Network: Docker ships six network drivers: bridge, host, ipvlan, macvlan, null, overlay (null is the driver behind the none network).
The default is bridge mode.
docker info lists the available drivers under Plugins: Network.
A bridged container normally has two interfaces: a loopback interface and an Ethernet interface attached to a bridge device on the host.
When the docker daemon starts it creates a bridge named docker0 by default, and containers are created as bridged containers with their Ethernet interface attached to docker0.
--network bridge attaches the container's interface to the docker0 bridge.
1. Start nginx01 (note the exec target is nginx01, the container name, not the image name):
    docker run --name nginx01 -d --rm --network bridge nginx
    docker exec -it nginx01 /bin/sh
   Check the IP:
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
              inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

2. Start nginx02 without specifying --network:
    docker run --name nginx02 -d --rm nginx
    docker exec -it nginx02 /bin/sh
   Check the IP:
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:04
              inet addr:172.17.0.4  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

   Both containers land on the 172.17.0.0/16 docker0 range, which shows that the default is bridge mode.
none mode: the container takes no part in network communication; processes running in it can reach only the local loopback interface.
It suits only workloads that need no network at all, such as backups, process diagnostics and other offline tasks.
--network none
    docker run --name nginx02 -d --rm --network none nginx
    docker exec -it nginx02 /bin/sh
Only lo is present:
    / # ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
host mode: the container shares the host's network namespace. There is no network isolation between the two: a process in the container sees every host interface, can bind any host port, and can reach services that listen only on the host's loopback.
    docker run --name nginx02 -d --rm --network host nginx
    docker exec -it nginx02 /bin/sh
Many interfaces are visible, the same set as on the host:
    / # ifconfig
    docker0   Link encap:Ethernet  HWaddr 02:42:9C:3C:FB:5B
              inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
              inet6 addr: fe80::42:9cff:fe3c:fb5b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:36 errors:0 dropped:0 overruns:0 frame:0
              TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:6140 (5.9 KiB)  TX bytes:4215 (4.1 KiB)

    ens33     Link encap:Ethernet  HWaddr 00:0C:29:08:EB:17
              inet addr:192.168.8.115  Bcast:192.168.8.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:487914 errors:0 dropped:0 overruns:0 frame:0
              TX packets:347323 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:479142790 (456.9 MiB)  TX bytes:257067925 (245.1 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:452212 errors:0 dropped:0 overruns:0 frame:0
              TX packets:452212 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:591442962 (564.0 MiB)  TX bytes:591442962 (564.0 MiB)

    veth925d62a Link encap:Ethernet  HWaddr AE:17:9F:60:E1:C5
              inet6 addr: fe80::ac17:9fff:fe60:e1c5/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:672 (672.0 B)  TX bytes:1320 (1.2 KiB)

    vethcb8add9 Link encap:Ethernet  HWaddr AA:B4:37:99:5C:62
              inet6 addr: fe80::a8b4:37ff:fe99:5c62/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:672 (672.0 B)  TX bytes:1320 (1.2 KiB)

    virbr0    Link encap:Ethernet  HWaddr 52:54:00:F5:7D:F7
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    / #
The two veth interfaces are the host ends of the bridged containers' links; virbr0 (192.168.122.1) belongs to libvirt, not to Docker.
Check the container's hostname and DNS: there is no container hostname entry, and DNS resolution uses the host's configuration (in host mode the container gets copies of the host's /etc/hosts and /etc/resolv.conf):
    / # cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    / # cat /etc/resolv.conf
    # Generated by NetworkManager
    nameserver 114.114.114.114
    nameserver 8.8.8.8
    / #
Setting the hostname and DNS when starting a container (see docker run --help): -h sets the hostname, --dns sets the DNS server, --dns-search sets the DNS search domain.
    docker run --name nginx01 -d --rm -p 80 -h docker.test.com --dns 1.1.1.1 --dns-search baidu.com nginx
    docker exec -it nginx01 /bin/sh
    / # cat /etc/hosts
    127.0.0.1       localhost
    ::1             localhost ip6-localhost ip6-loopback
    fe00::0         ip6-localnet
    ff00::0         ip6-mcastprefix
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters
    172.17.0.2      docker.test.com docker
    / # cat /etc/resolv.conf
    search baidu.com
    nameserver 1.1.1.1
    / #
Extra hosts entries can also be added at start time with --add-host host:ip:
    docker run --name nginx01 -d --rm -p 80 -h docker.test.com --dns 1.1.1.1 --dns-search baidu.com --add-host qq.com:2.2.2.2 nginx
    docker exec -it nginx01 /bin/sh
    / # cat /etc/hosts
    127.0.0.1       localhost
    ::1             localhost ip6-localhost ip6-loopback
    fe00::0         ip6-localnet
    ff00::0         ip6-mcastprefix
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters
    2.2.2.2         qq.com
    172.17.0.2      docker.test.com docker
docker0 is a NAT bridge, so containers normally receive private addresses; think of a container as a host sitting behind a NAT service on the Docker host.
To make a container, or a service running in it, reachable from external networks, a DNAT rule has to be defined on the host (DNAT lives in the nat table, hence -t nat). For example:
1. Map all traffic addressed to one host IP to one container IP:
   host IP ---- container IP
    iptables -t nat -A PREROUTING -d <host IP> -j DNAT --to-destination <container IP>
2. Map one port on a host IP to one port on a container IP:
   host IP:port --- container IP:port
    iptables -t nat -A PREROUTING -d <host IP> -p {tcp|udp} --dport <host port> -j DNAT --to-destination <container IP>:<port>
docker command:
The -p option of docker run performs the port mapping; no rules need to be added by hand.
Forms of the -p option:
  1. -p containerPort
     Maps the given container port to a dynamic port on all host IP addresses.
  2. -p hostPort:containerPort
     Maps containerPort to the given hostPort on all host IP addresses.
  3. -p ip::containerPort (two colons)
     Maps containerPort to a dynamic port on the given host IP only.
  4. -p ip:hostPort:containerPort
     Maps containerPort to the given hostPort on the given host IP only.
A dynamic port is one chosen by dockerd from the host's ephemeral port range. The resulting mapping can be viewed with:
    docker [container] port containerId|containerName
Forms 1 and 2 bind on 0.0.0.0, i.e. every address the host has; when a service only needs to be reached locally or from one network, use form 3 or 4 with an explicit IP.
Form 1: -p containerPort
    docker run --name nginx01 -d --rm -p 80 nginx:latest
    [root@localhost docker]# docker container port nginx01
    80/tcp -> 0.0.0.0:32777
    [root@localhost docker]# docker port nginx01
    80/tcp -> 0.0.0.0:32777
    [root@localhost docker]#
Or read the last line of "iptables -t nat -vnL", the DNAT entry in the DOCKER chain (the 192.168.122.0/24 rules belong to libvirt's virbr0, not to Docker):
    [root@localhost docker]# iptables -t nat -vnL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      342 17768 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
     pkts bytes target     prot opt in     out     source               destination
       48  2880 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
       10   683 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
        0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
        0     0 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
        0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
        0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
        0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

    Chain DOCKER (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
        0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:32777 to:172.17.0.2:80
    [root@localhost docker]#

Form 2: -p hostPort:containerPort
    docker run --name nginx01 -d --rm -p 8888:80 nginx:latest
    [root@localhost docker]# docker port nginx01
    80/tcp -> 0.0.0.0:8888
    [root@localhost docker]#

Form 3: -p ip::containerPort (the host IP here is 192.168.8.115)
    docker run --name nginx01 -d --rm -p 192.168.8.115::80 nginx:latest
    [root@localhost docker]# docker port nginx01
    80/tcp -> 192.168.8.115:32768
    [root@localhost docker]#

Form 4: -p ip:hostPort:containerPort
    docker run --name nginx01 -d --rm -p 192.168.8.115:8888:80 nginx:latest
    [root@localhost docker]# docker port nginx01
    80/tcp -> 192.168.8.115:8888
    [root@localhost docker]#
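The following is an added example, not code from the original notes or from Docker: a Python helper that parses the four -p forms and renders the nat-table rules dockerd installs for a mapping, in iptables-save form, matching the DOCKER-chain DNAT entry and the 172.17.0.2 -> 172.17.0.2 MASQUERADE (hairpin) entry in the listing above. Function names and the sample container address 172.17.0.2 are the example's own. The point to take from it: any -p form without an explicit IP binds on 0.0.0.0, and because the DNAT happens in PREROUTING and the packet then traverses FORWARD, host firewall rules written only for the INPUT chain never see it.

```python
"""Map `docker run -p` publish specs onto the nat-table rules dockerd creates.

Added example for these notes; not Docker's own code. Only IPv4 host addresses
are handled (bracketed IPv6 hosts and port ranges are out of scope here).
"""
from dataclasses import dataclass
from typing import Optional

ALL_ADDRESSES = "0.0.0.0"  # what dockerd uses when -p gives no host IP


@dataclass
class Publish:
    host_ip: str              # ALL_ADDRESSES unless -p named an IP
    host_port: Optional[int]  # None: dynamic port, chosen by dockerd at run time
    container_port: int
    proto: str = "tcp"


def parse_publish(spec: str) -> Publish:
    """Parse the four forms: cPort | hPort:cPort | ip::cPort | ip:hPort:cPort.

    A trailing /udp (or /tcp, /sctp) selects the protocol, as in `-p 53:53/udp`.
    """
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unknown protocol {proto!r}")
    parts = spec.split(":")
    if len(parts) == 1:                    # -p containerPort
        host_ip, host_port, cport = ALL_ADDRESSES, "", parts[0]
    elif len(parts) == 2:                  # -p hostPort:containerPort
        host_ip, (host_port, cport) = ALL_ADDRESSES, parts
    elif len(parts) == 3:                  # -p ip::containerPort or ip:hostPort:containerPort
        host_ip, host_port, cport = parts
    else:
        raise ValueError(f"bad publish spec {spec!r}")
    return Publish(host_ip or ALL_ADDRESSES,
                   int(host_port) if host_port else None,
                   int(cport), proto)


def dnat_rule(p: Publish, container_ip: str, bridge: str = "docker0") -> str:
    """iptables-save form of the DOCKER-chain entry (the `DNAT ... to:172.17.0.2:80` line)."""
    if p.host_port is None:
        raise ValueError("dynamic host port is assigned at run time; read it with `docker port`")
    dst = "" if p.host_ip == ALL_ADDRESSES else f" -d {p.host_ip}/32"
    return (f"-A DOCKER ! -i {bridge}{dst} -p {p.proto} -m {p.proto} --dport {p.host_port}"
            f" -j DNAT --to-destination {container_ip}:{p.container_port}")


def hairpin_rule(p: Publish, container_ip: str) -> str:
    """POSTROUTING entry that lets the container reach its own published port via the host."""
    return (f"-A POSTROUTING -s {container_ip}/32 -d {container_ip}/32 -p {p.proto} -m {p.proto}"
            f" --dport {p.container_port} -j MASQUERADE")


def exposure(p: Publish) -> str:
    """Who can reach the mapping. Published ports are DNATed in PREROUTING and then
    pass through FORWARD, so INPUT-chain filters on the host do not apply to them."""
    if p.host_ip == ALL_ADDRESSES:
        return "every host address (not filtered by INPUT-chain rules)"
    if p.host_ip.startswith("127."):
        return "loopback only"
    return f"only {p.host_ip}"


if __name__ == "__main__":
    for spec in ("80", "8888:80", "192.168.8.115::80",
                 "192.168.8.115:8888:80", "127.0.0.1:5353:53/udp"):
        p = parse_publish(spec)
        print(f"-p {spec:<24} -> {exposure(p)}")
        if p.host_port is not None:           # dynamic ports are only known after `docker port`
            print("   ", dnat_rule(p, "172.17.0.2"))
            print("   ", hairpin_rule(p, "172.17.0.2"))
```

Run it without arguments to see the five sample specs; compare the generated DOCKER-chain line for `-p 32777:80` with the `iptables -t nat -vnL` output above. To confirm the INPUT-bypass on a real host, add a `-A INPUT -p tcp --dport 8888 -j DROP` rule and observe that a published 8888 stays reachable, because the packet is DNATed before INPUT is consulted.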
Joined containers (--network container:<name>) are containers that use the network interfaces of an already existing container; those interfaces are shared by every member of the group.
Joined containers are therefore completely unisolated from one another at the network level.
Although they share one network namespace, the other namespaces (User, Mount, etc.) remain separate.
Port conflicts between joined containers are possible, so this model is normally used only when programs in several containers need to talk to each other over the loopback interface, or when an existing container's network traffic is to be monitored. Ports are published by the container that owns the namespace (b1 below); a container started with --network container:... cannot take -p itself.
1. Create the first container:
    docker run --name b1 -it -p 8888:80 busybox
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
              inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    / #
2. Create the second container, joined to b1's network:
    docker run --name b2 -it --network container:b1 busybox
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
              inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The eth0 details are identical in both containers (same MAC, same IP). Once b1 is stopped, only lo remains in b2.
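Added example, not part of the original notes: a small audit over docker inspect output that classifies each container's network mode (bridge, none, host, container:<peer>, as covered in the bridge/none/host section and the joined-container section above) and flags the two settings that remove network isolation, host-namespace sharing and joined namespaces, plus any port published on every host address. The inspect JSON embedded below is constructed for the example and abridged to the fields the audit reads; the field names themselves follow the real docker inspect schema. The audit_netmode.py file name is an assumption.

```python
"""Audit network isolation of containers from `docker inspect` output.

Added example for these notes (not Docker's own tooling). The sample document
below is constructed, abridged to the fields used here, and is not captured
from the page's host.
"""
import json
import sys
from typing import Dict, List

SAMPLE_INSPECT = json.dumps([
    {"Name": "/nginx01",
     "HostConfig": {"NetworkMode": "default"},         # `docker run` without --network
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8888"}]}}},
    {"Name": "/nginx02",
     "HostConfig": {"NetworkMode": "host"},            # --network host
     "NetworkSettings": {"Ports": {}}},
    {"Name": "/b2",
     "HostConfig": {"NetworkMode": "container:b1"},    # --network container:b1
     "NetworkSettings": {"Ports": {}}},
    {"Name": "/backup",
     "HostConfig": {"NetworkMode": "none"},            # --network none
     "NetworkSettings": {"Ports": {}}},
    {"Name": "/admin",
     "HostConfig": {"NetworkMode": "bridge"},          # -p 127.0.0.1:9000:9000
     "NetworkSettings": {"Ports": {"9000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9000"}]}}},
])

WILDCARDS = {"", "0.0.0.0", "::"}   # HostIp values that mean "every host address"


def classify(container: dict) -> str:
    """Return bridge | none | host | joined | <user-defined network name>."""
    mode = container["HostConfig"]["NetworkMode"]
    if mode in ("default", "bridge"):
        return "bridge"
    if mode.startswith("container:"):
        return "joined"
    return mode


def findings(container: dict) -> List[str]:
    """Isolation-relevant observations for one container; empty list means nothing to flag."""
    name = container["Name"].lstrip("/")
    mode = container["HostConfig"]["NetworkMode"]
    kind = classify(container)
    out: List[str] = []
    if kind == "host":
        out.append(f"{name}: shares the host network namespace (no network isolation)")
    elif kind == "joined":
        out.append(f"{name}: shares the network namespace of {mode.split(':', 1)[1]}")
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    for port, bindings in ports.items():
        for b in bindings or []:       # EXPOSEd-but-unpublished ports carry None here
            if b.get("HostIp", "") in WILDCARDS:
                out.append(f"{name}: {port} published on every host address as port {b['HostPort']}")
    return out


def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"].lstrip("/"): findings(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    # Live use:  docker inspect $(docker ps -q) | python3 audit_netmode.py
    doc = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, notes in audit(doc).items():
        print(name, "ok" if not notes else "")
        for note in notes:
            print("  -", note)
```

On the constructed sample the audit flags nginx02 (host namespace), b2 (joined to b1) and nginx01 (80/tcp on 0.0.0.0), and passes backup and admin, the loopback-only binding being the pattern to prefer for management ports.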
Docker's default container range is 172.17.0.0/16, so the docker0 bridge is normally 172.17.0.1 and containers are assigned 172.17.0.2, 172.17.0.3, ...
The container range can be customized.
The default is equivalent to "bip": "172.17.0.1/16" (a built-in value; it is not written to daemon.json unless you change it).
    vim /etc/docker/daemon.json
    {
      "registry-mirrors": ["https://registry.docker-cn.com"],
      "bip": "192.168.10.1/24",
      "dns": ["1.1.1.1", "2.2.2.2"]
    }
Restart docker:
    systemctl restart docker
Check docker0's IP:
    [root@localhost docker]# ifconfig
    docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 192.168.10.1  netmask 255.255.255.0  broadcast 192.168.10.255
            inet6 fe80::42:9cff:fe3c:fb5b  prefixlen 64  scopeid 0x20<link>
            ether 02:42:9c:3c:fb:5b  txqueuelen 0  (Ethernet)
            RX packets 45  bytes 6744 (6.5 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 53  bytes 4777 (4.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    ……
Create a container and check its IP:
    [root@localhost docker]# docker run -it --rm -p 80 busybox ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:0A:02
              inet addr:192.168.10.2  Bcast:192.168.10.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:168 (168.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    [root@localhost docker]#
The MAC address 02:42:C0:A8:0A:02 is the fixed prefix 02:42 followed by the IP 192.168.10.2 in hex; Docker derives bridge-network MACs from the assigned address.
Old data from before the change (container b3 still on the original range):
    [root@localhost ~]# docker run --name b3 -it --rm -p 81 busybox
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
              inet addr:172.17.0.3  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:508 (508.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Customizing the network properties of the docker0 bridge in /etc/docker/daemon.json:
    {
      "bip": "192.168.1.5/24",
      "fixed-cidr": "10.20.0.0/16",
      "fixed-cidr-v6": "2001:db8::/64",
      "mtu": 1500,
      "default-gateway": "10.20.1.1",
      "default-gateway-v6": "2001:db8:abcd::89",
      "dns": ["10.20.1.2","10.20.1.3"]
    }
The core option is bip (bridge IP): it sets docker0's own address and mask, and the remaining options are interpreted relative to that subnet. Caveat: the Docker docs require fixed-cidr to be a subset of the bip subnet and default-gateway to lie inside it; in this example, copied from the old docs page, 10.20.0.0/16 and 10.20.1.1 do not fall inside 192.168.1.0/24, so make the ranges consistent before restarting dockerd.
Documentation: https://docs.docker.com/engine/userguide/networking/default_network/custom-docker0/
Container build example: https://github.com/mysql/mysql-docker
dockerd is the server side of Docker's client/server model. By default it listens only on a Unix socket, /var/run/docker.sock. To add a TCP socket, set in /etc/docker/daemon.json:
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
or pass the -H|--host option to dockerd directly.
    {
      "registry-mirrors": ["https://registry.docker-cn.com"],
      "bip": "192.168.10.1/24",
      "dns": ["1.1.1.1", "2.2.2.2"],
      "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
    }
Caveat: a plain tcp:// listener on 2375 has no authentication and no encryption. Anyone who can reach the port can drive the full Docker API, for example start a privileged container with the host's root filesystem mounted, which amounts to root on the host. Bind a TCP listener only on the address that needs it and protect it with TLS client-certificate verification (tlsverify, tlscacert, tlscert, tlskey; 2376 is the conventional TLS port), or leave only the Unix socket and reach it over SSH.
My own test did not succeed: with "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"] in the configuration the daemon would not restart, and removing it made restarts work again. I did not find the cause. The related error output follows.
    [root@localhost ~]# systemctl restart docker
    Job for docker.service failed because start of the service was attempted too often. See "systemctl status docker.service" and "journalctl -xe" for details.
    To force a start use "systemctl reset-failed docker.service" followed by "systemctl start docker.service" again.
    [root@localhost ~]# systemctl restart docker
    Job for docker.service failed because the control process exited with error code. See "systemctl status docker.service" and "journalctl -xe" for details.
    [root@localhost ~]# systemctl status docker.service
    ● docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
       Active: failed (Result: start-limit) since Fri 2020-03-06 07:00:25 EST; 6s ago
         Docs: https://docs.docker.com
      Process: 62286 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock (code=exited, status=1/FAILURE)
     Main PID: 62286 (code=exited, status=1/FAILURE)

    Mar 06 07:00:23 localhost.localdomain systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
    Mar 06 07:00:23 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
    Mar 06 07:00:23 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
    Mar 06 07:00:23 localhost.localdomain systemd[1]: docker.service failed.
    Mar 06 07:00:25 localhost.localdomain systemd[1]: docker.service holdoff time over, scheduling restart.
    Mar 06 07:00:25 localhost.localdomain systemd[1]: start request repeated too quickly for docker.service
    Mar 06 07:00:25 localhost.localdomain systemd[1]: Failed to start Docker Application Container Engine.
    Mar 06 07:00:25 localhost.localdomain systemd[1]: Unit docker.service entered failed state.
    Mar 06 07:00:25 localhost.localdomain systemd[1]: docker.service failed.
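Added example, not part of the original notes or of Docker: a checker for the two daemon.json areas covered above, the bridge addressing (bip, fixed-cidr, default-gateway) and the hosts listener. The two configurations embedded in it are constructed: EXAMPLE reuses the docs values quoted earlier together with the tcp://0.0.0.0:2375 listener, and HARDENED is one consistent variant with TLS client verification (its certificate paths and the 192.168.8.115 bind address are assumptions). The checker also takes the ExecStart line from the systemd status above: dockerd refuses to start when hosts is given both as a -H flag on the command line and in daemon.json, and that status shows exactly that combination (-H fd:// on ExecStart while the file sets hosts). The documented way around it is a systemd drop-in that empties ExecStart and starts dockerd without -H, so that the hosts list in daemon.json is the only one.

```python
"""Sanity-check bridge and API-listener settings in /etc/docker/daemon.json.

Added example for these notes (not Docker's own code). Both documents below
are constructed. Requires Python 3.7+ (ipaddress.subnet_of).
"""
import ipaddress
import json
from typing import List, Optional

EXAMPLE = """{
  "bip": "192.168.1.5/24",
  "fixed-cidr": "10.20.0.0/16",
  "default-gateway": "10.20.1.1",
  "dns": ["10.20.1.2", "10.20.1.3"],
  "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}"""

HARDENED = """{
  "bip": "192.168.10.1/24",
  "fixed-cidr": "192.168.10.0/25",
  "dns": ["1.1.1.1"],
  "hosts": ["tcp://192.168.8.115:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def parse_daemon_json(text: str) -> dict:
    return json.loads(text)


def check_bridge(cfg: dict) -> List[str]:
    """fixed-cidr and default-gateway must fall inside the subnet that bip defines."""
    problems: List[str] = []
    if "bip" not in cfg:
        return problems
    subnet = ipaddress.ip_interface(cfg["bip"]).network      # docker0 address + mask
    if "fixed-cidr" in cfg:
        pool = ipaddress.ip_network(cfg["fixed-cidr"], strict=False)
        if not pool.subnet_of(subnet):
            problems.append(f"fixed-cidr {cfg['fixed-cidr']} is not inside the bip subnet {subnet}")
    if "default-gateway" in cfg and ipaddress.ip_address(cfg["default-gateway"]) not in subnet:
        problems.append(f"default-gateway {cfg['default-gateway']} is not inside the bip subnet {subnet}")
    return problems


def first_container_ip(cfg: dict) -> Optional[str]:
    """Lowest host address in the container pool that is not docker0's own (172.17.0.2 by default)."""
    if "bip" not in cfg:
        return None
    bridge = ipaddress.ip_interface(cfg["bip"])
    pool = ipaddress.ip_network(cfg.get("fixed-cidr", str(bridge.network)), strict=False)
    for host in pool.hosts():
        if host != bridge.ip:
            return str(host)
    return None


def check_hosts(cfg: dict, exec_start: str = "") -> List[str]:
    """TCP listeners need TLS client auth and should not bind every interface;
    `hosts` may not be set both here and via -H on the dockerd command line."""
    problems: List[str] = []
    tls = bool(cfg.get("tlsverify")) and all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue                                  # unix:// and fd:// are local-only
        addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "::", "[::]"):
            problems.append(f"{h}: API listener bound on every interface")
        if not tls:
            problems.append(f"{h}: plaintext API without client certificates; whoever reaches it controls the host")
    tokens = exec_start.split()
    if cfg.get("hosts") and any(t in ("-H", "--host") or t.startswith(("-H", "--host=")) for t in tokens):
        problems.append("hosts set in daemon.json and as -H on ExecStart: dockerd refuses to start")
    return problems


if __name__ == "__main__":
    # ExecStart as shown in the failing unit above.
    EXEC_START = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
    for label, text in (("example", EXAMPLE), ("hardened", HARDENED)):
        cfg = parse_daemon_json(text)
        print(f"{label}: first container IP {first_container_ip(cfg)}")
        for problem in check_bridge(cfg) + check_hosts(cfg, EXEC_START):
            print("  -", problem)
```

With the ExecStart from the status output, EXAMPLE yields five findings (two range mismatches, the 0.0.0.0 bind, the plaintext listener, and the flag-versus-file conflict) and HARDENED yields none once dockerd is started without -H. The first_container_ip value for the author's "bip": "192.168.10.1/24" is 192.168.10.2, the address the busybox container received above.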