12、Docker的网络--bridge
-
单机网络
- Bridge Network
- Host Network
- None Network
-
多机网络
- Overlay Network
12.1 网络命名空间
启动一个容器
docker run -d --name test1 busybox /bin/sh -c "while true;do sleep 3600;done"
进入容器
docker exec -it test1 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
166: eth0@if167: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
再启动一个容器
docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done"
docker exec -it test2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
168: eth0@if169: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
由此可见,docker在启动容器的时候会自动分配一个IP给容器,并且容器间的IP是不一样的,但是同一台服务器上的docker容器之间是可以ping通的。
docker exec -it test1 /bin/sh
/ # ping 172.17.0.4
PING 172.17.0.4 (172.17.0.4): 56 data bytes
64 bytes from 172.17.0.4: seq=0 ttl=64 time=0.121 ms
64 bytes from 172.17.0.4: seq=1 ttl=64 time=0.083 ms
64 bytes from 172.17.0.4: seq=2 ttl=64 time=0.078 ms
64 bytes from 172.17.0.4: seq=3 ttl=64 time=0.079 ms
^C
--- 172.17.0.4 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.078/0.090/0.121 ms
linux上的网络命名空间
通过命令行实现两个网络命名空间互联:
# 添加两个网络命名空间test1和test2
ip netns add test1
ip netns add test2
# 添加一对veth的接口link
ip link add veth-test1 type veth peer name veth-test2
# 查看link
ip link
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
147: veth1e50917@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether 22:74:d9:54:88:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
169: veth3391153@if168: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether c2:33:b7:f4:d9:98 brd ff:ff:ff:ff:ff:ff link-netnsid 2
170: veth-test2@if171: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 3
171: veth-test1@veth-test2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff
# 将veth-test1添加到网络命名空间test1中
ip link set veth-test1 netns test1
# 查看test1的link
ip netns exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
171: veth-test1@if170: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# 查看本地link
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
147: veth1e50917@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether 22:74:d9:54:88:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
169: veth3391153@if168: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether c2:33:b7:f4:d9:98 brd ff:ff:ff:ff:ff:ff link-netnsid 2
170: veth-test2@if171: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 3
# 可以发现veth-test1已经不见了
# 将veth-test2添加到网络命名空间test2中
ip link set veth-test2 netns test2
# 查看test1的link
ip netns exec test2 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
170: veth-test2@if171: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# 查看本地link
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
147: veth1e50917@if146: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether 22:74:d9:54:88:da brd ff:ff:ff:ff:ff:ff link-netnsid 0
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
169: veth3391153@if168: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
link/ether c2:33:b7:f4:d9:98 brd ff:ff:ff:ff:ff:ff link-netnsid 2
至此,之前创建的两个veth接口都已经消失了。但是test1和test2两个网络命名空间都只有一个Mac地址,并没有IP地址,而且状态都是down的。
分别给这两个网络命名空间添加IP:
ip netns exec test1 ip addr add 192.168.1.1/24 dev veth-test1
ip netns exec test2 ip addr add 192.168.1.2/24 dev veth-test2
启动这两个命名空间:
ip netns exec test1 ip link set dev veth-test1 up
ip netns exec test2 ip link set dev veth-test2 up
检测两个命名空间的状态:
# 检查test1是否启动
ip netns exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
171: veth-test1@if170: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT qlen 1000
link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff link-netnsid 1
# 检查test2是否启动
ip netns exec test2 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
170: veth-test2@if171: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT qlen 1000
link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
# 检查test1是否有IP
ip netns exec test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
171: veth-test1@if170: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 9a:b1:aa:6b:d3:80 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet 192.168.1.1/24 scope global veth-test1
valid_lft forever preferred_lft forever
inet6 fe80::98b1:aaff:fe6b:d380/64 scope link
valid_lft forever preferred_lft forever
# 检查test2是否有IP
ip netns exec test2 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
