Docker Networking

Understanding docker0

Revisiting the docker rm command

$: docker rm --help
Usage:  docker rm [OPTIONS] CONTAINER [CONTAINER...]
Remove one or more containers
Options:
  -f, --force     Force the removal of a running container (uses SIGKILL)
  -l, --link      Remove the specified link
  -v, --volumes   Remove anonymous volumes associated with the container

Removing all containers and images

Remove all containers and images to get back to a clean initial state:
$ docker rm -f $(docker ps -aq)
$ docker rmi -f $(docker images -aq)
Note: unless you want to reproduce the exact effect shown here, do not delete things casually.

Test: list the host's current network interfaces:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f4:02:70:a0:1d:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.81/23 brd 192.168.1.255 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::74e:fd61:7d1e:9c96/64 scope link 
       valid_lft forever preferred_lft forever
3: eno2d1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether f4:02:70:a0:1d:df brd ff:ff:ff:ff:ff:ff
4: enp137s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether e8:61:1f:10:d4:ce brd ff:ff:ff:ff:ff:ff
5: enp137s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether e8:61:1f:10:d4:cf brd ff:ff:ff:ff:ff:ff
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:32:80:40:30 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:32ff:fe80:4030/64 scope link 
       valid_lft forever preferred_lft forever
  1. lo is the local loopback interface, i.e. 127.0.0.1
  2. eno1: the host's internal (LAN) address
  3. docker0: Docker's own interface, which behaves like a router for containers

Question: how does Docker handle network access for containers?

Pull an image and create a container

$ docker run -d -P --name tomcat01 tomcat

Check the IP address inside the container

After the container starts, it has an interface eth0@if12 with an IP address that Docker assigned to it.

$ docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
$ 

Question: can the Linux host reach the container's network directly, for example with ping?

$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.127 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.069 ms
64 bytes from 172.17.0.2: icmp_seq=4 ttl=64 time=0.073 ms
64 bytes from 172.17.0.2: icmp_seq=5 ttl=64 time=0.088 ms
^C
--- 172.17.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4078ms
rtt min/avg/max/mdev = 0.069/0.085/0.127/0.022 ms

We can ping the container directly from the host!

Principle: addresses on the same subnet can ping each other.

  1. Every time we start a Docker container, Docker assigns it an IP. With only Docker installed, the host has just the docker0 interface. After starting tomcat01, running ip addr on the Linux host shows one additional interface:
$ ip addr
……
12: veth9840e68@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 56:b6:d9:22:88:7c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::54b6:d9ff:fe22:887c/64 scope link 
       valid_lft forever preferred_lft forever
--------------------------------------------------
# The 11 in @if11 is interface 11 inside the container tomcat01; the veth prefix shows it was created by the veth pair mechanism!
  2. Starting a second container, tomcat02, adds another pair of interfaces
$ docker run -d -P --name tomcat02 tomcat
c4917215687a203472e900458c148909f63b93d026c9cfb5a90fc5adf5af4f84
elfin@dell:~$ ip addr
……
12: veth9840e68@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 56:b6:d9:22:88:7c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::54b6:d9ff:fe22:887c/64 scope link 
       valid_lft forever preferred_lft forever
14: veth090500c@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether a2:e3:71:a8:7f:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::a0e3:71ff:fea8:7fc5/64 scope link 
       valid_lft forever preferred_lft forever
---------------------------------------------------
$ docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

Comparing the two listings, we see that interface 14 was allocated automatically. After 12 comes 14? Where is interface 13? Exactly: interface 13 was allocated inside the container tomcat02!
The mechanism that allocates interfaces in pairs like this is the veth pair. A veth pair acts as a bridge: it is a pair of interfaces connected end to end, one end on each side, so that traffic entering one end comes out of the other.

TODO: look into the veth pair mechanism in more detail

Can tomcat01 and tomcat02 ping each other?

$ docker exec -it tomcat02 ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.119 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.058 ms
^C
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 39ms
rtt min/avg/max/mdev = 0.058/0.081/0.119/0.027 ms

The test shows that the two containers can ping each other!
Diagram of how it works:

Conclusion: tomcat01 and tomcat02 share the same router, docker0.
When no network is specified, all containers are routed through docker0, and Docker assigns each container a default available IP. How many IPs are available? 0~255? It should be 255**2-2.
255.255.0.1/16
255.255.0.1/24 range
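The pairing rule described above (a host veth's @ifN names the container-side interface index, and the container's eth0@ifM names the host-side veth index) and the question of how many addresses the docker0 subnet offers, as an added Python example that is not part of the original post: it parses `ip addr` output constructed from the samples on this page, pairs each container with its host veth only when both directions agree, and counts the usable addresses on the bridge's /16. The sample text is constructed and the function names are my own.

```python
import ipaddress
import re

# Constructed sample, trimmed from the page's host-side `ip addr` output.
HOST_IP_ADDR = """\
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
12: veth9840e68@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state UP
14: veth090500c@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state UP
"""
# Constructed sample, trimmed from `docker exec <name> ip addr` for each container.
CONTAINER_IP_ADDR = {
    "tomcat01": "11: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
                "    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0",
    "tomcat02": "13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n"
                "    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0",
}


def parse_ip_addr(text):
    """Parse `ip addr` output into dicts: index, name, peer_index (the @ifN part), master, inet."""
    ifaces = []
    for line in text.splitlines():
        m = re.match(r"^(\d+): ([^:@]+)(?:@if(\d+))?: (.*)$", line)
        if m:
            master = re.search(r"\bmaster (\S+)", m.group(4))
            ifaces.append({"index": int(m.group(1)), "name": m.group(2),
                           "peer_index": int(m.group(3)) if m.group(3) else None,
                           "master": master.group(1) if master else None, "inet": None})
        elif ifaces and line.lstrip().startswith("inet "):
            ifaces[-1]["inet"] = line.split()[1]  # first inet line is the primary address
    return ifaces


def map_containers_to_veths(host_text, container_texts):
    """Pair each container's eth0 with its host veth; the @if indices must match in both directions."""
    host = {i["index"]: i for i in parse_ip_addr(host_text)}
    pairs = {}
    for cname, text in container_texts.items():
        eth0 = next(i for i in parse_ip_addr(text) if i["name"] == "eth0")
        veth = host.get(eth0["peer_index"])
        if veth is None or veth["peer_index"] != eth0["index"]:
            raise ValueError(f"no consistent veth peer for {cname}")
        pairs[cname] = (veth["name"], eth0["inet"], veth["master"])
    return pairs


def usable_hosts(host_text, bridge="docker0"):
    """Assignable addresses on the bridge's subnet (network and broadcast addresses excluded)."""
    cidr = next(i["inet"] for i in parse_ip_addr(host_text) if i["name"] == bridge)
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2
```

Knowing which host veth belongs to which container is what lets you capture or filter a single container's traffic on the host side.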

Summary

Docker uses Linux bridging: on the host, docker0 is the bridge that Docker containers attach to.
Network architecture diagram:

  1. All network interfaces in Docker are virtual, and virtual forwarding is efficient (e.g. for transferring files over the internal network)!
  2. As soon as a container is deleted, its veth pair on the bridge is deleted with it!

Consider a scenario: we have written a microservice whose database URL is ip:port. Without restarting the project, the database's IP changes. We would like to handle this: can we reach containers by name instead of by IP?
Custom networks? --link?

posted @ 2020-09-08 18:51  巴蜀秀才  views (242)  comments (0)