Docker ❀ 容器内部/外部通信端口映射网络模式自定义容器网络
文章目录
1、网络通讯
默认情况下,Docker服务默认使用172.17.0.0/16地址段作为部署IP地址池,使用物理机默认的DNS解析地址作为容器的DNS解析地址;
#查看docker0(默认桥接网卡)IP地址信息
[root@localhost ~]# ifconfig docker0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:2eff:fe8b:ca95 prefixlen 64 scopeid 0x20<link>
ether 02:42:2e:8b:ca:95 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 35 bytes 4476 (4.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#创建容器
[root@localhost ~]# docker run --name test-001 -it -d centos
ffb47561cefdced48f188624e7b6ec92667ca74df34de76dc57d1a9e4c20760d
#查看容器IP地址信息
[root@localhost ~]# docker exec -it test-001 /bin/bash
[root@ffb47561cefd /]# ip a s eth0 | awk 'NR==3{print($2)}'
172.17.0.2/16
#查看容器DNS解析地址
[root@ffb47561cefd /]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114
若容器需要访问外网或被外网访问,则需要相应的 iptables/firewalld 规则(以 CentOS/Redhat 7 为分界线:7 以下版本默认使用 iptables 服务,7 及以上版本默认使用 firewalld)。注意 Docker 守护进程自身会直接向 iptables 写入规则,下面的命令是对这些默认规则的手动演示。
#容器访问外部网络(dockerd 启动时已自动添加等效的 MASQUERADE 规则,其默认匹配条件为 `! -o docker0`,即只对从 docker0 以外的接口发出的流量做源地址转换;下面为手动演示)
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -o docker0 -j MASQUERADE
#外部网络访问容器(-p 8080:8080 未指定宿主机 IP 时会同时在 0.0.0.0 与 :: 上监听,宿主机所有接口均可访问该端口;以下两条 nat 规则由 dockerd 在发布端口时自动生成,此处为手动演示。若需按来源限制访问,应把规则加到 DOCKER-USER 链,而不要直接修改 DOCKER 链)
[root@localhost ~]# docker run -d -p 8080:8080 tomcat
79d61ca43d1da6d70c9e36782fcfb80ff8080d703948b2979a8955d27375da07
[root@localhost ~]# iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[root@localhost ~]# iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:8080
#查看iptables
[root@localhost ~]# iptables -n -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- 0.0.0.0/0 0.0.0.0/0
DOCKER-ISOLATION-STAGE-1 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
DOCKER all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.3 tcp dpt:8080
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
#清除iptables(未指定 -t 时只清空 filter 表;这会一并删除上面由 Docker 自动维护的 DOCKER/DOCKER-ISOLATION 链规则以及宿主机自身的防火墙规则,容器间隔离随之失效,需重启 docker 服务才能重建,生产环境慎用)
[root@localhost ~]# iptables -F
命名空间类型
修改docker0网卡地址范围与默认容器网关、DNS(详见第一章第五节daemon.json配置文件修改)。注意示例配置中的 insecure-registries 项会使 Docker 对该仓库允许明文 HTTP 或不校验 TLS 证书,拉取的镜像无法验证来源,仅应在隔离的内网测试环境中使用。
[root@localhost ~]# cat /etc/docker/daemon.json
{
"insecure-registries": ["10.81.20.166"],
"registry-mirrors": ["https://sta7qavr.mirror.aliyuncs.com"],
"bip": "10.1.1.0/16",
"default-gateway": "10.1.1.1",
"dns": ["8.8.8.8"]
}
[root@Redhat8 ~]# ifconfig docker0 | awk 'NR==2{print($2)}'
10.1.1.0
[root@cb4f1de96a62 /]# ip a s eth0 | awk 'NR==3{print($2)}'
10.1.0.1/16
[root@cb4f1de96a62 /]# cat /etc/resolv.conf
nameserver 8.8.8.8
[root@cb4f1de96a62 /]# exit
exit
2、网络模式
#查看当前网络类型
[root@Redhat8 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
12930f8f3234 bridge bridge local
36bc694a9c97 host host local
630f41c63fe4 none null local
Docker服务默认存在四组网络模式
- bridge :网桥模式,默认网络模式,容器使用docker0网卡进行外部访问;
- host :主机模式,容器没有独立的网络命名空间,直接与物理机共享网卡与端口进行外部访问(容器内进程可监听宿主机任意端口、看到宿主机全部接口,网络隔离性最弱);
- none :无网络模式,只存在一个loopback接口;
- container :容器模式,新部署的容器与另一个已存在的容器共享同一个网络命名空间(同一 IP、同一端口空间),借助该容器的网卡进行外部访问;
#bridge模式,容器默认使用docker0 172.17.0.0/16网段内IP地址;
[root@localhost ~]# docker run -it --name test-001 --network=bridge -d centos
e13d92b7991a7058203c249eb152dacccbb5e96c3efd9ab6ee2757efe84ea78c
