Docker网络
理解docker0
[root@localhost ~]# ip addr
# 本机回环地址
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e5:08:5c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.128/24 brd 192.168.129.255 scope global noprefixroute dynamic ens33
valid_lft 1357sec preferred_lft 1357sec
inet6 fe80::7e5d:39f7:3d7a:13b3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: bridge0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 02:78:77:86:6c:99 brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:5e:88:8b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:5e:88:8b brd ff:ff:ff:ff:ff:ff
# docker0 地址
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:53:7b:70:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
问题: docker 是如何处理容器网络访问的?
分别有两个容器:tomcat 容器和 mysql 容器,tomcat 里的项目是如何访问 mysql 服务的?
# 测试
# 启动tomcat 容器
[root@localhost ~]# docker run -d -P --name tomcat01 tomcat
# 查看容器内部网络地址 docker exec -it 容器id/容器名 ip addr
[root@localhost ~]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
# 发现docker启动一个容器的时候会得到一个 eth0@if8 ip地址 ,这个地址是docker分配的!
# 在宿主机 linux 上 ping 一下这个容器 ip,发现可以 ping 通 docker 容器内部
[root@localhost ~]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.041 ms
原理
- 我们只要安装了docker,就会有一个网卡docker0;每启动一个docker容器, docker就会给docker容器分配一个ip
# 再次测试 ip addr
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e5:08:5c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.128/24 brd 192.168.129.255 scope global noprefixroute dynamic ens33
valid_lft 1355sec preferred_lft 1355sec
inet6 fe80::7e5d:39f7:3d7a:13b3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: bridge0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 02:78:77:86:6c:99 brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:5e:88:8b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:5e:88:8b brd ff:ff:ff:ff:ff:ff
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:53:7b:70:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:53ff:fe7b:7002/64 scope link
valid_lft forever preferred_lft forever
8: veth8ee6b7e@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether e6:9b:b2:a0:27:ae brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::e49b:b2ff:fea0:27ae/64 scope link
valid_lft forever preferred_lft forever
# 发现多出来一个网卡 --> 8: veth8ee6b7e@if7,这个网卡与 docker 给 tomcat 容器分配的网卡 --> 7: eth0@if8 极其相似(8@if7 与 7@if8 两端编号互相对应)
# 我们再次启动一个容器
[root@localhost ~]# docker run -d -P --name tomcat02 tomcat
7ffaff397ae1ad5ea86265b28796eadacc8814dae08de0c297b844df32dafb0f
# 查看 tomcat02 容器ip
[root@localhost ~]# docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
# 再次查看 linux 中 ip
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:e5:08:5c brd ff:ff:ff:ff:ff:ff
inet 192.168.129.128/24 brd 192.168.129.255 scope global noprefixroute dynamic ens33
valid_lft 1732sec preferred_lft 1732sec
inet6 fe80::7e5d:39f7:3d7a:13b3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: bridge0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 02:78:77:86:6c:99 brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:5e:88:8b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:5e:88:8b brd ff:ff:ff:ff:ff:ff
6: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:53:7b:70:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:53ff:fe7b:7002/64 scope link
valid_lft forever preferred_lft forever
8: veth8ee6b7e@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether e6:9b:b2:a0:27:ae brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::e49b:b2ff:fea0:27ae/64 scope link
valid_lft forever preferred_lft forever
10: veth913a4fc@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 7a:6d:fa:f4:5a:31 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::786d:faff:fef4:5a31/64 scope link
valid_lft forever preferred_lft forever
# 再次测试 发现又多了一对网卡!
我们发现容器带来的网卡都是一对一对的
veth-pair 就是一对虚拟设备接口,它们都是成对出现的:一端连着协议栈,一端彼此相连
正因为有这个特性,veth-pair 充当一个桥梁,连接各种虚拟网络设备
OpenStack、Docker 容器之间的连接,OVS 的连接,都是用的 veth-pair 技术
测试下 tomcat02 和 tomcat01 是否可以 ping 通!
[root@localhost ~]# docker exec -it tomcat02 ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.156 ms
# 结论: 同一个 docker0 网桥下的容器之间是可以互相 ping 通的
# docker 中所有的网络接口都是虚拟的,虚拟接口的转发效率高!
# 容器一旦停止,对应的那一对 veth 网卡就没有了(docker0 网桥本身仍然存在)
--link
思考一个场景:我们编写了一个微服务,在项目不重启的情况下 ip 换掉了,我们怎么处理这个问题?如果可以通过名字访问服务,ip 变化就不影响调用 ---> 实现高可用
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7ffaff397ae1 tomcat "catalina.sh run" About an hour ago Up About an hour 0.0.0.0:32769->8080/tcp tomcat02
17465fe4ff5f tomcat "catalina.sh run" About an hour ago Up 9 seconds 0.0.0.0:32770->8080/tcp tomcat01
# tomcat02 ping tomcat01 发现 ping 不通
[root@localhost ~]# docker exec -it tomcat02 ping tomcat01
ping: tomcat01: Temporary failure in name resolution
# 如何解决?
# 再次启动一个tomcat03 使用--link 指定tomcat02
[root@localhost ~]# docker run -d -P --name tomcat03 --link tomcat02 tomcat
b8302b88ece2db2d116ef48f066495dfac2249e024f82e5262551dc75beadafd
# 发现 tomcat03 可以 ping 通 tomcat02
[root@localhost ~]# docker exec -it tomcat03 ping tomcat02
PING tomcat02 (172.17.0.3) 56(84) bytes of data.
