Docker network management

1. System environment

Server version                          Docker version             CPU architecture
CentOS Linux release 7.4.1708 (Core)    Docker version 20.10.12    x86_64

2. Docker networking

2.1 Docker networking overview

One of the reasons Docker containers and services are so powerful is that you can connect them to each other, or to non-Docker workloads. Docker containers and services do not even need to be aware that they are deployed on Docker, or whether their peers are also Docker workloads. Whether your Docker hosts run Linux, Windows, or a mix of the two, you can use Docker to manage them in a platform-agnostic way.

2.2 Docker network types

Docker's networking subsystem is pluggable, using drivers. Several drivers exist by default and provide the core networking functionality:

  • bridge: The default network driver. If you do not specify a driver, this is the type of network you are creating. Bridge networks are typically used when your application runs in standalone containers that need to communicate with each other.

  • host: For standalone containers, remove the network isolation between the container and the Docker host and use the host's networking directly. Every socket the container opens is opened in the host's network namespace, so the container can bind any host port and its listeners are reachable on every host interface.

  • overlay: Overlay networks connect multiple Docker daemons together and let swarm services communicate with each other. You can also use overlay networks for communication between a swarm service and a standalone container, or between two standalone containers on different Docker daemons. This strategy removes the need to do OS-level routing between those containers.

  • ipvlan: IPvlan networks give users full control over IPv4 and IPv6 addressing. The VLAN driver builds on top of that, giving users interested in underlay network integration full control over layer 2 VLAN tagging and even IPvlan L3 routing.

  • macvlan: Macvlan networks let you assign a MAC address to a container, making it appear as a physical device on your network. The Docker daemon routes traffic to containers by their MAC addresses. The macvlan driver is sometimes the best choice when dealing with legacy applications that expect to be connected directly to the physical network rather than routed through the Docker host's network stack. Because such a container sits on the physical LAN itself, the host's port-publishing rules do not mediate access to it; filter at the container or on the switch instead.

  • none: Disable all networking for the container. Usually used together with a custom network driver. none is not available for swarm services. See "Disable networking for a container" in the Docker documentation.

  • Network plugins: You can install and use third-party network plugins with Docker. These plugins are available from Docker Hub or from third-party vendors.

Summary of network drivers:

  • User-defined bridge networks are the best choice when you need multiple containers on the same Docker host to communicate.
  • Host networks are the best choice when the network stack should not be isolated from the Docker host, but you want the other aspects of the container to stay isolated.
  • Overlay networks are the best choice when you need containers running on different Docker hosts to communicate, or when multiple applications work together as swarm services.
  • Macvlan networks are the best choice when you are migrating from a VM setup or need your containers to look like physical hosts on your network, each with its own MAC address.
  • Third-party network plugins let you integrate Docker with specialized network stacks.

3. Common Docker network management commands

docker network connect      Connect a container to a Docker network
docker network create       Create a Docker network
docker network disconnect   Disconnect a container from a Docker network
docker network inspect      Show detailed information about a Docker network
docker network ls           List all Docker networks
docker network prune        Remove all unused (unreferenced) Docker networks
docker network rm           Remove a Docker network

List the Docker networks (docker network list is an alias of docker network ls). The three shown are the built-in networks the daemon creates at startup.

[root@k8smaster ~]# docker network list
NETWORK ID     NAME      DRIVER    SCOPE
7e5d5c751c19   bridge    bridge    local
d6114fdf8604   host      host      local
d37b373ceadd   none      null      local

Inspect the properties of the default bridge network (docker0). Two entries under Options matter for exposure: com.docker.network.bridge.enable_icc is true, so every container on this bridge can reach every other one without any port being published, and com.docker.network.bridge.host_binding_ipv4 is 0.0.0.0, so a port published with -p binds on all host interfaces unless an address is given explicitly.

[root@k8smaster ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "7e5d5c751c19179bd28704782956624fb6e1e51bbf1dec148a6a2857361c999f",
        "Created": "2021-12-28T14:43:30.751950569+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "1edbf56b01ee2f851bfb3dce9e955df18077e889c5254a8ac1dc24c4c343e5c5": {
                "Name": "redhat7.2",
                "EndpointID": "138e81107ffaca48a84d46c99a379245d02f031884567a214111f21833914a4e",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "c2d01513585bca0ceb67841e8307119e51ab9d6001cca76c147cc0f7ec441c63": {
                "Name": "redhat",
                "EndpointID": "9f0368fb571e73565af237a2d259f513063f83a7c18611b23ec4f11fe64e7bd5",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

4. Creating the different network types with Docker

4.1 Create and use a bridge network

Create a network named brnet with driver bridge and subnet 172.28.0.0/16. What is created is a Docker network object backed by a Linux bridge on the host, named br- followed by the first 12 characters of the network ID (it shows up as br-50007eb84ee9 in the ifconfig output in 4.2). The subnet must not overlap the default bridge's 172.17.0.0/16 or the host's own LAN, otherwise part of the existing network gets routed into the new bridge.

[root@k8smaster ~]# docker network create --driver=bridge --subnet=172.28.0.0/16 brnet
50007eb84ee90f225233b873bfc395a0f0da680bd22b8ac1d45add39d45f527b

Inspect the brnet network

[root@k8smaster ~]# docker network inspect brnet
[
    {
        "Name": "brnet",
        "Id": "50007eb84ee90f225233b873bfc395a0f0da680bd22b8ac1d45add39d45f527b",
        "Created": "2021-12-29T15:53:20.641824413+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.28.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

List the Docker networks again; brnet now appears

[root@k8smaster ~]# docker network list
NETWORK ID     NAME      DRIVER    SCOPE
7e5d5c751c19   bridge    bridge    local
50007eb84ee9   brnet     bridge    local
d6114fdf8604   host      host      local
d37b373ceadd   none      null      local

Start a container named centos7 from the centos image, attached to the brnet network

[root@k8smaster ~]# docker run -dit --restart=always --name=centos7 --network=brnet hub.c.163.com/library/centos:latest
2de5574af1c392524a9476bd76e96e90a0035a789e02f102a47e464ea53ac502

The centos7 container's address is 172.28.0.2. In the output below, the first (empty) IPAddress is the top-level NetworkSettings field, which is populated only for containers on the default bridge; the address under NetworkSettings.Networks.brnet is the one in use.
[root@k8smaster ~]# docker inspect centos7 | grep -i ipaddress
            "SecondaryIPAddresses": null,
            "IPAddress": "",
                    "IPAddress": "172.28.0.2",

Inspect brnet again; the centos7 container now appears under Containers

[root@k8smaster ~]# docker network inspect brnet
[
    {
        "Name": "brnet",
        "Id": "50007eb84ee90f225233b873bfc395a0f0da680bd22b8ac1d45add39d45f527b",
        "Created": "2021-12-29T15:53:20.641824413+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.28.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "2de5574af1c392524a9476bd76e96e90a0035a789e02f102a47e464ea53ac502": {
                "Name": "centos7",
                "EndpointID": "27a8ff58525ec91f956a4f2aa0bdeaf2c042080efc3b2f443d0f2f8fd34084b9",
                "MacAddress": "02:42:ac:1c:00:02",
                "IPv4Address": "172.28.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
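Before creating a network with an explicit --subnet as above, it is worth checking that the range does not overlap anything the host already routes. Docker itself rejects a --subnet that overlaps another Docker network, but the host's own interface subnets are not part of that check. The following is an added example (Python; not code from the original post): it parses docker network inspect output and a list of host interface subnets, both constructed here from the addresses shown on this page, and reports overlaps or proposes a free range. Function and variable names are my own.

```python
"""Pre-flight check before `docker network create --subnet ...`.

Added example, not code from the original post. It collects the subnets the
host already uses, as reported by `docker network inspect` and by the host's
own interfaces, and answers whether a candidate subnet overlaps any of them.
Sample input is constructed from this page: the default bridge is
172.17.0.0/16 and the host NIC ens32 sits in 192.168.110.0/24; brnet does
not exist yet.
"""
import ipaddress
import json

# Constructed: `docker network inspect bridge host` trimmed to the IPAM block,
# values copied from the inspect output on this page.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "host", "Driver": "host", "IPAM": {"Config": []}},
])

# Constructed: subnets of the host's own interfaces. A real run would take
# these from `ip -j addr` rather than hard-coding them.
HOST_SUBNETS = ["192.168.110.0/24"]


def docker_subnets(inspect_json):
    """Map network name -> list of ip_network objects from inspect output."""
    result = {}
    for net in json.loads(inspect_json):
        cfgs = (net.get("IPAM") or {}).get("Config") or []
        result[net["Name"]] = [ipaddress.ip_network(c["Subnet"])
                               for c in cfgs if "Subnet" in c]
    return result


def conflicts(candidate, inspect_json, host_subnets=()):
    """Return [(owner, subnet), ...] for every existing subnet the candidate overlaps.

    Overlap in either direction counts: a new /16 that swallows an existing /24
    is as harmful as a /24 carved out of an existing /16, because the kernel
    would route part of the existing network into the new bridge.
    """
    cand = ipaddress.ip_network(candidate)  # strict: host bits must be zero
    found = []
    for name, subnets in docker_subnets(inspect_json).items():
        found += [(name, str(s)) for s in subnets if cand.overlaps(s)]
    for hs in host_subnets:
        hsn = ipaddress.ip_network(hs)
        if cand.overlaps(hsn):
            found.append(("host", str(hsn)))
    return found


def first_free_subnet(inspect_json, host_subnets=(), pool="172.16.0.0/12", prefixlen=16):
    """First subnet of size /prefixlen inside pool that conflicts with nothing, or None."""
    for sub in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not conflicts(str(sub), inspect_json, host_subnets):
            return str(sub)
    return None


if __name__ == "__main__":
    for cand in ("172.28.0.0/16", "172.17.5.0/24", "192.168.0.0/16"):
        print(cand, "->", conflicts(cand, SAMPLE_INSPECT, HOST_SUBNETS) or "free")
    print("next free /16:", first_free_subnet(SAMPLE_INSPECT, HOST_SUBNETS))
```

On a live host, feed conflicts() the output of docker network inspect $(docker network ls -q) and the subnets of the host's interfaces; 172.28.0.0/16 comes back free for the environment on this page, while 172.17.5.0/24 is rejected because it lies inside docker0's range.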

4.2 Run a busybox container on the host network

Pull the busybox image

[root@k8smaster ~]# docker pull hub.c.163.com/library/busybox:latest
latest: Pulling from library/busybox
aab39f0bc16d: Pull complete 
Digest: sha256:662af1d642674367b721645652de96f9c147417c2efb708eee4e9b7212697762
Status: Downloaded newer image for hub.c.163.com/library/busybox:latest
hub.c.163.com/library/busybox:latest

Create a busybox container whose network type is host

[root@k8smaster ~]# docker run -dit --restart=always --name=busybox --network=host hub.c.163.com/library/busybox:latest
0a02f83b685c2bf120f9b6de5be9f0c3fe3fb5730134b00995aaa8cc849613e3

Enter the busybox container: the interfaces it sees are the host's own (the br-50007eb84ee9 bridge created in 4.1, the physical NIC ens32 and lo), because the container runs in the host's network namespace rather than one of its own. A process in such a container can bind any host port and, with Docker's default capability set (which includes CAP_NET_RAW), capture traffic on these interfaces. Note that docker attach connects to the container's PID 1, so typing exit here stops the container (restart=always then starts it again); use Ctrl-P Ctrl-Q to detach without stopping it.

[root@k8smaster ~]# docker attach busybox
/ # ifconfig 
br-50007eb84ee9 Link encap:Ethernet  HWaddr 02:42:1E:A8:31:1C  
          inet addr:172.28.0.1  Bcast:172.28.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:1eff:fea8:311c/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:438 (438.0 B)
......

ens32     Link encap:Ethernet  HWaddr 00:0C:29:BF:50:D8  
          inet addr:192.168.110.137  Bcast:192.168.110.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:febf:50d8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:604560 errors:0 dropped:0 overruns:0 frame:0
          TX packets:424501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:460937108 (439.5 MiB)  TX bytes:212554025 (202.7 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:7464831 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7464831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:1397878730 (1.3 GiB)  TX bytes:1397878730 (1.3 GiB)
......

/ # exit
[root@k8smaster ~]# 

Inspect the host network. Every endpoint has an empty MacAddress and IPv4Address because host-network containers have no interface of their own. The kube-system pause containers (k8s_POD_etcd-..., k8s_POD_kube-proxy-...) appear here too: this host is also a Kubernetes master, and those pods run with hostNetwork.

[root@k8smaster ~]# docker network inspect host
[
    {
        "Name": "host",
        "Id": "d6114fdf860416d813aa5b250fb03b6be128dd90ad873a08179c6138ba15dee6",
        "Created": "2021-06-30T17:50:40.360664894+08:00",
        "Scope": "local",
        "Driver": "host",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "0a02f83b685c2bf120f9b6de5be9f0c3fe3fb5730134b00995aaa8cc849613e3": {
                "Name": "busybox",
                "EndpointID": "864e7899e2bae367c7fbc60d423c09efe84da7afe43004e783785589ff40588f",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            },
            "6eb6f15dfc84b118f9da5d6294c857c169378dc2668f660ebb3a769cbabab7f3": {
                "Name": "k8s_POD_etcd-k8smaster_kube-system_1dcb59df47c677756cdf25f28d920325_16",
                "EndpointID": "f8bb0f0e910e8fc1888087270946f659bbb85c3391ded29c706644134f02ad8f",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            },
            .......
            "fc4069583b9570defd3e486e7eb56d241561f926cc1ce79fde8db43770038d99": {
                "Name": "k8s_POD_kube-proxy-7sxwx_kube-system_8e5ffc39-9f10-4fd0-ac80-61779b806d6a_16",
                "EndpointID": "85f62759a1916873b333aadfb8b7a6aa782f3245a966ed2da448287a70eda18f",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]

4.3 Run an nginx container on the host network

The nginx container's network type is host

[root@k8smaster ~]# docker run -dit --restart=always --name=nginx --network=host hub.c.163.com/library/nginx:latest
2972a5284ef43036f6eaf288ee6c2bb361f24ab99368ceda877077e6d9b8334b

Accessing the host's IP directly reaches the nginx inside the container: nginx listens on port 80 of the host itself, so no -p mapping is involved, and none is possible (published ports are discarded for host-network containers). Anything else already listening on port 80 on the host would collide with it.

[root@k8smaster ~]# curl 192.168.110.137
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
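The inspect output in section 3 and the host-network examples in 4.2 and 4.3 contain the fields an auditor looks at: enable_icc and host_binding_ipv4 under Options, and containers attached to the host driver. The following added example (Python; not code from the original post) turns that into a check over the JSON that docker network inspect prints. The sample input is constructed from this page's own inspect output, trimmed to the fields the audit reads and with container IDs shortened; function names and severity labels are my own.

```python
"""Audit `docker network inspect` output for settings that widen exposure.

Added example, not code from the original post. It reads the JSON printed by
`docker network inspect $(docker network ls -q)` and reports, in decreasing
severity:
  high   - containers attached to the host network (they share the host's
           stack, as the busybox and nginx containers in 4.2 and 4.3 do),
  medium - bridge networks where inter-container traffic is unrestricted
           (enable_icc) and more than one container is attached,
  low    - bridge networks whose published ports bind on 0.0.0.0 by default,
  info   - networks not created with --internal.
The sample is constructed from the inspect output on this page, trimmed to
the fields the audit reads; container IDs are shortened to 12 characters.
"""
import json

ICC = "com.docker.network.bridge.enable_icc"
HOST_BIND = "com.docker.network.bridge.host_binding_ipv4"

SAMPLE = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Internal": False,
     "Containers": {"1edbf56b01ee": {"Name": "redhat7.2", "IPv4Address": "172.17.0.3/16"},
                    "c2d01513585b": {"Name": "redhat", "IPv4Address": "172.17.0.2/16"}},
     "Options": {"com.docker.network.bridge.default_bridge": "true",
                 ICC: "true", HOST_BIND: "0.0.0.0",
                 "com.docker.network.bridge.name": "docker0"}},
    {"Name": "brnet", "Driver": "bridge", "Internal": False,
     "Containers": {"2de5574af1c3": {"Name": "centos7", "IPv4Address": "172.28.0.2/16"}},
     "Options": {}},
    {"Name": "host", "Driver": "host", "Internal": False,
     "Containers": {"0a02f83b685c": {"Name": "busybox", "IPv4Address": ""},
                    "2972a5284ef4": {"Name": "nginx", "IPv4Address": ""}},
     "Options": {}},
])

SEVERITY = {"high": 0, "medium": 1, "low": 2, "info": 3}


def audit(inspect_json):
    """Return findings as (severity, network, message), most severe first."""
    findings = []
    for net in json.loads(inspect_json):
        name, driver = net["Name"], net["Driver"]
        opts = net.get("Options") or {}
        names = sorted(c["Name"] for c in (net.get("Containers") or {}).values())
        if driver == "host" and names:
            findings.append(("high", name,
                             "share the host network namespace: " + ", ".join(names)))
        elif driver == "bridge":
            # The daemon writes these options explicitly only for docker0; a
            # user-defined bridge that omits them uses the same defaults
            # (ICC on, bind on 0.0.0.0), so absence is treated as the default.
            if opts.get(ICC, "true") == "true" and len(names) > 1:
                findings.append(("medium", name,
                                 "unrestricted inter-container traffic between " + ", ".join(names)))
            if opts.get(HOST_BIND, "0.0.0.0") == "0.0.0.0":
                findings.append(("low", name,
                                 "ports published with -p bind on all host interfaces by default"))
        if names and driver != "host" and not net.get("Internal", False):
            findings.append(("info", name, "not --internal: containers can reach outside networks"))
    findings.sort(key=lambda f: SEVERITY[f[0]])  # stable sort keeps input order within a level
    return findings


if __name__ == "__main__":
    for sev, net, msg in audit(SAMPLE):
        print(f"[{sev:6}] {net}: {msg}")
```

For the environment on this page the first finding is the host network with busybox and nginx attached; docker0 follows with ICC on between redhat and redhat7.2. Fixing the medium and low items means creating the bridge with -o com.docker.network.bridge.enable_icc=false and -o com.docker.network.bridge.host_binding_ipv4=127.0.0.1 (or publishing ports with an explicit address), neither of which can be changed on an existing network.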

4.4 Run a busybox container on the none network

The none network type is generally used for testing. A container created with none has only the loopback interface (127.0.0.1), so it cannot reach anything outside itself; this also makes it the right choice for jobs that must have no network access at all.

[root@k8smaster ~]# docker run -it --restart=always --name=busybox-test --network=none hub.c.163.com/library/busybox:latest
/ # ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # exit
Posted 2022-08-30 16:25 by 人生的哲理