Docker-04-docker单机网络详解

Posted 流光给给

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Docker-04-docker单机网络详解相关的知识,希望对你有一定的参考价值。

一、docker的网络模式概述

1.1 单机模式

  • bridge

默认模式,此模式会为每一个容器分配、设置IP等,并将容器连接到一个docker0虚拟网桥,通过docker0网桥以及Iptables nat表配置与宿主机通信。

  • host

容器将不会虚拟出自己的网卡,配置自己的IP等,而是使用宿主机的IP和端口。

  • none

该模式关闭了容器的网络功能。

1.2 多机模式

  • overlay

2、Linux网络命名空间

2.1 查看namespace之间的隔离性

  • 第一步:运行一个busybox
docker run -d --name test1 busybox /bin/sh -c "while true;do sleep 3600;done"
  • 第二步:进入生成的容器
[root@docker01 ~]# docker exec -it test1 /bin/sh
/ # 
  • 第三步:通过`ip a`命名查看容器和宿主机的网络命名空间,可以发现容器的网络namespace和主机是隔离的
#查看容器的网络namespace
/ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever
#查看宿主机的网络namespace
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
  • 第四步:再生成另外一个容器,并查看两个容器的网络namespace。通过在两个容器中互ping,发现两个容器的网络namespace是可以互相连通的。
[root@docker01 ~]# docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done"
e8a75ef22834a402a3a0f71460f8551a658a7bacd364937de9358d35abe960cb
[root@docker01 ~]# sudo docker exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@docker01 ~]# sudo docker exec test2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

2.2 Linux网络namepace原理实验

实验:在两个namespace上面创建veth接口,并使两个namespace相通!

在做实验之间,先来想象一下两台电脑如果需要连通所需的条件:

  1. 两台电脑都需要一个网口
  2. 两个网口之间需要连接一根网线
  3. 两台电脑需要配置一个同网段的地址

满足上述三个要求,那么两个主机就能实现网络互联。Linux网络namespace采用veth pair技术,过程基本一致,下面就来做下实验。

2.2.1 网络namspace的基本用法

实验之前先来看看基本的命令和用法:

  • 查看linxu主机的network namespace
[root@docker01 ~]# ip netns list
  • 创建network namespace
[root@docker01 ~]# ip netns add test1
[root@docker01 ~]# ip netns add test2
[root@docker01 ~]# ip netns list
test2
test1
  • 查看network namespace里面的ip地址
#可以看到一个新的network namespace里面只有一个回环口,并没有分配ip地址;并且状态为DOWN
[root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  • 启动namespace里面的网卡,例如lo
[root@docker01 ~]# ip netns exec test1 ip link set dev lo up
[root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

2.2.2 实验过程

  • 第一步:在主机上添加一对link  veth-test1veth-test2,创建完成后状态为DOWN。(这一步联想做两个网卡,并用网线将两个网卡互连)
[root@docker01 ~]# ip link add veth-test1 type veth peer name veth-test2
[root@docker01 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT 
    link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
18: veth-test2@veth-test1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff
19: veth-test1@veth-test2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
    link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff
  • 第二步:为network namespace test1添加link veth-test1(这一步骤连想将一端网卡差到第一台电脑)

添加前test1里面只有一个lo口,并且为DOWN状态

#将test1添加到veth-test1里面
[root@docker01 ~]# ip link set veth-test1 netns test1

#查看test1的ip地址
root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
19: veth-test1@if18: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff link-netnsid 0

#并且发现本地的19口已经没有了(添加到了test1里面)
[root@docker01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::acb3:faff:fe8f:90b5/64 scope link 
       valid_lft forever preferred_lft forever
18: veth-test2@if19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
  • 第三步:将network namespace test2添加link veth-test2(这一步骤连想将一端网卡差到第二台电脑)

添加前test2里面只有一个lo口,并且为DOWN状态

#将veth-test2添加到test2里
[root@docker01 ~]# ip link set veth-test2 netns test2

#查看添加之后test2包含的ip [root@docker01
~]# ip netns exec test2 ip link 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 18: veth-test2@if19: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000 link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0

