Docker网络
介绍
只要装了docker,就会有一个网卡docker0,每启动一个docker容器,docker就会给容器分配一个ip,默认使用的是桥接模式,使用的技术是evth-pair。当容器停止或被删除时,生成的网卡也会被删除,。
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:7d:1f:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.130/24 brd 192.168.11.255 scope global noprefixroute dynamic ens33
valid_lft 1624sec preferred_lft 1624sec
inet6 fe80::929c:9d6d:8589:24cd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ff:d9:83:c2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:ffff:fed9:83c2/64 scope link
valid_lft forever preferred_lft forever
$ docker run -d --name tomcat1 tomcat #运行容器
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:7d:1f:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.11.130/24 brd 192.168.11.255 scope global noprefixroute dynamic ens33
valid_lft 1667sec preferred_lft 1667sec
inet6 fe80::929c:9d6d:8589:24cd/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ff:d9:83:c2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:ffff:fed9:83c2/64 scope link
valid_lft forever preferred_lft forever
#多了一对网卡
381: veth3695120@if380: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 2a:04:14:48:38:ae brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::2804:14ff:fe48:38ae/64 scope link
valid_lft forever preferred_lft forever
#容器内部ip addr
$ docker exec -it tomcat1 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
380: eth0@if381: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
容器与容器之间是不互相通信,只是容器与docker0之间是通信的,docker0与宿主机的物理网卡通过-p参数映射。
隔离性
命令
docker network create --net 模式
模式:
bridge:桥接模式(默认),docker run 默认采用此模式。
host:本地模式,docker容器与宿主机采用相同的网络。
此模式下启动容器不会生成evth-pair,也不需要-p参数映射就可访问容器内端口
none:不配置网络,一般用作测试
container:使用其他容器的网络栈,不同容器中ip相同,可通过回环接口访问。
用法:docker run --net container:容器名
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
f3a0af1ba07b bridge bridge local
30eaddd942a9 host host local
383f7401900a none null local
创建自定义网络
扩展:子网掩码中的16代表位数,表明还可以创建255*255-回环-0.1这么多ip
如果是24 表明还可以创建255-回环-0.1这么多ip
#创建网关是169.253.0.1,容器ip可以为169.253.x.x的网络
$ docker network create --gateway 169.253.0.1 --subnet 169.253.0.0/16 mynet
$ docker network ls #多出了自定义的网络
$ ifconfig #多了一个网桥
#通过自定义网络启动容器
$ docker run -d --net mynet --name apache1 myhttpd:v1
$ docker run -d --net mynet --name apache2 myhttpd:v1
$ docker run -d --name apache3 myhttpd:v1
#再次查看自定义网络元数据,发现分配了两个容器ip
$ docker network inspect mynet
[
{
"Name": "mynet",
"Id": "1dfc137cc6918db0582a959933ce050c775f49c1c935007a82614b38affc19e5",
"Created": "2022-07-04T20:50:04.711134688+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "169.253.0.0/16",
"Gateway": "169.253.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"6ea0f20093935d29030fb3ad69d94d4c991fe745ec0f41fcdeafd5ec6a60b88a": {
"Name": "apache1",
"EndpointID": "c835e32a361103ae5d93da6740218b8720e9aa7e7a2a0577a05a3284cb3c5310",
"MacAddress": "02:42:a9:fd:00:02",
"IPv4Address": "169.253.0.2/16",
"IPv6Address": ""
},
"d9261eccd254f0d579033f312332bccb5430b06f4a82efb74023dee770483078": {
"Name": "apache2",
"EndpointID": "0535dca700b252bfa47564c68644e844d2cefc3cca40ce1c5eaf284c859f7c49",
"MacAddress": "02:42:a9:fd:00:03",
"IPv4Address": "169.253.0.3/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
相同网桥下两个容器之间可以互通,而不同网桥下的容器无法互通.
$ docker exec -it apache2 ping apache1
PING apache1 (169.253.0.2) 56(84) bytes of data.
64 bytes from apache1.mynet (169.253.0.2): icmp_seq=1 ttl=64 time=0.259 ms
64 bytes from apache1.mynet (169.253.0.2): icmp_seq=2 ttl=64 time=0.255 ms
$ docker exec -it apache2 ping apache3
ping: apache3: Name or service not known
联通性
如何实现不同网桥下容器的互通?网桥与网桥之间是不能通信的,实现的是容器与网桥之间的通信
命令:
$ docker network connect 网卡 容器
#容器apache1、apache2采用自定义网络,apache3采用默认网桥
$ docker run -d --net mynet --name apache1 myhttpd:v1
$ docker run -d --net mynet --name apache2 myhttpd:v1
$ docker run -d --name apache3 myhttpd:v1
#此时相同网桥下两个容器之间可以互通,而不同网桥下的容器无法互通.
$ docker exec -it apache2 ping apache1
PING apache1 (169.253.0.2) 56(84) bytes of data.
64 bytes from apache1.mynet (169.253.0.2): icmp_seq=1 ttl=64 time=0.259 ms
64 bytes from apache1.mynet (169.253.0.2): icmp_seq=2 ttl=64 time=0.255 ms
$ docker exec -it apache2 ping apache3
ping: apache3: Name or service not known
#使用docker network connect命令
$ docker network connect mynet apache3
#查看元数据,发现apache3直接写在了mynet网络的,并且ip地址发生了变化,变为169.253.0.4,变成同网段。
$ docker inspect mynet
[
...
"Containers": {
"6ea0f20093935d29030fb3ad69d94d4c991fe745ec0f41fcdeafd5ec6a60b88a": {
"Name": "apache1",
"EndpointID": "c835e32a361103ae5d93da6740218b8720e9aa7e7a2a0577a05a3284cb3c5310",
"MacAddress": "02:42:a9:fd:00:02",
"IPv4Address": "169.253.0.2/16",
"IPv6Address": ""
},
"85e7e7a6c99736a7ed428cb9df987ceee4107f3a2bd718c9d5be5d19c3b5025e": {
"Name": "apache3",
"EndpointID": "e25ec9c88c9b119425b4864b1304c1cd60604d84b427b28acdf2e8fa9f5a3d1d",
"MacAddress": "02:42:a9:fd:00:04",
"IPv4Address": "169.253.0.4/16",
"IPv6Address": ""
},
"d9261eccd254f0d579033f312332bccb5430b06f4a82efb74023dee770483078": {
"Name": "apache2",
"EndpointID": "0535dca700b252bfa47564c68644e844d2cefc3cca40ce1c5eaf284c859f7c49",
"MacAddress": "02:42:a9:fd:00:03",
"IPv4Address": "169.253.0.3/16",
"IPv6Address": ""
}
},
....
#此时,三个容器可以互相通信
$ docker exec -it apache2 ping apache3
PING apache3 (169.253.0.4) 56(84) bytes of data.
64 bytes from apache3.mynet (169.253.0.4): icmp_seq=1 ttl=64 time=0.175 ms
64 bytes from apache3.mynet (169.253.0.4): icmp_seq=2 ttl=64 time=0.132 ms
64 bytes from apache3.mynet (169.253.0.4): icmp_seq=3 ttl=64 time=0.160 ms
.....
删除connect命令
$ docker network disconnect -f mynet apache3
#此时又无法通信
$ docker exec -it apache2 ping apache3
ping: apache3: Name or service not known
