034、理解容器之间的连通性(2019-02-21 周四)
1、同一个网桥下的容器可以互通
2、不同网桥下的容器默认不能互通
原因:docker host 上的路由转发(net.ipv4.ip_forward)虽已开启,但 iptables 中的 DOCKER-ISOLATION 规则限制了跨网桥通信
如果想互通,可以把容器再接入另一个网桥,即为其添加一块该网桥的网卡(docker network connect my_net19 busybox01)
root@docker-lab:~# docker network ls # 查看docker默认网络
NETWORK ID NAME DRIVER SCOPE
b41bf72cd691 bridge bridge local
e5cb8d603efd host host local
f9dc6032baba none null local
root@docker-lab:~# docker network inspect bridge # 查看默认bridge详细信息
[
{
"Name": "bridge",
"Id": "b41bf72cd69194546142efd9b9512c4d7b7fe1b66b3ccb7be982f50ad9881010",
"Created": "2018-12-25T01:30:26.203579986+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
root@docker-lab:~# docker network create --driver bridge my_net18 # 创建一个自定义网络 my_net18
b6e24ecfdc6e6a3a5b407ae165677c494712747deb86722bc7a41db3a39a066c
root@docker-lab:~# docker network inspect my_net18 # 查看自定义网络 my_net18 详细信息
[
{
"Name": "my_net18",
"Id": "b6e24ecfdc6e6a3a5b407ae165677c494712747deb86722bc7a41db3a39a066c",
"Created": "2019-02-21T08:56:10.069359561+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16",
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
root@docker-lab:~# docker network create --driver bridge --subnet 172.19.0.0/16 --gateway 172.19.0.1 my_net19 # 创建一个自定义网络 my_net19 ,手工指定 ip段和网关
82cd9f7684d7591638ec6daf26228456b119ca299ef32083f80a3d41d9d95f82
root@docker-lab:~# docker network inspect my_net19 # 查看自定义网络 my_net19 详细信息
[
{
"Name": "my_net19",
"Id": "82cd9f7684d7591638ec6daf26228456b119ca299ef32083f80a3d41d9d95f82",
"Created": "2019-02-21T08:56:54.304316372+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.19.0.0/16",
"Gateway": "172.19.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
root@docker-lab:~# docker network ls # 网络列表中可以看到新创建的两个自定义网络
NETWORK ID NAME DRIVER SCOPE
b41bf72cd691 bridge bridge local
e5cb8d603efd host host local
b6e24ecfdc6e my_net18 bridge local
82cd9f7684d7 my_net19 bridge local
f9dc6032baba none null local
root@docker-lab:~# ip route # docker host 路由表,新建两个自定义网络的路由信息已经生成
default via 122.14.192.1 dev ens4 onlink
10.0.0.0/20 dev ens3 proto kernel scope link src 10.0.11.43
10.0.0.0/8 via 10.0.0.1 dev ens3
122.14.192.0/24 dev ens4 proto kernel scope link src 122.14.192.75
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-b6e24ecfdc6e proto kernel scope link src 172.18.0.1
172.19.0.0/16 dev br-82cd9f7684d7 proto kernel scope link src 172.19.0.1
root@docker-lab:~# sysctl net.ipv4.ip_forward # docker host 上路由转发功能已经开启
net.ipv4.ip_forward = 1
root@docker-lab:~# iptables-save | grep 'docker0' # 查看iptables策略,只允许同一网桥内的容器互相通信,去往其他docker网桥的流量被DROP
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
root@docker-lab:~# iptables-save | grep 'br-82cd9f7684d7' # 查看iptables策略,只允许同一网桥内的容器互相通信,去往其他docker网桥的流量被DROP
-A POSTROUTING -s 172.19.0.0/16 ! -o br-82cd9f7684d7 -j MASQUERADE
-A DOCKER -i br-82cd9f7684d7 -j RETURN
-A FORWARD -o br-82cd9f7684d7 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-82cd9f7684d7 -j DOCKER
-A FORWARD -i br-82cd9f7684d7 ! -o br-82cd9f7684d7 -j ACCEPT
-A FORWARD -i br-82cd9f7684d7 -o br-82cd9f7684d7 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-82cd9f7684d7 ! -o br-82cd9f7684d7 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o br-82cd9f7684d7 -j DROP
root@docker-lab:~# iptables-save | grep 'br-b6e24ecfdc6e' # 查看iptables策略,只允许同一网桥内的容器互相通信,去往其他docker网桥的流量被DROP
-A POSTROUTING -s 172.18.0.0/16 ! -o br-b6e24ecfdc6e -j MASQUERADE
-A DOCKER -i br-b6e24ecfdc6e -j RETURN
-A FORWARD -o br-b6e24ecfdc6e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-b6e24ecfdc6e -j DOCKER
-A FORWARD -i br-b6e24ecfdc6e ! -o br-b6e24ecfdc6e -j ACCEPT
-A FORWARD -i br-b6e24ecfdc6e -o br-b6e24ecfdc6e -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-b6e24ecfdc6e ! -o br-b6e24ecfdc6e -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o br-b6e24ecfdc6e -j DROP
root@docker-lab:~# docker run -it --name busybox01 --network my_net18 busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:12:00:02
inet addr:172.18.0.2 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1016 (1016.0 B) TX bytes:0 (0.0 B)
/ # ping 172.18.0.1
PING 172.18.0.1 (172.18.0.1): 56 data bytes
64 bytes from 172.18.0.1: seq=0 ttl=64 time=0.121 ms
64 bytes from 172.18.0.1: seq=1 ttl=64 time=0.093 ms
^C
--- 172.18.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.093/0.107/0.121 ms
/ # ping 172.18.0.3
PING 172.18.0.3 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.139 ms
64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.099 ms
^C
--- 172.18.0.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.099/0.119/0.139 ms
/ # ping 172.19.0.1
PING 172.19.0.1 (172.19.0.1): 56 data bytes
64 bytes from 172.19.0.1: seq=0 ttl=64 time=0.093 ms
64 bytes from 172.19.0.1: seq=1 ttl=64 time=0.099 ms
^C
--- 172.19.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.093/0.096/0.099 ms
/ # ping 172.19.0.2
PING 172.19.0.2 (172.19.0.2): 56 data bytes
^C
--- 172.19.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
root@docker-lab:~# docker run -it --name busybox02 --network my_net19 busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:13:00:02
inet addr:172.19.0.2 Bcast:172.19.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
root@docker-lab:~# docker run -it --name busybox03 --network bridge busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
root@docker-lab:~# docker run -it --name busybox04 --network my_net18 busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:12:00:03
inet addr:172.18.0.3 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
root@docker-lab:~# docker network connect my_net19 busybox01
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:12:00:02
inet addr:172.18.0.2 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2094 (2.0 KiB) TX bytes:1092 (1.0 KiB)
eth1 Link encap:Ethernet HWaddr 02:42:AC:13:00:03
inet addr:172.19.0.3 Bcast:172.19.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
/ # ping 172.19.0.2
PING 172.19.0.2 (172.19.0.2): 56 data bytes
64 bytes from 172.19.0.2: seq=0 ttl=64 time=0.160 ms
64 bytes from 172.19.0.2: seq=1 ttl=64 time=0.107 ms
^C
--- 172.19.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.107/0.133/0.160 ms
/ #