Docker第四回(容器虚拟化网络)
Posted baomaggie
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Docker第四回(容器虚拟化网络)相关的知识,希望对你有一定的参考价值。
一、docker网络简介
网络作为docker容器化实现的6个名称空间的其中之一,是必不可少的。其在Linux内核2.6时已经被加载进内核支持了。网络名称空间主要用于实现网络设备和协议栈的隔离,列如;一个docker host有4块网卡,在创建容器的时候,将其中一块网卡分配给该名称空间,那么其他名称空间是看不到这块网卡的。且:一个设备只能属于一个名称空间。因为一个名称空间绑定一个物理网卡和外界通信,且一个物理网卡不能分配多个名称空间,这使得我们只能创建4个名称空间。如果要创建的名称空间多于我们的物理网卡数量,那该怎么办呢?
1、 虚拟网络通信的三种方式
1.1、桥接网络:在kvm的虚拟网络中,我们使用的是虚拟网卡设备(用纯软件的方式来模拟一组设备来使用),而在docker中,也不例外。在Linux内核级,支持两种级别设备的模拟,分别是2层设备(工作在链路层能实现封装物理报文并在各网络设备中报文转发的组件);而这个功能,是可以在Linux上利用内核中对二层虚拟设备的支持创建虚拟网卡接口的。而且,这种虚拟网卡接口非常独特,每一个网络接口设备是成对出现的,可以模拟一根网线的两端,其中,一端可以插在主机上,另一端可以插在交换机上。这就相当于让一个主机连接到一个交换机上了。而Linux内核原生支持二层虚拟网桥设备(用软件来构建一个交换机)。例如;我有两个名称空间,都分别使用虚拟网络创建一对网络接口,一头插在名称空间上,另一头插在虚拟网桥设备上,并且两个名称空间配置在同一个网段上,这样就实现了容器间的通信,但是这种桥接方式,如果用在有N多个容器的网络中,由于所有容器全部是桥接在同一块虚拟网桥设备上,会产生广播风暴,在隔离上也是极为不易的,因此在规模容器的场景中,使用桥接这种方式无疑是自讨苦吃,否则都不应该直接桥接的。
1.2、nat网络:如果不桥接,又能与外部通信,用的是nat技术。NAT(network address transfer)网络地址转换,就是替换IP报文头部的地址信息,通过将内部网络IP地址替换为出口的IP地址提供不同网段的通信。比如:两个容器都配置了不同的私网地址,并且为容器配置了虚拟网桥(虚拟交换机),把容器1的网关指向虚拟网桥的IP地址,而后在docker host上打开核心转发功能,这时,当容器1与容器2通信时,报文先送给各自的虚拟网桥经由内核,内核判定目的IP不是自己,会查询路由表,而后将报文送给对应的网卡,物理网卡收到报文之后报文的原地址替换成自己的IP(这个操作称为snat),再将报文发送给容器2的物理网卡,物理网卡收到报文后,会将报文的原IP替换为自己的IP(这个操作称作dnat)发送给虚拟交换机,最后在发送给容器2。容器2收到报文之后,同样的也要经过相同的操作,将回复报文经过改写原ip地址的操作(snat和dnat)送达给容器1的物理网卡,物理网卡收到报文之后在将报文转发给虚拟网桥送给容器1。在这种网络中,如果要跨物理主机,让两个容器通信,必须经过两次nat(snat和dnat),造成了通信效率的低下。在多容器的场景中也不适合。
1.3、Overlay Network
叠加网络,在这种网络中,不同主机的容器通信会借助于一个虚拟网桥,让当前主机的各个容器连接到这个虚拟网桥上来,随后,他们通信时,借助物理网络,来完成报文的隧道转发,从而可以实现容器可以直接看到不同主机的其他容器,进而互相通信。例如;容器1要和其他host上的容器2通信,容器1会把报文发送给虚拟网桥,虚拟网桥发现目的IP不在本地物理服务器上,于是这个报文会从物理网卡发送出去,在发出去之前不在做snat,而是在添加一层IP报头,原地址是容器1的物理网卡地址,目的地址是容器2所在主机的物理网卡地址。报文到达主机,主机拆完第一层数据报文,发现还有一层报头,并且IP地址是当前主机的容器地址,进而将报文发送给虚拟网桥,最后在发送给容器2。这种用一个IP来承载另外一个IP的方式叫做隧道。
2、docker支持的四种网络模型
2.1、Closed container:只有loop接口,就是null类型
2.2、Bridged container A:桥接式类型,容器网络接入到docker0网络上
2.3、joined container A:联盟式网络,让两个容器有一部分名称空间隔离(User、Mount、Pid),这样两个容器间就拥有同一个网络接口,网络协议栈
2.4、Open container:开放式网络:直接共享物理机的三个名称空间(UTS、IPC、Net),世界使用物理主机的网卡通信,赋予容器管理物理主机网络的特权
二、Docker网络的指定
1、bridge网络(NAT)
docker在安装完以后自动提供了3种网络,默认使用bridge(nat桥接)网络,如果启动容器时,不指定--network=string,就是用的bridge网络,使用docker network ls可以看到这三种网络类型
[root@bogon ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
ea9de27d788c bridge bridge local
126249d6b177 host host local
4ad67e37d383 none null local
docker在安装完成后,会自动在本机创建一个软交换机(docker0),可以扮演二层的交换机设备,也可以扮演二层的网卡设备
[root@bogon ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:2f:51:41:2d txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
当我们在创建容器时,docker会通过软件自动创建2个虚拟的网卡,一端接在容器上,另一端接在docker0交换机上,从而使得容器就好像连接在了交换机上。
这是我还没有启动容器之前本地host的网络信息
[root@bogon ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:2fff:fe51:412d prefixlen 64 scopeid 0x20<link>
ether 02:42:2f:51:41:2d txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14 bytes 1758 (1.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.31.186 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::a3fa:7451:4298:fe76 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:fb:f6:a1 txqueuelen 1000 (Ethernet)