64 bytes from tomcat02 (172.17.0.3): icmp_seq=1 ttl=64 time=0.140 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=2 ttl=64 time=0.156 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=3 ttl=64 time=0.061 ms
# 但是 tomcat02 不可以 ping 通 tomcat03(--link 是单向的,只在 tomcat03 这一侧写入了映射)
[root@localhost ~]# docker exec -it tomcat02 ping tomcat03
ping: tomcat03: Temporary failure in name resolution
################################ 探究 ##############################################
# 查看tomcat03的 /etc/hosts 文件, 发现了 tomcat02 的映射
[root@localhost ~]# docker exec -it tomcat03 cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 tomcat02 7ffaff397ae1
172.17.0.4 b8302b88ece2
# tomcat02 的 /etc/hosts 文件中 没有tomcat03的映射
[root@localhost ~]# docker exec -it tomcat02 cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 7ffaff397ae1
现在 docker 已不推荐使用 --link 的方式了(属于遗留特性,且只是单向写 /etc/hosts)
应使用自定义网络,不使用 docker0!
docker0 的问题:它不支持通过容器名连接(默认 bridge 网络没有容器名的 DNS 解析)
自定义网络
[root@localhost ~]# docker network --help
Usage: docker network COMMAND
Manage networks
Commands:
connect Connect a container to a network
create Create a network
disconnect Disconnect a container from a network
inspect Display detailed information on one or more networks
ls List networks
prune Remove all unused networks
rm Remove one or more networks
# 查看docker网络
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4dfeab10f9bd bridge bridge local
3544ab1c8265 host host local
ba0aafb19089 none null local
网络模式
bridge: 桥接 docker(默认)
none: 不配置网络
host: 和宿主机共享网络
container: 与指定容器共享网络栈(用得少!局限性很大)
测试
# 我们直接启动的命令 docker run -d -P --name tomcat01 tomcat 默认加了--net bridge,而这个--net bridge就是我们的docker0
docker run -d -P --name tomcat01 tomcat
docker run -d -P --name tomcat01 --net bridge tomcat
# docker0 特点:是默认网络;不能通过容器名访问,需要 --link 才能打通名字连接
# 我们自定义一个网络
--driver bridge 桥接
--subnet 192.168.0.0/16 子网地址(注意:本例的 192.168.0.0/16 与宿主机 ens33 所在的 192.168.129.0/24 以及 virbr0 的 192.168.122.0/24 重叠,容器访问这些网段时会产生路由冲突;实际使用应选择与宿主机和局域网都不冲突的网段)
--gateway 192.168.0.1 网关
[root@localhost ~]# docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
b82de0e455b464239dd2cd70c0c409aee43cc3b6c5015b00d77e9ab2c4ce708e
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
4dfeab10f9bd bridge bridge local
3544ab1c8265 host host local
b82de0e455b4 mynet bridge local
ba0aafb19089 none null local
# 查看我们的自定义网络信息
[root@localhost ~]# docker network inspect mynet
[
{
"Name": "mynet",
"Id": "b82de0e455b464239dd2cd70c0c409aee43cc3b6c5015b00d77e9ab2c4ce708e",
"Created": "2020-08-16T13:54:31.417280908+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
# 启动tomcat容器 走我们自定义的网络
[root@localhost ~]# docker run -d -P --name tomcat-net-01 --net mynet tomcat
b98cc4bf86e029feb61fbc1f73bb48760635d26238c79a50bb817a65689742a6
[root@localhost ~]# docker run -d -P --name tomcat-net-02 --net mynet tomcat
8536a22077f7f4676ff63ff7f6b60dbe86eac1fd51051725612a448de3886b84
[root@localhost ~]# docker exec -it tomcat-net-01 ping tomcat-net-02
PING tomcat-net-02 (192.168.0.3) 56(84) bytes of data.
