docker-bridge network
根据下面这图示,可以了解两个container之间是如何通信的
通过ip link 和 ip a可以看到本地有个docker0 link。
[root@localhost ~]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000 link/ether 00:0c:29:08:e1:eb brd ff:ff:ff:ff:ff:ff 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT link/ether 02:42:e8:50:c7:6c brd ff:ff:ff:ff:ff:ff [root@localhost ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:08:e1:eb brd ff:ff:ff:ff:ff:ff inet 10.173.236.35/24 brd 10.173.236.255 scope global dynamic ens33 valid_lft 676660sec preferred_lft 676660sec inet6 fe80::1031:ec13:6b54:b6ea/64 scope link valid_lft forever preferred_lft forever 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 valid_lft forever preferred_lft forever 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN link/ether 02:42:e8:50:c7:6c brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:e8ff:fe50:c76c/64 scope link valid_lft forever preferred_lft forever [root@localhost ~]#
通过docker network inspect bridge可以查看bridge网络
[root@localhost ~]# docker network inspect bridge host none [root@localhost ~]# docker network inspect bridge [ { "Name": "bridge", "Id": "4e8172ef8e0169e74285225030d0b5f271494df46c4f7bc3ba38e9ca87a1c6f9", "Created": "2019-07-17T06:50:29.144315528-07:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] [root@localhost ~]#
上面bridge里"Containers": {}, 原因是目前没有正在运行的container,下面我添加两个container在后台运行:
[root@localhost ~]# docker container ls CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES [root@localhost ~]# docker run --name test1 -d busybox /bin/sh -c "while true;do sleep 3600;done" #-d 放后台运行 cba62587107007983d45a4383598dbec18a37d33e415f2325572e8f98f36a32a [root@localhost ~]# docker network inspect bridge [ { "Name": "bridge", "Id": "4e8172ef8e0169e74285225030d0b5f271494df46c4f7bc3ba38e9ca87a1c6f9", "Created": "2019-07-17T06:50:29.144315528-07:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "cba62587107007983d45a4383598dbec18a37d33e415f2325572e8f98f36a32a": { "Name": "test1", "EndpointID": "00bcbb182eaf78e390c842e5edc5af27b2df2db2c3905e76f816828d7a9eadc3", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] [root@localhost ~]#
本地 ip link 多了一个19 link
[root@localhost ~]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000 link/ether 00:0c:29:08:e1:eb brd ff:ff:ff:ff:ff:ff 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT link/ether 02:42:e8:50:c7:6c brd ff:ff:ff:ff:ff:ff 19: vethfdefc77@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT link/ether d2:1a:0d:9c:88:88 brd ff:ff:ff:ff:ff:ff link-netnsid 0
查看container test1 的link “eth0@if19“ 是和本地的“vethfdefc77@if18“ 构成一对的。
[root@localhost ~]# docker container ls CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES cba625871070 busybox "/bin/sh -c 'while t…" 6 minutes ago Up 6 minutes test1 [root@localhost ~]# docker exec test1 ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff [root@localhost ~]#
本地新增的link “vethfdefc77“ 是和docker0相连的,可以通过brctl show 查看
[root@localhost ~]# yum install bridge-utils Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirrors.njupt.edu.cn * extras: mirrors.tuna.tsinghua.edu.cn * updates: mirrors.tuna.tsinghua.edu.cn Package bridge-utils-1.5-9.el7.x86_64 already installed and latest version Nothing to do [root@localhost ~]# brctl Usage: brctl [commands] commands: addbr <bridge> add bridge delbr <bridge> delete bridge addif <bridge> <device> add interface to bridge delif <bridge> <device> delete interface from bridge hairpin <bridge> <port> {on|off} turn hairpin on/off setageing <bridge> <time> set ageing time setbridgeprio <bridge> <prio> set bridge priority setfd <bridge> <time> set bridge forward delay sethello <bridge> <time> set hello time setmaxage <bridge> <time> set max message age setpathcost <bridge> <port> <cost> set path cost setportprio <bridge> <port> <prio> set port priority show [ <bridge> ] show a list of bridges showmacs <bridge> show a list of mac addrs showstp <bridge> show bridge stp info stp <bridge> {on|off} turn stp on/off [root@localhost ~]# brctl show bridge name bridge id STP enabled interfaces docker0 8000.0242e850c76c no vethfdefc77 virbr0 8000.525400105abe yes virbr0-nic [root@localhost ~]#
接下来再运行一个container
[root@localhost ~]# docker run --name test2 -d busybox /bin/sh -c "while true;do sleep 3600;done" f81ab807503c0506d3e6a0375e2179eb0ddc0203162faf60117fc393187c59ac [root@localhost ~]# docker container ls CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f81ab807503c busybox "/bin/sh -c 'while t…" 7 seconds ago Up 5 seconds test2 cba625871070 busybox "/bin/sh -c 'while t…" 20 minutes ago Up 20 minutes test1 [root@localhost ~]# docker network inspect bridge [ { "Name": "bridge", "Id": "4e8172ef8e0169e74285225030d0b5f271494df46c4f7bc3ba38e9ca87a1c6f9", "Created": "2019-07-17T06:50:29.144315528-07:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "cba62587107007983d45a4383598dbec18a37d33e415f2325572e8f98f36a32a": { "Name": "test1", "EndpointID": "00bcbb182eaf78e390c842e5edc5af27b2df2db2c3905e76f816828d7a9eadc3", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" }, "f81ab807503c0506d3e6a0375e2179eb0ddc0203162faf60117fc393187c59ac": { "Name": "test2", "EndpointID": "d80d942aad5ea4e0322be344756317d61ad850ad45ad1d3e086b6d2e43879ead", "MacAddress": "02:42:ac:11:00:03", "IPv4Address": "172.17.0.3/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] [root@localhost ~]#
查看新增ip link,可以看到新增的link也是连接到docker0上
[root@localhost ~]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000 link/ether 00:0c:29:08:e1:eb brd ff:ff:ff:ff:ff:ff 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000 link/ether 52:54:00:10:5a:be brd ff:ff:ff:ff:ff:ff 5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT link/ether 02:42:e8:50:c7:6c brd ff:ff:ff:ff:ff:ff 19: vethfdefc77@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT link/ether d2:1a:0d:9c:88:88 brd ff:ff:ff:ff:ff:ff link-netnsid 0 21: veth39873ad@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT link/ether e6:e5:80:28:29:70 brd ff:ff:ff:ff:ff:ff link-netnsid 1 [root@localhost ~]# docker exec test2 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@localhost ~]# br brctl break bridge brltty brltty-config brltty-ctb brltty-install brltty-trtxt brltty-ttb [root@localhost ~]# brctl show bridge name bridge id STP enabled interfaces docker0 8000.0242e850c76c no veth39873ad vethfdefc77 virbr0 8000.525400105abe yes virbr0-nic [root@localhost ~]#
docker0 和网卡之间做了nat,如果网卡能连外网,则container也能连外网
