Docker-04-docker单机网络详解
Posted 流光给给
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Docker-04-docker单机网络详解相关的知识,希望对你有一定的参考价值。
一、docker的网络模式概述
1.1 单机模式
- bridge
默认模式,此模式会为每一个容器分配、设置IP等,并将容器连接到一个docker0虚拟网桥,通过docker0网桥以及Iptables nat表配置与宿主机通信。
- host
容器将不会虚拟出自己的网卡,配置自己的IP等,而是使用宿主机的IP和端口。
- none
该模式关闭了容器的网络功能。
1.2 多机模式
- overlay
2、Linux网络命名空间
2.1 查看namespace之间的隔离性
- 第一步:运行一个busybox
docker run -d --name test1 busybox /bin/sh -c "while true;do sleep 3600;done"
- 第二步:进入生成的容器
[root@docker01 ~]# docker exec -it test1 /bin/sh
/ #
- 第三步:通过`ip a`命名查看容器和宿主机的网络命名空间,可以发现容器的网络namespace和主机是隔离的
#查看容器的网络namespace
/ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever
#查看宿主机的网络namespace
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:ccff:fea5:3e94/64 scope link valid_lft forever preferred_lft forever 15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::183d:79ff:fede:cd28/64 scope link valid_lft forever preferred_lft forever
- 第四步:再生成另外一个容器,并查看两个容器的网络namespace。通过在两个容器中互ping,发现两个容器的网络namespace是可以互相连通的。
[root@docker01 ~]# docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done" e8a75ef22834a402a3a0f71460f8551a658a7bacd364937de9358d35abe960cb
[root@docker01 ~]# sudo docker exec test1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@docker01 ~]# sudo docker exec test2 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever
2.2 Linux网络namepace原理实验
实验:在两个namespace上面创建veth接口,并使两个namespace相通!
在做实验之间,先来想象一下两台电脑如果需要连通所需的条件:
- 两台电脑都需要一个网口
- 两个网口之间需要连接一根网线
- 两台电脑需要配置一个同网段的地址
满足上述三个要求,那么两个主机就能实现网络互联。Linux网络namespace采用veth pair技术,过程基本一致,下面就来做下实验。
2.2.1 网络namspace的基本用法
实验之前先来看看基本的命令和用法:
- 查看linxu主机的network namespace
[root@docker01 ~]# ip netns list
- 创建network namespace
[root@docker01 ~]# ip netns add test1 [root@docker01 ~]# ip netns add test2 [root@docker01 ~]# ip netns list test2 test1
- 查看network namespace里面的ip地址
#可以看到一个新的network namespace里面只有一个回环口,并没有分配ip地址;并且状态为DOWN [root@docker01 ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
- 启动namespace里面的网卡,例如lo
[root@docker01 ~]# ip netns exec test1 ip link set dev lo up [root@docker01 ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever
2.2.2 实验过程
- 第一步:在主机上添加一对link veth-test1和veth-test2,创建完成后状态为DOWN。(这一步联想做两个网卡,并用网线将两个网卡互连)
[root@docker01 ~]# ip link add veth-test1 type veth peer name veth-test2 [root@docker01 ~]# ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000 link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff 15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0 17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1 18: veth-test2@veth-test1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000 link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff 19: veth-test1@veth-test2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000 link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff
- 第二步:为network namespace test1添加link veth-test1(这一步骤连想将一端网卡差到第一台电脑)
添加前test1里面只有一个lo口,并且为DOWN状态
#将test1添加到veth-test1里面 [root@docker01 ~]# ip link set veth-test1 netns test1 #查看test1的ip地址 root@docker01 ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 19: veth-test1@if18: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff link-netnsid 0 #并且发现本地的19口已经没有了(添加到了test1里面) [root@docker01 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:ccff:fea5:3e94/64 scope link valid_lft forever preferred_lft forever 15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::183d:79ff:fede:cd28/64 scope link valid_lft forever preferred_lft forever 17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::acb3:faff:fe8f:90b5/64 scope link valid_lft forever preferred_lft forever 18: veth-test2@if19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
- 第三步:将network namespace test2添加link veth-test2(这一步骤连想将一端网卡差到第二台电脑)
添加前test2里面只有一个lo口,并且为DOWN状态
#将veth-test2添加到test2里
[root@docker01 ~]# ip link set veth-test2 netns test2
