Docker第四回（容器虚拟化网络）

时间：2019-10-04 19:24:59 阅读：118 评论：0 收藏：0 [点我收藏+]

标签：dockerd 发送 def std nss from 交互模式规则 write

一、docker网络简介

网络作为docker容器化实现的6个名称空间的其中之一，是必不可少的。其在Linux内核2.6时已经被加载进内核支持了。网络名称空间主要用于实现网络设备和协议栈的隔离，列如；一个docker host有4块网卡，在创建容器的时候，将其中一块网卡分配给该名称空间，那么其他名称空间是看不到这块网卡的。且：一个设备只能属于一个名称空间。因为一个名称空间绑定一个物理网卡和外界通信，且一个物理网卡不能分配多个名称空间，这使得我们只能创建4个名称空间。如果要创建的名称空间多于我们的物理网卡数量，那该怎么办呢？

1、虚拟网络通信的三种方式

1.1、桥接网络：在kvm的虚拟网络中，我们使用的是虚拟网卡设备（用纯软件的方式来模拟一组设备来使用），而在docker中，也不例外。在Linux内核级，支持两种级别设备的模拟，分别是2层设备（工作在链路层能实现封装物理报文并在各网络设备中报文转发的组件）；而这个功能，是可以在Linux上利用内核中对二层虚拟设备的支持创建虚拟网卡接口的。而且，这种虚拟网卡接口非常独特，每一个网络接口设备是成对出现的，可以模拟一根网线的两端，其中，一端可以插在主机上，另一端可以插在交换机上。这就相当于让一个主机连接到一个交换机上了。而Linux内核原生支持二层虚拟网桥设备（用软件来构建一个交换机）。例如；我有两个名称空间，都分别使用虚拟网络创建一对网络接口，一头插在名称空间上，另一头插在虚拟网桥设备上，并且两个名称空间配置在同一个网段上，这样就实现了容器间的通信，但是这种桥接方式，如果用在有N多个容器的网络中，由于所有容器全部是桥接在同一块虚拟网桥设备上，会产生广播风暴，在隔离上也是极为不易的，因此在规模容器的场景中，使用桥接这种方式无疑是自讨苦吃，否则都不应该直接桥接的。

1.2、nat网络：如果不桥接，又能与外部通信，用的是nat技术。NAT（network address transfer）网络地址转换，就是替换IP报文头部的地址信息，通过将内部网络IP地址替换为出口的IP地址提供不同网段的通信。比如：两个容器都配置了不同的私网地址，并且为容器配置了虚拟网桥（虚拟交换机），把容器1的网关指向虚拟网桥的IP地址，而后在docker host上打开核心转发功能，这时，当容器1与容器2通信时，报文先送给各自的虚拟网桥经由内核，内核判定目的IP不是自己，会查询路由表，而后将报文送给对应的网卡，物理网卡收到报文之后报文的原地址替换成自己的IP（这个操作称为snat），再将报文发送给容器2的物理网卡，物理网卡收到报文后，会将报文的原IP替换为自己的IP（这个操作称作dnat）发送给虚拟交换机，最后在发送给容器2。容器2收到报文之后，同样的也要经过相同的操作，将回复报文经过改写原ip地址的操作（snat和dnat）送达给容器1的物理网卡，物理网卡收到报文之后在将报文转发给虚拟网桥送给容器1。在这种网络中，如果要跨物理主机，让两个容器通信，必须经过两次nat（snat和dnat），造成了通信效率的低下。在多容器的场景中也不适合。

1.3、Overlay Network

叠加网络，在这种网络中，不同主机的容器通信会借助于一个虚拟网桥，让当前主机的各个容器连接到这个虚拟网桥上来，随后，他们通信时，借助物理网络，来完成报文的隧道转发，从而可以实现容器可以直接看到不同主机的其他容器，进而互相通信。例如；容器1要和其他host上的容器2通信，容器1会把报文发送给虚拟网桥，虚拟网桥发现目的IP不在本地物理服务器上，于是这个报文会从物理网卡发送出去，在发出去之前不在做snat，而是在添加一层IP报头，原地址是容器1的物理网卡地址，目的地址是容器2所在主机的物理网卡地址。报文到达主机，主机拆完第一层数据报文，发现还有一层报头，并且IP地址是当前主机的容器地址，进而将报文发送给虚拟网桥，最后在发送给容器2。这种用一个IP来承载另外一个IP的方式叫做隧道。

