Docker Networking: Bridge Mode
Reference A: This article is translated from the official Docker documentation: https://docs.docker.com/network/bridge/
In terms of networking, a bridge network is a Link Layer device
which forwards traffic between network segments. A bridge can be a hardware
device or a software device running within a host machine's kernel.
In terms of Docker, a bridge network uses a software bridge which allows
containers connected to the same bridge network to communicate, while providing
isolation from containers which are not connected to that bridge network. The
Docker bridge driver automatically installs rules in the host machine so that
containers on different bridge networks cannot communicate directly with each
other.
Bridge networks apply to containers running on the same Docker daemon host.
For communication among containers running on different Docker daemon hosts, you
can either manage routing at the OS level, or you can use an
overlay network.
When you start Docker, a default bridge network (also
called bridge) is created automatically, and newly-started containers connect
to it unless otherwise specified. You can also create user-defined custom bridge
networks. User-defined bridge networks are superior to the default bridge
network.
Containers connected to the same user-defined bridge network effectively expose all ports
to each other. For a port to be accessible to containers or non-Docker hosts on
different networks, that port must be published using the -p or --publish
flag.
Use the docker network create command to create a user-defined bridge
network.
You can specify the subnet, the IP address range, the gateway, and other
options. See the
docker network create
reference or the output of docker network create --help for details.
Use the docker network rm command to remove a user-defined bridge
network. If containers are currently connected to the network,
disconnect them
first.
When you create a new container, you can specify one or more --network flags.
This example connects an nginx container to the my-net network. It also
publishes port 80 in the container to port 8080 on the Docker host, so external
clients can access that port. Any other container connected to the my-net
network has access to all ports on the my-nginx container, and vice versa.
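To check how these rules apply on a real host, the following added example (not part of the Docker documentation or the original article) audits the JSON printed by docker network inspect and docker inspect. The sample JSON is constructed and trimmed, and the container names db and legacy-app and the function name audit are assumptions. It reports containers still on the default bridge, groups of containers that can reach every port on each other, and ports published on all host interfaces.

```python
import json

# Constructed sample: trimmed `docker network inspect` output (a JSON list).
NETWORKS_JSON = """[
  {"Name": "bridge", "Driver": "bridge",
   "Containers": {"c1": {"Name": "legacy-app", "IPv4Address": "172.17.0.2/16"}}},
  {"Name": "my-net", "Driver": "bridge",
   "Containers": {"c2": {"Name": "my-nginx", "IPv4Address": "172.18.0.2/16"},
                  "c3": {"Name": "db", "IPv4Address": "172.18.0.3/16"}}}
]"""

# Constructed sample: trimmed `docker inspect` output for the same containers.
CONTAINERS_JSON = """[
  {"Name": "/my-nginx", "NetworkSettings": {"Ports": {
      "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}}},
  {"Name": "/db", "NetworkSettings": {"Ports": {"5432/tcp": null}}},
  {"Name": "/legacy-app", "NetworkSettings": {"Ports": {
      "9000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9000"}]}}}
]"""


def audit(networks, containers):
    """Return (on_default_bridge, peer_groups, externally_published)."""
    on_default, peers = [], {}
    for net in networks:
        if net.get("Driver") != "bridge":
            continue
        names = sorted(c["Name"] for c in (net.get("Containers") or {}).values())
        if net["Name"] == "bridge":
            on_default = names          # default bridge: legacy, reachable by IP only
        elif len(names) > 1:
            peers[net["Name"]] = names  # every port is reachable between these peers
    published = []
    for ctr in containers:
        ports = (ctr.get("NetworkSettings") or {}).get("Ports") or {}
        for port, bindings in sorted(ports.items()):
            for b in bindings or []:    # null bindings: exposed but not published
                if b.get("HostIp") in ("", "0.0.0.0", "::"):
                    published.append((ctr["Name"].lstrip("/"), port, b["HostPort"]))
    return on_default, peers, published


if __name__ == "__main__":
    print(audit(json.loads(NETWORKS_JSON), json.loads(CONTAINERS_JSON)))
```

A port bound to 127.0.0.1 is not reported, because it is reachable only from the Docker host itself.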
To connect a running container to an existing user-defined bridge, use the
docker network connect command. The following command connects an already-running
my-nginx container to an already-existing my-net network:
To disconnect a running container from a user-defined bridge, use the docker network disconnect command. The following command disconnects the my-nginx
container from the my-net network.
If you need IPv6 support for Docker containers, you need to
enable the option on the Docker daemon and reload its
configuration, before creating any IPv6 networks or assigning containers IPv6
addresses.
When you create your network, you can specify the --ipv6 flag to enable
IPv6. You can't selectively disable IPv6 support on the default bridge network.
By default, traffic from containers connected to the default bridge network is
not forwarded to the outside world. To enable forwarding, you need to change
two settings. These are not Docker commands and they affect the Docker host's
kernel.
These settings do not persist across a reboot, so you may need to add them to a
start-up script.
The default bridge network is considered a legacy detail of Docker and is not
recommended for production use. Configuring it is a manual operation, and it has
technical shortcomings.
If you do not specify a network using the --network flag, and you do specify a
network driver, your container is connected to the default bridge network by
default. Containers connected to the default bridge network can communicate,
but only by IP address, unless they are linked using the
legacy --link flag.
To configure the default bridge network, you specify options in daemon.json.
Here is an example daemon.json with several options specified. Only specify
the settings you need to customize.
Restart Docker for the changes to take effect.
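Before restarting the daemon, it helps to confirm that the default-bridge addresses in daemon.json agree with each other. The following added example (not from the Docker documentation or the original article) parses a constructed sample daemon.json and runs consistency checks chosen for this example: fixed-cidr and default-gateway must fall inside the subnet given by bip, and mtu must be a valid IPv4 MTU. The function name check_default_bridge and all sample values are assumptions.

```python
import ipaddress
import json

# Constructed sample daemon.json for the default bridge (values are illustrative).
SAMPLE = """{
  "bip": "192.168.1.1/24",
  "fixed-cidr": "192.168.1.0/25",
  "mtu": 1500,
  "default-gateway": "192.168.1.254",
  "dns": ["10.20.1.2", "10.20.1.3"]
}"""


def check_default_bridge(cfg):
    """Return a list of problems found in the default-bridge keys of daemon.json."""
    problems = []
    if "bip" not in cfg:
        return problems  # bridge address not customized; nothing to cross-check
    try:
        bridge = ipaddress.ip_interface(cfg["bip"])  # bridge address plus prefix
    except ValueError as exc:
        return [f"bip: {exc}"]
    subnet = bridge.network
    if "fixed-cidr" in cfg:
        try:
            pool = ipaddress.ip_network(cfg["fixed-cidr"], strict=False)
            if not pool.subnet_of(subnet):
                problems.append(f"fixed-cidr {pool} is outside bip subnet {subnet}")
        except (ValueError, TypeError) as exc:  # TypeError: IPv4/IPv6 mismatch
            problems.append(f"fixed-cidr: {exc}")
    if "default-gateway" in cfg:
        try:
            gw = ipaddress.ip_address(cfg["default-gateway"])
            if gw not in subnet:
                problems.append(f"default-gateway {gw} is outside bip subnet {subnet}")
        except ValueError as exc:
            problems.append(f"default-gateway: {exc}")
    mtu = cfg.get("mtu", 1500)
    if not isinstance(mtu, int) or not 68 <= mtu <= 65535:
        problems.append(f"mtu {mtu!r} is not a valid IPv4 MTU")
    return problems


if __name__ == "__main__":
    print(check_default_bridge(json.loads(SAMPLE)) or "default bridge settings look consistent")
```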
If you configure Docker for IPv6 support (see Use IPv6), the
default bridge network is also configured for IPv6 automatically. Unlike
user-defined bridges, you can't selectively disable IPv6 on the default bridge.
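Docker Networking: Bridge Mode
This article is reposted from https://www.freeaihub.com/article/bridge-module-in-docker-network.html, where the following examples can be run online.
In the previous two articles, "Docker Networking: Host Mode" and "Docker Networking: Container Mode", we introduced the host and container modes of the Docker network model. This section introduces the theory behind the bridge mode of the Docker network model, then works through a hands-on example to help you better understand bridge mode in Docker networking.
Bridge mode
When Docker is installed, it creates a virtual bridge named docker0. Unless configured otherwise, newly created containers automatically connect to the network provided by this virtual bridge. A bridge network lets Docker containers on the same host communicate with each other; containers connected to the same bridge can communicate with each other.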
docker network ls
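To the host, the bridge looks like a separate network interface; to each container running on the host, it acts like a switch, with one end of every container's virtual network cable plugged into docker0.
Containers reach the outside network through the local host. A virtual interface named veth is created for the container, with one end attached to the docker0 bridge and the other end attached to the container, so the container can reach the network through the bridge using its assigned IP address.
We can also define our own bridge networks; the Docker documentation recommends using user-defined bridge networks.
Bridge mode example
Load the image and start the container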
docker load < /share/images/httpd.tar
docker run -d --name httpd -p 80:80 httpd
Verify
docker exec -it httpd cat /etc/hosts
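Create a user-defined network
Create a user-defined network; you can specify the subnet, IP address range, gateway, and other network settings.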
docker network create --driver bridge --subnet 172.22.16.0/24 --gateway 172.22.16.1 mynet2
List the Docker networks to confirm that it was created.
docker network ls
View the details of the user-defined network
brctl show
ifconfig
docker network inspect mynet2
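Create container bb1 attached to the user-defined network, then verify from inside the container; you can see that the container's IP address is 172.22.16.2.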
docker run --name bb1 -it --network mynet2 busybox:latest
ifconfig
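After verifying, press Ctrl+P and then Ctrl+Q to return from the bb1 container to the host without stopping bb1.
Create another container, bb2, also attached to the mynet2 network.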
docker run --name bb2 --network mynet2 -it busybox:latest
Inside the container, ping the IP address of the bb1 container to verify.
ping 172.22.16.2
You will get a reply similar to the following:
PING 172.22.16.2 (172.22.16.2): 56 data bytes
64 bytes from 172.22.16.2: seq=0 ttl=64 time=0.439 ms
64 bytes from 172.22.16.2: seq=1 ttl=64 time=0.140 ms
64 bytes from 172.22.16.2: seq=2 ttl=64 time=0.129 ms
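Summary
Bridge mode is the default network mode when creating and running containers. In this mode each container is given its own network interface, bridged to the default bridge or to a specified one, and containers on the same bridge can communicate with each other. We can also create user-defined bridges to meet custom networking needs.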