10 Docker0网络详解
Docker 网络
理解Docker0网络
-
测试
三个网络: lo,eth0, docker0/podman0
Docker是如何处理容器网络访问的?
[root@localhost ~]# [root@localhost ~]# ip ad sh 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:e0:70:2b:4e:1a brd ff:ff:ff:ff:ff:ff inet 192.168.73.10/24 brd 192.168.73.255 scope global noprefixroute eth0 valid_lft forever preferred_lft forever 3: cni-podman0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 0e:b7:b0:23:cb:d9 brd ff:ff:ff:ff:ff:ff inet 10.88.0.1/16 brd 10.88.255.255 scope global cni-podman0 valid_lft forever preferred_lft forever# 启动刚才上传到阿里云的tomcat9: [root@localhost ~]# podman run -p 9080:8080 --name "tomcat9" -d c379423344cf ec72ee25696946790ede78dbcf98148601a63f399f05dd91cfaf5c05f9fc10db [root@localhost ~]# [root@localhost ~]# podman ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ec72ee256969 registry.cn-chengdu.aliyuncs.com/diablofmb/diablofmb:1.0 /bin/sh -c /usr/l... 9 seconds ago Up 7 seconds ago 0.0.0.0:9080->8080/tcp tomcat9 # 查看网络信息 [root@localhost ~]# podman exec ec72ee256969 ip ad sh 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 3: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 3a:3d:af:4a:e5:7e brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.88.0.11/16 brd 10.88.255.255 scope global eth0 valid_lft forever preferred_lft forever # 容器启动时,podman会给容器分配网络网卡eth0@if13,以及配置网络地址 # 思考. linux 内部能否ping通容器地址。 [root@localhost ~]# ping 10.88.0.11 PING 10.88.0.11 (10.88.0.11) 56(84) bytes of data. 64 bytes from 10.88.0.11: icmp_seq=1 ttl=64 time=0.140 ms ^C --- 10.88.0.11 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.140/0.140/0.140/0.000 ms [root@localhost ~]#原理是怎样?
- 我们每启动一个docker容器,docker就会给docker容器分配一个ip,我们只要安装了docker,就会有一个docker0/podman0 网卡,桥接模式,使用的evth-apir技术!!
# 我们发现,容器新增的网卡,都是成对出现。 # evth-pair 就是一对的虚拟设备接口,它们都是成对出现的。一端连接着协议,另一端彼此相连。 # 正因为有这样的特性,evth-pair就可以充当一个桥梁,链接各种虚拟网络设备。 # OpenStack,Docker容器之间的链接,OVS(OpenVSwitch) 的链接,都是使用evth-pair技术。 # 可以看到,docker0上链接着两个另外的虚拟网卡,而这个网卡另一端,就是容器内的地址 [root@Simon_Phicomm-N1:~]# brctl show bridge name bridge id STP enabled interfaces docker0 8000.0242ec32f694 no veth0991058 vethb6b413f br-faf39c0b6e58 8000.02426946e4cc no [root@Simon_Phicomm-N1:~]# # 查看一下防火墙规则,在POSTROUTING可以看到一条规则 [root@Simon_Phicomm-N1:~]# iptables -t nat -xvnL ...... Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes) pkts bytes target prot opt in out source destination 35 1481 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0 ...... [root@Simon_Phicomm-N1:~]# # 35 1481 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0 # 从任何接口进来,只要不是从docker0网络接口出去的数据包,源地址是172.17.0.0/16,不管到什么地址 # 0.0.0.0/0,自动做MASQUERADE(地址伪装),而且是自动SNAT,就是自动在本机上物理网卡中,选择一个 # 最合适的源地址做伪装。 # ## 所以说docker0桥,是NAT桥,就是这个原因结论
容器和容器之间是可以互相ping通的。
容器和容器之间共用一个网桥路由,Docker0/Podman0
所有容器在不指定网络的情况下,都是docker0路由,docker会给容器分配一个默认可用的IP。
docker中所有的网络接口都是虚拟的,因为虚拟的转发效率高!