#查看添加之后test2包含的ip [root@docker01 ~]# ip netns exec test2 ip link 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 18: veth-test2@if19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000 link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
#再次查看主机ip,发现本地的18口也没有了 [root@docker01 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:ccff:fea5:3e94/64 scope link valid_lft forever preferred_lft forever 15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::183d:79ff:fede:cd28/64 scope link valid_lft forever preferred_lft forever 17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::acb3:faff:fe8f:90b5/64 scope link valid_lft forever preferred_lft forever
- 第四步:分别给test1和test2分配IP地址
[root@docker01 ~]# ip netns exec test1 ip addr add 10.0.0.1/24 dev veth-test1 [root@docker01 ~]# ip netns exec test2 ip addr add 10.0.0.2/24 dev veth-test2
- 第五步:分别启动两个namespace的veth网卡
[root@docker01 ~]# ip netns exec test1 ip link set dev veth-test1 up [root@docker01 ~]# ip netns exec test2 ip link set dev veth-test2 up
- 第六步:查看两个namespace的ip地址
[root@docker01 ~]# ip netns exec test1 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 19: veth-test1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000 link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet 10.0.0.1/24 scope global veth-test1 valid_lft forever preferred_lft forever inet6 fe80::f827:f5ff:fe29:950b/64 scope link valid_lft forever preferred_lft forever [root@docker01 ~]# ip netns exec test2 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 18: veth-test2@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000 link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.0.0.1/24 scope global veth-test2 valid_lft forever preferred_lft forever inet6 fe80::34ad:7cff:fef7:32e7/64 scope link valid_lft forever preferred_lft forever
- 两个NameSpace互ping,能ping通则说明实验成功!!
[root@docker01 ~]# ip netns exec test1 ping 10.0.0.2 PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.121 ms 64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.109 ms ^C --- 10.0.0.2 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.109/0.115/0.121/0.006 ms [root@docker01 ~]# ip netns exec test2 ping 10.0.0.1 PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.079 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.106 ms ^C --- 10.0.0.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.079/0.092/0.106/0.016 ms
Linux的网络namespace原理基本如上,docker容器的网络也类似于此!!
三、Docker Bridge网络
3.1 docker network命令
- 查看docker主机的网络模式
[root@docker01 ~]# docker network ls NETWORK ID NAME DRIVER SCOPE afba28b63ba9 bridge bridge local d12ebb4b73d8 host host local c2fb11041077 none null local
- 查看network的详细信息
在输出结果中可以看到有一项为container,并且有test1这个容器的信息,说明test1的网络加入到了这个bridge
[root@docker01 ~]# docker network inspect afba28b63ba9 [ { "Name": "bridge", "Id": "afba28b63ba9369a0068985cc75f93c309c3e802bee19ad616d2961f45df310a", "Created": "2019-03-30T10:45:07.636737489+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "8e8f15985b86f0d0811332bd5d963342e8d1f3e9a060de55237db9a3e084b0a6": { "Name": "test1", "EndpointID": "47e99078d905b7c11fe0b4cd6279470746f4c0d85fcec8a6e40d536987163ddb", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ]
3.2 容器网络通信原理
3.2.1 容器之间互相访问原理
容器首先都连接到docekr0设备,然后实现网络的互通!
3.2.2 实验过程
首先,我们通过ip a命令来看宿主机的网络namespace,除了lo网卡和eth0网卡外,还有另外两个网卡!
- docker0:本机桥接网络的一个network namespace,即上图的docker0设备
- veth9b0a4fb@if14:负责连到docker0上面的veth pair的一个端口,另一端连接到容器上!
[root@docker01 ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:ccff:fea5:3e94/64 scope link valid_lft forever preferred_lft forever 15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::183d:79ff:fede:cd28/64 scope link valid_lft forever preferred_lft forever
- 第二步:查看test1容器的网络
发现有一个eth0@if15的网卡设备,这个设备和宿主机的veth9b0a4fb@if14是一对!
[root@docker01 ~]# docker exec test1 ip link 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1云原生|Docker04-docker的资源限制SPRING05_BeanFactory概述HierarchicalBeanFactoryListableBeanFacotoryDefaultListableBeanFactory档案馆详解(代码片