2、docker支持的四种网络模型

2.1、Closed container：只有loop接口，就是null类型

2.2、Bridged container A：桥接式类型，容器网络接入到docker0网络上

2.3、joined container A：联盟式网络，让两个容器有一部分名称空间隔离（User、Mount、Pid），这样两个容器间就拥有同一个网络接口，网络协议栈

2.4、Open container：开放式网络：直接共享物理机的三个名称空间（UTS、IPC、Net），世界使用物理主机的网卡通信，赋予容器管理物理主机网络的特权

二、Docker网络的指定

1、bridge网络（NAT）

docker在安装完以后自动提供了3种网络，默认使用bridge（nat桥接）网络，如果启动容器时，不指定--network=string，就是用的bridge网络，使用docker network ls可以看到这三种网络类型

[root@bogon ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
ea9de27d788c        bridge              bridge              local
126249d6b177        host                host                local
4ad67e37d383        none                null                local

docker在安装完成后，会自动在本机创建一个软交换机（docker0），可以扮演二层的交换机设备，也可以扮演二层的网卡设备

[root@bogon ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:2f:51:41:2d  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

当我们在创建容器时，docker会通过软件自动创建2个虚拟的网卡，一端接在容器上，另一端接在docker0交换机上，从而使得容器就好像连接在了交换机上。

这是我还没有启动容器之前本地host的网络信息

[root@bogon ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:2fff:fe51:412d  prefixlen 64  scopeid 0x20<link>
        ether 02:42:2f:51:41:2d  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 1758 (1.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.186  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::a3fa:7451:4298:fe76  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:f6:a1  txqueuelen 1000  (Ethernet)
        RX packets 2951  bytes 188252 (183.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 295  bytes 36370 (35.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 96  bytes 10896 (10.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 96  bytes 10896 (10.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:1a:be:ae  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@bogon ~]# 
[root@bogon ~]# 
[root@bogon ~]#

下面我启动两个容器，查看网络信息的变化，可以看到多出来两个vethf的虚拟网卡

这就是docker为容器启动创建的一对虚拟网卡中的一半

[root@bogon ~]# docker container run --name=nginx1 -d nginx:stable
11b031f93d019640b1cd636a48fb9448ed0a7fc6103aa509cd053cbbf8605e6e
[root@bogon ~]# docker container run --name=redis1 -d redis:4-alpine
fca571d7225f6ce94ccf6aa0d832bad9b8264624e41cdf9b18a4a8f72c9a0d33
[root@bogon ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:2fff:fe51:412d  prefixlen 64  scopeid 0x20<link>
        ether 02:42:2f:51:41:2d  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 1758 (1.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.186  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::a3fa:7451:4298:fe76  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:f6:a1  txqueuelen 1000  (Ethernet)
        RX packets 2951  bytes 188252 (183.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 295  bytes 36370 (35.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 96  bytes 10896 (10.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 96  bytes 10896 (10.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        
veth0a95d3a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::cc12:e7ff:fe27:2c7f  prefixlen 64  scopeid 0x20<link>
        ether ce:12:e7:27:2c:7f  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vethf618ec3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::882a:aeff:fe73:f6df  prefixlen 64  scopeid 0x20<link>
        ether 8a:2a:ae:73:f6:df  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 2406 (2.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:1a:be:ae  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@bogon ~]# 
[root@bogon ~]#

