Docker網絡
Docker網絡
Docker網絡
Linux 網絡
查看本地網絡信息
[root@sail ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:30:01:20 brd ff:ff:ff:ff:ff:ff
inet 172.24.19.94/18 brd 172.24.63.255 scope global dynamic eth0
valid_lft 310201059sec preferred_lft 310201059sec
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:23:ae:ac:24 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
有三個網卡信息:
- lo:本地。
- ens:虛擬機或阿里云服務器地址。
- docker0:Docker 網絡地址。
Docker 網絡
在 Docker 安裝后,主機會為 Docker 分配一個網卡,名為 docker0 。
該網卡使用橋接模式,使用的是 veth-pair 技術。
啟動兩個容器
[root@sail ~]# docker run -d -p 8081:8080 --name=tomcat01 tomcat
29a06eab16e73f34458b77a520081083fe536d8eb34eb67dbb9c6632fc720687
[root@sail ~]# docker run -d -p 8082:8080 --name=tomcat02 tomcat
442add0d94cef631e0f531dff9d8f55b7e2f1aaeb088f742c3d8e240d4f9cc7d
[root@sail ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
442add0d94ce tomcat "catalina.sh run" 4 seconds ago Up 3 seconds 0.0.0.0:8082->8080/tcp tomcat02
29a06eab16e7 tomcat "catalina.sh run" 15 seconds ago Up 14 seconds 0.0.0.0:8081->8080/tcp tomcat01
查看 Linux 網絡
[root@sail tomcat]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:30:01:20 brd ff:ff:ff:ff:ff:ff
inet 172.24.19.94/18 brd 172.24.63.255 scope global dynamic eth0
valid_lft 310199524sec preferred_lft 310199524sec
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:23:ae:ac:24 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
7: veth4a18f1b@if110: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 52:69:3c:bc:83:4a brd ff:ff:ff:ff:ff:ff link-netnsid 0
9: veth296fd0d@if112: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 76:3c:34:e8:c4:90 brd ff:ff:ff:ff:ff:ff link-netnsid 1
Docker 每啟動一個容器,就會分配一個 IP。
查看容器的內部網絡
[root@sail ~]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@sail ~]# docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
可以看到容器內 IP 與本機 IP 成對出現(xiàn),這就是 veth-pair 技術。
容器訪問 docker0 測試
[root@sail ~]# docker exec -it tomcat01 ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.845 ms
64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.139 ms
64 bytes from 172.17.0.1: icmp_seq=3 ttl=64 time=0.130 ms
64 bytes from 172.17.0.1: icmp_seq=4 ttl=64 time=0.134 ms
64 bytes from 172.17.0.1: icmp_seq=5 ttl=64 time=0.119 ms
64 bytes from 172.17.0.1: icmp_seq=6 ttl=64 time=0.082 ms
容器與 docker0 之間是可以訪問的。
容器與容器之間訪問
docker0 相當于一個路由器,各個容器都與 docker0 相連,容器之間的通信通過路由器來轉發(fā)。
Docker 中的所有網絡接口都是虛擬的,相當于內網傳遞。
只要刪除容器,對應網絡就會刪除。
容器間網絡連接
docker run —link
每次重啟容器或 Linux,IP 就會變化,固定 IP 互聯(lián)網絡就會失效。
如果能使用服務名來連接,而不考慮 IP,就會方便很多。
測試使用容器名來 ping
[root@sail ~]# docker exec -it tomcat01 ping tomcat02
ping: tomcat02: Name or service not known
容器之間無法通過容器名來連接。
使用 --link 啟動測試,先啟動 tomcat01
[root@sail ~]# docker run -d -P --name=tomcat01 tomcat0d39450a3253544ff5a9bf390b450a218b1055c4d1e60fc02b153ab58544d600
使用 –-link 命令啟動 tomcat02
[root@sail ~]# docker run -d -P --name tomcat02 --link tomcat01 tomcat
1901445346baf10ddca6e8a639f0aed72b2cf758046e6da9c28426857c7bb3fd
在 tomcat02 訪問 tomcat01
[root@node1 ~]# docker exec -it tomcat02 ping tomcat01
PING tomcat01 (172.17.0.2) 56(84) bytes of data.