[root@localhost ~]# docker exec -it test-001 /bin/bash
[root@e13d92b7991a /]# ip a s eth0
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@e13d92b7991a /]# exit
exit
#host模式,容器使用物理机IP地址;
[root@localhost ~]# docker run -it --name test-002 --network=host -d centos
6e73789654ed0a17b3af2dfe9418596a57f471a5188357d317e265562cf9205e
[root@localhost ~]# docker exec -it test-002 /bin/bash
[root@localhost /]# ip a s ens192
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:4f:69:f7 brd ff:ff:ff:ff:ff:ff
inet 10.81.20.166/24 brd 10.81.20.255 scope global noprefixroute ens192
valid_lft forever preferred_lft forever
inet6 fe80::160a:f93d:9f22:317e/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost /]# exit
exit
#none模式,容器不能访问外网,只存在127.0.0.1/8环回地址;
[root@localhost ~]# docker run -it --name test-003 --network=none -d centos
bdbf5dd51cb5c12ceef5f034c3fb318855f6681d3e5fdc060c8225488f2fd92c
[root@localhost ~]# docker exec -it test-003 /bin/bash
[root@bdbf5dd51cb5 /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
[root@bdbf5dd51cb5 /]# exit
exit
#查看运行中的容器
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bdbf5dd51cb5 centos "/bin/bash" 35 seconds ago Up 34 seconds test-003
6e73789654ed centos "/bin/bash" 2 minutes ago Up 2 minutes test-002
e13d92b7991a centos "/bin/bash" 4 minutes ago Up 4 minutes test-001
#停止所有正在运行的docker
[root@Redhat8 ~]# docker stop $(docker ps -q)
#删除所有创建过的docker(需要谨慎操作)
[root@Redhat8 ~]# docker rm -f $(docker ps -a -q)
3、端口映射
-p :容器端口 → 容器指定端口映射为本地随机端口(未指定 IP 时在所有接口监听);
[root@localhost ~]# docker run --name tomcat-001 -it -p :8080 -d tomcat
3871b4edc6e10024f0fbaa4f9dc47ff4d7dfb105e6b61525d37d4ba403ae3e5f
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3871b4edc6e1 tomcat "catalina.sh run" 4 seconds ago Up 3 seconds 0.0.0.0:49153->8080/tcp, :::49153->8080/tcp tomcat-001
-p 宿主机端口:容器端口 → 容器指定端口映射为本地指定端口;
[root@localhost ~]# docker run --name tomcat-002 -it -p 8081:8080 -d tomcat
935a92d9f629e73120244108513250692e13c6db50a5bcad48b911abc75fbb4a
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
935a92d9f629 tomcat "catalina.sh run" 4 seconds ago Up 3 seconds 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp tomcat-002
3871b4edc6e1 tomcat "catalina.sh run" About a minute ago Up About a minute 0.0.0.0:49153->8080/tcp, :::49153->8080/tcp tomcat-001
-p 宿主机IP::容器端口 → 容器指定端口映射为本地指定IP地址的随机端口;
[root@localhost ~]# docker run --name tomcat-003 -it -p 10.81.20.166::8080 -d tomcat
be8ac8211999d411c741d6e49c5c60ea05d1333f0cbe50e6ef328ff6a123d9ad
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
be8ac8211999 tomcat "catalina.sh run" 5 seconds ago Up 4 seconds 10.81.20.166:49154->8080/tcp tomcat-003
935a92d9f629 tomcat "catalina.sh run" 47 seconds ago Up 46 seconds 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp tomcat-002
3871b4edc6e1 tomcat "catalina.sh run" About a minute ago Up About a minute 0.0.0.0:49153->8080/tcp, :::49153->8080/tcp tomcat-001
-p 宿主机IP:宿主机端口:容器端口 → 容器指定端口映射为本地指定IP地址的指定端口(只需内网或本机访问时,建议用此形式而不是绑定 0.0.0.0);
[root@localhost ~]# docker run --name tomcat-004 -it -p 10.81.20.166:8082:8080 -d tomcat
ba6ce46728865dbbdb007f0e55330173804db2d6f526abe32b65ea8da8b7edaa
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ba6ce4672886 tomcat "catalina.sh run" 3 seconds ago Up 2 seconds 10.81.20.166:8082->8080/tcp tomcat-004