RX packets 2951 bytes 188252 (183.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 295 bytes 36370 (35.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 96 bytes 10896 (10.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 96 bytes 10896 (10.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:1a:be:ae txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@bogon ~]#
[root@bogon ~]#
[root@bogon ~]#
下面我启动两个容器,查看网络信息的变化,可以看到多出来两个vethf的虚拟网卡
这就是docker为容器启动创建的一对虚拟网卡中的一半
[root@bogon ~]# docker container run --name=nginx1 -d nginx:stable
11b031f93d019640b1cd636a48fb9448ed0a7fc6103aa509cd053cbbf8605e6e
[root@bogon ~]# docker container run --name=redis1 -d redis:4-alpine
fca571d7225f6ce94ccf6aa0d832bad9b8264624e41cdf9b18a4a8f72c9a0d33
[root@bogon ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:2fff:fe51:412d prefixlen 64 scopeid 0x20<link>
ether 02:42:2f:51:41:2d txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14 bytes 1758 (1.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.31.186 netmask 255.255.255.0 broadcast 192.168.31.255
inet6 fe80::a3fa:7451:4298:fe76 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:fb:f6:a1 txqueuelen 1000 (Ethernet)
RX packets 2951 bytes 188252 (183.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 295 bytes 36370 (35.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 96 bytes 10896 (10.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 96 bytes 10896 (10.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth0a95d3a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::cc12:e7ff:fe27:2c7f prefixlen 64 scopeid 0x20<link>
ether ce:12:e7:27:2c:7f txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethf618ec3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::882a:aeff:fe73:f6df prefixlen 64 scopeid 0x20<link>
ether 8a:2a:ae:73:f6:df txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22 bytes 2406 (2.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:1a:be:ae txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@bogon ~]#
[root@bogon ~]#
另一半在容器中
[root@bogon ~]# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
fca571d7225f redis:4-alpine "docker-entrypoint.s?? About a minute ago Up About a minute 6379/tcp redis1
11b031f93d01 nginx:stable "nginx -g ‘daemon of?? 10 minutes ago Up 10 minutes 80/tcp nginx1
并且他们都被关联到了docker0虚拟交换机中,可以使用brctl和ip link show查看到
[root@bogon ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02422f51412d no veth0a95d3a
vethf618ec3
[root@bogon ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:fb:f6:a1 brd ff:ff:ff:ff:ff:ff
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:1a:be:ae brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000
link/ether 52:54:00:1a:be:ae brd ff:ff:ff:ff:ff:ff
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:2f:51:41:2d brd ff:ff:ff:ff:ff:ff
