Enterprise operations with containers: Docker networking
Posted by 123坤
1. Docker native networks
- Docker images are widely praised, but networking is still one of its relatively weak areas.
- After installation, Docker automatically creates three networks: bridge, host and none.
- You can list them with the following command:
docker network ls
[root@server2 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
ff3156699943 bridge bridge local
97d148277d30 host host local
d727708902c7 none null local
- At install time Docker creates a Linux bridge named docker0; newly created containers are automatically bridged onto this interface.
- In bridge mode a container has no public IP: only the host can reach it directly, and it is invisible to external hosts; the container reaches the outside world through the host's NAT rules.
[root@server2 ~]# docker run -d --name demo nginx:latest
25a42f4bba1467ba6e5ea8599f262cd8f6d722c8f9f1cfb5952ceb4c6fb81203
[root@server2 ~]# docker inspect demo ## check the assigned IP and gateway
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
[root@server2 ~]# docker rm -f demo
[root@server2 ~]# docker run -it --name demo1 busybox
/ # ip addr ## can also be checked from inside the container
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ #
[root@server2 ~]# curl 172.17.0.2 ## test
[root@server2 ~]# bridge link ## shows the interface attached to docker0
5: vethfc9471a state UP @(null): <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
[root@server2 ~]# yum install bridge-utils.x86_64 -y ## bridge inspection tool
[root@server2 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242e47cfbb4 no vethfc9471a
- Host network mode must be specified when the container is created, with --network=host.
It does not use a bridge; the container directly uses the same network as the host.
Host mode lets the container share the host's network stack. The benefit is that external hosts can talk to the container directly, but the container's network has no isolation.
[root@server2 ~]# docker run -d --name demo --network host nginx:v1
7f7adfa815e0390b121084e36f4edf8c5d8de5c3d0edb910a956c0d5e7a9c67c
[root@server2 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7f7adfa815e0 nginx:v1 "/docker-entrypoint.…" 6 seconds ago Up 6 seconds demo
[root@server2 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242e47cfbb4 no
[root@server2 ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 52:54:00:e9:26:22 brd ff:ff:ff:ff:ff:ff
inet 172.25.25.2/24 brd 172.25.25.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fee9:2622/64 scope link
valid_lft forever preferred_lft forever
[root@server2 ~]# docker run -it --rm --network host busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 52:54:00:e9:26:22 brd ff:ff:ff:ff:ff:ff
inet 172.25.25.2/24 brd 172.25.25.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fee9:2622/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 02:42:e4:7c:fb:b4 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:e4ff:fe7c:fbb4/64 scope link
valid_lft forever preferred_lft forever
- none mode disables networking: the container has only the lo interface. Specify it at container creation with --network=none.
This network can be used for workloads that must not be reachable by anyone.
[root@server2 ~]# docker run -it --rm --network none busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
/ #
2. Docker custom networks
- Custom network modes: Docker provides three custom network drivers:
bridge
overlay
macvlan
- The bridge driver is similar to the default bridge network mode but adds some new features;
overlay and macvlan are used to create cross-host networks.
It is recommended to use custom networks to control which containers can communicate with each other; they also provide automatic DNS resolution of container names to IP addresses.
Creating a custom bridge:
containers on a user-created network get name resolution and can ping each other by name;
[root@server2 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@server2 ~]# docker network create --help
[root@server2 ~]# docker network create mynet1
4dfb2e9905f89f9e3f1d5b6b896d41b0bc3de6e79b3fb375d3ca8aa1f3b1d116
[root@server2 ~]# docker inspect mynet1
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16", ## subnet
"Gateway": "172.18.0.1"
}
]
[root@server2 ~]# docker run -it --name demo1 --network mynet1 busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping demo1
PING demo1 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.053 ms
^C
--- demo1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.053/0.058/0.063 ms
/ # [root@server2 ~]# docker run -it --name demo2 --network mynet1 busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping demo1
PING demo1 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.116 ms
^C
--- demo1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.116/0.116/0.116 ms
/ #
- You can also define your own address range by passing --subnet and --gateway at creation time.
- The --ip parameter assigns a fixed IP to a container, but only on a custom bridge; the default bridge mode does not support it. Containers on the same bridge can reach each other.
[root@server2 ~]# docker network rm mynet1
mynet1
[root@server2 ~]# docker container prune ## remove unused containers
WARNING! This will remove all stopped containers.
Are you sure you want to continue? [y/N] y
Total reclaimed space: 0B
[root@server2 ~]# docker network create --subnet 172.20.0.0/24 --gateway 172.20.0.1 mynet1
9d28602f328756c9a41ce51f5dbbe685054a796268da4154565b6ed8476fe55e
[root@server2 ~]# docker network inspect mynet1
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.20.0.0/24",
"Gateway": "172.20.0.1"
}
]
Once the subnet has been specified as above, an IP can be assigned when running a container;
[root@server2 ~]# docker run -it --name demo1 --network mynet1 --ip 172.20.0.200 busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:14:00:c8 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.200/24 brd 172.20.0.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping demo1
PING demo1 (172.20.0.200): 56 data bytes
64 bytes from 172.20.0.200: seq=0 ttl=64 time=0.045 ms
^C
--- demo1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.045/0.045/0.045 ms
/ #
- Containers bridged onto different bridges cannot communicate with each other.
Docker is designed to isolate different networks from one another.
[root@server2 ~]# docker run -it --name demo1 --network mynet1 --ip 172.20.0.200 busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:14:00:c8 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.200/24 brd 172.20.0.255 scope global eth0
valid_lft forever preferred_lft forever
/ # [root@server2 ~]# docker run -it --name demo2 busybox
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping demo1
ping: bad address 'demo1'
- To let containers on two different bridges communicate:
use the docker network connect command to add a network interface on my_net2 to vm1 (in the session below, the network is mynet1 and the container is demo2).
/ # [root@server2 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5ce636af4ba1 busybox "sh" 2 minutes ago Up 2 minutes demo2
f69ac1f092a7 busybox "sh" 2 minutes ago Up 2 minutes demo1
[root@server2 ~]# docker network connect mynet1 demo2
[root@server2 ~]# brctl show
bridge name bridge id STP enabled interfaces
br-9d28602f3287 8000.02429c3fb2c7 no veth415e67c
vethb979bdb
docker0 8000.0242e47cfbb4 no veth26c176b
[root@server2 ~]# docker attach demo2
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
22: eth1@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff
inet 1
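Added example (not code from the original post): a small Python audit over `docker inspect` output that applies the rules this page demonstrates: host-mode containers have no network isolation, every member of docker0 can reach every other member, only containers that share a network can talk (demo1 and demo2 only after `docker network connect mynet1 demo2`), and a `--ip` address must lie inside its network's subnet. The `CONTAINERS` sample is constructed from the fields shown in the sessions above; the `web` container is a hypothetical nginx started with `--network host`.

```python
import ipaddress
from itertools import combinations

# Constructed sample (assumed values) of the `docker inspect` fields this page shows:
# demo1 on mynet1, demo2 after `docker network connect mynet1 demo2`, and a
# hypothetical container "web" started with --network host.
CONTAINERS = {
    "demo1": {"HostConfig": {"NetworkMode": "mynet1"}, "NetworkSettings": {"Networks": {
        "mynet1": {"IPAddress": "172.20.0.200", "Gateway": "172.20.0.1", "IPPrefixLen": 24}}}},
    "demo2": {"HostConfig": {"NetworkMode": "default"}, "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1", "IPPrefixLen": 16},
        "mynet1": {"IPAddress": "172.20.0.2", "Gateway": "172.20.0.1", "IPPrefixLen": 24}}}},
    "web": {"HostConfig": {"NetworkMode": "host"}, "NetworkSettings": {"Networks": {
        "host": {"IPAddress": "", "Gateway": "", "IPPrefixLen": 0}}}},
}

def networks_of(container):
    return set(container["NetworkSettings"]["Networks"])

def host_networked(containers):
    """Containers that share the host's network stack: no isolation at all."""
    return sorted(n for n, c in containers.items() if c["HostConfig"]["NetworkMode"] == "host")

def on_default_bridge(containers):
    """Members of docker0: no name resolution, and every member can reach every other."""
    return sorted(n for n, c in containers.items() if "bridge" in networks_of(c))

def reachable_pairs(containers):
    """Pairs with a network in common. Docker isolates distinct networks, so a pair
    missing from this map cannot talk (the 'bad address' case in the session above)."""
    pairs = {}
    for a, b in combinations(sorted(containers), 2):
        shared = networks_of(containers[a]) & networks_of(containers[b])
        if shared:
            pairs[(a, b)] = sorted(shared)
    return pairs

def addresses_outside_subnet(containers):
    """Sanity check for --ip: the address must lie in the subnet derived from gateway/prefix."""
    bad = []
    for name, c in containers.items():
        for net, cfg in c["NetworkSettings"]["Networks"].items():
            if not cfg["IPAddress"]:
                continue  # host network: the container has no address of its own
            subnet = ipaddress.ip_network(f'{cfg["Gateway"]}/{cfg["IPPrefixLen"]}', strict=False)
            if ipaddress.ip_address(cfg["IPAddress"]) not in subnet:
                bad.append((name, net, cfg["IPAddress"]))
    return bad

if __name__ == "__main__":
    print("host-networked (no isolation):", host_networked(CONTAINERS))
    print("on docker0:", on_default_bridge(CONTAINERS))
    print("can talk:", reachable_pairs(CONTAINERS))
    print("bad --ip:", addresses_outside_subnet(CONTAINERS))
```

Against a live daemon, build the same dict from `docker inspect $(docker ps -q)` by keying each record on its `Name`.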