码迷,mamicode.com
首页 > 其他好文 > 详细

Docker-04-docker单机网络详解

时间:2019-03-31 12:16:05      阅读:138      评论:0      收藏:0      [点我收藏+]

标签:完全   val   show命令   mes   done   glob   运行   网络模式   内容   

一、docker的网络模式概述

1.1 单机模式

  • bridge

默认模式,此模式会为每一个容器分配、设置IP等,并将容器连接到一个docker0虚拟网桥,通过docker0网桥以及Iptables nat表配置与宿主机通信。

  • host

容器将不会虚拟出自己的网卡,配置自己的IP等,而是使用宿主机的IP和端口。

  • none

该模式关闭了容器的网络功能。

1.2 多机模式

  • overlay

2、Linux网络命名空间

2.1 查看namespace之间的隔离性

  • 第一步:运行一个busybox
docker run -d --name test1 busybox /bin/sh -c "while true;do sleep 3600;done"
  • 第二步:进入生成的容器
[root@docker01 ~]# docker exec -it test1 /bin/sh
/ #
  • 第三步:通过`ip a`命名查看容器和宿主机的网络命名空间,可以发现容器的网络namespace和主机是隔离的
#查看容器的网络namespace
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
#查看宿主机的网络namespace
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
  • 第四步:再生成另外一个容器,并查看两个容器的网络namespace。通过在两个容器中互ping,发现两个容器的网络namespace是可以互相连通的。
[root@docker01 ~]# docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done"
e8a75ef22834a402a3a0f71460f8551a658a7bacd364937de9358d35abe960cb
[root@docker01 ~]# sudo docker exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@docker01 ~]# sudo docker exec test2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

2.2 Linux网络namepace原理实验

实验:在两个namespace上面创建veth接口,并使两个namespace相通!

技术图片

在做实验之间,先来想象一下两台电脑如果需要连通所需的条件:

  1. 两台电脑都需要一个网口
  2. 两个网口之间需要连接一根网线
  3. 两台电脑需要配置一个同网段的地址

满足上述三个要求,那么两个主机就能实现网络互联。Linux网络namespace采用veth pair技术,过程基本一致,下面就来做下实验。

2.2.1 网络namspace的基本用法

实验之前先来看看基本的命令和用法:

  • 查看linxu主机的network namespace
[root@docker01 ~]# ip netns list
  • 创建network namespace
[root@docker01 ~]# ip netns add test1
[root@docker01 ~]# ip netns add test2
[root@docker01 ~]# ip netns list
test2
test1
  • 查看network namespace里面的ip地址
#可以看到一个新的network namespace里面只有一个回环口,并没有分配ip地址;并且状态为DOWN
[root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  • 启动namespace里面的网卡,例如lo
[root@docker01 ~]# ip netns exec test1 ip link set dev lo up
[root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

2.2.2 实验过程

  • 第一步:在主机上添加一对link  veth-test1veth-test2,创建完成后状态为DOWN。(这一步联想做两个网卡,并用网线将两个网卡互连)
[root@docker01 ~]# ip link add veth-test1 type veth peer name veth-test2
[root@docker01 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT 
    link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
18: veth-test2@veth-test1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff
19: veth-test1@veth-test2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff
  • 第二步:为network namespace test1添加link veth-test1(这一步骤连想将一端网卡差到第一台电脑)

添加前test1里面只有一个lo口,并且为DOWN状态

#将test1添加到veth-test1里面
[root@docker01 ~]# ip link set veth-test1 netns test1

#查看test1的ip地址
root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
19: veth-test1@if18: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff link-netnsid 0

#并且发现本地的19口已经没有了(添加到了test1里面)
[root@docker01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::acb3:faff:fe8f:90b5/64 scope link 
       valid_lft forever preferred_lft forever
18: veth-test2@if19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
  • 第三步:将network namespace test2添加link veth-test2(这一步骤连想将一端网卡差到第二台电脑)

添加前test2里面只有一个lo口,并且为DOWN状态

#将veth-test2添加到test2里
[root@docker01 ~]# ip link set veth-test2 netns test2

#查看添加之后test2包含的ip
[root@docker01 ~]# ip netns exec test2 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
18: veth-test2@if19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0