7: vethf618ec3@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether 8a:2a:ae:73:f6:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: veth0a95d3a@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether ce:12:e7:27:2c:7f brd ff:ff:ff:ff:ff:ff link-netnsid 1
可以看到,vethf虚拟网卡后面还有一半“@if6和@if8”,这两个就是在容器中的虚拟网卡
bridge0是一个nat桥,因此docker在启动容器后,还会自动为容器生成一个iptables规则
[root@bogon ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 43 packets, 3185 bytes)
pkts bytes target prot opt in out source destination
53 4066 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
53 4066 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
53 4066 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 474 bytes)
pkts bytes target prot opt in out source destination
24 2277 OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 3 packets, 474 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
2 267 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
22 2010 POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
22 2010 POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
22 2010 POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
12 953 POST_public all -- * ens33 0.0.0.0/0 0.0.0.0/0 [goto]
10 1057 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (2 references)
pkts bytes target prot opt in out source destination
22 2010 POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
22 2010 POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
22 2010 POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
53 4066 PRE_public all -- ens33 * 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (2 references)
pkts bytes target prot opt in out source destination
53 4066 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
53 4066 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
53 4066 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
其中在POSTROUTING的chain上,有一个“MASQUERADE”从任何地址进入,只要不从docker0出去,原地址是172.17网段,到任何地址去的数据,都将被地址转换,snat
上面提到过,当docker使用nat网络时,仅仅只有当前docker host和当前docker host上的容器之间可以互相访问,那么不同主机的容器要进行通信,就必须要进行dnat(端口映射的方式),且同一个端口只能映射一个服务,那么在这个docker host中如果有多个web服务,就只能映射到一个80端口,其他的web服务就只能改默认端口,这也为我们带来了很大的局限性。
1.1、使用ip命令操作net名称空间
由于docker的Net、UTS以及IPC是可以被容器共享的,所以能够构建出一个此前在KVM的虚拟化网络中所谓的隔离式网络、桥接式网络、NET式网络、物理桥式网络初次之外所不具有的特殊网络模型,我们可以用ip命令手动去操作网络名称空间的,ip命令所能操作的众多对象当中包括netns
查询是否安装ip命令
[root@bogon ~]# rpm -q iproute
iproute-4.11.0-14.el7.x86_64
创建net名称空间
[root@bogon ~]# ip netns help
Usage: ip netns list
ip netns add NAME
ip netns set NAME NETNSID
ip [-all] netns delete [NAME]
ip netns identify [PID]
ip netns pids NAME
ip [-all] netns exec [NAME] cmd ...
ip netns monitor
ip netns list-id
[root@bogon ~]# ip netns add ns1
[root@bogon ~]# ip netns add ns2
如果没有单独为netns创建网卡接口的话,那么默认就只有一个loop网卡
[root@bogon ~]# ip netns exec ns1 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@bogon ~]# ip netns exec ns2 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
创建网卡接口对并放入net名称空间
[root@bogon ~]# ip link add name veth1.1 type veth peer name veth1.2
[root@bogon ~]# ip link show
...
...
