Docker networking
Posted wangyp
tags:
```
# Import the environment variables that point the client at host2
[[email protected]:~ [host2]]#eval $(docker-machine env host2)
# Docker's three native networks: bridge, host and none
[[email protected]:~ [host2]]#docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
88cb1b40a898        bridge              bridge              local
4aa36335be46        host                host                local
7eadfbd8b20c        none                null                local
```

The none network is for containers with high security requirements, for example a container that only generates random passwords: it gets nothing but a loopback interface.

```
[[email protected]:~ [host2]]#docker run -it --network=none busybox
/ # ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```

A container on the host network shares the Docker host's network stack; its network configuration is identical to the host's.

```
[[email protected]:~ [host2]]#docker run -it --network=host busybox
/ # ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:B1:61:57:56
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:b1ff:fe61:5756/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:1060 (1.0 KiB)

ens33     Link encap:Ethernet  HWaddr 00:0C:29:CB:87:7A
          inet addr:192.168.142.170  Bcast:192.168.142.255  Mask:255.255.255.0
          inet6 addr: fe80::3f46:a638:8094:76e4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15374 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6923612 (6.6 MiB)  TX bytes:507427 (495.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1760 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1760 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:137627 (134.4 KiB)  TX bytes:137627 (134.4 KiB)
```

Bridge network

1) By default there is a Linux bridge called docker0; a container created without an explicit network is attached to it.

```
[[email protected]:~]#brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02426a0b9c15       no
```

2) When a container is created (here `docker run -d httpd`), a network interface named veth88b534c appears attached to docker0.

```
[[email protected]:~]#docker run -d httpd
e4c5b37d239d3a6b9da599edf57a4f5d9dec2f0c22886b421d8f29c5e6381727
[[email protected]:~]#brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02426a0b9c15       no              veth88b534c
```

Looking at the container's network configuration, eth0@if8 inside the container and veth88b534c on the host are a veth pair, a special pair of network devices through which the container connects to docker0 (docker0, 172.17.0.1, acts as its gateway).

```
[[email protected]:~]#docker exec -it e4c5b37d239d3a6b9da599edf57a4f5d9dec2f0c22886b421d8f29c5e6381727 bash
[email protected]:/usr/local/apache2# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever
```

Custom networks

```
# Create a bridge network named my_net
[[email protected]:~]#docker network create --driver bridge my_net
7342a6a014718ad595b71f2173e546cbcf0d67b3a6a662b5592fd51e1540894f
# The newly created bridge br-7342a6a01471 is now visible
[[email protected]:~]#brctl show
bridge name     bridge id               STP enabled     interfaces
br-7342a6a01471 8000.024278ac213f       no
docker0         8000.02426a0b9c15       no              veth0294be2
# Show the details of my_net
[[email protected]:~]#docker network inspect my_net
[
    {
        "Name": "my_net",
        "Id": "7342a6a014718ad595b71f2173e546cbcf0d67b3a6a662b5592fd51e1540894f",
        "Created": "2017-07-30T00:39:57.199683843-07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
```

```
# A bridge with an explicit subnet and gateway: my_net2
[[email protected]:~]#docker network create --driver bridge --subnet 172.22.16.0/24 --gateway 172.22.16.1 my_net2
# When creating a container you can specify both the network and the IP address; the IP must lie
# within that network's subnet, and an IP cannot be specified on its own
# IP not in this network's subnet:
[[email protected]:~]#docker run -d --network my_net --ip 172.22.16.2 busybox
82924b593ed13028f60bef65e6fd796e3e4cb47f163f650302a73246328ec201
docker: Error response from daemon: user specified IP address is supported only when connecting to networks with user configured subnets.
# OK: both the network and an IP inside its subnet are given
[[email protected]:~]#docker run -d --network my_net2 --ip 172.22.16.2 busybox
3c7d600ab60f6b33bcc8c05adb241037c33d242c5ea00d2acd72908a3486211b
```

Traffic between containers on different networks is blocked by the firewall's DROP rules (the DOCKER-ISOLATION chain below):

```
[[email protected]:~]#iptables-save
# Generated by iptables-save v1.6.0 on Sun Jul 30 02:13:54 2017
*nat
:PREROUTING ACCEPT [51:5969]
:INPUT ACCEPT [37:4065]
:OUTPUT ACCEPT [201:15938]
:POSTROUTING ACCEPT [199:15902]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.22.16.0/24 ! -o br-1040ac23396d -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7342a6a01471 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-1040ac23396d -j RETURN
-A DOCKER -i br-7342a6a01471 -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Jul 30 02:13:54 2017
# Generated by iptables-save v1.6.0 on Sun Jul 30 02:13:54 2017
*filter
:INPUT ACCEPT [3360:245776]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2689:254929]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-1040ac23396d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1040ac23396d -j DOCKER
-A FORWARD -i br-1040ac23396d ! -o br-1040ac23396d -j ACCEPT
-A FORWARD -i br-1040ac23396d -o br-1040ac23396d -j ACCEPT
-A FORWARD -o br-7342a6a01471 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7342a6a01471 -j DOCKER
-A FORWARD -i br-7342a6a01471 ! -o br-7342a6a01471 -j ACCEPT
-A FORWARD -i br-7342a6a01471 -o br-7342a6a01471 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -i docker0 -o br-1040ac23396d -j DROP
-A DOCKER-ISOLATION -i br-1040ac23396d -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-7342a6a01471 -o br-1040ac23396d -j DROP
-A DOCKER-ISOLATION -i br-1040ac23396d -o br-7342a6a01471 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-7342a6a01471 -j DROP
-A DOCKER-ISOLATION -i br-7342a6a01471 -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Jul 30 02:13:54 2017
```

A container can be given a second interface on another network so that it can talk to containers there:

```
[[email protected]:~]#docker network connect my_net2 512cefa7565b
```

Three ways for containers to communicate with each other

1) The containers each have an interface on the same subnet.

2) In a user-defined network, through the Docker DNS server, i.e. by container name:

```
[[email protected]:~]#docker run -it --network=my_net2 --name=bbox3 busybox
/ # ping bbox3
PING bbox3 (172.22.16.2): 56 data bytes
64 bytes from 172.22.16.2: seq=0 ttl=64 time=0.038 ms
^C
--- bbox3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.038/0.038/0.038 ms
/ # ping bbox4
PING bbox4 (172.22.16.4): 56 data bytes
64 bytes from 172.22.16.4: seq=0 ttl=64 time=0.183 ms
^C
--- bbox4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.183/0.183/0.183 ms
```

3) Joined containers (`--network=container:bbox4`) share one network stack and can talk to each other directly over 127.0.0.1. This suits programs in different containers that want fast, efficient communication over loopback, for example a web server and an app server.

```
[[email protected]:~]#docker run -it --network=container:bbox4 busybox
/ # ping bbox4
PING bbox4 (172.22.16.4): 56 data bytes
64 bytes from 172.22.16.4: seq=0 ttl=64 time=0.037 ms
64 bytes from 172.22.16.4: seq=1 ttl=64 time=0.144 ms
^C
--- bbox4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.037/0.090/0.144 ms
```

How a container reaches the outside world

- busybox sends a ping packet: 172.17.0.2 > www.bing.com
- docker0 receives the packet, sees that it is destined for the outside and hands it to NAT
- NAT rewrites the source address to the IP of enp0s3: 10.0.2.15 > www.bing.com
- the packet is sent out through enp0s3 and reaches www.bing.com

How the outside world reaches a container: port mapping, with the -p parameter.

Summary:

1) We first looked at Docker's three networks, none, host and bridge, and discussed their different use cases;
2) then we practised creating custom networks;
3) finally we discussed in detail how containers communicate with each other and with external networks.
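The DOCKER-ISOLATION rules and the `--ip` check above, as an added audit example that is not part of the original post: it parses an iptables-save excerpt constructed from the page's output and reports any bridge pair that has no DROP rule, and it mirrors the daemon's two conditions for a static `--ip`. The NETWORKS table and its user_subnet flag are assumptions made for the example.

```python
import ipaddress
import re

# Constructed excerpt of the DOCKER-ISOLATION rules shown in the page's iptables-save output.
IPTABLES_SAVE = """\
*filter
:FORWARD DROP [0:0]
:DOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-ISOLATION
-A DOCKER-ISOLATION -i docker0 -o br-1040ac23396d -j DROP
-A DOCKER-ISOLATION -i br-1040ac23396d -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-7342a6a01471 -o br-1040ac23396d -j DROP
-A DOCKER-ISOLATION -i br-1040ac23396d -o br-7342a6a01471 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-7342a6a01471 -j DROP
-A DOCKER-ISOLATION -i br-7342a6a01471 -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
COMMIT
"""

# Assumed model of the page's networks; "user_subnet" records whether --subnet was given at
# creation (the daemon error on the page says --ip only works on such networks).
NETWORKS = {
    "bridge":  {"subnet": "172.17.0.0/16", "user_subnet": False},
    "my_net":  {"subnet": "172.18.0.0/16", "user_subnet": False},
    "my_net2": {"subnet": "172.22.16.0/24", "user_subnet": True},
}

DROP_RE = re.compile(r"^-A DOCKER-ISOLATION -i (\S+) -o (\S+) -j DROP$")

def isolation_drops(dump):
    """Set of (in_bridge, out_bridge) pairs that the DOCKER-ISOLATION chain drops."""
    return {m.groups() for line in dump.splitlines() if (m := DROP_RE.match(line.strip()))}

def missing_isolation(dump, bridges):
    """Ordered bridge pairs with no DROP rule: forwarding between those networks is not blocked."""
    drops = isolation_drops(dump)
    return sorted((a, b) for a in bridges for b in bridges if a != b and (a, b) not in drops)

def static_ip_ok(network, ip):
    """Mirror the daemon's two conditions for `docker run --network NET --ip IP`."""
    net = NETWORKS[network]
    if not net["user_subnet"]:
        return False  # "supported only when connecting to networks with user configured subnets"
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net["subnet"])

if __name__ == "__main__":
    bridges = ["docker0", "br-7342a6a01471", "br-1040ac23396d"]
    print("unisolated pairs:", missing_isolation(IPTABLES_SAVE, bridges))  # []
    print("my_net  172.22.16.2:", static_ip_ok("my_net", "172.22.16.2"))   # False
    print("my_net2 172.22.16.2:", static_ip_ok("my_net2", "172.22.16.2"))  # True
```

Newer Docker releases split this logic into DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains, so the rule pattern needs adjusting on those hosts.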