另一半在容器中

[root@bogon ~]# docker container ls
CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS               NAMES
fca571d7225f        redis:4-alpine      "docker-entrypoint.s??   About a minute ago   Up About a minute   6379/tcp            redis1
11b031f93d01        nginx:stable        "nginx -g ‘daemon of??   10 minutes ago       Up 10 minutes       80/tcp              nginx1

并且他们都被关联到了docker0虚拟交换机中，可以使用brctl和ip link show查看到

[root@bogon ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.02422f51412d	no		veth0a95d3a
							vethf618ec3

[root@bogon ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:fb:f6:a1 brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:1a:be:ae brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:1a:be:ae brd ff:ff:ff:ff:ff:ff
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:2f:51:41:2d brd ff:ff:ff:ff:ff:ff
7: vethf618ec3@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether 8a:2a:ae:73:f6:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: veth0a95d3a@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether ce:12:e7:27:2c:7f brd ff:ff:ff:ff:ff:ff link-netnsid 1

可以看到，vethf虚拟网卡后面还有一半“@if6和@if8”，这两个就是在容器中的虚拟网卡

bridge0是一个nat桥，因此docker在启动容器后，还会自动为容器生成一个iptables规则

[root@bogon ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 43 packets, 3185 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   53  4066 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   53  4066 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   53  4066 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3 packets, 474 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   24  2277 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 3 packets, 474 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    2   267 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
   22  2010 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   22  2010 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   22  2010 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   12   953 POST_public  all  --  *      ens33   0.0.0.0/0            0.0.0.0/0           [goto] 
   10  1057 POST_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  2010 POST_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   22  2010 POST_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   22  2010 POST_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   53  4066 PRE_public  all  --  ens33  *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 PRE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   53  4066 PRE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   53  4066 PRE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   53  4066 PRE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

其中在POSTROUTING的chain上，有一个“MASQUERADE”从任何地址进入，只要不从docker0出去，原地址是172.17网段，到任何地址去的数据，都将被地址转换，snat

上面提到过，当docker使用nat网络时，仅仅只有当前docker host和当前docker host上的容器之间可以互相访问，那么不同主机的容器要进行通信，就必须要进行dnat（端口映射的方式），且同一个端口只能映射一个服务，那么在这个docker host中如果有多个web服务，就只能映射到一个80端口，其他的web服务就只能改默认端口，这也为我们带来了很大的局限性。

1.1、使用ip命令操作net名称空间

由于docker的Net、UTS以及IPC是可以被容器共享的，所以能够构建出一个此前在KVM的虚拟化网络中所谓的隔离式网络、桥接式网络、NET式网络、物理桥式网络初次之外所不具有的特殊网络模型，我们可以用ip命令手动去操作网络名称空间的，ip命令所能操作的众多对象当中包括netns

查询是否安装ip命令

[root@bogon ~]# rpm -q iproute
iproute-4.11.0-14.el7.x86_64

创建net名称空间

[root@bogon ~]# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id
[root@bogon ~]# ip netns add ns1
[root@bogon ~]# ip netns add ns2

如果没有单独为netns创建网卡接口的话，那么默认就只有一个loop网卡

[root@bogon ~]# ip netns exec ns1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@bogon ~]# ip netns exec ns2 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

创建网卡接口对并放入net名称空间

[root@bogon ~]# ip link add name veth1.1 type veth peer name veth1.2
[root@bogon ~]# ip link show
...
...
7: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 06:9d:b4:1f:96:88 brd ff:ff:ff:ff:ff:ff
8: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 22:ac:45:de:61:5d brd ff:ff:ff:ff:ff:ff