64 bytes from tomcat01 (172.17.0.2): icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from tomcat01 (172.17.0.2): icmp_seq=2 ttl=64 time=0.184 ms
^C
--- tomcat01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 0.120/0.152/0.184/0.032 ms
在 tomcat01 訪問 tomcat02 則無法訪問。
tomcat02 能夠通過容器名訪問 tomcat01,原理是 --link 通過 tomcat02 在自己容器 hosts 文件中配置了 tomcat01 IP 信息。
[root@sail ~]# docker exec -it tomcat02 cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 tomcat01 0d39450a3253
172.17.0.3 1901445346ba
所以 --link 本質就是修改 host 映射。
這種方式已經不流行了,建議使用自定義網絡實現(xiàn)。
查看Docker網絡信息
docker network ls
[root@sail ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
f3eeb014197a bridge bridge local
28d77e958643 host host local
c3ff850e96f0 none null local
- bridge:橋接模式(默認)。自己創(chuàng)建也使用這種模式。
- host:和宿主即共享。
- none:不配置網絡。
創(chuàng)建自定義網絡
啟動容器
[root@sail ~]# docker run -d -P --net bridge --name tomcat01 tomcat
f048aad0addb07e861c138d167cd644c4c99f9d64c99c6b8ab3f7960fde1dce4
在我們啟動容器的時候默認會有一個網絡設置。
自定義網絡,先使用 docker network --help 命令查詢一下
[root@sail ~]# docker network --help
Usage: docker network COMMAND
Manage networks
Commands:
connect Connect a container to a network
create Create a network
disconnect Disconnect a container from a network
inspect Display detailed information on one or more networks
ls List networks
prune Remove all unused networks
rm Remove one or more networks
Run 'docker network COMMAND --help' for more information on a command.
docker network create
參數(shù)
d:網絡模式-subnet:子網-gateway:網關
創(chuàng)建自定義網絡
[root@sail ~]# docker network create -d bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
801fbbe1b38c81b12ce90aa9139561b5843dca64b4b17718b6e2622369f9be67
查看創(chuàng)建的網絡
[root@sail ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
f3eeb014197a bridge bridge local
28d77e958643 host host local
801fbbe1b38c mynet bridge local
c3ff850e96f0 none null local
[root@sail ~]# docker network inspect 801fbbe1b38c
[
{
"Name": "mynet",
"Id": "801fbbe1b38c81b12ce90aa9139561b5843dca64b4b17718b6e2622369f9be67",
"Created": "2021-12-30T17:39:43.100705632+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
以下配置可以看出,自定義網絡創(chuàng)建完成。
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
啟動鏡像
[root@sail ~]# docker run -d -P --net=mynet --name=tomcat01 tomcat
f3fad0c65fc3eb9a39b1189a25f5a7f664a0b9415df05cca5ee6edb6b7cc1915
[root@sail ~]# docker run -d -P --net=mynet --name=tomcat02 tomcat
68a78759663854c6d83a14fcc0cf45515e61c5e81d10799e96b22ef79c0d478f
連接測試
[root@sail ~]# docker exec -it tomcat01 ping tomcat02
64 bytes from tomcat02.mynet (192.168.0.3): icmp_seq=1 ttl=64 time=0.187 ms
64 bytes from tomcat02.mynet (192.168.0.3): icmp_seq=2 ttl=64 time=0.147 ms
^C
--- tomcat02 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 0.147/0.167/0.187/0.020 ms
能夠連通說明不同容器處于同一網絡下。
這種方式可以實現(xiàn)不同集群使用不同的網絡,保證集群網絡的安全。
如 Redis 集群在 192.160.0.0/16 網段下,MySQL 集群在 192.161.0.0/16 網段下。
網絡連通
docker network connect
使用docker network connect實現(xiàn)一個容器鏈接到另一個網段。
建立連接
[root@sail ~]# docker run -d -P --name=tomcat02-net tomcat
5a02cd4172daccc5073907ee6b063560687db5ffdd5041b18fd3ff1055a8984c
[root@sail ~]# docker network connect mynet tomcat02-net
[root@sail ~]#
[root@sail ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
f3eeb014197a bridge bridge local
28d77e958643 host host local
801fbbe1b38c mynet bridge local
c3ff850e96f0 none null local
[root@sail ~]# docker network inspect 801fbbe1b38c
[
{
"Name": "mynet",
"Id": "801fbbe1b38c81b12ce90aa9139561b5843dca64b4b17718b6e2622369f9be67",
"Created": "2021-12-30T17:39:43.100705632+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"5a02cd4172daccc5073907ee6b063560687db5ffdd5041b18fd3ff1055a8984c": {
"Name": "tomcat02-net",
"EndpointID": "e6503138bcb91a7693576e324df75d1dff594f1c5aa3e08397802c38133eb0e9",
"MacAddress": "02:42:c0:a8:00:05",
"IPv4Address": "192.168.0.5/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]
這樣也可以實現(xiàn)容器鏈接到自定義網絡。
查看容器詳情
[root@sail ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5a02cd4172da tomcat "catalina.sh run" 5 minutes ago Up 5 minutes 0.0.0.0:49159->8080/tcp tomcat02-net
[root@sail ~]# docker inspect 5a02cd4172da
這里也可以發(fā)現(xiàn)容器 tomcat02-net 已經與 mynet 建立了連接。
測試連接
[root@sail ~]# docker exec -it tomcat02 ping tomcat02-net
PING tomcat02-net (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat02-net.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from tomcat02-net.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.064 ms
^C
--- tomcat02-net ping statistics ---
網絡連通成功。
浙公網安備 33010602011771號