#再次查看主机ip,发现本地的18口也没有了
[root@docker01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::acb3:faff:fe8f:90b5/64 scope link 
       valid_lft forever preferred_lft forever
  • 第四步:分别给test1和test2分配IP地址
[root@docker01 ~]# ip netns exec test1 ip addr add 10.0.0.1/24 dev veth-test1
[root@docker01 ~]# ip netns exec test2 ip addr add 10.0.0.2/24 dev veth-test2
  • 第五步:分别启动两个namespace的veth网卡
[root@docker01 ~]# ip netns exec test1 ip link set dev veth-test1 up
[root@docker01 ~]# ip netns exec test2 ip link set dev veth-test2 up
  • 第六步:查看两个namespace的ip地址
[root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
19: veth-test1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 10.0.0.1/24 scope global veth-test1
       valid_lft forever preferred_lft forever
    inet6 fe80::f827:f5ff:fe29:950b/64 scope link 
       valid_lft forever preferred_lft forever
[root@docker01 ~]# ip netns exec test2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
18: veth-test2@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.0.1/24 scope global veth-test2
       valid_lft forever preferred_lft forever
    inet6 fe80::34ad:7cff:fef7:32e7/64 scope link 
       valid_lft forever preferred_lft forever
  • 两个NameSpace互ping,能ping通则说明实验成功!!
[root@docker01 ~]# ip netns exec test1 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.109 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.109/0.115/0.121/0.006 ms
[root@docker01 ~]# ip netns exec test2 ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.106 ms
^C
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.079/0.092/0.106/0.016 ms

 Linux的网络namespace原理基本如上,docker容器的网络也类似于此!!

三、Docker Bridge网络

3.1 docker network命令

  • 查看docker主机的网络模式
[root@docker01 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
afba28b63ba9        bridge              bridge              local
d12ebb4b73d8        host                host                local
c2fb11041077        none                null                local
  • 查看network的详细信息

在输出结果中可以看到有一项为container,并且有test1这个容器的信息,说明test1的网络加入到了这个bridge

[root@docker01 ~]# docker network inspect afba28b63ba9
[
    {
        "Name": "bridge",
        "Id": "afba28b63ba9369a0068985cc75f93c309c3e802bee19ad616d2961f45df310a",
        "Created": "2019-03-30T10:45:07.636737489+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8e8f15985b86f0d0811332bd5d963342e8d1f3e9a060de55237db9a3e084b0a6": {
                "Name": "test1",
                "EndpointID": "47e99078d905b7c11fe0b4cd6279470746f4c0d85fcec8a6e40d536987163ddb",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

3.2 容器网络通信原理

3.2.1 容器之间互相访问原理

容器首先都连接到docekr0设备,然后实现网络的互通!

技术图片

3.2.2 实验过程

首先,我们通过ip a命令来看宿主机的网络namespace,除了lo网卡和eth0网卡外,还有另外两个网卡!

  • docker0:本机桥接网络的一个network namespace,即上图的docker0设备
  • veth9b0a4fb@if14:负责连到docker0上面的veth pair的一个端口,另一端连接到容器上!
[root@docker01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
  • 第二步:查看test1容器的网络

发现有一个eth0@if15的网卡设备,这个设备和宿主机的veth9b0a4fb@if14是一对!

[root@docker01 ~]# docker exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
  • 第三步:验证veth9b0a4fb是连接到docker0上面的:
#安装bridge-utils工具
[root@docker01 ~]# yum -y install bridge-utils

#使用brctl show命令来验证interface
[root@docker01 ~]# brctl show
bridge name    bridge id        STP enabled    interfaces
docker0        8000.0242cca53e94    no        veth9b0a4fb

此外,还可以再添加一个容器来验证此结果! 

3.2.2 容器访问外网原理

首先,容器通过veth pari连接到docker0,然后docker0通过NAT技术实现外网的访问!

NAT是通过防火墙实现!!

