-------------------------------------------------------------------------------------------------------------------------------------

Docker容器网络

ip命令可以手动操作网络名称空间

ip命令属于iproute程序包

[root@localhost ~]# rpm -q iproute
iproute-3.10.0-87.el7.x86_64

添加网络名称空间

在网络名称空间中执行命令

创建虚拟网卡对

[将一个设备移到 一个名称空间](#将一个设备移到 一个名称空间)

将r1中的veth1.2改名为eth0

设置IP地址激活两半网卡,并互相通信

r1和r2两个名称空间可以实现通信

添加网络名称空间

ip netns add

[root@localhost ~]# ip netns add r1
[root@localhost ~]# ip netns add r2
[root@localhost ~]# ip netns list
r2
r1

在网络名称空间中执行命令

ip netns exec

[root@localhost ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

创建虚拟网卡对

ip link add name veth1.1 type veth peer name veth1.2

add name veth1.1 指定这一半网卡的名字

type veth 指定设备类型,veth即虚拟以太网网卡

peer name 指定另一半网卡的名字

[root@localhost ~]# ip link add name veth1.1 type veth peer name veth1.2
[root@localhost ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT 
    link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
4: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 96:8e:c2:e1:64:45 brd ff:ff:ff:ff:ff:ff
5: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether ae:f5:21:c7:db:37 brd ff:ff:ff:ff:ff:ff

将一个设备移到 一个名称空间

[root@localhost ~]# ip link set dev veth1.2 netns r1
[root@localhost ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT 
    link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
5: veth1.1@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether ae:f5:21:c7:db:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    
[root@localhost ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth1.2: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 96:8e:c2:e1:64:45  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

将r1中的veth1.2改名为eth0

[root@localhost ~]# ip netns exec r1 ip link set dev veth1.2 name eth0
[root@localhost ~]# ip netns exec r1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 96:8e:c2:e1:64:45  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

设置IP地址激活两半网卡,并互相通信

[root@localhost ~]# ifconfig veth1.1 10.1.0.1/24 up
[root@localhost ~]# ip netns exec r1 ifconfig eth0 10.1.0.2/24 up
[root@localhost ~]# ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=1.69 ms

r1和r2两个名称空间可以实现通信

[root@localhost ~]# ip link set dev veth1.1 netns r2
[root@localhost ~]# ip netns exec r2 ifconfig veth1.1 10.1.0.3/24 up
[root@localhost ~]# ip netns exec r2 ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.057 ms

docker容器网络设置

docker容器不设置网络设备使用none网络,实现封闭式容器

给容器设置主机名,其可以实现主机名解析

为容器指定指定dns

在外面给容器注入host文件解析结果

docker容器不设置网络设备使用none网络,实现封闭式容器

[root@localhost ~]# docker run --name t1 -it  --network none --rm busybox:latest
/ # ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

给容器设置主机名,其可以实现主机名解析

>
[root@localhost ~]# docker run --name t1 -it  --network bridge -h web1.keji.com --rm busybox:latest
/ # hostname
web1.keji.com

为容器指定指定dns

[root@localhost ~]# docker run --name t1 -it --network bridge -h web1.keji.com --dns 144.144.144.144 --rm busybox:latest
/ # cat /etc/resolv.conf 
nameserver 144.144.144.144

在外面给容器注入host文件解析结果

[root@localhost ~]# docker run --name t1 -it --network bridge -h web1.keji.com --dns 144.144.144.144 --add-host web1.keji.com:1.1.1.1 --rm busybox:latest
/ # cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
1.1.1.1	web1.keji.com

-p选项暴露容器端口

将指定的容器端口映射至主机所有地址的一个动态端口

将容器端口映射至指定的主机端口

指定容器映射的端口和IP地址

将指定的容器端口映射至主机所有地址的一个动态端口

动态端口范围是30000到32767之间的随机端口

坏处是别人访问时不知道端口是多少,好处是当容器有多个web时,可以映射到多个端口上

[root@localhost ~]# docker run --name myweb --rm -p 80 dockerhaoran/httpd:v0.2

容器已在运行,在另一个终端上通过容器内部地址访问

[root@localhost ~]# docker inspect myweb
    "IPAddress": "172.17.0.2",
[root@localhost ~]# curl 172.17.0.2

<h1>Busybox httpd server.</h1>

iptables查看生成的规则,被映射到宿主机的32769端口

[root@localhost ~]# iptables -t nat -vnL
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32769 to:172.17.0.2:80

页面访问http://10.192.45.116:32769/

Busybox httpd server.

