docker網絡：原生網絡、自定義網絡、容器通信、跨主機網絡

• • • 一、 認識docker原生網絡
    • • 1. bridge
      • 2. host
      • 3. none
    • 二、 dokcker自定義網絡
    • • 1. 建立自定義網橋
    • 三、 docker容器通信
    • • 1. joined
      • 2. link
      • 3. 容器通路外網是通過iptables的SNAT實作的
    • 四、 跨主機容器網絡
    • 五、總結

一、 認識docker原生網絡

1. bridge

容器和外界的通信：

container — docker0 —eth0 —外界

docker0和eth0直接通過核心路由功能 net.ipv4.ip_forward = 1

docker network ls

檢視docker上有哪些網絡模式

docker rm -f

docker ps -aq` 删除所有的容器

2. host

docker run -d --name nginx --network host nginx

指定容器的網絡模型

host 和主控端共享網絡 缺點：資源競争

3. none

docker run -d --name nginx --network none busybox 
           

–network none 表示容器内禁用網絡的意思

二、 dokcker自定義網絡

1. 建立自定義網橋

[[email protected] ~]# docker network create -d bridge mynet1
c740f469fc4fe6388b3c8c724253660081e2850cf4aa762c0018ce67b7cb5fc6

[[email protected] ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
af1f2d72b38b        bridge              bridge              local
04c9c9355a17        harbor_harbor       bridge              local
b74354eca92c        host                host                local
c740f469fc4f        mynet1              bridge              local
b88b514e0f2d        none                null                local

           

在容器中使用建立的網絡

[[email protected] ~]# docker run -it --name demo --network mynet1 busybox

[[email protected] ~]# docker network rm mynet1 删除自定義網絡

           

建立網絡指定子網 和 網關

docker network create --subnet 192.168.1.0/24 --geteway 192.168.1.1 mynet1
執行ip建立容器（前提時指定了上面的子網和網關）
docker run -it --name vm2 --network mynet1 --ip 192.168.1.10 busybox
           

三、 docker容器通信

1. joined

joined時容器之間共用網絡棧

2. link

link的缺點是：當倉庫的配置設定的位址發生變化時，再次開啟倉庫時env資料沒有随時更改

3. 容器通路外網是通過iptables的SNAT實作的

1. 容器發送資料包到外網時，通過位址僞裝

   檢視

   iptables -t nat -nL

   在postrouting中進行僞裝

[[email protected] ~]# iptables -t nat -nL
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           
           

1. 外網通路容器

   

   (1) 端口映射

[[email protected] ~]# docker run -d --name vm1 -p 80:80 nginx

[[email protected] ~]# iptables -t nat -nL
Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
           

(2) host也可以

四、 跨主機容器網絡

準備server1 server2 兩個主機

在server1和server2各添加一個虛拟網卡（virtio）

[[email protected] network-scripts]# cat ifcfg-eth1 
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none

[[email protected] network-scripts]# ifup eth1 激活網卡

[[email protected] network-scripts]# cat ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes

[[email protected] network-scripts]# ifup eth1

[[email protected] network-scripts]# ip link set eth1 promisc on  在eth1網卡上打開混雜模式(開啟子接口，回有多個ip位址)
[[email protected] network-scripts]# ip link set eth1 promisc on

           

在兩台docker主機上建立macvlan網絡

[[email protected] ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 mynet1
d77df1686800c94c450762ba6422e2d8d37ae06af7ceb7b2b4ce436e1215bcef
[[email protected] ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
af1f2d72b38b        bridge              bridge              local
b74354eca92c        host                host                local
d77df1686800        mynet1              macvlan             local
b88b514e0f2d        none                null                local

[[email protected] ~]# docker run -it --rm --name vm1 --network mynet1 busybox
/ # ip addr 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
53: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:14:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.2/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever

[[email protected] docker]# cat daemon.json 
{
  "registry-mirrors": ["https://qe6d82ah.mirror.aliyuncs.com"]
}
[[email protected] docker]# systemctl daemon-reload 
[[email protected] docker]# systemctl restart docker
[[email protected] docker]# docker pull radial/busyboxplus
[[email protected] ~]# docker tag radial/busyboxplus:latest busyboxplus

[[email protected] ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 mynet1

[[email protected] ~]# docker run -it --name vm2 --rm --network mynet1 --ip 172.20.0.100 busyboxplus
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: [email protected]: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:14:00:64 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.100/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # ping 172.20.0.2
PING 172.20.0.2 (172.20.0.2): 56 data bytes
64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.649 ms
64 bytes from 172.20.0.2: seq=1 ttl=64 time=0.302 ms

           

解決mac獨占主控端網卡
[[email protected] ~]# docker network create -d macvlan --subnet 172.21.0.0/24 --gateway 172.21.0.1 -o parent=eth1.1 mynet2

           

五、總結