docker网络

docker network create ......

[原文链接]https://www.cnblogs.com/zuxing/articles/8780661.html

桥接网络类似于默认bridge网络[虚拟网桥的工作方式和物理交换机类似，这样主机上的所有容器就通过交换机连在了一个二层网络中。]

• docker network create --driver bridge new_bridge

$ ifconfig
br-f677ada3003c: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:2f:c1:db:5a  txqueuelen 0  (Ethernet)
        RX packets 4001976  bytes 526995216 (502.5 MiB)
        RX errors 0  dropped 35  overruns 0  frame 0
        TX packets 1424063  bytes 186928741 (178.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Macvlan 是真正的网络虚拟化技术的转折点 [实现网络之间的分离和与物理网络的连接]

• Macvlan Bridge模式
  

注意: 对于Macvlan桥接模式，子网值需要与Docker主机的NIC的接口相匹配。例如，使用由该-o parent=选项指定的Docker主机以太网接口的相同子网和网关。

此示例中使用的父接口位于eth0子网上172.16.86.0/24，这些容器中的容器docker network也需要和父级同一个子网-o parent=。网关是网络上的外部路由器，不是任何ip伪装或任何其他本地代理。

驱动程序用-d driver_name选项指定，在这种情况下-d macvlan。

父节点-o parent=eth0配置如下：

$ ip addr show eth0

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 172.16.86.250/24 brd 172.16.86.255 scope global eth0

创建macvlan网络并运行附加的几个容器：

# Macvlan  (-o macvlan_mode= Defaults to Bridge mode if not specified)
docker network create -d macvlan \
    --subnet=172.16.86.0/24 \
    --gateway=172.16.86.1  \
    -o parent=eth0 pub_net
 
# Run a container on the new network specifying the --ip address.
docker  run --net=pub_net --ip=172.16.86.10 -itd alpine /bin/sh
 
# Start a second container and ping the first
docker  run --net=pub_net -it --rm alpine /bin/sh
ping -c 4 172.16.86.10

看看容器ip和路由表：

ip a show eth0
    eth0@if3: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 46:b2:6b:26:2f:69 brd ff:ff:ff:ff:ff:ff
    inet 172.16.86.2/24 scope global eth0
 
ip route
    default via 172.16.86.1 dev eth0
    172.16.86.0/24 dev eth0  src 172.16.86.2
 
# NOTE: the containers can NOT ping the underlying host interfaces as
# they are intentionally filtered by Linux for additional isolation.
# In this case the containers cannot ping the -o parent=172.16.86.250

• Trunk Bridge模式
  
  VLAN ID 10

$ docker network create \
  --driver macvlan \
  --subnet=10.10.0.0/24 \
  --gateway=10.10.0.253 \
  -o parent=eth0.10 macvlan10

开启一个桥接Macvlan的容器：

$ docker run --net=macvlan10 -it --name macvlan_test1 --rm alpine /bin/sh
/ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
21: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:0a:0a:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.1/24 scope global eth0
       valid_lft forever preferred_lft forever

可以看到分配了一个10.10.0.1的地址，然后看一下路由地址。

/ # ip route
default via 10.10.0.253 dev eth0
10.10.0.0/24 dev eth0  src 10.10.0.1

然后再开启一个桥接Macvlan的容器：

$ docker run --net=macvlan10 -it --name macvlan_test2 --rm alpine /bin/sh
/ # ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
22: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:0a:0a:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.2/24 scope global eth0
       valid_lft forever preferred_lft forever

可以看到分配了一个10.10.0.2的地址，然后可以在两个容器之间相互ping，是可以ping通的。

/ # ping 10.10.0.1
PING 10.10.0.1 (10.10.0.1): 56 data bytes
64 bytes from 10.10.0.1: seq=0 ttl=64 time=0.094 ms
64 bytes from 10.10.0.1: seq=1 ttl=64 time=0.057 ms

经过上面两个容器的创建可以看出，容器IP是根据创建网络时的网段从小往大分配的。

当然，在创建容器时，我们也可以使用--ip手动执行一个IP地址分配给容器，如下操作。

$ docker run --net=macvlan10 -it --name macvlan_test3 --ip=10.10.0.189 --rm alpine /bin/sh
/ # ip addr show eth0
24: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:0a:0a:00:bd brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.189/24 scope global eth0
       valid_lft forever preferred_lft forever

VLAN ID 20
接着可以创建由Docker主机标记和隔离的第二个VLAN网络，该macvlan_mode默认是macvlan_mode=bridge，如下：

$ docker network create \
  --driver macvlan \
  --subnet=192.10.0.0/24 \
  --gateway=192.10.0.253 \
  -o parent=eth0.20 \
  -o macvlan_mode=bridge macvlan20

当我们创建完Macvlan网络之后，在docker主机可以看到相关的子接口，如下：

$ ifconfig
eth0.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:16:01:8b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 804 (804.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
eth0.20: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:16:01:8b  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

在/proc/net/vlan/config文件中，还可以看见相关的Vlan信息，如下：

$ cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth0.10        | 10  | eth0
eth0.20        | 20  | eth0