一、容器默认网络通信
Usage: dockerd [OPTIONS] Options: --icc Enable inter-container communication (default true) --icc=false 可以禁用容器间网络通信
Dokcer 默认使用bridge模式,服务安装后会默认生成一个名为docker0 网段为 172.17.0.0/16 的网桥,启动的容器会在容器内及宿主机内创建一对虚拟网卡,并动态分配172.17.0.0/16 网段的地址,通过将宿主机虚拟网卡连接至网桥的式实现容器间及对外的网络通信
可通过安装 bridge-uitlls 工具查看网桥信息状态
[root@Docker-Ubu1804-p11:~]# apt install -y bridge-utils Reading package lists... Done Building dependency tree Reading state information... Done Suggested packages: ifupdown The following NEW packages will be installed: bridge-utils 0 upgraded, 1 newly installed, 0 to remove and 69 not upgraded. Need to get 30.1 kB of archives. After this operation, 102 kB of additional disk space will be used. Get:1 http://cn.archive.ubuntu.com/ubuntu bionic/main amd64 bridge-utils amd64 1.5-15ubuntu1 [30.1 kB] Fetched 30.1 kB in 1s (34.9 kB/s) Selecting previously unselected package bridge-utils. (Reading database ... 108899 files and directories currently installed.) Preparing to unpack .../bridge-utils_1.5-15ubuntu1_amd64.deb ... Unpacking bridge-utils (1.5-15ubuntu1) ... Setting up bridge-utils (1.5-15ubuntu1) ... Processing triggers for man-db (2.8.3-2ubuntu0.1) ... #宿主机网卡信息 [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ee:f6:4c:b1 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:eeff:fef6:4cb1/64 scope link valid_lft forever preferred_lft forever 9: veth16f14be@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default link/ether be:32:c5:e1:12:b3 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::bc32:c5ff:fee1:12b3/64 scope link valid_lft forever preferred_lft forever #网桥信息 [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces docker0 8000.0242eef64cb1 no veth16f14be #容器内网卡信息 [root@Docker-Ubu1804-p11:~]# docker exec app1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever
默认允许同一宿主机内的容器间进行网络互联
[root@Docker-Ubu1804-p11:~]# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 98266e2eae21 busybox "tail -f /etc/hosts" 2 minutes ago Up 2 minutes brave_bassi 3559cb35d921 janzen/app1 "nginx" 10 minutes ago Up 9 minutes 0.0.0.0:80->80/tcp, 443/tcp app1 94e0a35875d9 mysql "docker-entrypoint.s…" 3 days ago Exited (0) 3 days ago some-mysql [root@Docker-Ubu1804-p11:~]# docker exec app1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# docker exec 98266e2eae21 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# docker exec -it app1 bash [root@3559cb35d921 /]# ping 172.17.0.3 PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data. 64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.204 ms 64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.049 ms 64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.049 ms 64 bytes from 172.17.0.3: icmp_seq=4 ttl=64 time=0.049 ms 64 bytes from 172.17.0.3: icmp_seq=5 ttl=64 time=0.051 ms ^C --- 172.17.0.3 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4081ms rtt min/avg/max/mdev = 0.049/0.080/0.204/0.062 ms [root@3559cb35d921 /]# exit exit [root@Docker-Ubu1804-p11:~]# docker exec -it 98266e2eae21 sh/ # ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2): 56 data bytes 64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.055 ms 64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.063 ms 64 bytes from 172.17.0.2: seq=2 ttl=64 time=0.066 ms 64 bytes from 172.17.0.2: seq=3 ttl=64 time=0.063 ms ^C --- 172.17.0.2 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.055/0.061/0.066 ms / # exit
禁用容器间网络互联
#修改dockerd的systemd启动文件,添加 --icc=false 参数,禁用容器间网络访问 [root@Docker-Ubu1804-p11:~]# vim /lib/systemd/system/docker.service ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --icc=false [root@Docker-Ubu1804-p11:~]# systemctl daemon-reload [root@Docker-Ubu1804-p11:~]# systemctl restart docker.service [root@Docker-Ubu1804-p11:~]# ps -aux | grep docker root 4994 0.3 8.4 838972 83096 ? Ssl 01:50 0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --icc=false root 5155 0.0 0.1 13216 1108 pts/0 S+ 01:51 0:00 grep --color=auto docker