将容器端口映射至指定的主机端口

[root@localhost ~]# docker port myweb
80/tcp -> 0.0.0.0:32769

容器的80端口映射到宿主机所有可用地址的32769端口上

[root@localhost ~]# docker kill myweb
myweb
[root@localhost ~]# docker run --name myweb --rm -p 10.192.45.116::80 dockerhaoran/httpd:v0.2

10.192.45.116::两个冒号之间为宿主机端口,留空表示使用随机端口

[root@localhost ~]# docker port myweb
80/tcp -> 10.192.45.116:32768

指定容器映射的端口和IP地址

[root@localhost ~]# docker run --name myweb --rm -p 10.192.45.116:8080:80 dockerhaoran/httpd:v0.2

80端口映射到宿主机10.192.45.116的8080端口

[root@localhost ~]# docker port myweb
80/tcp -> 10.192.45.116:8080

[root@localhost ~]# docker run --name myweb --rm -p 80:80 dockerhaoran/httpd:v0.2

80:80不给宿主机地址表示绑定宿主机的所有地址(0.0.0.0)

[root@localhost ~]# docker port myweb
80/tcp -> 0.0.0.0:80

共享指定容器网络(联盟式容器)

[root@localhost ~]# docker run --name b1 -it --rm busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
       
[root@localhost ~]#  docker run --name b2 -it --network container:b1 --rm busybox:latest
/ #  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

在b2上开启httpd服务

/ # echo "hello world" > /tmp/index.html
/ # httpd -h /tmp/
/ # netstat -tul
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 :::80                   :::*                    LISTEN   

在b1上使用lo访问

/ # wget -O - -q 127.0.0.1
hello world

共享宿主机网络空间

[root@localhost ~]# docker run --name b1 -it  --network host --rm  busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
    inet 10.192.45.116/21 brd 10.192.47.255 scope global dynamic enp0s3
       valid_lft 3413sec preferred_lft 3413sec
    inet6 fe80::a00:27ff:fe72:1cca/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:90ff:fe5b:af47/64 scope link 
       valid_lft forever preferred_lft forever

启动一个httpd服务

/ # echo "hello world" > /tmp/index.html
/ # httpd -h /tmp/
/ # netstat -tunl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      
tcp        0      0 :::80                   :::*                    LISTEN 

表示监听在宿主机的80端口上

http://10.192.45.116/

hello world

自定义docker0桥的网络属性信息

需要修改配置文件/etc/docker/daemon.json文件

{

"bip": "10.0.0.1/16",

"default-gateway":"10.20.1.1",

"dns":["10.20.1.2","10.20.1.3"]

}

bip指docker0桥的IP地址,是最主要的一项;只要指定了bip,除dns外的其他值都会自动计算得出

default-gateway指默认网关

dns指dns服务器地址,最多3个

[root@localhost ~]# systemctl stop docker
[root@localhost ~]# vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://qijo5n63.mirror.aliyuncs.com"],
  "bip": "10.0.0.1/16"
}
[root@localhost ~]# systemctl start docker
[root@localhost ~]# ip a
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:90:5b:af:47 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/16 brd 10.0.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:90ff:fe5b:af47/64 scope link 
       valid_lft forever preferred_lft forever

docker守护进程采用C/S架构,默认仅监听Unix Socket地址/var/run/docker.sock;如果要使用TCP套接字,需要在配置文件中添加hosts项:

/etc/docker/daemon.json:

"hosts": ["tcp://10.0.0.0:2375","unix:///var/run/docker.sock"]

也可向docker直接传递“-H|--host”选项。注意:tcp://…:2375 这种方式暴露的是未加密、未认证的接口,能连到该端口的任何人都可以以root权限控制宿主机;监听在0.0.0.0上时应限制来源地址或启用TLS认证。

[root@localhost ~]# systemctl stop docker
[root@localhost ~]# vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://qijo5n63.mirror.aliyuncs.com"],
  "bip": "10.0.0.1/16",
  "hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
[root@localhost ~]# systemctl start docker

创建别的桥

[root@localhost ~]# docker network create -d bridge --subnet "172.26.0.0/16" --gateway "172.26.0.1" mybr0
c7cc44b020fd5fe2fe7435b7e19826f8d43576b7a9f86607034e44781ba1ca4a

docker network create创建桥

-d bridge指定桥的类型,bridge类型

--subnet "172.26.0.0/16"指定ipv4子网

--gateway "172.26.0.1"指定网关

[root@localhost ~]# ip a
26: br-c7cc44b020fd: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:60:51:fa:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.26.0.1/16 brd 172.26.255.255 scope global br-c7cc44b020fd
       valid_lft forever preferred_lft forever

网络名叫mybr0,但宿主机上的接口名不是mybr0,而是br-c7cc44b020fd(取自网络ID前缀)

[root@localhost ~]# ifconfig br-c7cc44b020fd down
[root@localhost ~]# ip link set dev br-c7cc44b020fd name docker1

先关闭这个接口,再改设备名
