Docker Network Management -- Network Creation and Communication
I. Network drivers

Docker can create a virtual interface for a container and forward its traffic through the host's interface to the outside world. Alternatively, a container can do without its own virtual interface and share the host's interface directly, occupying the host's IP address and ports. Docker's network drivers are pluggable; the following are available by default:

1. bridge: the default driver. If no driver is specified when a network is created, it is a bridge network. Use it when your application runs as standalone containers on a single host. Containers attached to the same bridge network can communicate with each other; containers on different bridge networks cannot reach each other directly (the daemon enforces this with iptables, see the DOCKER-ISOLATION chains in section 2 below).

2. overlay: connects several Docker daemons together so that swarm services can communicate with each other, a swarm service can talk to a standalone container, or standalone containers on different daemons can talk to each other. This is the usual choice for cluster deployments.

3. host: removes the network isolation between the container and the host. The container uses the host's interfaces and ports directly, as if the application were running on the host itself; the other namespaces (storage, PID, user) remain isolated. Note that a host-mode container can bind any host port and, with the CAP_NET_RAW capability Docker grants by default, capture traffic on the host's interfaces, so reserve it for workloads that genuinely need it. Host-mode networking for swarm services requires Docker 17.06 or later.

4. macvlan: assigns a MAC address to each container so that it appears as a physical device on your network; the daemon routes traffic to containers by MAC address. This is the best choice when containers must be attached directly to the physical network rather than routed through the host's network stack. Bear in mind that there is then no NAT and no host firewall in front of the container.

5. none: disables all networking for the container. Usually used together with a custom network driver. none is not available for swarm services.

6. Other (network plugins): third-party network plugins can be installed and used with Docker.

The driver is chosen with the -d option of docker network create (bridge, macvlan, overlay, ...); the networks present by default are listed with docker network ls:

[root@localhost7C ~]# docker network create -d <driver> <network-name>
[root@localhost7C ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
796c38ad861b        bridge              bridge              local
00e08763c06a        host                host                local
0bf2813ea139        none                null                local

Use cases

Which mode to use in which situation:

1. Several containers on the same Docker host need to communicate: a user-defined bridge network is the best choice.
2. The container's network stack should not be isolated from the host, but other aspects of the container (cgroups, filesystem) should be: host mode.
3. Containers running on different Docker daemons need to communicate, or several applications work together as swarm services: overlay.
4. You are migrating from a VM setup or need containers to look like physical hosts on the network, each with its own MAC address: macvlan.
5. None of the above fits: look for a third-party network plugin to integrate.

Example: create a user-defined network based on the bridge driver. Docker creates a Linux bridge named br-<network id> for it, assigns the gateway address to that bridge and adds a host route for the subnet (docker0 on this host is 10.100.0.1/24 because its daemon's bip was changed, see section 3 below):

[root@localhost7C ~]# docker network create -d bridge --subnet 172.27.0.0/16 --gateway 172.27.0.1 zzhz
b3a5712a5391eff8db290b25893e88a496432d54c63df050efb05c44ccbf938f
[root@localhost7C ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
796c38ad861b        bridge              bridge              local
00e08763c06a        host                host                local
0bf2813ea139        none                null                local
b3a5712a5391        zzhz                bridge              local
[root@localhost7C ~]# ip a
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:cd:40:f8:77 brd ff:ff:ff:ff:ff:ff
    inet 10.100.0.1/24 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:cdff:fe40:f877/64 scope link
       valid_lft forever preferred_lft forever
21: br-b3a5712a5391: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:ac:d8:d7:4a brd ff:ff:ff:ff:ff:ff
    inet 172.27.0.1/16 scope global br-b3a5712a5391
       valid_lft forever preferred_lft forever
[root@localhost7C ~]# brctl show
bridge name         bridge id           STP enabled   interfaces
br-b3a5712a5391     8000.0242acd8d74a   no
docker0             8000.0242cd40f877   no
virbr0              8000.525400fbc09b   yes           virbr0-nic
[root@localhost7C ~]# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.2    0.0.0.0         UG    100    0        0 eth0
10.100.0.0      0.0.0.0         255.255.255.0   U     0      0        0 docker0
172.27.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-b3a5712a5391
[root@localhost7C ~]# docker run -it -d --name centosA --network zzhz centos-base:v1
[root@localhost7C ~]# docker exec -it centosA bash
[root@833c8730e36d /]# ip a
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:1b:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.27.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe1b:2/64 scope link
       valid_lft forever preferred_lft forever

The container's eth0 (interface index 22) is one end of a veth pair; its peer, index 23, sits on br-b3a5712a5391 on the host, and the container received the first free address after the gateway, 172.27.0.2.
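The driver a container ends up on is the first thing to check when reviewing a host, because host mode and shared namespaces silently remove the isolation described above. The following is an added example, not code from the original page: it reads the JSON that `docker inspect` prints and reports, per container, whether it shares the host network namespace, shares another container's namespace, uses a legacy --link (which also hands the linked container's environment variables to the new one), or publishes a port on every host address. The sample input is constructed to mirror this page's lab (network zzhz, containers centosA and centosC); the web-host, db and sidecar containers and their IDs are invented for illustration.

```python
"""Audit container network exposure from `docker inspect` output (added example)."""
import json
import sys

# Constructed sample in the shape `docker inspect` emits (unrelated fields trimmed).
SAMPLE_INSPECT = json.dumps([
    {"Id": "833c8730e36d", "Name": "/centosA",
     "HostConfig": {"NetworkMode": "zzhz", "PortBindings": {}, "Links": None},
     "NetworkSettings": {"Networks": {"zzhz": {"IPAddress": "172.27.0.2"}}}},
    {"Id": "7583cf048ef8", "Name": "/centosC",
     "HostConfig": {"NetworkMode": "default", "PortBindings": {},
                    "Links": ["/centosA:/centosC/centosA"]},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Id": "aaaa1111bbbb", "Name": "/web-host",
     "HostConfig": {"NetworkMode": "host", "PortBindings": {}, "Links": None},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Id": "cccc2222dddd", "Name": "/db",
     "HostConfig": {"NetworkMode": "bridge", "Links": None,
                    "PortBindings": {"3306/tcp": [{"HostIp": "", "HostPort": "3306"}]}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.4"}}}},
    {"Id": "eeee3333ffff", "Name": "/sidecar",
     "HostConfig": {"NetworkMode": "container:cccc2222dddd", "PortBindings": {}, "Links": None},
     "NetworkSettings": {"Networks": {}}},
])


def audit_networks(inspect_json):
    """Return {container name: (severity, finding)}; severity is HIGH, MEDIUM or INFO."""
    report = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig", {})
        mode = hc.get("NetworkMode", "default")
        nets = c.get("NetworkSettings", {}).get("Networks") or {}

        if mode == "host":
            # No network namespace of its own: it can bind any host port and,
            # with the default CAP_NET_RAW, read traffic on the host's interfaces.
            report[name] = ("HIGH", "shares the host network namespace (--network host)")
            continue
        if mode.startswith("container:"):
            report[name] = ("MEDIUM", "shares the network namespace of container " + mode.split(":", 1)[1])
            continue
        if mode == "none":
            report[name] = ("INFO", "no networking (--network none)")
            continue

        notes = []
        # Legacy --link: besides the /etc/hosts entry, the linked container's
        # environment variables are copied into this one.
        for link in hc.get("Links") or []:
            notes.append("legacy --link to %s (its environment variables are exposed here)"
                         % link.split(":")[0].lstrip("/"))
        # A published port with an empty or wildcard HostIp listens on every host address.
        for port, binds in (hc.get("PortBindings") or {}).items():
            if any(b.get("HostIp", "") in ("", "0.0.0.0", "::") for b in binds):
                notes.append("publishes %s on all host addresses" % port)
        attached = ", ".join("%s=%s" % (n, v.get("IPAddress")) for n, v in nets.items())
        severity = "MEDIUM" if notes else "INFO"
        report[name] = (severity, "; ".join(notes + ["attached to " + attached]))
    return report


if __name__ == "__main__":
    # `docker inspect $(docker ps -q) | python3 this_script.py` audits the live host;
    # without piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, (sev, msg) in sorted(audit_networks(text).items()):
        print("%-6s %-9s %s" % (sev, name, msg))
```

Severity here is a judgement, not a Docker concept: host mode is rated above the others because it hands the container the whole host network stack, while a shared container namespace, a legacy link or a wildcard port binding each widens exposure in a narrower way.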
II. Network communication
1. Communication and linking between containers

Containers on the same host can reach each other by a name you choose. For example, a business frontend serves static pages from nginx and dynamic pages from tomcat. When a container starts, its internal IP address is handed out dynamically by Docker's IPAM (the daemon assigns the next free address in the network's subnet; it is not DHCP), so it may change after a restart, whereas a container name is stable. Name-based addressing is therefore the right fit for internal access.

Problem solved: container IPs are not fixed.

[root@localhost7B ~]# docker run -it -d --name centosA centos-base:v1 bash
f98aa064f560972755d2024104395d94648936e877164fa1a37b96fe77671914
[root@localhost7B ~]# docker exec -it centosA bash
[root@f98aa064f560 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 656 (656.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@f98aa064f560 /]# cat /etc/hosts
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
172.17.0.2  f98aa064f560

# Start a second container linked to centosA
[root@localhost7B ~]# docker run -it -d --name centosC --link centosA centos-base:v1 bash
7583cf048ef8030dc697e3b1e1eac0e13e3757cce381acaf7561588c8172fd7f
[root@localhost7B ~]# docker exec -it centosC bash
[root@7583cf048ef8 /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.214 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.045 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.045/0.129/0.214/0.085 ms
[root@7583cf048ef8 /]# cat /etc/hosts
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
fe00::0     ip6-localnet
ff00::0     ip6-mcastprefix
ff02::1     ip6-allnodes
ff02::2     ip6-allrouters
172.17.0.2  centosA f98aa064f560
172.17.0.3  7583cf048ef8
[root@7583cf048ef8 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.3  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:03  txqueuelen 0  (Ethernet)
        RX packets 12  bytes 936 (936.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 280 (280.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@7583cf048ef8 /]# ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (101.91.42.232) 56(84) bytes of data.
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=1 ttl=127 time=11.8 ms
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=2 ttl=127 time=11.6 ms

--link wrote centosA into the new container's /etc/hosts (172.17.0.2 centosA f98aa064f560), so centosC can address it by name. --link is a legacy feature of the default bridge network, and it does more than add a hosts entry: the linked container's environment variables (anything set with -e or ENV, which often includes credentials) are copied into the new container as well. On a user-defined network such as zzhz above, Docker's embedded DNS resolves container names without --link, which is the recommended approach.
2. Communication on the same host

(a) Containers of the same network type on the same host. Bridge-mode containers can reach the host and, through it, the outside network.

# Install a service on another physical host
[root@localhost7A ~]# yum install nginx
[root@localhost7A ~]# echo 192.168.80.100 > /usr/share/nginx/html/index.html
[root@localhost7A ~]# systemctl start nginx.service

# Run a container on the bridge network on the Docker host
[root@localhost7B ~]# docker run -it -d --name centosA --network bridge centos-base:v1
92dc6a928cb96c6dfe25e105415e85ce52db0ba976613c3d7400f6777ba72578
[root@localhost7B ~]# docker exec -it centosA bash
[root@92dc6a928cb9 /]# ip a
204: eth0@if205: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@92dc6a928cb9 /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.138 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.049 ms

# Run a second container on the bridge network
[root@localhost7B ~]# docker run -it -d --name centosB --network bridge centos-base:v1
9fc9f973b8c11f08d6fe8d3ac3bae47080be67a722ebd01fb5cb36e39b7db5b2
[root@localhost7B ~]# docker exec -it centosB bash
[root@9fc9f973b8c1 /]# ip a
206: eth0@if207: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

# Test: the two containers reach each other, and the container reaches the nginx host
[root@9fc9f973b8c1 /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.064 ms
[root@9fc9f973b8c1 /]# curl 192.168.80.100
192.168.80.100

--------------------------------------------------------------

(b) Containers on different networks (different network names) on the same host

# Create two networks, each with its own subnet
[root@localhost7B ~]# docker network create -d bridge --subnet 10.100.0.0/16 --gateway 10.100.0.1 AAAA
d940641ff2e2cdddb92d99e0376116a92d729b1fedb10d48acc189fca0f2f9ca
[root@localhost7B ~]# docker network create -d bridge --subnet 172.27.0.0/16 --gateway 172.27.0.1 BBBB
efd6f5041a54161390745cfa0fca1dd5292125cc774fc0583d5819a7e187ca8c
[root@localhost7B ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
d940641ff2e2        AAAA                bridge              local
efd6f5041a54        BBBB                bridge              local
dadcee624d9f        bridge              bridge              local
c3a3c664c940        host                host                local
7dd7ae01904e        none                null                local

# Inspect the host's interfaces
[root@localhost7B ~]# ifconfig
br-d940641ff2e2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.100.0.1  netmask 255.255.0.0  broadcast 10.100.255.255
        inet6 fe80::42:47ff:fe51:d929  prefixlen 64  scopeid 0x20<link>
        ether 02:42:47:51:d9:29  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
br-efd6f5041a54: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.27.0.1  netmask 255.255.0.0  broadcast 172.27.255.255
        inet6 fe80::42:7bff:fee0:add5  prefixlen 64  scopeid 0x20<link>
        ether 02:42:7b:e0:ad:d5  txqueuelen 0  (Ethernet)
        RX packets 1109  bytes 106616 (104.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 78  bytes 6228 (6.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# Inspect the bridges and the veth interfaces attached to them
[root@localhost7B ~]# brctl show
bridge name         bridge id           STP enabled   interfaces
br-d940641ff2e2     8000.02424751d929   no            vethaee927d
br-efd6f5041a54     8000.02427be0add5   no            veth4f5b3e9
                                                      veth5e8cbf8
docker0             8000.0242f1d70496   no
virbr0              8000.525400ecdab8   yes           virbr0-nic

# Create the containers
[root@localhost7B ~]# docker run -it -d --name centosA --network AAAA centos-base:v1 bash
89b91f8ae4310fac0ffa797e47cba153369bff122c76bb1d6ac7df54bd0137c9
[root@localhost7B ~]# docker exec -it centosA bash
[root@89b91f8ae431 /]# ip a
211: eth0@if212: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0a:64:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.100.0.2/16 brd 10.100.255.255 scope global eth0
       valid_lft forever preferred_lft forever

[root@localhost7B ~]# docker run -it -d --name centosB --network BBBB centos-base:v1 bash
1592786ecfc7272e86d6c37a3bb3f9b8d618654bc0ac8b5a505dc019a5f43785
[root@localhost7B ~]# docker exec -it centosB bash
[root@1592786ecfc7 /]# ip a
213: eth0@if214: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:1b:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.27.0.2/16 brd 172.27.255.255 scope global eth0
       valid_lft forever preferred_lft forever

[root@localhost7B ~]# docker run -it -d --name centosC --network BBBB centos-base:v1 bash
[root@574a608904fa /]# ip a
215: eth0@if216: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:1b:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.27.0.3/16 brd 172.27.255.255 scope global eth0
       valid_lft forever preferred_lft forever

# Test: containers on the same network reach each other; containers on different networks do not, even though both networks use the bridge driver. External access works from either.
[root@574a608904fa /]# ping 172.27.0.2
PING 172.27.0.2 (172.27.0.2) 56(84) bytes of data.
64 bytes from 172.27.0.2: icmp_seq=1 ttl=64 time=24.4 ms
64 bytes from 172.27.0.2: icmp_seq=2 ttl=64 time=0.050 ms
64 bytes from 172.27.0.2: icmp_seq=3 ttl=64 time=0.050 ms
[root@574a608904fa /]# curl 192.168.80.100
[root@574a608904fa /]# ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (101.91.42.232) 56(84) bytes of data.
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=1 ttl=127 time=11.6 ms
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=2 ttl=127 time=11.5 ms

# Not reachable: the container on the other network
[root@574a608904fa /]# ping 10.100.0.2
PING 10.100.0.2 (10.100.0.2) 56(84) bytes of data.
^C

Why: the daemon isolates its bridge networks from one another with the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains of the filter table. A packet that enters on one bridge and would leave on a different interface is handed to STAGE-2, which drops it if that interface is another Docker bridge. The counters show traffic from br-efd6f5041a54 being handed to STAGE-2:

[root@localhost7B ~]# iptables -vnL
.....
.....
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target                     prot opt in                out                source               destination
    5   420 DOCKER-ISOLATION-STAGE-2   all  --  br-efd6f5041a54   !br-efd6f5041a54   0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2   all  --  br-d940641ff2e2   !br-d940641ff2e2   0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2   all  --  docker0           !docker0           0.0.0.0/0            0.0.0.0/0
    0     0 RETURN                     all  --  *                 *                  0.0.0.0/0            0.0.0.0/0

Workaround used here: remove the STAGE-1 hand-off for the two networks from the saved rule set and reload it

[root@localhost7B ~]# iptables-save
[root@localhost7B ~]# iptables-save > iptables.rule
[root@localhost7B ~]# vim iptables.rule
......
......
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
# the next two rules are commented out (a leading # marks a comment for iptables-restore)
#-A DOCKER-ISOLATION-STAGE-1 -i br-efd6f5041a54 ! -o br-efd6f5041a54 -j DOCKER-ISOLATION-STAGE-2
#-A DOCKER-ISOLATION-STAGE-1 -i br-d940641ff2e2 ! -o br-d940641ff2e2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
[root@localhost7B ~]# iptables-restore < iptables.rule

# Test from inside the container: now reachable
[root@localhost7B ~]# docker exec -it centosB bash
[root@574a608904fa /]# ping 10.100.0.2
PING 10.100.0.2 (10.100.0.2) 56(84) bytes of data.
64 bytes from 10.100.0.2: icmp_seq=1 ttl=63 time=0.055 ms
64 bytes from 10.100.0.2: icmp_seq=2 ttl=63 time=0.056 ms
64 bytes from 10.100.0.2: icmp_seq=3 ttl=63 time=0.057 ms

The TTL is now 63 rather than 64: the packet was routed by the host kernel from br-efd6f5041a54 to br-d940641ff2e2. Two caveats. This edit removes the isolation between AAAA and BBBB for every container on both networks, not only the two that need to talk, and it does not survive a daemon restart, which recreates the DOCKER-ISOLATION chains. If one container needs to reach another network, the supported way is to attach it to that network as well (docker network connect AAAA centosB), which keeps the remaining containers isolated; if you do need host-level exceptions, put them in the DOCKER-USER chain, which Docker evaluates before its own rules and leaves untouched.
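A check for the state this edit leaves behind, as an added example that is not part of the original page: it parses iptables-save output and reports Docker-managed bridges whose isolation is incomplete (a STAGE-1 hand-off or STAGE-2 DROP missing) and ACCEPT rules in FORWARD or DOCKER-USER whose source is wider than a single host. The input is a constructed sample that matches the bridge names on localhost7B with the two STAGE-1 rules removed as above, plus the blanket -s 192.168.80.0/24 rule that section 3 below adds; the script name in the usage comment is an assumption.

```python
"""Check that Docker's bridge isolation is intact in iptables-save output (added example)."""
import re
import sys

# Constructed sample of iptables-save output for localhost7B after the two
# STAGE-1 rules were commented out, plus the blanket ACCEPT from section 3.
SAMPLE_IPTABLES_SAVE = """\
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-efd6f5041a54 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-efd6f5041a54 -j DOCKER
-A FORWARD -i br-efd6f5041a54 ! -o br-efd6f5041a54 -j ACCEPT
-A FORWARD -i br-efd6f5041a54 -o br-efd6f5041a54 -j ACCEPT
-A FORWARD -o br-d940641ff2e2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-d940641ff2e2 -j DOCKER
-A FORWARD -i br-d940641ff2e2 ! -o br-d940641ff2e2 -j ACCEPT
-A FORWARD -i br-d940641ff2e2 -o br-d940641ff2e2 -j ACCEPT
-A FORWARD -s 192.168.80.0/24 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-efd6f5041a54 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d940641ff2e2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_filter_rules(text):
    """Return [(chain, rule arguments)] for the *filter table; other tables are skipped."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter":
            m = RULE_RE.match(line)
            if m:
                rules.append((m.group(1), m.group(2)))
    return rules


def docker_bridges(rules):
    """Docker adds `-A FORWARD -o <bridge> -j DOCKER` for every bridge it manages."""
    return sorted({a.split()[1] for c, a in rules
                   if c == "FORWARD" and a.startswith("-o ") and a.endswith("-j DOCKER")})


def audit_isolation(text):
    rules = parse_filter_rules(text)
    bridges = docker_bridges(rules)

    # Isolation needs both halves: STAGE-1 hands traffic entering from a bridge to
    # STAGE-2, and STAGE-2 drops it if it would leave on another Docker bridge.
    stage1 = {a.split()[1] for c, a in rules
              if c == "DOCKER-ISOLATION-STAGE-1" and a.startswith("-i ")}
    stage2 = {a.split()[1] for c, a in rules
              if c == "DOCKER-ISOLATION-STAGE-2" and a.startswith("-o ") and a.endswith("-j DROP")}
    unisolated = [b for b in bridges if b not in stage1 or b not in stage2]

    #  Docker's own ACCEPTs (replies, bridge egress, intra-bridge) are expected; any
    # other ACCEPT with no -s, or an -s wider than /32, opens containers to that range.
    own = set()
    for b in bridges:
        own.add("-o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" % b)
        own.add("-i %s ! -o %s -j ACCEPT" % (b, b))
        own.add("-i %s -o %s -j ACCEPT" % (b, b))
    broad = []
    for c, a in rules:
        if c not in ("FORWARD", "DOCKER-USER") or not a.endswith("-j ACCEPT") or a in own:
            continue
        m = re.search(r"(?:^| )-s (\S+)", a)
        if m is None:
            prefix = 0
        else:
            src = m.group(1)
            prefix = int(src.split("/")[1]) if "/" in src else 32
        if prefix < 32:
            broad.append((c, a))
    return {"bridges": bridges, "unisolated": unisolated, "broad_accepts": broad}


if __name__ == "__main__":
    # `iptables-save | python3 audit_isolation.py` audits the live rule set;
    # without piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    result = audit_isolation(text)
    print("docker bridges:       %s" % ", ".join(result["bridges"]))
    print("isolation incomplete: %s" % (", ".join(result["unisolated"]) or "none"))
    for chain, rule in result["broad_accepts"]:
        print("broad ACCEPT in %s: %s" % (chain, rule))
```

The bridge list is derived from Docker's own `-o <bridge> -j DOCKER` rules rather than from interface names, so a bridge whose isolation rules were deleted entirely still shows up as unisolated instead of disappearing from the report.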
3. Communication between containers on different hosts

By default every Docker host hands out addresses from the same bridge subnet, 172.17.0.0/16, so containers on different hosts get duplicate IP addresses and cannot reach each other. One host can run several network modes (bridge, host and so on) at the same time. With several hosts, the container subnet of each host must be changed so that the subnets do not overlap before the containers can communicate.

localhost7B  192.168.80.110  container subnet: 172.17.0.0/16
localhost7C  192.168.80.120  container subnet: 10.100.0.0/24

# Change the default bridge address on localhost7C and restart the Docker daemon.
# The file must be valid JSON: a trailing comma after the last key stops dockerd from starting.
[root@localhost7C ~]# cat /etc/docker/daemon.json
{
  "bip": "10.100.0.1/24"
}

# Host IP and routing information on localhost7B
[root@localhost7B ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:f1ff:fed7:496  prefixlen 64  scopeid 0x20<link>
        ether 02:42:f1:d7:04:96  txqueuelen 0  (Ethernet)
        RX packets 256630  bytes 10327647 (9.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 390337  bytes 303390504 (289.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.110  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 fe80::de87:2dd4:969e:491e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:81:5d:42  txqueuelen 1000  (Ethernet)
        RX packets 1662403  bytes 1356328786 (1.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1132122  bytes 1638302559 (1.5 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost7B ~]# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.2    0.0.0.0         UG    100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.80.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
[root@localhost7B ~]# docker run -it -d --name centosBB --network bridge centos-base:v1
62e5459ec0893322a9a66aee91beb2550f14c7c9757a28fb3082c14c14913304
[root@localhost7B ~]# docker exec -it centosBB bash
[root@62e5459ec089 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 656 (656.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@62e5459ec089 /]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

# Host network and routing information on localhost7C after the bridge change
[root@localhost7C ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.100.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:cdff:fe40:f877  prefixlen 64  scopeid 0x20<link>
        ether 02:42:cd:40:f8:77  txqueuelen 0  (Ethernet)
        RX packets 10709  bytes 446373 (435.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15230  bytes 26260116 (25.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.80.120  netmask 255.255.255.0  broadcast 192.168.80.255
        inet6 fe80::7cd:a65c:16d4:ff57  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a2:14:02  txqueuelen 1000  (Ethernet)
        RX packets 1095894  bytes 1029481316 (981.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 128831  bytes 10661668 (10.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@localhost7C ~]# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.2    0.0.0.0         UG    100    0        0 eth0
10.100.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.80.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
[root@localhost7C ~]# docker run -it -d --name centosCC --network bridge centos-base:v1
ddf282697c2a905311a639dc0b63f41fb6106cb7763c640f412fe817ed1b7846
[root@localhost7C ~]# docker exec -it centosCC bash
[root@ddf282697c2a /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.100.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:aff:fe64:2  prefixlen 64  scopeid 0x20<link>
        ether 02:42:0a:64:00:02  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 656 (656.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
[root@ddf282697c2a /]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.100.0.1      0.0.0.0         UG    0      0        0 eth0
10.100.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

# Test: not reachable
[root@ddf282697c2a /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.

# On each host, add a static route for the other host's container subnet with the other host's IP as gateway, and an iptables FORWARD rule
[root@localhost7B ~]# route add -net 10.100.0.0/24 gw 192.168.80.120
[root@localhost7B ~]# iptables -A FORWARD -s 192.168.80.0/24 -j ACCEPT

[root@localhost7C ~]# route add -net 172.17.0.0/16 gw 192.168.80.110
[root@localhost7C ~]# iptables -A FORWARD -s 192.168.80.0/24 -j ACCEPT

# Test: reachable
[root@localhost7C ~]# docker exec -it centosCC bash
[root@ddf282697c2a /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=62 time=0.370 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=62 time=0.381 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=62 time=0.401 ms
64 bytes from 172.17.0.2: icmp_seq=4 ttl=62 time=0.413 ms
64 bytes from 172.17.0.2: icmp_seq=5 ttl=62 time=1.15 ms

# Capture on host B to observe the traffic
[root@localhost7B ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:33:16.862295 IP 192.168.80.120 > 172.17.0.2: ICMP echo request, id 39, seq 1, length 64
15:33:16.862401 IP 172.17.0.2 > 192.168.80.120: ICMP echo reply, id 39, seq 1, length 64

Two things to read from this capture. The TTL of 62 shows the packet was forwarded by both hosts. And the echo request arrives from 192.168.80.120, not from 10.100.0.2: the MASQUERADE rule Docker installs on localhost7C rewrites the container's source address to the host's as the packet leaves eth0, so localhost7B's static route is only used for connections that localhost7B or its own containers initiate. The FORWARD rule is needed because Docker sets the FORWARD chain's policy to DROP, and a new connection to a container port that has not been published would otherwise be dropped. As written, -s 192.168.80.0/24 -j ACCEPT lets every machine on the LAN reach every port of every container on the host, bypassing the published-port model. Restrict it to the peer host and the local container subnet and place it in the DOCKER-USER chain, which Docker evaluates before its own rules and does not rewrite on restart, for example on localhost7B: iptables -I DOCKER-USER -s 192.168.80.120 -d 172.17.0.0/16 -j ACCEPT. Note also that neither route add nor iptables -A persists across a reboot.
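The two steps of this section, pick non-overlapping container subnets and then add a route plus a forwarding exception on every host, generalise to any number of hosts. The following is an added example, not code from the original page: given each host's address and the bip from its daemon.json, it verifies that no two container subnets overlap (the reason localhost7C is moved to 10.100.0.0/24 above) and emits, per host, the static route and a DOCKER-USER rule that admits forwarding only from each peer host to the local container subnet, in place of the blanket -s 192.168.80.0/24 FORWARD rule. The inventory is constructed from this page's lab; `ip route add` is used where the page used `route add -net`, and the hostnames are only labels for the output.

```python
"""Plan non-overlapping container subnets and least-privilege peering rules (added example)."""
import ipaddress

# Constructed inventory: (hostname, host IP, "bip" exactly as written in daemon.json).
HOSTS = [
    ("localhost7B", "192.168.80.110", "172.17.0.1/16"),
    ("localhost7C", "192.168.80.120", "10.100.0.1/24"),
]


def container_net(bip):
    """Turn a bip such as 10.100.0.1/24 into its network, 10.100.0.0/24."""
    return ipaddress.ip_network(bip, strict=False)


def overlapping_subnets(hosts):
    """Return [(host_a, host_b, net_a, net_b)] for every pair whose container subnets overlap."""
    clashes = []
    for i, (host_a, _, bip_a) in enumerate(hosts):
        for host_b, _, bip_b in hosts[i + 1:]:
            net_a, net_b = container_net(bip_a), container_net(bip_b)
            if net_a.overlaps(net_b):
                clashes.append((host_a, host_b, str(net_a), str(net_b)))
    return clashes


def peering_commands(hosts):
    """Map hostname -> commands to run as root on that host.

    The route sends traffic for a peer's container subnet to the peer host. The
    ACCEPT goes into DOCKER-USER, which Docker evaluates before its own FORWARD
    rules (policy DROP) and does not rewrite on restart. The source is the peer
    host's address, not its container subnet, because the peer daemon's
    MASQUERADE rule rewrites container egress to the host IP, as the tcpdump
    capture above shows.
    """
    clashes = overlapping_subnets(hosts)
    if clashes:
        raise ValueError("container subnets overlap: %r" % clashes)
    plan = {}
    for host, _, bip in hosts:
        local = container_net(bip)
        cmds = []
        for peer, peer_ip, peer_bip in hosts:
            if peer == host:
                continue
            cmds.append("ip route add %s via %s" % (container_net(peer_bip), peer_ip))
            cmds.append("iptables -I DOCKER-USER -s %s -d %s -j ACCEPT" % (peer_ip, local))
        plan[host] = cmds
    return plan


if __name__ == "__main__":
    for host, cmds in peering_commands(HOSTS).items():
        print("# on %s" % host)
        for cmd in cmds:
            print(cmd)
```

Keeping the inventory in bip form means the same value can be pasted from daemon.json without first working out the network address; the overlap check is what catches the page's original problem, two hosts both left on 172.17.0.0/16, before any rule is written.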