I. Docker network access methods
Random mapping:
- docker run -P
Specified mapping:
1. -p hostPort:containerPort
2. -p ip:hostPort:containerPort
3. -p ip::containerPort
4. -p hostPort:containerPort/udp
1. Environment preparation
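IP              Hostname      Operating system
192.168.56.11   linux-node1   centos7

Note: I am using CentOS 7 here. On CentOS 5 or CentOS 6 the operating system kernel must be upgraded, otherwise many of Docker's newer features cannot be used.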
2. Random mapping
Advantage: no port conflicts occur.
    [root@linux-node1 ~]# docker run -d -P nginx
    4d5a21ea94e0df102198812fd899d8293198a2376dd5d952642113b76448ca65
    [root@linux-node1 ~]# docker ps
    CONTAINER ID   IMAGE    COMMAND                  CREATED         STATUS         PORTS                                           NAMES
    4d5a21ea94e0   nginx    "nginx -g 'daemon off"   7 seconds ago   Up 4 seconds   0.0.0.0:10001->80/tcp, 0.0.0.0:10000->443/tcp   evil_murdock
    c627741a7dc1   centos   "/bin/bash"              13 days ago     Up 2 hours                                                     mydocker
    [root@linux-node1 ~]#

Host port 10001 is mapped to container port 80, and host port 10000 to container port 443.

Access the host port: entering 192.168.56.11:10001 in the browser address bar brings up the nginx welcome page.

Check which process is holding the port:

    [root@linux-node1 ~]# netstat -lnpt|grep 10001
    tcp6       0      0 :::10001                :::*                    LISTEN      6800/docker-proxy
Query the details of the nat table. -nvL is really three options, equivalent to -n -v -L:
-n  do not resolve host names and port names, so all hosts and ports are shown as numbers
-v  verbose listing
-L  list the rules

    [root@linux-node1 ~]# iptables -t nat -vnL
    Chain PREROUTING (policy ACCEPT 7 packets, 855 bytes)
     pkts bytes target     prot opt in       out      source               destination
        2   104 DOCKER     all  --  *        *        0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

    Chain INPUT (policy ACCEPT 7 packets, 855 bytes)
     pkts bytes target     prot opt in       out      source               destination

    Chain OUTPUT (policy ACCEPT 959 packets, 57540 bytes)
     pkts bytes target     prot opt in       out      source               destination
    12949  777K DOCKER     all  --  *        *        0.0.0.0/0            !127.0.0.0/8         ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT 960 packets, 57592 bytes)
     pkts bytes target     prot opt in       out      source               destination
        0     0 MASQUERADE all  --  *        !docker0 172.17.0.0/16        0.0.0.0/0
        0     0 RETURN     all  --  *        *        192.168.122.0/24     224.0.0.0/24
        0     0 RETURN     all  --  *        *        192.168.122.0/24     255.255.255.255
        0     0 MASQUERADE tcp  --  *        *        192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
        0     0 MASQUERADE udp  --  *        *        192.168.122.0/24     !192.168.122.0/24    masq ports: 1024-65535
        0     0 MASQUERADE all  --  *        *        192.168.122.0/24     !192.168.122.0/24
        0     0 MASQUERADE tcp  --  *        *        172.17.0.3           172.17.0.3           tcp dpt:443
        0     0 MASQUERADE tcp  --  *        *        172.17.0.3           172.17.0.3           tcp dpt:80

    Chain DOCKER (2 references)
     pkts bytes target     prot opt in       out      source               destination
        0     0 RETURN     all  --  docker0  *        0.0.0.0/0            0.0.0.0/0
        0     0 DNAT       tcp  --  !docker0 *        0.0.0.0/0            0.0.0.0/0            tcp dpt:10000 to:172.17.0.3:443
        1    52 DNAT       tcp  --  !docker0 *        0.0.0.0/0            0.0.0.0/0            tcp dpt:10001 to:172.17.0.3:80
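The DNAT rules in the DOCKER chain above are the kernel-level record of what is published, so they can be audited without going through the docker CLI. The following is an added example, not part of the original page: the function name dnat_rules and the sample are assumptions, and the third sample rule (a mapping bound to 192.168.56.11 with container address 172.17.0.4) is constructed to show how an IP-bound mapping differs from a wildcard one.

```bash
# List every published port recorded in the nat table's DOCKER chain.
# Live use (as root): iptables -t nat -vnL DOCKER | dnat_rules
dnat_rules() {
  # iptables -vnL columns:
  # pkts bytes target prot opt in out source destination [match options...]
  awk '$3 == "DNAT" {
    dport = ""; to = ""
    for (i = 10; i <= NF; i++) {
      if ($i ~ /^dpt:/) dport = substr($i, 5)   # host port being matched
      if ($i ~ /^to:/)  to    = substr($i, 4)   # container ip:port
    }
    # Destination 0.0.0.0/0 means the rule matches traffic to any host address.
    scope = ($9 == "0.0.0.0/0") ? "any-destination" : "dst=" $9
    print $4 "/" dport " -> " to " " scope
  }'
}

# Constructed sample: the two DNAT rules from the listing above plus one
# constructed rule for a mapping bound to a single host address.
sample_chain() {
  cat <<'EOF'
Chain DOCKER (2 references)
 pkts bytes target     prot opt in       out      source       destination
    0     0 RETURN     all  --  docker0  *        0.0.0.0/0    0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *        0.0.0.0/0    0.0.0.0/0      tcp dpt:10000 to:172.17.0.3:443
    1    52 DNAT       tcp  --  !docker0 *        0.0.0.0/0    0.0.0.0/0      tcp dpt:10001 to:172.17.0.3:80
    0     0 DNAT       tcp  --  !docker0 *        0.0.0.0/0    192.168.56.11  tcp dpt:81 to:172.17.0.4:80
EOF
}

sample_chain | dnat_rules
```

Because these rules sit in the nat table's PREROUTING path, a host firewall review that only reads the filter table's INPUT chain will not show them.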
Use the container-entry script written earlier to enter the container and look at its processes:

    [root@linux-node1 ~]# ./docker_in.sh 4d5a21ea94e0
    root@4d5a21ea94e0:/# ps aux
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root         1  0.0  0.0  31724  2840 ?        Ss   05:58   0:00 nginx: master process nginx -g daemon off;
    nginx        8  0.0  0.0  32116  1936 ?        S    05:58   0:00 nginx: worker process
    root         9  0.2  0.0  20256  1956 ?        S    06:13   0:00 -bash
    root        22  0.0  0.0  17492  1156 ?        R+   06:13   0:00 ps aux
    root@4d5a21ea94e0:/#

The first process Docker runs in the container has PID 1.

    root@4d5a21ea94e0:/# ip ad li
    1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    18: eth0@if19: mtu 1500 qdisc noqueue state UP group default
        link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.3/16 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::42:acff:fe11:3/64 scope link
           valid_lft forever preferred_lft forever
    root@4d5a21ea94e0:/#

This IP address is obtained through DHCP.
We can use docker logs to view the nginx access log:

    [root@linux-node1 ~]# docker logs 4d5a21ea94e0
    192.168.56.1 - - [19/Sep/2016:06:01:04 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" "-"
    192.168.56.1 - - [19/Sep/2016:06:01:06 +0000] "GET /favicon.ico HTTP/1.1" 404 571 "http://192.168.56.11:10001/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" "-"
    2016/09/19 06:01:06 [error] 8#8: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.56.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.56.11:10001", referrer: "http://192.168.56.11:10001/"
3. Specified port mapping:
(1) Map host port 81 to port 80 of the Docker container
    [root@linux-node1 ~]# docker run -d -p 192.168.56.11:81:80 --name mynginx nginx
    17df7e2a56678e60e18a6cb1d5d9197b031f922dc8a18f045296dcab30d60f76
    [root@linux-node1 ~]# docker ps -l
    CONTAINER ID   IMAGE   COMMAND                  CREATED          STATUS         PORTS                               NAMES
    17df7e2a5667   nginx   "nginx -g 'daemon off"   10 seconds ago   Up 9 seconds   443/tcp, 192.168.56.11:81->80/tcp   mynginx

With port mapping, we can conveniently reach the services running inside a Docker container.
The docker port command shows a container's port mappings:

    [root@linux-node1 ~]# docker port mynginx
    80/tcp -> 192.168.56.11:81

This is the port mapping of the Docker container.
(2) Mapping multiple ports
    [root@linux-node1 ~]# docker run -d -p 443:443 -p 82:80 --name nginx2 nginx
    c4c9b4947e613e15f84bfaa9233116377f2608796de8f824285360c6aeddc028
    [root@linux-node1 ~]# docker port nginx2
    80/tcp -> 0.0.0.0:82
    443/tcp -> 0.0.0.0:443
    [root@linux-node1 ~]#

Disadvantage: because port mapping goes through NAT, it affects system performance.
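The outputs above show the difference between the mapping forms: -P and -p hostPort:containerPort publish on 0.0.0.0 (every host interface), while -p ip:hostPort:containerPort publishes on one address only. The following is an added example, not part of the original page, that classifies each entry of the docker ps PORTS column accordingly; the function name audit_ports is an assumption, and the sample lines are constructed from the PORTS values shown on this page.

```bash
# Classify each published port by the host address it is bound to.
# Live use: docker ps --format '{{.Names}}\t{{.Ports}}' | audit_ports
audit_ports() {
  # Input: one "<name><TAB><ports>" line per container; ports are comma-separated.
  awk -F'\t' '{
    n = split($2, maps, /, */)
    for (i = 1; i <= n; i++) {
      m = maps[i]
      if (m == "") continue
      # An entry without "->" is only exposed by the image, not published on the host.
      if (m !~ /->/) { print $1, m, "NOT-PUBLISHED"; continue }
      split(m, side, "->")
      host = side[1]
      sub(/:[0-9-]+$/, "", host)   # drop the host port, keep the bind address
      if (host == "0.0.0.0" || host == "::" || host == "[::]") {
        print $1, m, "ALL-INTERFACES"
      } else {
        print $1, m, "BOUND-TO " host
      }
    }
  }'
}

# Constructed sample in the format produced by the live command above.
sample_ps() {
  printf '%s\t%s\n' \
    evil_murdock '0.0.0.0:10001->80/tcp, 0.0.0.0:10000->443/tcp' \
    mynginx      '443/tcp, 192.168.56.11:81->80/tcp' \
    nginx2       '0.0.0.0:443->443/tcp, 0.0.0.0:82->80/tcp' \
    mydocker     ''
}

sample_ps | audit_ports
```

Entries reported as ALL-INTERFACES are reachable on every address the host has, so they are the ones to review when a service is meant to be internal only.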