Docker network modes

Docker networking

0. Docker networking

Docker supports five network drivers; as of today, 2019/10/5, this post mainly covers the three commonly used ones.
Official documentation: https://docs.docker.com/network/

  1. bridge
  2. host
  3. overlay
  4. macvlan
  5. none

1. bridge mode (network bridge)

If docker run is given no network parameter, bridge mode is used, which is equivalent to --net=bridge: the newly created container is attached to the default docker0 bridge.

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:84ff:fe40:338d  prefixlen 64  scopeid 0x20<link>
        ether 02:42:84:40:33:8d  txqueuelen 0  (Ethernet)
        RX packets 260371269  bytes 93597700180 (87.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 290671878  bytes 1884108176282 (1.7 TiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker network ls lists the Docker networks; the first one is the bridge network. Three networks are created by default: bridge, host and none:

docker network ls 
NETWORK ID          NAME                DRIVER              SCOPE
f46a424c56c7        bridge              bridge              local
f32b57484090        host                host                local
9090c26d57af        none                null                local

With docker network inspect you can see that this network has one container attached, with the IP 172.17.0.2/16:

docker network inspect f46a424c56c7
[
    {
        "Name": "bridge",
        "Id": "f46a424c56c76c95f50535fac3762000f58e82fb400073ead8fd75354538d90b",
        "Created": "2019-09-18T14:35:14.513136246+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {
            "dba09b79c2de4762174ab473e54fa817773227ddbb5e3753488f21c773179c2d": {
                "Name": "eloquent_spence",
                "EndpointID": "c6b11e0c020bb7af88a8ab5c3323d25ea4003e732e905cb663eeb1f49d40d09e",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

Entering the container confirms it:

 docker exec -it dba09b79c2de bash 
[root@dba09b79c2de work]# ifconfig 
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12361 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93235 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:519908 (507.7 KiB)  TX bytes:6504428 (6.2 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:100 (100.0 b)  TX bytes:100 (100.0 b)

For containers on this bridge to talk to the outside network, IP forwarding must be enabled on the host:

$ sysctl net.ipv4.conf.all.forwarding=1
$ iptables -P FORWARD ACCEPT

Otherwise they cannot reach the outside network (and of course the host itself must be able to communicate with the outside world first).

# sysctl net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.forwarding = 0
[root@ecs-makemirror ~]# docker exec -it dba09b79c2de bash 
[root@dba09b79c2de work]# ping baidu.com
^C

Besides docker network inspect, you can also observe the bridge with the brctl command, but first install it with

 yum install -y bridge-utils

and then run:

brctl show 
bridge name bridge id       STP enabled interfaces
docker0     8000.02428440338d   no      vetha40e077
                                        vethc05faa3

You can see two veth interfaces, both attached to the docker0 bridge, corresponding to the two containers:

# docker ps 
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
2af123b40bc6        nginx               "nginx -g 'daemon ..."   10 minutes ago      Up 10 minutes       0.0.0.0:8888->80/tcp   web
dba09b79c2de        zpmds:20190926      "bash /etc/init.d/..."   8 days ago          Up 8 days                                  eloquent_spence

2. host mode

Shares the network stack with the host, --net=host

docker run -d --name web2 --net=host  -p 9999 nginx

It shares the host network directly. The -p 9999 here has no effect; nginx still listens on port 80!
brctl show shows that no veth was created; the two interfaces are the same as before:

bridge name bridge id       STP enabled interfaces
docker0     8000.02428440338d   no      vetha40e077
                                      vethc05faa3

With network inspect you can see all containers running in host mode:

# docker network inspect f32b57484090
[
    {
        "Name": "host",
        "Id": "f32b57484090f87ea9338f55dc6ee8cb533dc77c2e1d2bed32870262ecd64a70",
        "Created": "2019-03-11T16:59:33.901409627+08:00",
        "Scope": "local",
        "Driver": "host",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Containers": {
            "e87060c76d55d24e560cb79e43beaf671207f71719ab29675deae5bf5162e757": {
                "Name": "vigilant_gates",
                "EndpointID": "780ff7dc6374f213681e21b00822e69230bf2ae492aec354e364711175761455",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

Spinning up a temporary container in host mode for a quick test is quite convenient.

3. none mode

This means not using Docker's networking at all; the network is provided by a third party. k8s, for example, uses this mode! That is why k8s networking is completely different from Docker's: it has flannel, calico and other implementations of a large flat layer-2 network.
The networking implementation inside k8s is fairly complex and is not covered here.

If you inspect the none network, you will see something like this:

# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
cec66c136154        bridge              bridge              local
9ff7d7665fb8        host                host                local
a4a788f623c8        none                null                local
# docker network inspect a4a788f623c8
[
    {
        "Name": "none",
        "Id": "a4a788f623c8fdfc68c355e9d93b57c799df39b0a1417fdc5b185835fb7d5ce4",
        "Created": "2019-05-29T15:48:46.357228298+08:00",
        "Scope": "local",
        "Driver": "null",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "54ccd55daf19d85fac051e942fb27e6d77caf04d78a673729bcdae1fd2df7a08": {
                "Name": "k8s_POD_xxx-64797ff6-f7xtr_default_fa285459-e290-11e9-b717-fa163edad53f_0",
                "EndpointID": "1800b29d0a294d00add619dcfd7dc198cf413ab8cb07eb13dfefe49e4c00601b",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            },
            "6738a6de28efe92e111d37b90165f65fd173c20c4cdecf66b1e401062d073e69": {
                "Name": "k8s_POD_xxxxzzz-64797ff6-bmxs5_default_e54dc291-e291-11e9-b717-fa163edad53f_0",
                "EndpointID": "b3a3f233731c7515a51ae16bad88b5ab6d9bc2d8c867d3a50c25c01b69ac59c0",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            },

        },
        "Options": {},
        "Labels": {}
    }
]

The output here has been redacted; the k8s containers listed use Docker's none mode.

posted @ 2019-10-05 15:29 by 过去的我