#再次查看主机ip,发现本地的18口也没有了 [root@docker01
~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000 link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:ccff:fea5:3e94/64 scope link valid_lft forever preferred_lft forever 15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::183d:79ff:fede:cd28/64 scope link valid_lft forever preferred_lft forever 17: veth8abdbae@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link/ether ae:b3:fa:8f:90:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::acb3:faff:fe8f:90b5/64 scope link valid_lft forever preferred_lft forever
  • 第四步:分别给test1和test2分配IP地址
[root@docker01 ~]# ip netns exec test1 ip addr add 10.0.0.1/24 dev veth-test1
[root@docker01 ~]# ip netns exec test2 ip addr add 10.0.0.2/24 dev veth-test2
  • 第五步:分别启动两个namespace的veth网卡
[root@docker01 ~]# ip netns exec test1 ip link set dev veth-test1 up
[root@docker01 ~]# ip netns exec test2 ip link set dev veth-test2 up
  • 第六步:查看两个namespace的ip地址
[root@docker01 ~]# ip netns exec test1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
19: veth-test1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether fa:27:f5:29:95:0b brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 10.0.0.1/24 scope global veth-test1
       valid_lft forever preferred_lft forever
    inet6 fe80::f827:f5ff:fe29:950b/64 scope link 
       valid_lft forever preferred_lft forever
[root@docker01 ~]# ip netns exec test2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
18: veth-test2@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 36:ad:7c:f7:32:e7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.0.0.1/24 scope global veth-test2
       valid_lft forever preferred_lft forever
    inet6 fe80::34ad:7cff:fef7:32e7/64 scope link 
       valid_lft forever preferred_lft forever
  • 两个NameSpace互ping,能ping通则说明实验成功!!
[root@docker01 ~]# ip netns exec test1 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.109 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.109/0.115/0.121/0.006 ms
[root@docker01 ~]# ip netns exec test2 ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.106 ms
^C
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.079/0.092/0.106/0.016 ms

 Linux的网络namespace原理基本如上,docker容器的网络也类似于此!!

三、Docker Bridge网络

3.1 docker network命令

  • 查看docker主机的网络模式
[root@docker01 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
afba28b63ba9        bridge              bridge              local
d12ebb4b73d8        host                host                local
c2fb11041077        none                null                local
  • 查看network的详细信息

在输出结果中可以看到有一项为container,并且有test1这个容器的信息,说明test1的网络加入到了这个bridge

[root@docker01 ~]# docker network inspect afba28b63ba9
[
    {
        "Name": "bridge",
        "Id": "afba28b63ba9369a0068985cc75f93c309c3e802bee19ad616d2961f45df310a",
        "Created": "2019-03-30T10:45:07.636737489+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "8e8f15985b86f0d0811332bd5d963342e8d1f3e9a060de55237db9a3e084b0a6": {
                "Name": "test1",
                "EndpointID": "47e99078d905b7c11fe0b4cd6279470746f4c0d85fcec8a6e40d536987163ddb",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

3.2 容器网络通信原理

3.2.1 容器之间互相访问原理

容器首先都连接到docekr0设备,然后实现网络的互通!

3.2.2 实验过程

首先,我们通过ip a命令来看宿主机的网络namespace,除了lo网卡和eth0网卡外,还有另外两个网卡!

  • docker0:本机桥接网络的一个network namespace,即上图的docker0设备
  • veth9b0a4fb@if14:负责连到docker0上面的veth pair的一个端口,另一端连接到容器上!
[root@docker01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 92:c6:d2:2d:40:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.38/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::90c6:d2ff:fe2d:4098/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:cc:a5:3e:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:ccff:fea5:3e94/64 scope link 
       valid_lft forever preferred_lft forever
15: veth9b0a4fb@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 1a:3d:79:de:cd:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::183d:79ff:fede:cd28/64 scope link 
       valid_lft forever preferred_lft forever
  • 第二步:查看test1容器的网络

发现有一个eth0@if15的网卡设备,这个设备和宿主机的veth9b0a4fb@if14是一对!