dc:b1:eb:1f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:dcff:feb1:eb1f/64 scope link
       valid_lft forever preferred_lft forever
[root@anliven ~]#
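Because a host-mode container looks like any other in `docker ps`, the network mode is worth checking from docker inspect output rather than by eye. The following is an added example, not code from the original post: the JSON is a constructed, trimmed sample in the shape of `docker inspect` output (only the fields read below are included; the container names and IDs other than the two on this page are assumptions).

```python
"""Audit containers for lost network isolation: host mode (shares the
host's network namespace), container:<id> mode (shares another
container's namespace), and -p mappings that host mode silently ignores.

Added example, not from the original post. INSPECT_JSON is a constructed,
trimmed sample in the shape of `docker inspect <id> ...` output.
"""
import json

INSPECT_JSON = r'''
[
  {"Id": "5d9e68b2280b", "Name": "/strange_curie",
   "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
   "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
  {"Id": "7fb2253c9741", "Name": "/test-network",
   "HostConfig": {"NetworkMode": "default", "PortBindings": {}},
   "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
  {"Id": "0c1d2e3f4a5b", "Name": "/metrics-agent",
   "HostConfig": {"NetworkMode": "host",
                  "PortBindings": {"9100/tcp": [{"HostIp": "", "HostPort": "9100"}]}},
   "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
  {"Id": "9f8e7d6c5b4a", "Name": "/sidecar",
   "HostConfig": {"NetworkMode": "container:7fb2253c9741", "PortBindings": {}},
   "NetworkSettings": {"Networks": {}}},
  {"Id": "1122334455aa", "Name": "/batch",
   "HostConfig": {"NetworkMode": "none", "PortBindings": {}},
   "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}}
]
'''


def network_mode_findings(inspect_text):
    """Return (container name, severity, message) tuples for each container
    whose network mode weakens the per-container namespace that bridge
    mode provides. Bridge, user-defined and none modes produce nothing."""
    findings = []
    for c in json.loads(inspect_text):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig") or {}
        mode = hc.get("NetworkMode") or "default"
        bindings = hc.get("PortBindings") or {}
        if mode == "host":
            findings.append((name, "high",
                             "host network mode: no network namespace; can bind any "
                             "host port and reach host-local services"))
            if bindings:
                findings.append((name, "info",
                                 "-p mappings for %s are ignored in host mode"
                                 % ", ".join(sorted(bindings))))
        elif mode.startswith("container:"):
            findings.append((name, "medium",
                             "shares network namespace with %s (same IP, ports and loopback)"
                             % mode.split(":", 1)[1]))
    return findings


def host_namespace_containers(inspect_text):
    """Names of containers running directly in the host's network namespace."""
    return [f[0] for f in network_mode_findings(inspect_text) if f[1] == "high"]


if __name__ == "__main__":
    for name, severity, msg in network_mode_findings(INSPECT_JSON):
        print("%-8s %-14s %s" % (severity, name, msg))
```

On a live host the same input comes from `docker inspect $(docker ps -q)`; a nonempty result from host_namespace_containers is the list to review first, since those processes are one CAP_NET_ADMIN away from reconfiguring the host's interfaces.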
posted @ 2017-05-03 23:03  Anliven