
#导入连接到host2的环境变量
[root@host1:~ [host2]]#eval $(docker-machine env host2)
#查看docker的原生网络:桥接、本机、无三种
[root@host1:~ [host2]]#docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
88cb1b40a898        bridge              bridge              local
4aa36335be46        host                host                local
7eadfbd8b20c        none                null                local

#none网络类型的容器,对安全性要求高:比如生成随机密码的容器
[root@host1:~ [host2]]#docker run -it --network=none busybox
/# ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
#host网络类型的容器,直接共享docker host的网络栈,容器内看到的网络配置和host完全一样;因此这种容器与host之间没有网络隔离
[root@host1:~ [host2]]#docker run -it --network=host busybox
/ # ifconfig 
docker0   Link encap:Ethernet  HWaddr 02:42:B1:61:57:56  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:b1ff:fe61:5756/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:1060 (1.0 KiB)

ens33     Link encap:Ethernet  HWaddr 00:0C:29:CB:87:7A  
          inet addr:192.168.142.170  Bcast:192.168.142.255  Mask:255.255.255.0
          inet6 addr: fe80::3f46:a638:8094:76e4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15374 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6923612 (6.6 MiB)  TX bytes:507427 (495.5 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1760 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1760 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:137627 (134.4 KiB)  TX bytes:137627 (134.4 KiB)
#桥接
1)默认情况有一个叫docker0的Linux bridge,如果不指定网络的话,创建的容器会挂载到此网络上
[root@host1:~]#brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02426a0b9c15       no
2)当我们创建一个容器时,一个名为veth88b534c的网络接口被挂载到此网络(docker0)上
[root@host1:~]#docker run -d httpd
e4c5b37d239d3a6b9da599edf57a4f5d9dec2f0c22886b421d8f29c5e6381727
[root@host1:~]#brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02426a0b9c15       no              veth88b534c
#查看容器的网络配置,其中容器内的eth0@if8和host上的veth88b534c是一对儿特殊的网络设备(veth pair),这样容器可以连接到docker0(即将docker0(172.17.0.1)作为网关)
[root@host1:~]#docker run -d httpd
e4c5b37d239d3a6b9da599edf57a4f5d9dec2f0c22886b421d8f29c5e6381727
[root@host1:~]#docker exec -it e4c5b37d239d3a6b9da599edf57a4f5d9dec2f0c22886b421d8f29c5e6381727 bash
root@e4c5b37d239d:/usr/local/apache2# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 scope global eth0
       valid_lft forever preferred_lft forever

#自定义网络
#创建my_net的桥接网络
[root@host1:~]#docker network create --driver bridge my_net
7342a6a014718ad595b71f2173e546cbcf0d67b3a6a662b5592fd51e1540894f
#可以查看创建的br-7342a6a01471
[root@host1:~]#brctl show
bridge name     bridge id               STP enabled     interfaces
br-7342a6a01471         8000.024278ac213f       no
docker0         8000.02426a0b9c15       no              veth0294be2
#查看my_net的详细信息
[root@host1:~]#docker network inspect my_net
[
    {
        "Name": "my_net",
        "Id": "7342a6a014718ad595b71f2173e546cbcf0d67b3a6a662b5592fd51e1540894f",
        "Created": "2017-07-30T00:39:57.199683843-07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]      
#指定子网和网关的的bridge:my_net2
[root@host1:~]#docker network  create --driver bridge --subnet 172.22.16.0/24 --gateway 172.22.16.1 my_net2
#创建容器时可以指定网络和ip地址,ip地址需要在此网络中,不能只单独指定IP
#失败:my_net 创建时没有用 --subnet 指定子网(--ip 只支持用户自定义子网的网络),而且 172.22.16.2 也不在 my_net 的 172.18.0.0/16 子网中
[root@host1:~]#docker run -d --network my_net --ip 172.22.16.2 busybox
82924b593ed13028f60bef65e6fd796e3e4cb47f163f650302a73246328ec201
docker: Error response from daemon: user specified IP address is supported only when connecting to networks with user configured subnets.
#OK的情况,既指定了网络也指定了IP
[root@host1:~]#docker run -d --network my_net2 --ip 172.22.16.2 busybox
3c7d600ab60f6b33bcc8c05adb241037c33d242c5ea00d2acd72908a3486211b