[root@bogon ~]# ip netns exec ns1 ip link set dev veth1.1 name eth0
[root@bogon ~]# ip netns exec ns2 ip link set dev veth1.2 name eth0
[root@bogon ~]# ip netns exec ns1 ifconfig eth0 10.10.1.1/24 up
[root@bogon ~]# ip netns exec ns2 ifconfig eth0 10.10.1.2/24 up
[root@bogon ~]# ip netns exec ns1 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.1.1  netmask 255.255.255.0  broadcast 10.10.1.255
        inet6 fe80::20ac:45ff:fede:615d  prefixlen 64  scopeid 0x20<link>
        ether 22:ac:45:de:61:5d  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@bogon ~]# ip netns exec ns2 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.1.2  netmask 255.255.255.0  broadcast 10.10.1.255
        inet6 fe80::49d:b4ff:fe1f:9688  prefixlen 64  scopeid 0x20<link>
        ether 06:9d:b4:1f:96:88  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@bogon ~]# ip netns exec ns1 ping 10.10.1.2
PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
64 bytes from 10.10.1.2: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 10.10.1.2: icmp_seq=2 ttl=64 time=0.076 ms

这样就完成了ip命令创建netns并设置网卡接口的配置

2、Host网络

重新启动一个容器，指定--network为host网络

[root@bogon ~]# docker container run --name=myhttpd --network=host -d httpd:1.1
17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769
[root@bogon ~]#
[root@bogon ~]# ip netns list
ns2
ns1

使用交互模式连接到容器内部，查看网络信息

可以看到，这个容器使用的网络和物理主机的一模一样。注意：在这个容器内部更改网络信息，就和改物理主机的网络信息是同等的。

[root@bogon ~]# docker container exec -it myhttpd /bin/sh
sh-4.1# 
sh-4.1# ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:2F:51:41:2D  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:2fff:fe51:412d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:1758 (1.7 KiB)

ens33     Link encap:Ethernet  HWaddr 00:0C:29:FB:F6:A1  
          inet addr:192.168.31.186  Bcast:192.168.31.255  Mask:255.255.255.0
          inet6 addr: fe80::a3fa:7451:4298:fe76/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30112 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2431 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1927060 (1.8 MiB)  TX bytes:299534 (292.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:96 errors:0 dropped:0 overruns:0 frame:0
          TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10896 (10.6 KiB)  TX bytes:10896 (10.6 KiB)

veth0a95d3a Link encap:Ethernet  HWaddr CE:12:E7:27:2C:7F  
          inet6 addr: fe80::cc12:e7ff:fe27:2c7f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:648 (648.0 b)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:1A:BE:AE  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sh-4.1# ping www.baidu.com
PING www.a.shifen.com (61.135.169.125) 56(84) bytes of data.
64 bytes from 61.135.169.125: icmp_seq=1 ttl=46 time=6.19 ms
64 bytes from 61.135.169.125: icmp_seq=2 ttl=46 time=6.17 ms
64 bytes from 61.135.169.125: icmp_seq=3 ttl=46 time=6.11 ms

使用inspect也可以看到该容器的网络信息使用的是host

sh-4.1# exit
exit
[root@bogon ~]# docker container inspect myhttpd
[
    {
        "Id": "17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769",
        "Created": "2018-11-03T13:29:08.34016135Z",
        "Path": "/usr/sbin/apachectl",
        "Args": [
            " -D",
            "FOREGROUND"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 4015,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2018-11-03T13:29:08.528631643Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:bbffcf779dd42e070d52a4661dcd3eaba2bed898bed8bbfe41768506f063ad32",
        "ResolvConfPath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/hostname",
        "HostsPath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/hosts",
        "LogPath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769-json.log",
        "Name": "/myhttpd",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": null,
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "host",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "shareable",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/asound",
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/75fab11f1bf93cae37d9725ee9cbd167a0323379f383013241457220d62159fa-init/diff:/var/lib/docker/overlay2/619fd02d3390a6299f2bb3150762a765dd68bada7f432037769778a183d94817/diff:/var/lib/docker/overlay2/fd29d7fada3334bf5dd4dfa4f38db496b7fcbb3ec070e07fe21124a4f143b85a/diff",
                "MergedDir": "/var/lib/docker/overlay2/75fab11f1bf93cae37d9725ee9cbd167a0323379f383013241457220d62159fa/merged",
                "UpperDir": "/var/lib/docker/overlay2/75fab11f1bf93cae37d9725ee9cbd167a0323379f383013241457220d62159fa/diff",
                "WorkDir": "/var/lib/docker/overlay2/75fab11f1bf93cae37d9725ee9cbd167a0323379f383013241457220d62159fa/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [],
        "Config": {
            "Hostname": "bogon",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "5000/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/usr/sbin/apachectl",
                " -D",
                "FOREGROUND"
            ],
            "ArgsEscaped": true,
            "Image": "httpd:1.1",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "91444230e357927973371cb315b9a247463320beffcde3b56248fa840bd24547",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/default",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "host": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "126249d6b1771dc8aeab4aa3e75a2f3951cc765f6a43c4d0053d77c8e8f23685",
                    "EndpointID": "b87ae83df3424565b138c9d9490f503b9632d3369ed01036c05cd885e902f8ca",
                    "Gateway": "",
                    "IPAddress": "",
                    "IPPrefixLen": 0,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "",
                    "DriverOpts": null
                }
            }
        }
    }
]

