1. Docker host networks
# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
7b221a7a8bd4        bridge              bridge              local
aed4e7c4891e        host                host                local
cf895048ef39        none                null                local
As the listing shows, Docker creates three networks by default: none, host and bridge.
1.1. The none network:
# docker run -it --net=none --name "n1" centos /bin/bash
[root@7ceb08a002f9 /]#
# docker inspect 7ceb08a002f9
....
            "Gateway": "",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "",
            "IPPrefixLen": 0,
            "IPv6Gateway": "",
            "MacAddress": "",
....
With the none network, Docker creates no network for the container at all: it has no NIC, no IP address and no routes. The upside is strong isolation, which makes this mode suitable for containers that only hold sensitive files.
1.2. The host network
[root@localhost /]# docker run -it --net=host --name "h1" centos /bin/bash
[root@localhost /]#
[root@localhost /]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:3cff:feda:be8d  prefixlen 64  scopeid 0x20<link>
        ether 02:42:3c:da:be:8d  txqueuelen 0  (Ethernet)
        RX packets 20257  bytes 1095063 (1.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23859  bytes 255346643 (243.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.120  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::20c:29ff:fe1b:69aa  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1b:69:aa  txqueuelen 1000  (Ethernet)
        RX packets 4249085  bytes 2048586795 (1.9 GiB)
        RX errors 0  dropped 10  overruns 0  frame 0
        TX packets 846659  bytes 242440418 (231.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 82  bytes 6612 (6.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 82  bytes 6612 (6.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth7065427: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::18db:7bff:fe34:5b84  prefixlen 64  scopeid 0x20<link>
        ether 1a:db:7b:34:5b:84  txqueuelen 0  (Ethernet)
        RX packets 20257  bytes 1378661 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23859  bytes 255346643 (243.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@localhost /]# hostname
localhost.localdomain
[root@localhost /]# exit
exit
[root@localhost /]#
A container on the host network does not get its own network namespace; it shares the host's, so its interfaces and addresses are exactly the host's. This improves transfer efficiency, but the container's service ports can conflict with ports already in use on the host.
1.3. The bridge network
When Docker is installed it creates a bridge network named docker0 by default; a container started without specifying a network is attached to docker0.
Look at the default bridge:
# brctl show
bridge name        bridge id               STP enabled     interfaces
docker0            8000.02423cdabe8d       no              veth7065427
Run a container:
# docker run -itd centos /bin/bash
Enter the container and check its IP address:
# docker exec -it 70278589f518 /bin/bash
[root@70278589f518 /]#
[root@70278589f518 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
291: eth0@if292: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
Check the host's IP addresses:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:1b:69:aa brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.120/24 brd 192.168.2.255 scope global noprefixroute ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe1b:69aa/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
292: vethd0cc669@if291: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 42:91:2c:17:b5:e2 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::4091:2cff:fe17:b5e2/64 scope link
       valid_lft forever preferred_lft forever
234: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:3c:da:be:8d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:3cff:feda:be8d/64 scope link
       valid_lft forever preferred_lft forever
244: veth7065427@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 1a:db:7b:34:5b:84 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::18db:7bff:fe34:5b84/64 scope link
       valid_lft forever preferred_lft forever
The host's veth interfaces and the containers' eth0 form veth pairs, and each @ifN suffix names the peer's interface index: the container's eth0@if292 (index 291) is paired with the host's vethd0cc669@if291 (index 292). Both host veth interfaces, vethd0cc669 and veth7065427, are attached to docker0 (master docker0).
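The @if peer indices are what actually tie a host veth to a container interface. The following Python is an added example, not code from this article: it parses the interface header lines of the two `ip a` listings above (embedded here as constructed samples) and matches each container interface to its host-side veth and the bridge that veth hangs off, which is how a defender attributes a host interface to a container.

```python
import re

# Constructed samples: the interface header lines from the container and host
# `ip a` listings above (the indices and "@ifN" peer indices are what matter here).
CONTAINER_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
291: eth0@if292: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
"""
HOST_IP_A = """\
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
292: vethd0cc669@if291: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
234: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
244: veth7065427@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
"""

# "<idx>: <name>[@if<peer>]: ..." as printed by `ip a` / `ip link`
HEADER_RE = re.compile(r"^(?P<idx>\d+): (?P<name>[^:@]+)(?:@if(?P<peer>\d+))?:")
MASTER_RE = re.compile(r"\bmaster (\S+)")


def parse_links(ip_a_output):
    """Return {ifindex: {"name", "peer", "master"}} for each interface header line."""
    links = {}
    for line in ip_a_output.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        master = MASTER_RE.search(line)
        links[int(m["idx"])] = {
            "name": m["name"],
            "peer": int(m["peer"]) if m["peer"] else None,
            "master": master.group(1) if master else None,
        }
    return links


def veth_pairs(host_ip_a, container_ip_a):
    """Match container interfaces to their host-side veth peers.
    A pair is accepted only when both ends agree: the container's @ifN names the
    host index N and the host's @ifM names the container index M.
    Returns [(container_if, host_if, bridge_or_None)]."""
    host = parse_links(host_ip_a)
    pairs = []
    for c_idx, c in parse_links(container_ip_a).items():
        h = host.get(c["peer"]) if c["peer"] is not None else None
        if h and h["peer"] == c_idx:
            pairs.append((c["name"], h["name"], h["master"]))
    return pairs


if __name__ == "__main__":
    print(veth_pairs(HOST_IP_A, CONTAINER_IP_A))  # [('eth0', 'vethd0cc669', 'docker0')]
```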
2. Creating a custom bridge network
2.1. Create a bridge network
2.1.1. Create the network
# docker network create -d bridge ckl_net
-d, --driver string    # specify the driver type; the default is bridge
2.1.2. View the created network:
# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
7b221a7a8bd4        bridge              bridge              local
bf0464ee4b94        ckl_net             bridge              local    # the newly created network
aed4e7c4891e        host                host                local
cf895048ef39        none                null                local
Network details:
# docker inspect ckl_net
[
    {
        "Name": "ckl_net",
        "Id": "bf0464ee4b94fdd7a1ac67ebf0a51105e65ee150f1c400bbc87fd0ffd10e1232",
        "Created": "2018-12-18T02:53:12.975588177-05:00",
        "Scope": "local",
        "Driver": "bridge",                  # network type
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",   # allocated address range
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
Bridge information:
# brctl show
bridge name        bridge id               STP enabled     interfaces
br-bf0464ee4b94    8000.0242a447b5e2       no
docker0            8000.02423cdabe8d       no              veth7065427
                                                           vethd0cc669
2.1.3. Start a container on the newly created bridge network
# docker run -itd --name "bc1" --network=ckl_net centos
Check the container's IP address:
# docker exec -it 5d8f64359cf6 /bin/bash
[root@5d8f64359cf6 /]#
[root@5d8f64359cf6 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
295: eth0@if296: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0    # an IP from the network's address range
       valid_lft forever preferred_lft forever
2.2. Create a bridge with a custom subnet
2.2.1. Create the bridge
# docker network create -d bridge --subnet 172.88.11.0/24 --gateway 172.88.11.1 ckl_net1
2.2.2. View the network information
# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
7b221a7a8bd4        bridge              bridge              local
bf0464ee4b94        ckl_net             bridge              local
33a5e13e7f47        ckl_net1            bridge              local    # newly created
aed4e7c4891e        host                host                local
cf895048ef39        none                null                local
# docker inspect ckl_net1
[
    {
        "Name": "ckl_net1",
        "Id": "33a5e13e7f4763f5f19656a545f069373d274320abab0aefd1105849650ea159",
        "Created": "2018-12-18T03:04:31.964452006-05:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.88.11.0/24",   # the subnet we specified
                    "Gateway": "172.88.11.1"      # the gateway we specified
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
# brctl show
bridge name        bridge id               STP enabled     interfaces
br-33a5e13e7f47    8000.0242a7134199       no                              # the newly created bridge
br-bf0464ee4b94    8000.0242a447b5e2       no              veth1e80c6c
docker0            8000.02423cdabe8d       no              veth7065427
                                                           vethd0cc669
2.2.3. Run a container on the newly created network
# docker run -itd --name "bc2" --network=ckl_net1 centos
Enter the container and check its IP address:
# docker exec -it 7f175e82e072 /bin/bash
[root@7f175e82e072 /]#
[root@7f175e82e072 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
298: eth0@if299: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:58:0b:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.88.11.2/24 brd 172.88.11.255 scope global eth0    # the custom subnet is in use
       valid_lft forever preferred_lft forever
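Before creating several custom bridges with --subnet and --gateway, it is worth checking the planned address plan the same way one would review the `docker inspect` output above. This Python is an added example, not code from this article: it reads a constructed sample in the shape of `docker inspect <network>` (the three bridge networks from this article plus one deliberately broken entry) and flags a gateway outside its own subnet, overlapping subnets, and networks that are not --internal and therefore get a MASQUERADE rule.

```python
import ipaddress
import json

# Constructed sample modelled on the `docker inspect <network>` output above: the
# three bridge networks from this article plus one deliberately bad entry.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Internal": False,
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "ckl_net", "Driver": "bridge", "Internal": False,
     "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]}},
    {"Name": "ckl_net1", "Driver": "bridge", "Internal": False,
     "IPAM": {"Config": [{"Subnet": "172.88.11.0/24", "Gateway": "172.88.11.1"}]}},
    # constructed bad entry: subnet overlaps the default bridge, gateway outside it
    {"Name": "bad_net", "Driver": "bridge", "Internal": False,
     "IPAM": {"Config": [{"Subnet": "172.17.5.0/24", "Gateway": "172.17.6.1"}]}},
])


def audit_networks(inspect_json):
    """Return [(network, finding)] for bridge networks: a gateway that is not inside
    its own subnet, and a subnet that overlaps another bridge network. Docker itself
    rejects overlapping pools at create time, so this is meant for reviewing a
    planned set of --subnet/--gateway values before running `docker network create`."""
    findings = []
    seen = []  # (name, ip_network) already checked, for overlap detection
    for net in json.loads(inspect_json):
        if net.get("Driver") != "bridge":
            continue
        name = net["Name"]
        for cfg in net.get("IPAM", {}).get("Config", []):
            subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
            gateway = ipaddress.ip_address(cfg["Gateway"])
            if gateway not in subnet:
                findings.append((name, f"gateway {gateway} not inside {subnet}"))
            for other_name, other in seen:
                if subnet.overlaps(other):
                    findings.append((name, f"subnet {subnet} overlaps {other_name} ({other})"))
            seen.append((name, subnet))
    return findings


def nat_exposed(inspect_json):
    """Names of bridge networks created without --internal: Docker adds a MASQUERADE
    rule for each of these, so their containers can reach the outside world."""
    return [net["Name"] for net in json.loads(inspect_json)
            if net.get("Driver") == "bridge" and not net.get("Internal", False)]
```

On a live host, feed it the output of `docker network inspect $(docker network ls -q)` instead of the embedded sample.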
3. Container port mapping
3.1. Containers can reach the outside network by default; test it as follows:
# docker exec -it 7f175e82e072 /bin/bash
[root@7f175e82e072 /]# ping -c 3 www.qq.com
PING https.qq.com (61.129.7.47) 56(84) bytes of data.
64 bytes from 61.129.7.47 (61.129.7.47): icmp_seq=1 ttl=50 time=6.60 ms
64 bytes from 61.129.7.47 (61.129.7.47): icmp_seq=2 ttl=50 time=7.70 ms
64 bytes from 61.129.7.47 (61.129.7.47): icmp_seq=3 ttl=50 time=3.92 ms

--- https.qq.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 3.920/6.078/7.709/1.592 ms
This works because Docker has added address-translation rules to iptables:
# iptables -t nat -S
...
-A POSTROUTING -s 172.88.11.0/24 ! -o br-33a5e13e7f47 -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-bf0464ee4b94 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Source address translation (MASQUERADE) is in place for all three networks.
3.2. Mapping a container port to a host port
3.2.1. Run an nginx container:
# docker run -d -p 8080:80 nginx
cb013604e7f5630577e046483f4732965d7bda7f1ec7c645db587b8906e23567
# -p, --publish list    Publish a container's port(s) to the host
3.2.2. Access nginx
# curl http://127.0.0.1:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
3.2.3. View the container
# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED             STATUS             PORTS                  NAMES
cb013604e7f5   nginx   "nginx -g 'daemon of…"   About an hour ago   Up About an hour   0.0.0.0:8080->80/tcp   happy_buck
# Host port 8080 is mapped to container port 80.
3.2.4. If no host port is specified, a random port is chosen
# docker run -d -p 80 --name "rd1" nginx
b5e3819fcfc7857cefaabb579ce92f22cd5b9b6f422f96df2b34d27d0d2c0ad8
# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED             STATUS             PORTS                   NAMES
b5e3819fcfc7   nginx   "nginx -g 'daemon of…"   5 seconds ago       Up 3 seconds       0.0.0.0:32768->80/tcp   rd1
cb013604e7f5   nginx   "nginx -g 'daemon of…"   About an hour ago   Up About an hour   0.0.0.0:8080->80/tcp    happy_buck
# The random port 32768 was chosen.
# curl http://127.0.0.1:32768
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
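The PORTS column above shows 0.0.0.0 as the host address, which is what a plain `-p 8080:80` gives you: the port is reachable on every host interface (including ens32 at 192.168.2.120 in this article), not only on 127.0.0.1, and because Docker realises it as a DNAT in the nat table's DOCKER chain the traffic is forwarded rather than passing host INPUT rules. This Python is an added example, not code from this article: it parses `docker ps --format '{{.Names}}\t{{.Ports}}'` output (a constructed sample built from the two containers above plus two made-up rows) and lists the containers with wildcard bindings; binding to a specific address is done with `-p 127.0.0.1:8080:80`.

```python
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output: the two
# containers from this article plus a constructed loopback-only and an unpublished one.
SAMPLE_PS = """\
happy_buck\t0.0.0.0:8080->80/tcp
rd1\t0.0.0.0:32768->80/tcp, :::32768->80/tcp
admin\t127.0.0.1:9000->9000/tcp
sidecar\t80/tcp
"""

# One mapping as printed by `docker ps`: <host ip>:<host port>-><container port>/<proto>
MAPPING_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>\w+)$")
WILDCARD_IPS = {"0.0.0.0", "::"}  # "all interfaces" for IPv4 and IPv6


def parse_ports(ps_output):
    """Return {container: [(host_ip, host_port, container_port, proto), ...]}.
    Exposed-but-unpublished ports such as '80/tcp' have no host binding and are skipped."""
    result = {}
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        result[name] = []
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            m = MAPPING_RE.match(entry)
            if m:
                result[name].append((m["ip"], int(m["hport"]), int(m["cport"]), m["proto"]))
    return result


def wildcard_bindings(ps_output):
    """(container, host_port, proto) for every published port bound to all host
    interfaces, deduplicated across the IPv4 and IPv6 wildcard entries."""
    return sorted({
        (name, hport, proto)
        for name, maps in parse_ports(ps_output).items()
        for ip, hport, _cport, proto in maps
        if ip in WILDCARD_IPS
    })


if __name__ == "__main__":
    for name, port, proto in wildcard_bindings(SAMPLE_PS):
        print(f"{name}: {port}/{proto} is reachable on every host interface")
```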