[root@Docker-Ubu1804-p11:~]# docker ps -a CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES cc66eb6cc1ca janzen/app1 "nginx" 15 seconds ago Up 14 seconds 0.0.0.0:80->80/tcp, 443/tcp app1 98266e2eae21 busybox "tail -f /etc/hosts" 22 minutes ago Up 5 seconds brave_bassi 94e0a35875d9 mysql "docker-entrypoint.s…" 3 days ago Exited (0) 3 days ago some-mysql [root@Docker-Ubu1804-p11:~]# docker exec app1 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# docker exec 98266 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# docker exec -it app1 bash [root@cc66eb6cc1ca /]# ping 172.17.0.3 PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data. ^C --- 172.17.0.3 ping statistics --- 6 packets transmitted, 0 received, 100% packet loss, time 5102ms [root@cc66eb6cc1ca /]# exit exit [root@Docker-Ubu1804-p11:~]# docker exec -it 98266 sh / # ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2): 56 data bytes ^C --- 172.17.0.2 ping statistics --- 7 packets transmitted, 0 packets received, 100% packet loss / # exit
修改默认网络配置
Usage: dockerd [OPTIONS] A self-sufficient runtime for containers. Options: --bip string Specify network bridge IP -b, --bridge string Attach containers to a network bridge
修改默认网桥使用的IP地址
[root@Docker-Ubu1804-p11:~]# vim /lib/systemd/system/docker.service [root@Docker-Ubu1804-p11:~]# cat /lib/systemd/system/docker.service | grep ExecStart ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --bip=192.168.17.1/24 [root@Docker-Ubu1804-p11:~]# systemctl daemon-reload [root@Docker-Ubu1804-p11:~]# systemctl restart docker.service [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:ee:f6:4c:b1 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:eeff:fef6:4cb1/64 scope link valid_lft forever preferred_lft forever
修改默认网桥连接
#新建网桥br0,配置使用 192.168.19.0/24 网段 [root@Docker-Ubu1804-p11:~]# brctl addbr br0 [root@Docker-Ubu1804-p11:~]# ip a a 192.168.19.1/24 dev br0 [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br0 8000.000000000000 no docker0 8000.0242eef64cb1 no [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:ee:f6:4c:b1 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:eeff:fef6:4cb1/64 scope link valid_lft forever preferred_lft forever 16: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 76:17:d6:4b:2b:94 brd ff:ff:ff:ff:ff:ff inet 192.168.19.1/24 scope global br0 valid_lft forever preferred_lft forever #修改dockerd启动文件,添加-b参数指定使用br0作为网络连接网桥 [root@Docker-Ubu1804-p11:~]# vim /lib/systemd/system/docker.service [root@Docker-Ubu1804-p11:~]# cat /lib/systemd/system/docker.service | grep ExecStart ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -b br0 [root@Docker-Ubu1804-p11:~]# systemctl daemon-reload [root@Docker-Ubu1804-p11:~]# systemctl restart docker.service [root@Docker-Ubu1804-p11:~]# ps aux | grep dockerd root 6721 0.0 8.3 757044 82048 ? Ssl 02:18 0:00 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -b br0 root 6870 0.0 0.1 13216 1148 pts/0 S+ 02:21 0:00 grep --color=auto dockerd #新建容器查看容器网卡信息,进行验证 [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx janzen/nginx-centos7:1.20.1-v2.0 5fb23af783414778bdf8cfda82d9138446c762c397ebd3befe4fab6ee3782faa [root@Docker-Ubu1804-p11:~]# docker exec -it nginx ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:13:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.19.2/24 brd 192.168.19.255 scope global eth0 valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br0 8000.4a165c89efc8 no veth7c6805a docker0 8000.0242eef64cb1 no
二、容器名称互联
1、容器名称实现互联
1.1、容器名称介绍
在同一个宿主机上的容器之间可以通过自定义的容器名称进行相互访问,由于容器在启动时的名称是由DHCP随机分配的,因而使用相对固定的容器名称进行访问。
可以在docker run 创建容器时添加 --link 参数,实现容器名称的引用
注意:被引用容器必须提前创建
注意:如果被引用容器发生地址变化,需要重启当前容器才能重新获取被引用容器的新地址
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...] Run a command in a new container Options: --link list Add link to another container
1.2、使用容器名称进行网络访问