3、none网络

[root@bogon ~]# docker container run --name=myhttpd2 --network=none -d httpd:1.1
3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3
[root@bogon ~]# 
[root@bogon ~]# docker container exec -it myhttpd2 /bin/sh
sh-4.1# ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

使用inspect查看详细信息，可以看到，网络信息变成了none。

sh-4.1# exit
exit
[root@bogon ~]# docker container inspect myhttpd2
[
    {
        "Id": "3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3",
        "Created": "2018-11-03T13:37:53.153680433Z",
        "Path": "/usr/sbin/apachectl",
        "Args": [
            " -D",
            "FOREGROUND"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 4350,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2018-11-03T13:37:53.563817908Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:bbffcf779dd42e070d52a4661dcd3eaba2bed898bed8bbfe41768506f063ad32",
        "ResolvConfPath": "/var/lib/docker/containers/3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3/hostname",
        "HostsPath": "/var/lib/docker/containers/3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3/hosts",
        "LogPath": "/var/lib/docker/containers/3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3/3e7148946653a10f66158d2b1410ffb290657de81c3833efe971cad85174abc3-json.log",
        "Name": "/myhttpd2",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": null,
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "none",
            "PortBindings": {},
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "shareable",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DiskQuota": 0,
            "KernelMemory": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": false,
            "PidsLimit": 0,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/asound",
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/ce58a73cd982d40a80723180c4e09ca16d74471a1eb3888c05da9eec6a2f4ac0-init/diff:/var/lib/docker/overlay2/619fd02d3390a6299f2bb3150762a765dd68bada7f432037769778a183d94817/diff:/var/lib/docker/overlay2/fd29d7fada3334bf5dd4dfa4f38db496b7fcbb3ec070e07fe21124a4f143b85a/diff",
                "MergedDir": "/var/lib/docker/overlay2/ce58a73cd982d40a80723180c4e09ca16d74471a1eb3888c05da9eec6a2f4ac0/merged",
                "UpperDir": "/var/lib/docker/overlay2/ce58a73cd982d40a80723180c4e09ca16d74471a1eb3888c05da9eec6a2f4ac0/diff",
                "WorkDir": "/var/lib/docker/overlay2/ce58a73cd982d40a80723180c4e09ca16d74471a1eb3888c05da9eec6a2f4ac0/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [],
        "Config": {
            "Hostname": "3e7148946653",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "5000/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/usr/sbin/apachectl",
                " -D",
                "FOREGROUND"
            ],
            "ArgsEscaped": true,
            "Image": "httpd:1.1",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {}
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "f9402b5b2dbb95c2736f25626704dec79f75800c33c0905c362e79af3810234d",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/f9402b5b2dbb",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "",
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
            "Networks": {
                "none": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "4ad67e37d38389253ca55c39ad8d615cef40c6bb9b535051679b2d1ed6cb01e8",
                    "EndpointID": "83913b6eaeed3775fbbcbb9375491dd45e527d81837048cffa63b3064ad6e7e3",
                    "Gateway": "",
                    "IPAddress": "",
                    "IPPrefixLen": 0,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "",
                    "DriverOpts": null
                }
            }
        }
    }
]