自定义网络
- 查看所有的docker网络
[root@Simon_Phicomm-N1:~]# docker network --help Usage: docker network COMMAND Manage networks Commands: connect Connect a container to a network create Create a network disconnect Disconnect a container from a network inspect Display detailed information on one or more networks ls List networks prune Remove all unused networks rm Remove one or more networks Run 'docker network COMMAND --help' for more information on a command. [root@Simon_Phicomm-N1:~]# docker network ls NETWORK ID NAME DRIVER SCOPE 8e2a5c39c11b bridge bridge local 706910adfed0 host host local f6da1cad8b8f macnet macvlan local eb985bc0f88e none null local网络模式
- bridge:桥接,docker (默认,自己创建网络,也用bridge模式)
- none: 不配置网络
- host:和宿主机共享网络
- container:容器网络连通!(用的少,局限性大,了解就行)
创建自定义网络:
[root@Simon_Phicomm-N1:~]# docker network create --help Usage: docker network create [OPTIONS] NETWORK Create a network Options: --attachable Enable manual container attachment --aux-address map Auxiliary IPv4 or IPv6 addresses used by Network driver (default map[]) --config-from string The network from which copying the configuration --config-only Create a configuration only network -d, --driver string Driver to manage the Network (default "bridge") --gateway strings IPv4 or IPv6 Gateway for the master subnet --ingress Create swarm routing-mesh network --internal Restrict external access to the network --ip-range strings Allocate container ip from a sub-range --ipam-driver string IP Address Management Driver (default "default") --ipam-opt map Set IPAM driver specific options (default map[]) --ipv6 Enable IPv6 networking --label list Set metadata on a network -o, --opt map Set driver specific options (default map[]) --scope string Control the network's scope --subnet strings Subnet in CIDR format that represents a network segment # 需要用到的参数: # 指定网络模式,默认为bridge -d, --driver string Driver to manage the Network (default "bridge") # 掩码 --subnet strings Subnet in CIDR format that represents a network segment # 网关 --gateway strings IPv4 or IPv6 Gateway for the master subnet [root@Simon_Phicomm-N1:~]# docker network create --driver bridge --subnet 192.168.78.0/24 --gateway 192.168.78.1 net_test faf39c0b6e584c56e46964beeb0c6752225a98128d9e08afc133761198dbeae2 [root@Simon_Phicomm-N1:~]# docker network ls NETWORK ID NAME DRIVER SCOPE 8e2a5c39c11b bridge bridge local 706910adfed0 host host local f6da1cad8b8f macnet macvlan local faf39c0b6e58 net_test bridge local eb985bc0f88e none null local [root@Simon_Phicomm-N1:~]# docker network inspect net_test [ { "Name": "net_test", "Id": "faf39c0b6e584c56e46964beeb0c6752225a98128d9e08afc133761198dbeae2", "Created": "2020-09-20T13:34:54.442270485+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "192.168.78.0/24", "Gateway": "192.168.78.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": {}, "Labels": {} } ] [root@Simon_Phicomm-N1:~]# # 启动容器两个容器,测试网络 [root@Simon_Phicomm-N1:~]# docker run -d -P --name "tomcat-net-01“ --net net_test tomcat [root@Simon_Phicomm-N1:~]# docker run -d -P --name "tomcat-net-02” --net net_test tomcat [root@Simon_Phicomm-N1:~]# docker exec -it tomcat-net-01 ping tomcat-net-02 [root@Simon_Phicomm-N1:~]# docker exec -it tomcat-net-02 ping tomcat-net-01 # 自定义网络,docker已经维护好对应关系,可以通过主机名直接ping通链接。 # 好处: # 不同集群,使用不同的网络,保证集群是安全和健康的网络连通的操作
[root@Simon_Phicomm-N1:~]# docker network connect --help Usage: docker network connect [OPTIONS] NETWORK CONTAINER Connect a container to a network Options: --alias strings Add network-scoped alias for the container --ip string IPv4 address (e.g., 172.30.100.104) --ip6 string IPv6 address (e.g., 2001:db8::33) --link list Add link to another container --link-local-ip strings Add a link-local address for the container开启docker的远程连接:
docker服务是可以被远程连接的,默认docker服务只显示本机资源,也就是sock接口
[root@Simon_Phicomm-N1:~]# ll /var/run/docker.sock srw-rw---- 1 root root 0 Aug 24 20:40 /var/run/docker.sock # 修改docker的daemon.json,添加tcp服务监听端口2375,不要忘记保留原docker.sock方式 # bip 参数是为 docker0 网桥指定地址 [root@Simon_Phicomm-N1:~]# cat /etc/docker/daemon.json { "storage-driver": "overlay2", "registry-mirrors": ["https://hvs1rb9d.mirror.aliyuncs.com", "https://quay.io" ], "bip": "10.0.0.1/16" , "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock" ] } [root@Simon_Phicomm-N1:~]#systemctl reload docker
