12. Docker networking: bridge

  1. Single-host networking

    • Bridge Network
    • Host Network
    • None Network
  2. Multi-host networking

    • Overlay Network

12.1 Network namespaces

  Start a container:

docker run -d --name test1 busybox /bin/sh -c "while true;do sleep 3600;done"

  Enter the container:

docker exec -it test1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
166: eth0@if167: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

  Start another container:

docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done"

docker exec -it test2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
168: eth0@if169: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

  This shows that Docker automatically assigns an IP address to each container when it starts, and that each container gets a different address. Containers on the same host can nevertheless ping each other.

docker exec -it test1 /bin/sh
/ # ping 172.17.0.4
PING 172.17.0.4 (172.17.0.4): 56 data bytes
64 bytes from 172.17.0.4: seq=0 ttl=64 time=0.121 ms
64 bytes from 172.17.0.4: seq=1 ttl=64 time=0.083 ms
64 bytes from 172.17.0.4: seq=2 ttl=64 time=0.078 ms
64 bytes from 172.17.0.4: seq=3 ttl=64 time=0.079 ms
^C
--- 172.17.0.4 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.078/0.090/0.121 ms

Network namespaces on Linux

[Figure: network namespaces]

  Connecting two network namespaces from the command line:

# Add two network namespaces, test1 and test2
ip netns add test1
ip netns add test2

# Add a veth pair
ip link add veth-test1 type veth peer name veth-test2

# List the links with ip link
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
147: veth1e50917@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether 22:74:d9:54:88:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
169: veth3391153@if168: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether c2:33:b7:f4:d9:98 brd ff:ff:ff:ff:ff:ff link-netnsid 2
170: veth-test2@if171: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 3
171: veth-test1@veth-test2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff

# Move veth-test1 into network namespace test1
ip link set veth-test1 netns test1

# List the links in test1
ip netns exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
171: veth-test1@if170: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0

# List the links on the host
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
147: veth1e50917@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether 22:74:d9:54:88:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
169: veth3391153@if168: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether c2:33:b7:f4:d9:98 brd ff:ff:ff:ff:ff:ff link-netnsid 2
170: veth-test2@if171: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 3
# veth-test1 is no longer listed on the host

# Move veth-test2 into network namespace test2
ip link set veth-test2 netns test2

# List the links in test2
ip netns exec test2 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
170: veth-test2@if171: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0

# List the links on the host
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
    link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
147: veth1e50917@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether 22:74:d9:54:88:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
169: veth3391153@if168: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether c2:33:b7:f4:d9:98 brd ff:ff:ff:ff:ff:ff link-netnsid 2

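  At this point both veth interfaces created earlier have disappeared from the host. However, the interfaces in the test1 and test2 namespaces each have only a MAC address and no IP address, and both are in the DOWN state.

  Add an IP address in each of the two namespaces:

ip netns exec test1 ip addr add 192.168.1.1/24 dev veth-test1
ip netns exec test2 ip addr add 192.168.1.2/24 dev veth-test2

  Bring up the interfaces in the two namespaces:

ip netns exec test1 ip link set dev veth-test1 up
ip netns exec test2 ip link set dev veth-test2 up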

  Check the state of the two namespaces:

# Check that test1 is up
ip netns exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
171: veth-test1@if170: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT qlen 1000
    link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff link-netnsid 1

# Check that test2 is up
ip netns exec test2 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
170: veth-test2@if171: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT qlen 1000
    link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0

# Check that test1 has an IP address
ip netns exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
171: veth-test1@if170: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 192.168.1.1/24 scope global veth-test1
       valid_lft forever preferred_lft forever
    inet6 fe80::98b1:aaff:fe6b:d380/64 scope link
       valid_lft forever preferred_lft forever

# Check that test2 has an IP address
ip netns exec test2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
170: veth-test2@if171: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.1.2/24 scope global veth-test2
       valid_lft forever preferred_lft forever
    inet6 fe80::54e7:51ff:fe26:cd37/64 scope link
       valid_lft forever preferred_lft forever

  Check that the two namespaces can reach each other:

ip netns exec test2 ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.038 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.038/0.043/0.049/0.008 ms

ip netns exec test1 ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.090 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.055 ms
^C
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.043/0.062/0.090/0.021 ms

12.2 docker bridge0

Viewing Docker networks

[root@docker ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
60e81719174c        bridge              bridge              local
67f0fa7f22b0        host                host                local
01f3c01c3ade        none                null                local
[root@docker ~]#

  Inspect the bridge network:

[root@docker ~]# docker network inspect 60e81719174c
[
    {
        "Name": "bridge",
        "Id": "60e81719174cd81800981dba54d9dd97e0df639e128abb92605ca2828f4f3d06",
        "Created": "2018-05-31T16:47:33.917919725+07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "a10b6f5afb766f59550650656e29cf9fc1dff2c63978ceae02bdd92b367f329a": {
                "Name": "test1",
                "EndpointID": "8e4b12841f72614d2df2d6b5b53da197847655e09f7bfa84c1e2ed78dd329759",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@docker ~]#

  One part of this output is:

"Containers": {
    "a10b6f5afb766f59550650656e29cf9fc1dff2c63978ceae02bdd92b367f329a": {
        "Name": "test1",
        "EndpointID": "8e4b12841f72614d2df2d6b5b53da197847655e09f7bfa84c1e2ed78dd329759",
        "MacAddress": "02:42:ac:11:00:03",
        "IPv4Address": "172.17.0.3/16",
        "IPv6Address": ""
    }
},

  This shows that container test1 is attached to the bridge network. Inside test1 there is a veth interface, eth0@if167, and the host has a veth interface, veth2e7a7c3@if166, so these two interfaces form a pair.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
    inet 172.21.168.103/20 brd 172.21.175.255 scope global dynamic eth0
       valid_lft 308698339sec preferred_lft 308698339sec
# docker0 is the bridge interface Docker creates on the host
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1

docker exec -it test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
166: eth0@if167: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

  eth0@if167 in test1 and veth2e7a7c3@if166 on the host are a veth pair, and they are ultimately connected to docker0:

[root@docker ~]# yum install -y bridge-utils
[root@docker ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02420c4725c2       no              veth2e7a7c3
[root@docker ~]# ip a|grep veth2e7a7c3
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
[root@docker ~]#

  Create another container, test2, to verify this:

[root@docker ~]# docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done"

  Inspect the Docker bridge network again:

[root@docker ~]# docker network inspect 60e81719174c
[
    {
        "Name": "bridge",
        "Id": "60e81719174cd81800981dba54d9dd97e0df639e128abb92605ca2828f4f3d06",
        "Created": "2018-05-31T16:47:33.917919725+07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "47ad250ba92e0ece87c65df825e701a3691c952a65180888da580664b647b298": {
                "Name": "test2",
                "EndpointID": "d62db8de4e451bd89cc2afbadfb0c803528ca34b8110ae18f997b83980e1e2da",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "a10b6f5afb766f59550650656e29cf9fc1dff2c63978ceae02bdd92b367f329a": {
                "Name": "test1",
                "EndpointID": "8e4b12841f72614d2df2d6b5b53da197847655e09f7bfa84c1e2ed78dd329759",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
[root@docker ~]#

  The Containers section now includes an entry for test2, which confirms that test2 also uses the bridge network.

ip a
......
177: veth0171814@if176: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 4a:33:a7:59:ca:98 brd ff:ff:ff:ff:ff:ff link-netnsid 0

docker exec -it test2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
176: eth0@if177: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02420c4725c2       no              veth0171814
                                                        veth2e7a7c3

  A new interface, veth0171814, has appeared:

ip a|grep veth0171814
177: veth0171814@if176: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
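
  The pairing read off by eye above (the number after @if on one side is the interface index on the other side) can be automated, which helps when a capture or firewall log names only a host veth. The following is an added example, not code from the original post; the sample text is constructed from the listings on this page, and the function names are hypothetical.

```python
import re

# Constructed sample input: `ip a` lines trimmed from the listings on this page.
HOST = """\
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
177: veth0171814@if176: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 4a:33:a7:59:ca:98 brd ff:ff:ff:ff:ff:ff link-netnsid 0
"""
CONTAINERS = {
    "test1": "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1\n"
             "166: eth0@if167: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue\n",
    "test2": "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1\n"
             "176: eth0@if177: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue\n",
}

# "<index>: <name>[@<peer>]: <FLAGS> <rest>"; indented detail lines never match.
LINK_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@(\S+?))?: <[^>]*>(.*)$")

def parse_links(text):
    """Map ifindex -> {name, peer ifindex or None, bridge master or None}."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        idx, name, peer, rest = m.groups()
        master = re.search(r"\bmaster (\S+)", rest)
        links[int(idx)] = {
            "name": name,
            # "@if167" names the peer by index; "@veth-test2" (same namespace) is ignored
            "peer": int(peer[2:]) if peer and re.fullmatch(r"if\d+", peer) else None,
            "master": master.group(1) if master else None,
        }
    return links

def map_veth(host_text, containers):
    """Return {container: (container_if, host_veth, bridge)} for every matched pair."""
    host, pairs = parse_links(host_text), {}
    for cname, text in containers.items():
        for idx, link in parse_links(text).items():
            peer = host.get(link["peer"])
            # Accept a match only when both ends point at each other (166 <-> 167).
            if peer and peer["peer"] == idx:
                pairs[cname] = (link["name"], peer["name"], peer["master"])
    return pairs

if __name__ == "__main__":
    for cname, (cif, hif, br) in sorted(map_veth(HOST, CONTAINERS).items()):
        print(f"{cname}: {cif} <-> {hif} (bridge {br})")
```

  Interface indexes are scoped to a network namespace, so the two-way check is what keeps an unrelated interface with a coincidentally matching index from being reported as a pair.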

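Networking between Docker containers on a single host

[Figure: networking between Docker containers on a single host]

How a single Docker container reaches the Internet

  A container reaches the outside through something like NAT (network address translation, implemented with iptables): its address is translated to eth0's address, and the traffic then leaves for the external network through eth0.

[Figure: how a single Docker container reaches the Internet]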
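
  The inspect output shown earlier already records the three settings behind the behaviour described on this page: enable_icc (containers on docker0 can ping each other), enable_ip_masquerade (the NAT to eth0) and host_binding_ipv4. The following added example, not part of the original post, reads that JSON and reports them; the sample is constructed from the page's output with container IDs shortened, the function names are hypothetical, and treating an absent option as Docker's default is an assumption stated in the comments.

```python
import ipaddress
import json

# Constructed sample: the relevant fields of the `docker network inspect` output
# shown on this page (container IDs shortened to their first 12 characters).
INSPECT = """[{"Name": "bridge", "Driver": "bridge", "Internal": false,
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
  "Containers": {
    "47ad250ba92e": {"Name": "test2", "IPv4Address": "172.17.0.2/16"},
    "a10b6f5afb76": {"Name": "test1", "IPv4Address": "172.17.0.3/16"}},
  "Options": {
    "com.docker.network.bridge.enable_icc": "true",
    "com.docker.network.bridge.enable_ip_masquerade": "true",
    "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
    "com.docker.network.bridge.name": "docker0"}}]"""

PREFIX = "com.docker.network.bridge."

def audit_bridge(net):
    """Return (check, detail) findings for one inspected bridge network."""
    opts = net.get("Options") or {}
    # Assumption: an option that is absent counts as Docker's default (enabled).
    on = lambda key: str(opts.get(PREFIX + key, "true")).lower() == "true"
    bridge = opts.get(PREFIX + "name", net["Name"])
    subnet = ipaddress.ip_network(net["IPAM"]["Config"][0]["Subnet"])
    peers = sorted((c["Name"], ipaddress.ip_interface(c["IPv4Address"]).ip)
                   for c in (net.get("Containers") or {}).values())
    findings = []
    if on("enable_icc") and len(peers) > 1:
        names = ", ".join(f"{n} ({ip})" for n, ip in peers)
        findings.append(("icc", f"inter-container traffic allowed on {bridge}: {names}"))
    if on("enable_ip_masquerade") and not net.get("Internal"):
        findings.append(("masquerade", f"traffic leaving {subnet} is source-NATed to the host's address"))
    # Assumption: an absent binding option counts as the all-interfaces default.
    bind = opts.get(PREFIX + "host_binding_ipv4", "0.0.0.0")
    if ipaddress.ip_address(bind).is_unspecified:
        findings.append(("host_binding", "published ports listen on every host interface by default"))
    for name, ip in peers:
        if ip not in subnet:
            findings.append(("ipam", f"{name} has {ip}, outside {subnet}"))
    return findings

def audit(inspect_json):
    """Audit every bridge-driver network in a `docker network inspect` JSON document."""
    return {net["Name"]: audit_bridge(net) for net in json.loads(inspect_json)
            if net.get("Driver") == "bridge"}

if __name__ == "__main__":
    for name, findings in audit(INSPECT).items():
        for check, detail in findings:
            print(f"{name}: [{check}] {detail}")
```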


Author: StaryJie
Article link: https://www.cnblogs.com/jie-fang/p/10279739.html
Copyright notice: unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!