4、Joined 网络

joined网络是联合其他容器启动，使用共同的NET、UTS和IPC名称空间，但是其余名称空间是不共享的

启动两个容器，并且第二个容器使用第一个容器的网络名称空间

[root@bogon ~]# docker container run --name myhttpd -d httpd:1.1
7053b88aacb35d859e00d47133c084ebb9288ce3fb47b6c588153a5e6c6dd5f0
[root@bogon ~]# docker container run --name myhttpd1 -d --network container:myhttpd redis:4-alpine
99191b8fc853f546f3b381d36cc2f86bc7f31af31daf0e19747411d2f1a10686
[root@bogon ~]# docker container ls -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
99191b8fc853        redis:4-alpine      "docker-entrypoint.s??   5 seconds ago       Up 3 seconds                            myhttpd1
7053b88aacb3        httpd:1.1           "/usr/sbin/apachectl??   3 minutes ago       Up 3 minutes        5000/tcp            myhttpd
[root@bogon ~]#

登录第一个容器开始验证

[root@bogon ~]# docker container exec -it myhttpd /bin/sh
sh-4.1# 
sh-4.1# 
sh-4.1# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:648 (648.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          
sh-4.1# ps -ef |grep httpd
root         7     1  0 08:15 ?        00:00:00 /usr/sbin/httpd -D FOREGROUND
apache       8     7  0 08:15 ?        00:00:00 /usr/sbin/httpd -D FOREGROUND
apache       9     7  0 08:15 ?        00:00:00 /usr/sbin/httpd -D FOREGROUND

sh-4.1# mkdir /tmp/testdir     
sh-4.1# 
sh-4.1# ls /tmp/
testdir

登录第二个容器验证

[root@bogon ~]# docker container exec -it myhttpd1 /bin/sh
/data # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
      
/data # ps -ef |grep redis
    1 redis     0:00 redis-server
    
/data # ls /tmp/
/data #

可以看到，在容器httpd上创建了一个目录，但是容器httpd1上并没有，使用的ip地址也是同一个。由此看出，joined网络是隔离mount、user以及pid名称空间但是共享同一组net、ipc和uts名称空间的

三、启动容器并设置网络相关配置

3.1、指定容器的HOSTNAME

容器启动后默认使用的是容器ID作为hostname，需要指定hostname需要在容器启动时加上参数

hostname参数会为容器设置指定的hostname，并且会自动在hosts文件中添加本地解析

[root@bogon ~]# docker container run --name mycentos -it centos:6.6 /bin/sh
sh-4.1# hostname
02f68247b097
[root@bogon ~]# docker container ls -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                     PORTS               NAMES
02f68247b097        centos:6.6          "/bin/sh"           15 seconds ago      Exited (0) 7 seconds ago                       mycentos
[root@bogon ~]# docker container run --name mycentos --hostname centos1.local -it centos:6.6 /bin/sh
sh-4.1# 
sh-4.1# hostname
centos1.local

sh-4.1# cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	centos1.local centos1

3.2、指定容器的DNS

如果不指定DNS容器启动默认使用的是宿主机配置的DNS地址

[root@bogon ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 202.106.196.115
[root@bogon ~]# docker container run --name mycentos -it centos:6.6 /bin/sh
sh-4.1# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 202.106.196.115

[root@bogon ~]# docker container run --name mycentos --dns 114.114.114.114 -it --rm  centos:6.6 /bin/sh
sh-4.1# 
sh-4.1# cat /etc/resolv.conf 
nameserver 114.114.114.114

3.3、手动添加hosts本地解析

[root@bogon ~]# docker container run --name mycentos --rm --add-host bogon:192.168.31.186 --add-host www.baidu.com:1.1.1.1 -it centos:6.6 /bin/sh
sh-4.1# 
sh-4.1# cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
192.168.31.186	bogon
1.1.1.1	www.baidu.com
172.17.0.2	ea40852f5871