170: veth-test2@if171: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 56:e7:51:26:cd:37 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.2/24 scope global veth-test2
valid_lft forever preferred_lft forever
inet6 fe80::54e7:51ff:fe26:cd37/64 scope link
valid_lft forever preferred_lft forever
检查两个命名空间之间网络是否联通
ip netns exec test2 ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.049 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.038 ms
^C
--- 192.168.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.038/0.043/0.049/0.008 ms
ip netns exec test1 ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.090 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.055 ms
^C
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.043/0.062/0.090/0.021 ms
12.2 docker bridge0
查看docker网络
[root@docker ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
60e81719174c bridge bridge local
67f0fa7f22b0 host host local
01f3c01c3ade none null local
[root@docker ~]#
查看bridge的网络信息:
[root@docker ~]# docker network inspect 60e81719174c
[
{
"Name": "bridge",
"Id": "60e81719174cd81800981dba54d9dd97e0df639e128abb92605ca2828f4f3d06",
"Created": "2018-05-31T16:47:33.917919725+07:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"a10b6f5afb766f59550650656e29cf9fc1dff2c63978ceae02bdd92b367f329a": {
"Name": "test1",
"EndpointID": "8e4b12841f72614d2df2d6b5b53da197847655e09f7bfa84c1e2ed78dd329759",
"MacAddress": "02:42:ac:11:00:03",
"IPv4Address": "172.17.0.3/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
[root@docker ~]#
其中有一部分:
"Containers": {
"a10b6f5afb766f59550650656e29cf9fc1dff2c63978ceae02bdd92b367f329a": {
"Name": "test1",
"EndpointID": "8e4b12841f72614d2df2d6b5b53da197847655e09f7bfa84c1e2ed78dd329759",
"MacAddress": "02:42:ac:11:00:03",
"IPv4Address": "172.17.0.3/16",
"IPv6Address": ""
}
},
可以看出容器test1连接到的是个bridge的网络。test1容器内有一个veth的接口eth0@if167,宿主机也有一个veth的接口veth2e7a7c3@if166,所以这两个接口是一对。
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:16:3e:00:68:40 brd ff:ff:ff:ff:ff:ff
inet 172.21.168.103/20 brd 172.21.175.255 scope global dynamic eth0
valid_lft 308698339sec preferred_lft 308698339sec
# docker0是docker在宿主机上的一个bridge网卡
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:0c:47:25:c2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
link/ether 1e:83:e1:ee:e5:25 brd ff:ff:ff:ff:ff:ff link-netnsid 1
docker exec -it test1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
166: eth0@if167: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
test1中的eth0@if167和本地的veth2e7a7c3@if166是一对veth pair,最终它们还是连接到docker0的:
[root@docker ~]# yum install -y bridge-utils
[root@docker ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02420c4725c2 no veth2e7a7c3
[root@docker ~]# ip a|grep veth2e7a7c3
167: veth2e7a7c3@if166: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
[root@docker ~]#
再创建一个容器test2验证一下:
[root@docker ~]# docker run -d --name test2 busybox /bin/sh -c "while true;do sleep 3600;done"
再次查看docker bridge网络信息:
[root@docker ~]# docker network inspect 60e81719174c
[
{
"Name": "bridge",
"Id": "60e81719174cd81800981dba54d9dd97e0df639e128abb92605ca2828f4f3d06",
"Created": "2018-05-31T16:47:33.917919725+07:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"47ad250ba92e0ece87c65df825e701a3691c952a65180888da580664b647b298": {
"Name": "test2",
"EndpointID": "d62db8de4e451bd89cc2afbadfb0c803528ca34b8110ae18f997b83980e1e2da",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
},
"a10b6f5afb766f59550650656e29cf9fc1dff2c63978ceae02bdd92b367f329a": {
"Name": "test1",
"EndpointID": "8e4b12841f72614d2df2d6b5b53da197847655e09f7bfa84c1e2ed78dd329759",
"MacAddress": "02:42:ac:11:00:03",
"IPv4Address": "172.17.0.3/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
[root@docker ~]#
可以看到container中多了一个test2的容器信息。可以确定tes2容器也是使用的bridge网络。
ip a
......
177: veth0171814@if176: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
link/ether 4a:33:a7:59:ca:98 brd ff:ff:ff:ff:ff:ff link-netnsid 0
docker exec -it test2 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
176: eth0@if177: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02420c4725c2 no veth0171814
veth2e7a7c3
可以看到多了一个veth0171814
ip a|grep veth0171814
177: veth0171814@if176: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
单机docker容器之间网络互联
docker单个容器怎么连上互联网
容器通过类似NAT网络地址转换(通过iptables实现),转换成eth0的地址,然后通过eth0连接外网。
