Docker Container Network Management and Network Isolation

I. Managing Docker networks

1. How Docker containers reach other networks

1) Containers reaching the Internet

A container reaches the Internet through the docker0 bridge on the host; by default every new container is attached to docker0 automatically.

2) Container-to-container communication

An administrator creates a bridge network and attaches the containers to it; containers attached to the same bridge can reach each other.

3) External access to containers

Achieved either by publishing ports (port mapping) or by having the container share the host's network configuration.

2. Docker container network modes

1) bridge

The default mode, used for container Internet access; it relies on the docker0 bridge.

2) none

The container gets its own, empty network namespace: only a loopback interface and no TCP/IP configuration.

3) container

Used for container-to-container communication: the new container shares the network namespace (interfaces and IP address) of an existing container, so the two communicate through that shared namespace.

4) host

The container uses the host's network stack directly, so its interfaces and addresses are the host's own.

3. Configuring bridge mode

[root@centos01 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo  <!--install the CentOS 7 yum repository-->
[root@centos01 ~]# yum -y install docker     <!--install Docker-->
[root@centos01 ~]# systemctl start docker        <!--start Docker-->
[root@centos01 ~]# systemctl enable docker      <!--start Docker automatically at boot-->
[root@centos01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf   <!--enable IP forwarding (routing) on the host-->
[root@centos01 ~]# sysctl -p  <!--reload the kernel parameters-->
net.ipv4.ip_forward = 1
[root@centos01 ~]# docker pull hub.c.163.com/public/centos:7.2-tools  <!--pull the image-->
[root@centos01 ~]# docker images  <!--list images-->
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
hub.c.163.com/public/centos   7.2-tools           4a4618db62b9        3 years ago         515 MB
[root@centos01 ~]# docker run -d --net=bridge --name centos7.201 hub.c.163.com/public/centos:7.2-tools   <!--create the container in bridge mode, the mode used for Internet access-->
b308fb5c097fd455073f2f4a280d2660e6943fe1a62d6409e8ebcd3b86469438
[root@centos01 ~]# docker ps  <!--list running containers-->
CONTAINER ID        IMAGE                                   COMMAND                  CREATED             STATUS              PORTS               NAMES
b308fb5c097f        hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   20 seconds ago      Up 19 seconds       22/tcp              centos7.201
[root@centos01 ~]# ifconfig   <!--show the Docker host's IP addresses-->
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
[root@centos01 ~]# docker exec -it centos7.201 /bin/bash  <!--enter the centos7.201 container-->
[root@b308fb5c097f /]# ifconfig    <!--show the container's IP address-->
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
[root@b308fb5c097f /]# ping www.baidu.com  <!--from centos7.201, ping a public host-->
PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18: icmp_seq=1 ttl=50 time=18.4 ms
64 bytes from 39.156.66.18: icmp_seq=2 ttl=50 time=18.3 ms
64 bytes from 39.156.66.18: icmp_seq=3 ttl=50 time=16.9 ms
[root@b308fb5c097f /]# ping 192.168.100.10   <!--ping the host's IP address-->
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.086 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.150 ms

4. Configuring none mode

[root@centos01 ~]# docker run -d --net=none --name centos7.202 hub.c.163.com/public/centos:7.2-tools   <!--create a container with no network attached; it cannot communicate-->
e2c4837d67818e7ef4d7cedf964db21d98cabb594d12091d7f69da4e8fb3f30f
[root@centos01 ~]# docker ps  <!--list running containers-->
CONTAINER ID        IMAGE                                   COMMAND                  CREATED             STATUS              PORTS               NAMES
e2c4837d6781        hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   57 seconds ago      Up 56 seconds                           centos7.202
b308fb5c097f        hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   7 minutes ago       Up 7 minutes        22/tcp              centos7.201
[root@centos01 ~]# docker exec -it centos7.202 /bin/bash  <!--enter the centos7.202 container-->
[root@e2c4837d6781 /]# ifconfig    <!--show the container's IP address: only loopback exists-->
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
[root@e2c4837d6781 /]# ping www.baidu.com  <!--a public host is unreachable-->
ping: unknown host www.baidu.com
[root@e2c4837d6781 /]# 
[root@e2c4837d6781 /]# ping 192.168.100.10  <!--the host's IP address is unreachable too-->
connect: Network is unreachable

5. Configuring host mode

[root@centos01 ~]# docker run -d --net=host --name centos7.203 -v /data1 hub.c.163.com/public/centos:7.2-tools   <!--create a container that shares the host's network stack, with a data volume mounted at /data1-->
2911358be486720c4ee93c8de22cd77301236f48c5baf22ea63bb3c54450032e
[root@centos01 ~]# ls /var/lib/docker/volumes/  <!--show the data volume that was created-->
dc755f3b6036f167471435629918d06264e1c2c6a8b175426fa80da36143a87e  metadata.db
[root@centos01 ~]# docker ps  <!--list running containers-->
CONTAINER ID        IMAGE                                   COMMAND                  CREATED              STATUS              PORTS               NAMES
2911358be486        hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   About a minute ago   Up About a minute                       centos7.203
e2c4837d6781        hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   15 minutes ago       Up 15 minutes                           centos7.202
b308fb5c097f        hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   21 minutes ago       Up 21 minutes       22/tcp              centos7.201
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash  <!--enter the centos7.203 container-->
[root@centos01 /]# ifconfig    <!--show IP addresses: the container sees the host's own interfaces-->
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.126  netmask 255.255.255.0  broadcast 192.168.0.255

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

vethc39178a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::7c4b:a6ff:fe1c:a37f  prefixlen 64  scopeid 0x20<link>

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash   <!--enter the centos7.203 container again-->
[root@centos01 /]# ping www.baidu.com   <!--ping a public host-->
PING www.a.shifen.com (39.156.66.14) 56(84) bytes of data.
64 bytes from 39.156.66.14: icmp_seq=1 ttl=51 time=20.0 ms
64 bytes from 39.156.66.14: icmp_seq=2 ttl=51 time=19.1 ms
64 bytes from 39.156.66.14: icmp_seq=3 ttl=51 time=15.9 ms
[root@centos01 /]# ping 192.168.100.10   <!--ping the host's IP address-->
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.030 ms
          <!--install Nginx in the centos7.203 container-->
[root@centos01 ~]# cp /mnt/nginx-1.6.0.tar.gz ./   <!--copy the Nginx tarball-->
[root@centos01 ~]# ls 
anaconda-ks.cfg  initial-setup-ks.cfg  nginx-1.6.0.tar.gz
[root@centos01 ~]# cp nginx-1.6.0.tar.gz  /var/lib/docker/volumes/dc755f3b6036f167471435629918d06264e1c2c6a8b175426fa80da36143a87e/_data/  <!--share the Nginx tarball with centos7.203 through the data volume-->
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash   <!--enter the centos7.203 container-->
[root@centos01 /]# ls
anaconda-post.log  bin  data1  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@centos01 /]# cd data1/   <!--look at the data shared from the host-->
[root@centos01 data1]# ls   
nginx-1.6.0.tar.gz
[root@centos01 /]# yum -y install pcre-devel zlib-devel   <!--install Nginx's dependencies-->
[root@centos01 /]# useradd -M -s /sbin/nologin nginx   <!--create the unprivileged user Nginx will run as-->
[root@centos01 /]# tar zxvf /data1/nginx-1.6.0.tar.gz -C /usr/src/   <!--unpack the Nginx tarball-->
[root@centos01 /]# yum -y install gcc pcre-devel zlib-devel make  <!--install the build tools and dependencies first-->
[root@centos01 /]# cd /usr/src/nginx-1.6.0/
[root@centos01 nginx-1.6.0]# ./configure --prefix=/usr/local/nginx --user=nginx --with-http_stub_status_module && make && make install    <!--configure, compile and install Nginx-->
[root@centos01 nginx-1.6.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/  <!--put the nginx binary on the PATH-->
[root@centos01 nginx-1.6.0]# echo "www.docker.nginx.com" > /usr/local/nginx/html/index.html           <!--replace the default home page-->
[root@centos01 nginx-1.6.0]# nginx   <!--start the Nginx service inside the centos7.203 container-->
[root@centos01 nginx-1.6.0]# netstat -anptu | grep nginx <!--confirm Nginx is listening on its port-->
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6268/nginx: master  
[root@centos01 ~]# curl http://192.168.100.10 <!--from the Docker host, fetch the page served by Nginx in centos7.203-->
www.docker.nginx.com
[root@centos01 nginx-1.6.0]# cat /usr/local/nginx/logs/access.log    <!--the access log inside centos7.203 records the successful request-->
192.168.100.10 - - [12/May/2020:21:42:47 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.29.0"

6. Changing the docker0 bridge's address

[root@centos01 ~]# ifconfig    <!--show the Docker host's IP addresses-->
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
[root@centos01 ~]# systemctl stop docker   <!--stop the Docker service-->
[root@centos01 ~]# ip link set dev docker0 down   <!--bring the docker0 bridge down-->
[root@centos01 ~]# brctl delbr docker0    <!--delete the default docker0 bridge-->
[root@centos01 ~]# brctl addbr docker0   <!--create a new bridge, also named docker0-->
[root@centos01 ~]# ip addr add 192.168.20.1/24 dev docker0  <!--assign the new docker0 bridge its IP address-->
[root@centos01 ~]# ip link set dev docker0 up   <!--bring the new docker0 bridge up-->
[root@centos01 ~]# vim /etc/docker/daemon.json    <!--tell the Docker daemon to use the new docker0 address-->
{"registry-mirrors":["https://6kx4zyno.mirror.aliyuncs.com"],"bip":"192.168.20.1/24"}    <!--add the "bip" key to the existing object; the file must remain a single JSON object-->
[root@centos01 ~]# systemctl start docker   <!--start the Docker service-->
[root@centos01 ~]# ifconfig    <!--show the Docker host's IP addresses in detail-->
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.1  netmask 255.255.255.0  broadcast 0.0.0.0
[root@centos01 ~]# docker run -it -d --name centos7.2v1 hub.c.163.com/public/centos:7.2-tools    <!--create a container running in the background-->
d0b5392e60cef37f3c44d79a9fb73916720cfc44faa7b73862bee05fb2d6ce7b
[root@centos01 ~]# docker exec -it centos7.2v1 /bin/bash  <!--enter the centos7.2v1 container-->
[root@d0b5392e60ce /]# ifconfig    <!--show the container's IP address: it now comes from the new subnet-->
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.20.2  netmask 255.255.255.0  broadcast 0.0.0.0
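
The daemon.json step above is where this procedure breaks silently: dockerd reads the file as one JSON object, so a second object appended on its own line stops the daemon from starting, and the new bip subnet must not overlap any other network already on the host. The Python below is an added example, not code from the original post: it merges bip into an existing daemon.json, rejects a bip that collides with the other subnets seen on this host in the post, and uses constructed sample file contents.

```python
import ipaddress
import json

# Constructed sample: the two-object daemon.json that appending a line produces.
# dockerd parses the file as ONE JSON document, so it refuses to start on this.
BROKEN_DAEMON_JSON = '{"registry-mirrors":["https://6kx4zyno.mirror.aliyuncs.com"]}\n{"bip":"192.168.20.1/24"}\n'
# Constructed sample: the mirror setting alone, as a valid single-object file.
VALID_DAEMON_JSON = '{"registry-mirrors":["https://6kx4zyno.mirror.aliyuncs.com"]}'
# Subnets present on this host elsewhere in the post: docker0, the two
# user-defined bridges, the LAN on ens32 and libvirt's virbr0.
HOST_SUBNETS = ["172.17.0.0/16", "172.18.0.0/16", "172.19.0.0/16",
                "192.168.100.0/24", "192.168.122.0/24"]


def load_daemon_json(text):
    """Parse daemon.json strictly as one JSON object."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("daemon.json must be a single JSON object: %s" % exc) from exc
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json top level must be an object")
    return cfg


def is_valid_daemon_json(text):
    try:
        load_daemon_json(text)
        return True
    except ValueError:
        return False


def overlapping_subnets(bip, existing):
    """Existing subnets that overlap the bridge network implied by bip."""
    bridge_net = ipaddress.ip_interface(bip).network
    return [s for s in existing if ipaddress.ip_network(s).overlaps(bridge_net)]


def merge_bip(text, bip, existing_subnets=HOST_SUBNETS):
    """Set 'bip' in an existing daemon.json and return the new file contents.

    Rejects a bip whose subnet collides with another network on the host: the
    kernel would then hold two routes for the same prefix and container traffic
    could leave through the wrong interface.
    """
    iface = ipaddress.ip_interface(bip)
    if iface.ip == iface.network.network_address:
        raise ValueError("bip must be the bridge's host address, e.g. 192.168.20.1/24")
    clashes = overlapping_subnets(bip, existing_subnets)
    if clashes:
        raise ValueError("bip %s overlaps %s" % (bip, ", ".join(clashes)))
    cfg = load_daemon_json(text)
    cfg["bip"] = str(iface)
    return json.dumps(cfg, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(is_valid_daemon_json(BROKEN_DAEMON_JSON))
    print(merge_bip(VALID_DAEMON_JSON, "192.168.20.1/24"))
```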

II. Docker network isolation

1. How Docker network isolation works

An administrator creates separate Docker networks (the post calls them network namespaces) and attaches containers to different networks; containers on different networks cannot reach each other. When no isolation is configured, a container is placed on the default docker0 network.

2. Networks Docker provides out of the box

bridge: the container is attached to the docker0 bridge;

host: the container shares the Docker host's network configuration;

none: no network is created and the container gets no TCP/IP configuration;

3. Configuring isolation with Docker networks

[root@centos01 ~]# docker network ls   <!--list Docker's default networks-->
NETWORK ID          NAME                DRIVER              SCOPE
8bb953004416        bridge              bridge              local
2c18234cad82        host                host                local
67860e823c36        none                null                local
[root@centos01 ~]# docker network create -d bridge liyanxin  <!--create a network-->
0c69de4672ec173dc4c60b19e0bf93b361f45a804859f7bc2105d85ca83b1169
[root@centos01 ~]# docker network create -d bridge gongsunli   <!--create a second network-->
35687468c9034262173a96e9c23e045cbb8b7ffa6648fc84e015504740815001
[root@centos01 ~]# ifconfig   <!--show the host's interfaces: each network gets its own bridge-->
br-0c69de4672ec: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

br-35687468c903: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
[root@centos01 ~]# docker run -it -d --name centos6.701 --network=liyanxin hub.c.163.com/public/centos:6.7-tools    <!--create a container on the liyanxin network-->
b85a2d8419a98756369ddc3b78247d3d42c178e8e563a936fe973f2f6611f951
[root@centos01 ~]# docker exec -it centos6.701 /bin/bash   <!--enter the centos6.701 container-->
[root@b85a2d8419a9 /]# ifconfig    <!--show the container's IP address-->
eth0      Link encap:Ethernet  HWaddr 02:42:AC:12:00:02  
          inet addr:172.18.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
[root@centos01 ~]# docker run -it -d --name centos6.702 --network=gongsunli hub.c.163.com/public/centos:6.7-tools    <!--create a container on the gongsunli network, isolated from liyanxin-->
9af0fb7b85af3270f3c7c44b62438f436b22289ac0a7604d6ed522604b7b185f
[root@centos01 ~]# docker exec -it centos6.702 /bin/bash  <!--enter the centos6.702 container-->
[root@9af0fb7b85af /]# ifconfig    <!--show the container's IP address-->
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:02  
          inet addr:172.19.0.2  Bcast:0.0.0.0  Mask:255.255.0.0

III. Isolating networks with a Linux bridge

1. Purpose

To let containers on one Docker host communicate with containers on another Docker host.

2. How it works

The host's physical NIC is enslaved to a bridge interface created by the administrator, and the host's IP address is configured on the bridge instead of on the NIC. Containers are then attached to that bridge, so a container on one Docker host can reach a container on another Docker host, and the administrator manages the Docker host remotely through the bridge's address.

3. Configuring the bridge on the Docker host

[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32  <!--make the host's physical NIC a port of the br0 bridge-->
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
BRIDGE=br0    <!--add this line-->
[root@centos01 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-br0   <!--create the br0 bridge's config file from the NIC's-->
[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0 <!--edit the br0 config file-->
TYPE=Bridge   <!--change this line-->
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=br0      <!--change the name-->
DEVICE=br0    <!--change the name-->
ONBOOT=yes
IPADDR=192.168.100.10    <!--add the host's IP address-->
NETMASK=255.255.255.0 
[root@centos01 ~]# systemctl restart network   <!--restart the host's network service-->
[root@centos01 ~]# ifconfig   <!--show the host's interfaces: br0 now carries the LAN address-->
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255

br-0c69de4672ec: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

br-35687468c903: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:18:d3:26  txqueuelen 1000  (Ethernet)

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4ad2:dd37:4341:5d8e  prefixlen 64  scopeid 0x20<link>

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

veth7b0bb5f: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::ccd3:86ff:fee6:5725  prefixlen 64  scopeid 0x20<link>

veth7e0f471: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::684c:fdff:fe13:b436  prefixlen 64  scopeid 0x20<link>

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
[root@centos01 ~]# yum -y install git   <!--install git on the Docker host-->
[root@centos01 ~]# git clone https://github.com/jpetazzo/pipework   <!--fetch pipework, a tool for attaching extra interfaces to containers-->
[root@centos01 ~]# cp pipework/pipework /usr/local/bin/   <!--put pipework on the PATH-->
[root@centos01 ~]# chmod +x /usr/local/bin/pipework    <!--make it executable-->
[root@centos01 ~]# docker run -d --name centos6.703 --network=none hub.c.163.com/public/centos:6.7-tools    <!--run a container from the image with no Docker network-->
adea0ad48bdde947ec595382d96cba06eb6522ec046e9b3c7bfcb1edb5c84545
[root@centos01 ~]# pipework br0 centos6.703 192.168.100.101/24   <!--give centos6.703 an interface on br0 with this IP address-->
[root@centos01 ~]# docker exec -it centos6.703 /bin/bash   <!--enter the centos6.703 container-->
[root@adea0ad48bdd /]# ifconfig    <!--show the IP address-->
eth1      Link encap:Ethernet  HWaddr FA:3A:9D:ED:C0:FF  
          inet addr:192.168.100.101  Bcast:192.168.100.255  Mask:255.255.255.0
[root@adea0ad48bdd /]# ping 192.168.100.10   <!--ping the Docker host-->
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.100 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.097 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.039 ms

4. Container-to-container communication across Docker hosts

[root@centos02 ~]# ping www.baidu.com <!--bring up a second server (centos02), confirm it reaches the Internet, then install Docker-->
PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=19.5 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=17.3 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=18.1 ms
[root@centos02 ~]# cd /etc/yum.repos.d/
[root@centos02 yum.repos.d]# ls
local.repo
[root@centos02 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo  <!--download the CentOS 7 repository-->
[root@centos02 ~]# yum install docker -y   <!--install Docker-->
[root@centos02 ~]# systemctl start docker     <!--start Docker-->
[root@centos02 ~]# systemctl enable docker   <!--start Docker automatically at boot-->
[root@centos02 ~]# docker pull hub.c.163.com/public/centos:6.7-tools   <!--pull the image-->
[root@centos02 ~]# docker images    <!--list images-->
REPOSITORY                    TAG                 IMAGE ID            CREATED             SIZE
hub.c.163.com/public/centos   6.7-tools           b2ab0ed558bb        3 years ago         602 MB
[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32   <!--make the host's physical NIC a port of the br0 bridge-->
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
BRIDGE=br0    <!--add this line-->
[root@centos02 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-br0          <!--create the br0 bridge's config file from the NIC's-->
[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0  <!--edit the br0 config file-->
TYPE=Bridge   <!--change to Bridge-->
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=br0    <!--change the name-->
DEVICE=br0    <!--change to br0-->
ONBOOT=yes
IPADDR=192.168.100.20   <!--add the host's IP address-->
NETMASK=255.255.255.0
[root@centos02 ~]# systemctl restart network   <!--restart the host's network service-->
[root@centos02 ~]# ifconfig    <!--show the host's interfaces-->
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.20  netmask 255.255.255.0  broadcast 192.168.100.255

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:97:5c:9f  txqueuelen 1000  (Ethernet)

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.104  netmask 255.255.255.0  broadcast 192.168.0.255

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
[root@centos02 ~]# yum -y install git    <!--install git-->
[root@centos02 ~]# git clone https://github.com/jpetazzo/pipework   <!--fetch pipework, a tool for attaching extra interfaces to containers-->
[root@centos02 ~]# cp pipework/pipework /usr/local/bin/   <!--put pipework on the PATH-->
[root@centos02 ~]# chmod +x /usr/local/bin/pipework    <!--make it executable-->
[root@centos02 ~]# docker run -d --name centos6.7 --network=none hub.c.163.com/public/centos:6.7-tools    <!--run a container from the image with no Docker network-->
abec0a6bd3822a2fd702dc44d1cf3043648aadd1a661e577c23701e30ee9df7a
[root@centos02 ~]# pipework br0 centos6.7 192.168.100.102/24   <!--give centos6.7 an interface on br0 with this IP address-->
[root@centos02 ~]# docker exec -it centos6.7 /bin/bash   <!--enter the centos6.7 container-->
[root@abec0a6bd382 /]# ifconfig    <!--show the IP address-->
eth1      Link encap:Ethernet  HWaddr EE:01:B7:99:90:1C  
          inet addr:192.168.100.102  Bcast:192.168.100.255  Mask:255.255.255.0
[root@abec0a6bd382 /]# ping 192.168.100.101   <!--ping the centos6.703 container on the other host, centos01-->
PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.
64 bytes from 192.168.100.101: icmp_seq=1 ttl=64 time=0.660 ms
64 bytes from 192.168.100.101: icmp_seq=2 ttl=64 time=0.865 ms
64 bytes from 192.168.100.101: icmp_seq=3 ttl=64 time=0.382 ms
[root@abec0a6bd382 /]# ping 192.168.100.10    <!--ping the centos01 host-->
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.632 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.732 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.796 ms
[root@abec0a6bd382 /]# ping 192.168.100.20    <!--ping centos02, the container's own host-->
PING 192.168.100.20 (192.168.100.20) 56(84) bytes of data.
64 bytes from 192.168.100.20: icmp_seq=1 ttl=64 time=0.144 ms
64 bytes from 192.168.100.20: icmp_seq=2 ttl=64 time=0.094 ms
64 bytes from 192.168.100.20: icmp_seq=3 ttl=64 time=0.043 ms
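
On both centos01 and centos02 the LAN address is moved from ens32 to br0 by editing the ifcfg files by hand, and the pipework addresses then have to land in br0's subnet without colliding with either host. The Python below is an added example, not code from the original post: enslave_to_bridge and check_lan_plan are hypothetical helpers that derive the ifcfg-ens32/ifcfg-br0 pair from a constructed ifcfg-ens32 that still carries IPADDR, NETMASK and GATEWAY (the usual starting state, which the post's listing has already stripped) and then check a planned set of host and container addresses for one flat subnet with no duplicates.

```python
import ipaddress

# Constructed sample ifcfg-ens32 in its usual pre-bridge state: the layer-3
# settings still sit on the physical NIC (the post's listing already lacks them).
SAMPLE_IFCFG_ENS32 = """TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
IPADDR=192.168.100.10
NETMASK=255.255.255.0
GATEWAY=192.168.100.2
"""

# Keys that must move to the bridge: an address left on an enslaved port is dead.
L3_KEYS = ("IPADDR", "PREFIX", "NETMASK", "GATEWAY", "DNS1", "DNS2")


def parse_ifcfg(text):
    """ifcfg files are KEY=value lines; keep order, skip blanks and comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def enslave_to_bridge(ifcfg_text, bridge="br0"):
    """Return (nic_cfg, bridge_cfg): the NIC becomes a port, the bridge takes the L3 config."""
    pairs = parse_ifcfg(ifcfg_text)
    nic = [(k, v) for k, v in pairs if k not in L3_KEYS and k != "BRIDGE"]
    nic.append(("BRIDGE", bridge))
    br = []
    for k, v in pairs:
        if k in ("HWADDR", "UUID", "BRIDGE"):
            continue  # MAC and UUID identify the physical port, not the bridge
        if k == "TYPE":
            v = "Bridge"
        elif k in ("NAME", "DEVICE"):
            v = bridge
        br.append((k, v))
    return "".join("%s=%s\n" % p for p in nic), "".join("%s=%s\n" % p for p in br)


def check_lan_plan(bridge_cfgs, container_cidrs):
    """Host bridge configs plus pipework-style container addresses must form one
    flat subnet with no duplicate IPs; returns a list of problems (empty = OK)."""
    ifaces = []
    for cfg in bridge_cfgs:
        kv = dict(parse_ifcfg(cfg))
        ifaces.append(ipaddress.ip_interface("%s/%s" % (kv["IPADDR"], kv["NETMASK"])))
    ifaces += [ipaddress.ip_interface(c) for c in container_cidrs]
    problems = []
    nets = sorted({str(i.network) for i in ifaces})
    if len(nets) > 1:
        problems.append("addresses span several subnets: %s" % nets)
    seen = set()
    for i in ifaces:
        if i.ip in seen:
            problems.append("duplicate address %s" % i.ip)
        seen.add(i.ip)
    return problems
```

A container attached to br0 this way sits directly on the 192.168.100.0/24 LAN, outside the NAT and iptables rules Docker applies to docker0, so it is exposed exactly like any other host on that LAN.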