be8ac8211999 tomcat "catalina.sh run" 41 seconds ago Up 40 seconds 10.81.20.166:49154->8080/tcp tomcat-003
935a92d9f629 tomcat "catalina.sh run" About a minute ago Up About a minute 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp tomcat-002
3871b4edc6e1 tomcat "catalina.sh run" 2 minutes ago Up 2 minutes 0.0.0.0:49153->8080/tcp, :::49153->8080/tcp tomcat-001
-P 将镜像中 EXPOSE 声明的所有端口映射为本地随机端口
[root@localhost ~]# docker run --name tomcat-005 -it -P -d tomcat
ea10cb8c7a8dead5a826a1e32a8f1e44da3aa5c8d95ba7346702fb994a77ad6d
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ea10cb8c7a8d tomcat "catalina.sh run" 2 seconds ago Up 1 second 0.0.0.0:49155->8080/tcp, :::49154->8080/tcp tomcat-005
ba6ce4672886 tomcat "catalina.sh run" 26 seconds ago Up 24 seconds 10.81.20.166:8082->8080/tcp tomcat-004
be8ac8211999 tomcat "catalina.sh run" About a minute ago Up About a minute 10.81.20.166:49154->8080/tcp tomcat-003
935a92d9f629 tomcat "catalina.sh run" About a minute ago Up About a minute 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp tomcat-002
3871b4edc6e1 tomcat "catalina.sh run" 2 minutes ago Up 2 minutes 0.0.0.0:49153->8080/tcp, :::49153->8080/tcp tomcat-001
#查看某个容器的端口映射信息
[root@localhost ~]# docker port tomcat-005
8080/tcp -> 0.0.0.0:49155
8080/tcp -> :::49154
4、网络类型
#查看当前网络模式
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
edad5cd6d9c6 bridge bridge local /桥接网卡;
36bc694a9c97 host host local /本地主机;
630f41c63fe4 none null local /无连接;
网络模式命令支持操作
[root@Redhat8 ~]# docker network
connect /连接;
create /创建;
disconnect /断开连接;
inspect /检查;
ls /列表;
prune /修剪;
rm /删除;
创建新的网络模式
[root@localhost ~]# docker network create --help
Usage: docker network create [OPTIONS] NETWORK
Create a network
Options:
--attachable Enable manual container attachment
--aux-address map Auxiliary IPv4 or IPv6 addresses used by Network driver (default map[])
--config-from string The network from which to copy the configuration
--config-only Create a configuration only network
-d, --driver string Driver to manage the Network (default "bridge")
--gateway strings IPv4 or IPv6 Gateway for the master subnet
--ingress Create swarm routing-mesh network
--internal Restrict external access to the network
--ip-range strings Allocate container ip from a sub-range
--ipam-driver string IP Address Management Driver (default "default")
--ipam-opt map Set IPAM driver specific options (default map[])
--ipv6 Enable IPv6 networking
--label list Set metadata on a network
-o, --opt map Set driver specific options (default map[])
--scope string Control the network's scope
--subnet strings Subnet in CIDR format that represents a network segment
演示案例
#创建一个新的桥接网络模式(不同 bridge 网络中的容器默认相互隔离,见上文 DOCKER-ISOLATION 链;若该网络内的容器不需要访问外网,可加 --internal 限制外部访问)
[root@localhost ~]# docker network create -d bridge bridge-test-001
6a2806ba56a9ea2751677d79093c32aba5478041bc061a4f708ba7da371df2ae
#查看新创建的桥接网络模式
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
edad5cd6d9c6 bridge bridge local
6a2806ba56a9 bridge-test-001 bridge local
36bc694a9c97 host host local
630f41c63fe4 none null local
#检查新创建的桥接网络模式
[root@localhost ~]# docker network inspect bridge-test-001
[
    {
        "Name": "bridge-test-001",
        "Id": "6a2806ba56a9ea2751677d79093c32aba5478041bc061a4f708ba7da371df2ae",
        "Created": "2021-11-16T22:21:41.545116549+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]