#不同网段的容器之间默认是隔离的,这是由防火墙 filter 表 DOCKER-ISOLATION 链中的 DROP 规则实现的
[root@host1:~]#iptables-save 
# Generated by iptables-save v1.6.0 on Sun Jul 30 02:13:54 2017
*nat
:PREROUTING ACCEPT [51:5969]
:INPUT ACCEPT [37:4065]
:OUTPUT ACCEPT [201:15938]
:POSTROUTING ACCEPT [199:15902]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.22.16.0/24 ! -o br-1040ac23396d -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7342a6a01471 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i br-1040ac23396d -j RETURN
-A DOCKER -i br-7342a6a01471 -j RETURN
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sun Jul 30 02:13:54 2017
# Generated by iptables-save v1.6.0 on Sun Jul 30 02:13:54 2017
*filter
:INPUT ACCEPT [3360:245776]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2689:254929]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o br-1040ac23396d -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-1040ac23396d -j DOCKER
-A FORWARD -i br-1040ac23396d ! -o br-1040ac23396d -j ACCEPT
-A FORWARD -i br-1040ac23396d -o br-1040ac23396d -j ACCEPT
-A FORWARD -o br-7342a6a01471 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7342a6a01471 -j DOCKER
-A FORWARD -i br-7342a6a01471 ! -o br-7342a6a01471 -j ACCEPT
-A FORWARD -i br-7342a6a01471 -o br-7342a6a01471 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -i docker0 -o br-1040ac23396d -j DROP
-A DOCKER-ISOLATION -i br-1040ac23396d -o docker0 -j DROP
-A DOCKER-ISOLATION -i br-7342a6a01471 -o br-1040ac23396d -j DROP
-A DOCKER-ISOLATION -i br-1040ac23396d -o br-7342a6a01471 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-7342a6a01471 -j DROP
-A DOCKER-ISOLATION -i br-7342a6a01471 -o docker0 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Jul 30 02:13:54 2017
#通过给容器再接入一个网络(即增加一块网卡),可以实现不同网段容器间的通信
[root@host1:~]#docker network connect my_net2 512cefa7565b

#容器间通信的三种方式
1)两个容器各有一块属于同一子网的网卡(即接入同一个网络)
2)在自定义网络中,可以通过 Docker 内置的 DNS SERVER 按容器名通信,即创建容器时用 --name 指定名字
[root@host1:~]#docker run -it --network=my_net2 --name=bbox3 busybox
/ # ping bbox3
PING bbox3 (172.22.16.2): 56 data bytes
64 bytes from 172.22.16.2: seq=0 ttl=64 time=0.038 ms
^C
--- bbox3 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.038/0.038/0.038 ms
/ # ping bbox4
PING bbox4 (172.22.16.4): 56 data bytes
64 bytes from 172.22.16.4: seq=0 ttl=64 time=0.183 ms
^C
--- bbox4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.183/0.183/0.183 ms
3)joined 容器(用 --network=container:bbox4 加入 bbox4 的网络栈)之间可以通过 127.0.0.1 直接通信
#不同容器中的程序希望通过 loopback 高效快速地通信,比如 web server 与 app server。
[root@host1:~]#docker run -it --network=container:bbox4 busybox
/ # ping bbox4
PING bbox4 (172.22.16.4): 56 data bytes
64 bytes from 172.22.16.4: seq=0 ttl=64 time=0.037 ms
64 bytes from 172.22.16.4: seq=1 ttl=64 time=0.144 ms
^C
--- bbox4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.037/0.090/0.144 ms

#容器如何访问外网
busybox 发送 ping 包:172.17.0.2 > www.bing.com
docker0 收到包,发现是发送到外网的,交给 NAT 处理(即 iptables nat 表 POSTROUTING 链中的 MASQUERADE 规则)
NAT 将源地址换成 enp0s3 的 IP:10.0.2.15 > www.bing.com。
ping 包从 enp0s3 发送出去,到达 www.bing.com。

#外部世界如何访问容器
A:端口映射,即 docker run 的 -p参数,把容器端口发布到 host 上

总结:
1)首先学习了 Docker 的三种网络:none, host 和 bridge 并讨论了它们的不同使用场景;
2)然后我们实践了创建自定义网络;
3)最后详细讨论了如何实现容器与容器之间,容器与外部网络之间的通信。

  

 