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=2 ttl=64 time=0.161 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=3 ttl=64 time=0.055 ms
# 发现 tomcat-net-01 和 tomcat-net-02 容器 网络是互通的
# 再次查看 我们的自定义网络 mynet, 发现 Containers 里已经有了两个容器
[root@localhost ~]# docker network inspect mynet
[
{
"Name": "mynet",
"Id": "b82de0e455b464239dd2cd70c0c409aee43cc3b6c5015b00d77e9ab2c4ce708e",
"Created": "2020-08-16T13:54:31.417280908+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"8536a22077f7f4676ff63ff7f6b60dbe86eac1fd51051725612a448de3886b84": {
"Name": "tomcat-net-02",
"EndpointID": "59b045316d51b615e31c6ef2473c4cbd85da8da4a42619b25a14ddb431d20fd7",
"MacAddress": "02:42:c0:a8:00:03",
"IPv4Address": "192.168.0.3/16",
"IPv6Address": ""
},
"b98cc4bf86e029feb61fbc1f73bb48760635d26238c79a50bb817a65689742a6": {
"Name": "tomcat-net-01",
"EndpointID": "1778ebe20410bcedc65414b8b991624fe835843e378b2e19ada8a2394ba5eb47",
"MacAddress": "02:42:c0:a8:00:02",
"IPv4Address": "192.168.0.2/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
我们自定义的网络,docker 已经帮我们维护好了容器名到 ip 的对应关系,推荐平时使用自定义网络!
好处:
1. redis ---> 不同的集群使用不同的网络,集群之间在网络层相互隔离,保证集群是安全和健康的
网络连通
我们自定义的网络,各个网络之间默认是不通的
tomcat 镜像启动使用的是 net01 网络,mysql 镜像使用的是 net02 网络,这两个容器之间的网络是不通的,如何打通呢?
# 查看network的帮助命令
[root@localhost ~]# docker network --help
Usage: docker network COMMAND
Manage networks
Commands:
connect Connect a container to a network # 连接一个容器到一个网络
create Create a network # 创建一个网络
disconnect Disconnect a container from a network # 断开一个容器与一个网络的连接
inspect Display detailed information on one or more networks
ls List networks
prune Remove all unused networks
rm Remove one or more networks
Run 'docker network COMMAND --help' for more information on a command.
# 查看network connect的帮助命令
[root@localhost ~]# docker network connect --help
Usage: docker network connect [OPTIONS] NETWORK CONTAINER
Connect a container to a network
Options:
--alias strings Add network-scoped alias for the container
--driver-opt strings driver options for the network
--ip string IPv4 address (e.g., 172.30.100.104)
--ip6 string IPv6 address (e.g., 2001:db8::33)
--link list Add link to another container
--link-local-ip strings Add a link-local address for the container
# 测试
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f5a5a058908c tomcat "catalina.sh run" 3 seconds ago Up 2 seconds 0.0.0.0:32775->8080/tcp tomcat-03
72ffc620842e tomcat "catalina.sh run" 7 seconds ago Up 6 seconds 0.0.0.0:32774->8080/tcp tomcat-01
8536a22077f7 tomcat "catalina.sh run" 52 minutes ago Up 52 minutes 0.0.0.0:32773->8080/tcp tomcat-net-02
b98cc4bf86e0 tomcat "catalina.sh run" 52 minutes ago Up 52 minutes 0.0.0.0:32772->8080/tcp tomcat-net-01
# 打通tomcat-01 ---- mynet
[root@localhost ~]# docker network connect mynet tomcat-01
# 打通后,使用 tomcat-01 ping mynet 下的 tomcat-net-01,发现可以 ping 通(tomcat-01 此时同时属于 bridge 和 mynet 两个网络,在 mynet 中分到了 192.168.0.4)
[root@localhost ~]# docker exec -it tomcat-01 ping tomcat-net-01
PING tomcat-net-01 (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.165 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.053 ms
# 查看 mynet 网络信息 容器内多了 tomcat-01
[root@localhost ~]# docker network inspect mynet
[
{
"Name": "mynet",
"Id": "b82de0e455b464239dd2cd70c0c409aee43cc3b6c5015b00d77e9ab2c4ce708e",
"Created": "2020-08-16T13:54:31.417280908+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"72ffc620842e842ef2f59161f9c66a2c4c27c49a5cf5bbe20634eb34e2dff651": {
"Name": "tomcat-01",
"EndpointID": "d2f3c68a0b2b75d5a7b36fc738450f9069cc27b602a3dcdb648618f87b645762",
"MacAddress": "02:42:c0:a8:00:04",
"IPv4Address": "192.168.0.4/16",
"IPv6Address": ""
},
"8536a22077f7f4676ff63ff7f6b60dbe86eac1fd51051725612a448de3886b84": {
"Name": "tomcat-net-02",
"EndpointID": "59b045316d51b615e31c6ef2473c4cbd85da8da4a42619b25a14ddb431d20fd7",
"MacAddress": "02:42:c0:a8:00:03",
"IPv4Address": "192.168.0.3/16",
"IPv6Address": ""
},
"b98cc4bf86e029feb61fbc1f73bb48760635d26238c79a50bb817a65689742a6": {
"Name": "tomcat-net-01",
"EndpointID": "1778ebe20410bcedc65414b8b991624fe835843e378b2e19ada8a2394ba5eb47",
"MacAddress": "02:42:c0:a8:00:02",
"IPv4Address": "192.168.0.2/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
结论:如果要跨网络访问其他容器,就需要使用 docker network connect 把容器连到对方所在的网络(一个容器可以同时连接多个网络,每个网络各分配一个 ip)!