3.4、容器的端口暴漏

如果容器使用的网络是bridge，并且容器内部的服务需要让外部客户端访问。那么就需要做容器内端口暴漏

1、动态暴漏（将指定容器内的端口映射至物理主机的所有地址中的一个动态端口）

[root@bogon ~]# docker container run --name myhttpd --rm -d -p 80 httpd:1.1 
54c1b69f4a8b28abc8d65d836d3ed1ae916d982947800da5bace2fa41d2a0ce5
[root@bogon ~]# 

[root@bogon ~]# curl 172.17.0.2
<h1>Welcom To My Httpd</h1>

[root@bogon ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 17 packets, 1582 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   34  3134 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  3134 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   34  3134 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    52 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3 packets, 310 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   28  2424 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 3 packets, 310 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    2   267 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
   26  2157 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   26  2157 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   26  2157 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32768 to:172.17.0.2:80
    
[root@bogon ~]# docker port myhttpd
80/tcp -> 0.0.0.0:32768

可以看到，启动容器指定了端口暴漏会自动在docker host上创建一个iptables的nat规则，主机的所有地址32768端口映射到了容器的80端口上

在另一台主机上访问容器的httpd服务

[root@centos7-node2 ~]# curl 192.168.31.186:32768
<h1>Welcom To My Httpd</h1>
[root@centos7-node2 ~]#

2、静态暴漏（如果想映射主机的指定地址）

2.1、暴漏到物理主机指定地址的随机端口上

如果不指定物理主机端口，使用两个冒号分隔，主机地址::容器端口

[root@bogon ~]# docker container run --name myhttpd -d -p 192.168.31.186::80 httpd:1.1
50f3788eefe1016b9df2a3f2fcc1bfa19a2110675396daed075d1d4d0e69798b
[root@bogon ~]# docker port myhttpd
80/tcp -> 192.168.31.186:32768
[root@bogon ~]# 
[root@centos7-node2 ~]# curl 192.168.31.186:32768
<h1>Welcom To My Httpd</h1>

2.2、暴漏到物理主机所有地址的指定端口上

如果不指定地址，可以将地址省略，主机端口:容器端口

[root@bogon ~]# docker container run --name myhttpd --rm -d -p 80:80 httpd:1.1
2fde0e49c3545fb28624b01b737b22650ba98dfa09674e8ccb3b6722c7dcd257
[root@bogon ~]# docker port myhttpd
80/tcp -> 0.0.0.0:80

2.3、暴漏到物理主机指定地址的指定端口

[root@bogon ~]# docker container run --name myhttpd --rm -d -p 192.168.31.186:8080:80 httpd:1.1
a9152173fafc650c47c6a35040e0c50876f841756529334cb509fdff53ce60c7
[root@bogon ~]# 
[root@bogon ~]# docker port myhttpd
80/tcp -> 192.168.31.186:8080

四、自定义docker配置文件

1、可以通过修改docker的配置文件修改默认的docker0网桥地址信息

[root@bogon ~]# vim /etc/docker/daemon.json

{
        "registry-mirrors": ["https://registry.docker-cn.com"],
        "bip": "10.10.1.2/16"
}

[root@bogon ~]# systemctl restart docker.service
[root@bogon ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.10.1.2  netmask 255.255.0.0  broadcast 10.10.255.255
        inet6 fe80::42:cdff:fef5:e3ba  prefixlen 64  scopeid 0x20<link>
        ether 02:42:cd:f5:e3:ba  txqueuelen 0  (Ethernet)
        RX packets 38  bytes 3672 (3.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 53  bytes 5152 (5.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

