Learning Docker: Networking
Docker's four network types
1) bridge mode:
bridge mode is Docker's default network setting. In this mode every container is given its own Network Namespace and IP configuration, and all Docker containers on a host are attached to a virtual bridge. When the Docker server starts it creates a virtual bridge named docker0 on the host, and the Docker containers started on this host connect to it. The virtual bridge works like a physical switch, so all containers on the host sit in one layer-2 network through that switch. Next the containers are assigned IPs: Docker picks, from the private ranges defined in RFC 1918, an IP address and subnet different from the host's and assigns them to docker0, and each container connected to docker0 takes an unused IP from that subnet. Typically Docker uses the 172.17.0.0/16 range and assigns 172.17.42.1/16 to the docker0 bridge (docker0 is visible on the host with the ifconfig command; it can be thought of as the bridge's management port, used on the host as a virtual network card).
2) host mode:
If a container is started in host mode, it does not get its own Network Namespace but shares the host's. The container does not create a virtual NIC or configure its own IP; it uses the host's IP and ports directly.
3) none mode:
In none mode the Docker container has its own Network Namespace, but Docker performs no network configuration for it at all. That is, the container has no NIC, IP address, or routes, and we have to add a NIC and configure an IP for it ourselves.
4) container mode:
This mode makes a newly created container share a Network Namespace with an existing container instead of with the host. The new container does not create its own NIC or configure its own IP; it shares the specified container's IP, port range, and so on. Apart from networking, the two containers remain isolated in everything else, such as the filesystem and the process list. Processes in the two containers can communicate over the lo interface.
The above is
I. Base environment
1. System version and Docker version
[root@docker ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@docker ~]#
[root@docker ~]# docker -v
Docker version 18.09.0, build 4d60db4
[root@docker ~]#
2. Docker networking (default)
[root@docker ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b5:c8:bf brd ff:ff:ff:ff:ff:ff
inet 192.168.1.31/24 brd 192.168.1.255 scope global dynamic ens33
valid_lft 6621sec preferred_lft 6621sec
inet6 fe80::ca58:2ea0:cde5:290/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:65:90:e5:3c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
3. Docker image, container, network and volume lists (default)
[root@docker ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
[root@docker ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
fac18b86913d bridge bridge local
5c25ba0dec47 host host local
ff32283000f2 none null local
[root@docker ~]# ll /var/lib/docker/volumes/
total 24
-rw-------. 1 root root 32768 Jan 23 04:40 metadata.db
II. Pull an image and run a container
[root@docker ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
a02a4930cb5d: Pull complete
Digest: sha256:184e5f35598e333bfa7de10d8fb1cebb5ee4df5bc0f970bf2b1e7c7345136426
Status: Downloaded newer image for centos:latest
[root@docker ~]# docker run -it --name db1 -d centos
83965573d79ae0ba4a413d821c74d92dcf0f85dc04824a09ec2e758cce8fd0cb
[root@docker ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos latest 1e1148e4cc2c 6 weeks ago 202MB
[root@docker ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
83965573d79a centos "/bin/bash" 12 seconds ago Up 12 seconds db1
[root@docker ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b5:c8:bf brd ff:ff:ff:ff:ff:ff
inet 192.168.1.31/24 brd 192.168.1.255 scope global dynamic ens33
valid_lft 6121sec preferred_lft 6121sec
inet6 fe80::ca58:2ea0:cde5:290/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:65:90:e5:3c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:65ff:fe90:e53c/64 scope link
valid_lft forever preferred_lft forever
5: veth0f485c5@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
link/ether 4a:ed:d3:94:b3:75 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::48ed:d3ff:fe94:b375/64 scope link
valid_lft forever preferred_lft forever
[root@docker ~]# docker inspect db1 | tail -n 20
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "fac18b86913df0fecb95c466a57f22f608b85c314b06cbb24d309b9025609e66",
"EndpointID": "c43e42c3a1def426dac2a23009189a441094315e656c20e35fd99d01eb3622e6",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02",
"DriverOpts": null
}
}
}
}
]
Here we pull a CentOS image and use it to run a container named db1. Then docker inspect db1 shows that the container's network address is 172.17.0.2, which is on the default subnet.
III. Create a Docker network, then run a container on it (default subnet 172.17.0.0/16; the first added network gets 172.18.0.0/16, the second added network gets 172.19.0.0/16, …)
[root@docker ~]# docker network create network-test1
f3d416fe3b1f1214ff423ac22bafb93a61e262890e0cfe0a96e899103cdc5714
[root@docker ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
fac18b86913d bridge bridge local
5c25ba0dec47 host host local
f3d416fe3b1f network-test1 bridge local
ff32283000f2 none null local
[root@docker ~]# docker run -it --name db2 --network network-test1 -d centos
e74060cd8ab5864ce9e224622f638bb6dd6eacb39968b1597e1b59f84b82cc09
[root@docker ~]# docker inspect db2 |tail -n 20
"IPAMConfig": null,
"Links": null,
"Aliases": [
"e74060cd8ab5"
],
"NetworkID": "f3d416fe3b1f1214ff423ac22bafb93a61e262890e0cfe0a96e899103cdc5714",
"EndpointID": "56d3d1d0d9538cb493359fa9f0e92c960d037dcecb144849f82be007b11f6ea9",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:02",
"DriverOpts": null
}
}
}
}
]
[root@docker ~]# docker exec -it db2 bash
[root@e74060cd8ab5 /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
IV. Connect an existing container to an additional network
[root@docker ~]# docker network connect network-test1 db1
[root@docker ~]# docker inspect db1 | tail -n 40
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "fac18b86913df0fecb95c466a57f22f608b85c314b06cbb24d309b9025609e66",
"EndpointID": "c43e42c3a1def426dac2a23009189a441094315e656c20e35fd99d01eb3622e6",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:02",
"DriverOpts": null
},
"network-test1": {
"IPAMConfig": {},
"Links": null,
"Aliases": [
"83965573d79a"
],
"NetworkID": "f3d416fe3b1f1214ff423ac22bafb93a61e262890e0cfe0a96e899103cdc5714",
"EndpointID": "639e89639a8cf9e1b2938d8a8524c1f5e413b7f1c5379ef94b435fb3c690c816",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:03",
"DriverOpts": null
}
}
}
}
]
[root@docker ~]# docker exec -it db1 bash
[root@83965573d79a /]# ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2) 56(84) bytes of data.
64 bytes from 172.18.0.2: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 172.18.0.2: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 172.18.0.2: icmp_seq=3 ttl=64 time=0.075 ms
64 bytes from 172.18.0.2: icmp_seq=4 ttl=64 time=0.078 ms
64 bytes from 172.18.0.2: icmp_seq=5 ttl=64 time=0.055 ms
^C
--- 172.18.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.055/0.069/0.078/0.010 ms
[root@83965573d79a /]# exit
exit
[root@docker ~]# docker exec -it db2 bash
[root@e74060cd8ab5 /]# 172.17.0.2
bash: 172.17.0.2: command not found
[root@e74060cd8ab5 /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
^C
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
[root@e74060cd8ab5 /]# ping 172.18.0.3
PING 172.18.0.3 (172.18.0.3) 56(84) bytes of data.
64 bytes from 172.18.0.3: icmp_seq=1 ttl=64 time=0.069 ms
^C
--- 172.18.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.069/0.069/0.069/0.000 ms
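Why db2 can reach 172.18.0.3 but not 172.17.0.2: Docker isolates bridge networks from one another, so two containers only talk when they share a network. The following Python is an added example, not code from the original post: it parses docker inspect JSON of the shape shown above (the sample is constructed from the addresses in this post), answers reachability questions from it, and lists containers attached to more than one network, since such a container is exposed on both segments.

```python
import json

# Constructed sample modelled on the `docker inspect` output in this post:
# db1 sits on the default bridge and on network-test1, db2 only on network-test1.
INSPECT_SAMPLE = json.dumps([
    {"Name": "/db1", "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.2", "IPPrefixLen": 16, "Gateway": "172.17.0.1"},
        "network-test1": {"IPAddress": "172.18.0.3", "IPPrefixLen": 16, "Gateway": "172.18.0.1"},
    }}},
    {"Name": "/db2", "NetworkSettings": {"Networks": {
        "network-test1": {"IPAddress": "172.18.0.2", "IPPrefixLen": 16, "Gateway": "172.18.0.1"},
    }}},
])


def parse_inspect(raw):
    """Return {container: {network: ip}} from `docker inspect <c1> <c2> ...` JSON."""
    topology = {}
    for entry in json.loads(raw):
        name = entry["Name"].lstrip("/")
        nets = entry["NetworkSettings"]["Networks"]
        topology[name] = {n: d["IPAddress"] for n, d in nets.items() if d["IPAddress"]}
    return topology


def can_reach(topology, src, dst_ip):
    """Bridge networks are isolated from each other, so dst_ip is reachable from
    src only if the container owning dst_ip holds it on a network src is also on."""
    for net in topology[src]:
        for other, nets in topology.items():
            if other != src and nets.get(net) == dst_ip:
                return True
    return False


def multi_homed(topology):
    """Containers attached to more than one network: a compromise of such a
    container gives a foothold on every segment it is attached to."""
    return sorted(c for c, nets in topology.items() if len(nets) > 1)


if __name__ == "__main__":
    topo = parse_inspect(INSPECT_SAMPLE)
    print("db2 -> 172.18.0.3:", can_reach(topo, "db2", "172.18.0.3"))  # True
    print("db2 -> 172.17.0.2:", can_reach(topo, "db2", "172.17.0.2"))  # False
    print("multi-homed:", multi_homed(topo))  # ['db1']
```

On a real host, feed it the output of docker inspect db1 db2 (the full JSON, not the tail shown above).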
V. Create a network with a specified subnet; it must not be the same as the host's subnet
[root@docker ~]# docker network create --subnet=192.168.10.0/24 --gateway=192.168.10.254 network-test2
b4447cd299ec5e0e06d9cef76fbb211569724ec9585a9ee1e1bd8ba3f2c1e60b
[root@docker ~]#
[root@docker ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
fac18b86913d bridge bridge local
5c25ba0dec47 host host local
f3d416fe3b1f network-test1 bridge local
b4447cd299ec network-test2 bridge local
ff32283000f2 none null local
[root@docker ~]# docker run -itd --name db3 --network network-test2 centos
aa3738327f27150ffe77d638a44b221d29d44a21134e21961a259180596832fd
[root@docker ~]# docker ipspect db3 |tail -n 20
docker: 'ipspect' is not a docker command.
See 'docker --help'
[root@docker ~]# docker inspect db3 |tail -n 20
"IPAMConfig": null,
"Links": null,
"Aliases": [
"aa3738327f27"
],
"NetworkID": "b4447cd299ec5e0e06d9cef76fbb211569724ec9585a9ee1e1bd8ba3f2c1e60b",
"EndpointID": "779bb57b85c70552a2bb49f266070413579e0029761c2e2b46ef603cb4e7567b",
"Gateway": "192.168.10.254",
"IPAddress": "192.168.10.1",
"IPPrefixLen": 24,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:c0:a8:0a:01",
"DriverOpts": null
}
}
}
}
]
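A pre-flight check for the warning in this section's heading (and for the bip change in the section on the default network below): the following Python is an added example, not the post's own code. It reads ip a output like that shown earlier (the sample is constructed from this post's addresses) and reports every host interface whose network overlaps a proposed subnet. Docker's own overlap check covers the address pools it manages; a collision with the host's LAN is for the operator to catch.

```python
import ipaddress
import re

# Constructed sample in the shape of this post's `ip a` output: the host NIC ens33
# plus the two Docker bridges present after network-test1 was created.
IP_A_SAMPLE = """\
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b5:c8:bf brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.31/24 brd 192.168.1.255 scope global dynamic ens33
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
6: br-f3d416fe3b1f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-f3d416fe3b1f
"""

# An IPv4 `inet` line ends with the interface name; `inet6` lines do not match.
INET_RE = re.compile(r"^\s*inet (\S+/\d+) .*?(\S+)$", re.MULTILINE)


def host_networks(ip_a_output):
    """Map interface name -> IPv4 network for every `inet` line in `ip a` output."""
    nets = {}
    for cidr, ifname in INET_RE.findall(ip_a_output):
        nets[ifname] = ipaddress.ip_interface(cidr).network
    return nets


def conflicts(proposed_cidr, ip_a_output):
    """Interfaces whose network overlaps the subnet proposed for
    `docker network create --subnet=...` or for "bip" in daemon.json."""
    proposed = ipaddress.ip_network(proposed_cidr, strict=False)
    return sorted(name for name, net in host_networks(ip_a_output).items()
                  if net.overlaps(proposed))


if __name__ == "__main__":
    # The subnet used in this section is clear of the host LAN; 192.168.1.0/24 is not.
    print(conflicts("192.168.10.0/24", IP_A_SAMPLE))  # []
    print(conflicts("192.168.1.0/24", IP_A_SAMPLE))   # ['ens33']
```

On a live host, pass the output of ip a (for example via subprocess) instead of the constructed sample.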
VI. Delete a network
[root@docker ~]# docker network rm network-test2
Error response from daemon: error while removing network: network network-test2 id b4447cd299ec5e0e06d9cef76fbb211569724ec9585a9ee1e1bd8ba3f2c1e60b has active endpoints
# The error above occurs because the network is still in use by a container, so the network has to be disconnected from the container first
[root@docker ~]# docker network disconnect network-test2 db3
[root@docker ~]# docker network rm network-test2
network-test2
[root@docker ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
fac18b86913d bridge bridge local
5c25ba0dec47 host host local
f3d416fe3b1f network-test1 bridge local
ff32283000f2 none null local
# Since the network has been removed, this container no longer has an IP address; a network has to be connected to it
[root@docker ~]# docker inspect db3 | tail -n 20
"SandboxID": "da143898cabe72caed5cf92b86cab2633c3a68f5fe6f86e50ac386fbccd4905c",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {},
"SandboxKey": "/var/run/docker/netns/da143898cabe",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {}
}
}
]
[root@docker ~]# docker network connect network-test1 db3
[root@docker ~]# docker inspect db3 | tail -n 20
"IPAMConfig": {},
"Links": null,
"Aliases": [
"aa3738327f27"
],
"NetworkID": "f3d416fe3b1f1214ff423ac22bafb93a61e262890e0cfe0a96e899103cdc5714",
"EndpointID": "92023e9c0b2399e8633c5a5ace9796172632ca177941635468182acb96df7b0d",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.4",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:04",
"DriverOpts": null
}
}
}
}
]
VII. Change the default network
[root@docker ~]# cat > /etc/docker/daemon.json <<EOF
{"bip": "172.17.10.1/24"}
EOF
[root@docker ~]# systemctl restart docker
[root@docker ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b5:c8:bf brd ff:ff:ff:ff:ff:ff
inet 192.168.1.31/24 brd 192.168.1.255 scope global dynamic ens33
valid_lft 6285sec preferred_lft 6285sec
inet6 fe80::ca58:2ea0:cde5:290/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:65:90:e5:3c brd ff:ff:ff:ff:ff:ff
inet 172.17.10.1/24 brd 172.17.10.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:65ff:fe90:e53c/64 scope link
valid_lft forever preferred_lft forever
6: br-f3d416fe3b1f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:2d:50:bc:16 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-f3d416fe3b1f
valid_lft forever preferred_lft forever
inet6 fe80::42:2dff:fe50:bc16/64 scope link
valid_lft forever preferred_lft forever