7: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 06:9d:b4:1f:96:88 brd ff:ff:ff:ff:ff:ff
8: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 22:ac:45:de:61:5d brd ff:ff:ff:ff:ff:ff
[root@bogon ~]# ip netns exec ns1 ip link set dev veth1.1 name eth0
[root@bogon ~]# ip netns exec ns2 ip link set dev veth1.2 name eth0
[root@bogon ~]# ip netns exec ns1 ifconfig eth0 10.10.1.1/24 up
[root@bogon ~]# ip netns exec ns2 ifconfig eth0 10.10.1.2/24 up
[root@bogon ~]# ip netns exec ns1 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.1.1 netmask 255.255.255.0 broadcast 10.10.1.255
inet6 fe80::20ac:45ff:fede:615d prefixlen 64 scopeid 0x20<link>
ether 22:ac:45:de:61:5d txqueuelen 1000 (Ethernet)
RX packets 8 bytes 648 (648.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@bogon ~]# ip netns exec ns2 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.1.2 netmask 255.255.255.0 broadcast 10.10.1.255
inet6 fe80::49d:b4ff:fe1f:9688 prefixlen 64 scopeid 0x20<link>
ether 06:9d:b4:1f:96:88 txqueuelen 1000 (Ethernet)
RX packets 8 bytes 648 (648.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@bogon ~]# ip netns exec ns1 ping 10.10.1.2
PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
64 bytes from 10.10.1.2: icmp_seq=1 ttl=64 time=0.261 ms
64 bytes from 10.10.1.2: icmp_seq=2 ttl=64 time=0.076 ms
这样就完成了ip命令创建netns并设置网卡接口的配置
2、Host网络
重新启动一个容器,指定--network为host网络
[root@bogon ~]# docker container run --name=myhttpd --network=host -d httpd:1.1
17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769
[root@bogon ~]#
[root@bogon ~]# ip netns list
ns2
ns1
使用交互模式连接到容器内部,查看网络信息
可以看到,这个容器使用的网络和物理主机的一模一样。注意:在这个容器内部更改网络信息,就和改物理主机的网络信息是同等的。
[root@bogon ~]# docker container exec -it myhttpd /bin/sh
sh-4.1#
sh-4.1# ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:2F:51:41:2D
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:2fff:fe51:412d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:1758 (1.7 KiB)
ens33 Link encap:Ethernet HWaddr 00:0C:29:FB:F6:A1
inet addr:192.168.31.186 Bcast:192.168.31.255 Mask:255.255.255.0
inet6 addr: fe80::a3fa:7451:4298:fe76/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30112 errors:0 dropped:0 overruns:0 frame:0
TX packets:2431 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1927060 (1.8 MiB) TX bytes:299534 (292.5 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:96 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10896 (10.6 KiB) TX bytes:10896 (10.6 KiB)
veth0a95d3a Link encap:Ethernet HWaddr CE:12:E7:27:2C:7F
inet6 addr: fe80::cc12:e7ff:fe27:2c7f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:648 (648.0 b)
virbr0 Link encap:Ethernet HWaddr 52:54:00:1A:BE:AE
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
sh-4.1# ping www.baidu.com
PING www.a.shifen.com (61.135.169.125) 56(84) bytes of data.
64 bytes from 61.135.169.125: icmp_seq=1 ttl=46 time=6.19 ms
64 bytes from 61.135.169.125: icmp_seq=2 ttl=46 time=6.17 ms
64 bytes from 61.135.169.125: icmp_seq=3 ttl=46 time=6.11 ms
使用inspect也可以看到该容器的网络信息使用的是host
sh-4.1# exit
exit
[root@bogon ~]# docker container inspect myhttpd
[
{
"Id": "17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769",
"Created": "2018-11-03T13:29:08.34016135Z",
"Path": "/usr/sbin/apachectl",
"Args": [
" -D",
"FOREGROUND"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 4015,
"ExitCode": 0,
"Error": "",
"StartedAt": "2018-11-03T13:29:08.528631643Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:bbffcf779dd42e070d52a4661dcd3eaba2bed898bed8bbfe41768506f063ad32",
"ResolvConfPath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/hostname",
"HostsPath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/hosts",
"LogPath": "/var/lib/docker/containers/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769/17e26c2869f88d8334ee98ea3b3d26e6abe9add5169d1812ffa0a4588935f769-json.log",
"Name": "/myhttpd",
"RestartCount": 0,
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": null,
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "host",
"PortBindings": {},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"CapAdd": null,
"CapDrop": null,
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "shareable",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"ConsoleSize": [
0,
0
],
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": [],
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DeviceCgroupRules": null,
"DiskQuota": 0,
"KernelMemory": 0,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": 0,