配置文件中只需要加入bip即可，网关等信息docker会自动算出来。可以看到，docker0的ip地址已经变成了刚才我们改的网段

2、修改docker监听方式

docker默认只监听在socket文件上，如果要监听tcp，需要更改配置文件

[root@bogon ~]# vim /etc/docker/daemon.json
{
        "registry-mirrors": ["https://registry.docker-cn.com"],
        "bip": "10.10.1.2/16",
        "hosts": ["tcp://0.0.0.0:33333", "unix:///var/run/docker.sock"]
}
[root@bogon ~]# systemctl restart docker.service
[root@bogon ~]# netstat -tlunp |grep 33333
tcp6       0      0 :::33333                :::*                    LISTEN      6621/dockerd        
[root@bogon ~]#

修改后，就可以从其他安装了docker的主机上远程访问这台docker服务器了

[root@centos7-node2 ~]# docker -H 192.168.31.186:33333 image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
httpd               1.1                 bbffcf779dd4        4 days ago          264MB
nginx               stable              ecc98fc2f376        3 weeks ago         109MB
centos              6.6                 4e1ad2ce7f78        3 weeks ago         203MB
redis               4-alpine            05097a3a0549        4 weeks ago         30MB

[root@centos7-node2 ~]# docker -H 192.168.31.186:33333 container ls -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                        PORTS               NAMES
a8409019e310        redis:4-alpine      "docker-entrypoint.s??   2 hours ago         Exited (0) 29 minutes ago                         redis2
99191b8fc853        redis:4-alpine      "docker-entrypoint.s??   3 hours ago         Exited (0) 29 minutes ago                         myhttpd1
7053b88aacb3        httpd:1.1           "/usr/sbin/apachectl??   3 hours ago         Exited (137) 28 minutes ago                       myhttpd
[root@centos7-node2 ~]#

3、为docker创建网络

docker支持的网络模型有bridge、none、host、macvlan、overlay，创建时不指定默认创建bridge网桥

[root@bogon ~]# docker info
Containers: 3
 Running: 0
 Paused: 0
 Stopped: 3
Images: 4
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay

创建自定义网络

[root@bogon ~]# docker network create --driver bridge --subnet 192.168.30.0/24 --gateway 192.168.30.1 mybridge0
859e5a2975979740575d6365de326e18991db7b70188b7a50f6f842ca21e1d3d
[root@bogon ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
f23c1f889968        bridge              bridge              local
126249d6b177        host                host                local
859e5a297597        mybridge0           bridge              local
4ad67e37d383        none                null                local

[root@bogon ~]# ifconfig
br-859e5a297597: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.30.1  netmask 255.255.255.0  broadcast 192.168.30.255
        inet6 fe80::42:f4ff:feeb:6a16  prefixlen 64  scopeid 0x20<link>
        ether 02:42:f4:eb:6a:16  txqueuelen 0  (Ethernet)
        RX packets 5  bytes 365 (365.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 29  bytes 3002 (2.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 10.10.1.2  netmask 255.255.0.0  broadcast 10.10.255.255
        inet6 fe80::42:cdff:fef5:e3ba  prefixlen 64  scopeid 0x20<link>
        ether 02:42:cd:f5:e3:ba  txqueuelen 0  (Ethernet)
        RX packets 38  bytes 3672 (3.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 53  bytes 5152 (5.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

启动容器加入mybridge0网络

[root@bogon ~]# docker container run --name redis1 --network mybridge0 -d redis:4-alpine
6d6d11266e3208e45896c40e71c6e3cecd9f7710f2f3c39b401d9f285f28c2f7
[root@bogon ~]# docker container exec -it redis1 /bin/sh
/data # 
/data # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:1E:02  
          inet addr:192.168.30.2  Bcast:192.168.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2618 (2.5 KiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

4、删除自定义docker网络

删除之前要先关闭正在运行在此网络上的容器

[root@bogon ~]# docker network rm mybridge
[root@bogon ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
f23c1f889968        bridge              bridge              local
126249d6b177        host                host                local
4ad67e37d383        none                null                local

Docker第四回（容器虚拟化网络）

标签：dockerd 发送 def std nss from 交互模式规则 write

原文地址：https://www.cnblogs.com/baomaggie/p/11622648.html

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行