技术图片

3.3 管理bridge网络

  • 通过network create创建一个bridge网络
#通过docker network命令创建一个bridge网络
[root@docker01 ~]# docker network create -d bridge my-bridge

#查看本机网络详情
[root@docker01 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
afba28b63ba9        bridge              bridge              local
d12ebb4b73d8        host                host                local
b18aced3f3e8        my-bridge           bridge              local
c2fb11041077        none                null                local

#查看本地的网卡依赖关系
[root@docker01 ~]# brctl show
bridge name    bridge id        STP enabled    interfaces
br-b18aced3f3e8        8000.024297dc79ce    no        
docker0        8000.0242cca53e94    no        veth9b0a4fb
  • 在创建network时,指定网关等详细信息
#创建一个指定网段的网络
docker network create --driver bridge --subnet 172.22.16.0/24 --gateway 172.22.16.1 my-test
  • 删除一个存在的网络
#删除一个自定义的网络,删除前应该先移除该网络上的所有容器
docker network rm my-test
  • 创建容器时,通过--network参数将容器加入到新建的网络
[root@docker01 ~]# docker run -d --name test3 --network my-bridge busybox /bin/sh -c "while true;do sleep 3600;done"
d0d8d5b85eedde27d771976693fccf099010a64d9e28d630059bde3764549f82
  • 已存在容器通过connect连接到新建网络
[root@docker01 ~]# docker network connect my-bridge test1
[root@docker01 ~]# brctl show
bridge name    bridge id        STP enabled    interfaces
br-b18aced3f3e8        8000.024297dc79ce    no        veth11267b8
                            veth2cbc898
docker0        8000.0242cca53e94    no        veth9b0a4fb
  • 将容器从网络里移除
[root@docker01 ~]# docker network disconnect my-bridge test1

注:1、连接到docker0上面的容器无法互相ping通主机名;

        2、连接到自定义的网络里面的容器可以ping通主机名,因为连接的时候默认会做--link的操作

 三、None和Host网络

3.1 Docker None网络

加入到None网络的容器的网络namespace是孤立的,只能通过exec连接容器,一般不会使用。

验证过程:

  • 第一步:创建一个容器,并将其加入到None网络中
[root@docker01 ~]# docker run -d --name test4 --network none busybox /bin/sh -c "while true;do sleep 3600;done"
cc801ac03ff8ccf81ed6c168dda6a39a217066c37356792c0f5ddd1334852b40
  • 第二步:查看None网络的详细信息,发现新建的容器并没有ip地址和mac地址等内容
[root@docker01 ~]# docker network inspect none
[
    {
        "Name": "none",
        "Id": "c2fb11041077b5d87b48aa97b90983beadb78b7931e121ff4af592cc4bf737f9",
        "Created": "2019-03-30T10:45:07.569241552+08:00",
        "Scope": "local",
        "Driver": "null",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "cc801ac03ff8ccf81ed6c168dda6a39a217066c37356792c0f5ddd1334852b40": {
                "Name": "test4",
                "EndpointID": "0c4ba07e746316b4b633b139b3ec1cf42a92297776214d25b2609d331e1356ad",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
  • 第三步:进入新建的容器里,发现也没有任何的网络信息
[root@docker01 ~]# docker exec -it test4 /bin/sh
/ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
/ #

3.2 Docker Host网络

在host网络模式下,docker容器没有独立的网络namespace,而是和宿主机共用一套namespace,此种网络模式也很少用。

验证过程:

  • 第一步:创建一个容器,并指定其网络模式为Host
[root@docker01 ~]# docker run -d --name test5 --network host busybox /bin/sh -c "while true;do sleep 3600;done"
62bba657c8ac97a27314c3a492fcf2e1d4faff6c3adec331ebf37ebbf25509c1
  • 第二步:查看主机网络信息
[root@docker01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
  • 第三步:进入容器,查看容器网络信息。(可以发现两者完全一致)
[root@docker01 ~]# docker exec -it test5 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever

单机容器网路介绍到此结束!

Docker-04-docker单机网络详解

标签:完全   val   show命令   mes   done   glob   运行   网络模式   内容   

原文地址:https://www.cnblogs.com/liuguangjiji/p/10627382.html
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!