#创建mysql容器,创建nginx容器指定连接 mysql [root@Docker-Ubu1804-p11:~]# docker run --name mysql -e MYSQL_ROOT_PASSWORD=passwd -d mysql 17ad715abb2424b24a8c77c3a202b0b2fa732bff84d63b5911c0c2288fab41a6 [root@Docker-Ubu1804-p11:~]# docker run --name nginx --link mysql -d janzen/nginx-centos7:1.20.1-v2.0 e8e2515a4426de167f41deaa4dbb79c9a087933e2df3076645d1cdc0a0c6766e [root@Docker-Ubu1804-p11:~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e8e2515a4426 janzen/nginx-centos7:1.20.1-v2.0 "nginx" 22 seconds ago Up 20 seconds 80/tcp, 443/tcp nginx 17ad715abb24 mysql "docker-entrypoint.s…" About a minute ago Up About a minute 3306/tcp, 33060/tcp mysql [root@Docker-Ubu1804-p11:~]# docker inspect mysql -f "{{.NetworkSettings}}" {{ 693f42a505b49fd8580e3be09c1da1391a5aa98de790bbf986103f76005cb270 false 0 map[3306/tcp:[] 33060/tcp:[]] /var/run/docker/netns/693f42a505b4 [] []} {d57c4d5b5c72ad0d38b780368c4ee7dafc449258a5e28e0cf5151c7883742d9f 192.168.19.1 0 192.168.19.2 24 02:42:c0:a8:13:02} map[bridge:0xc0003015c0]} [root@Docker-Ubu1804-p11:~]# docker inspect nginx -f "{{.NetworkSettings}}" {{ e761523b5361d148f107f0cc124d5a4aea054cfd99e0e39feb2a35a8119791d7 false 0 map[443/tcp:[] 80/tcp:[]] /var/run/docker/netns/e761523b5361 [] []} {48f9df6fa35cb7becb7e3c9af748e2497edbf25940644861b6bfd23bc01329d7 192.168.19.1 0 192.168.19.3 24 02:42:c0:a8:13:03} map[bridge:0xc0002ff5c0]} [root@Docker-Ubu1804-p11:~]# docker exec -it nginx bash [root@e8e2515a4426 /]# cat /etc/host host.conf hostname hosts hosts.allow hosts.deny [root@e8e2515a4426 /]# cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.19.2 mysql 17ad715abb24 192.168.19.3 e8e2515a4426 [root@e8e2515a4426 /]# ping mysql PING mysql (192.168.19.2) 56(84) bytes of data. 64 bytes from mysql (192.168.19.2): icmp_seq=1 ttl=64 time=0.167 ms 64 bytes from mysql (192.168.19.2): icmp_seq=2 ttl=64 time=0.063 ms 64 bytes from mysql (192.168.19.2): icmp_seq=3 ttl=64 time=0.047 ms ^C --- mysql ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2034ms rtt min/avg/max/mdev = 0.047/0.092/0.167/0.053 ms [root@e8e2515a4426 /]# exit exit #验证容器IP发生变化 [root@Docker-Ubu1804-p11:~]# docker stop mysql mysql [root@Docker-Ubu1804-p11:~]# docker run -d busybox tail -f /etc/hosts c3cbdbc623b1026cb3efffb613d0f4f1e7dae2473db0e3eb77551c319430c61a [root@Docker-Ubu1804-p11:~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c3cbdbc623b1 busybox "tail -f /etc/hosts" 7 seconds ago Up 6 seconds admiring_wescoff e8e2515a4426 janzen/nginx-centos7:1.20.1-v2.0 "nginx" 7 minutes ago Up 7 minutes 80/tcp, 443/tcp nginx [root@Docker-Ubu1804-p11:~]# docker inspect c3cbdbc623b1 -f "{{.NetworkSettings}}" {{ 616e505a4a2454ad05156c1e8c524c8ce366efa350cf5ad41565a4256d02005d false 0 map[] /var/run/docker/netns/616e505a4a24 [] []} {2513e7c313d0d8e18a47d5836c7647dcb06053bfe80025ca13ae2f75aaada014 192.168.19.1 0 192.168.19.2 24 02:42:c0:a8:13:02} map[bridge:0xc0002ff5c0]} [root@Docker-Ubu1804-p11:~]# docker start mysql mysql [root@Docker-Ubu1804-p11:~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c3cbdbc623b1 busybox "tail -f /etc/hosts" 57 seconds ago Up 56 seconds admiring_wescoff e8e2515a4426 janzen/nginx-centos7:1.20.1-v2.0 "nginx" 8 minutes ago Up 8 minutes 80/tcp, 443/tcp nginx 17ad715abb24 mysql "docker-entrypoint.s…" 8 minutes ago Up 4 seconds 3306/tcp, 33060/tcp mysql [root@Docker-Ubu1804-p11:~]# docker inspect mysql -f "{{.NetworkSettings}}" {{ e08e48e61767595fdc37df3590f1725666169a1c46f21060170e540a18ef6d42 false 0 map[3306/tcp:[] 33060/tcp:[]] /var/run/docker/netns/e08e48e61767 [] []} {f7e34ad6702fadf1c9d13ce53c13e0e25a1513004b3b14ddf49ba399d3ddc13a 192.168.19.1 0 192.168.19.4 24 02:42:c0:a8:13:04} map[bridge:0xc0002ff5c0]} [root@Docker-Ubu1804-p11:~]# docker exec -it nginx bash [root@e8e2515a4426 /]# cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.19.4 mysql 17ad715abb24 192.168.19.3 e8e2515a4426 [root@e8e2515a4426 /]# ping mysql PING mysql (192.168.19.4) 56(84) bytes of data. 64 bytes from mysql (192.168.19.4): icmp_seq=1 ttl=64 time=0.187 ms 64 bytes from mysql (192.168.19.4): icmp_seq=2 ttl=64 time=0.049 ms 64 bytes from mysql (192.168.19.4): icmp_seq=3 ttl=64 time=0.046 ms 64 bytes from mysql (192.168.19.4): icmp_seq=4 ttl=64 time=0.111 ms 64 bytes from mysql (192.168.19.4): icmp_seq=5 ttl=64 time=0.048 ms 64 bytes from mysql (192.168.19.4): icmp_seq=6 ttl=64 time=0.045 ms ^C --- mysql ping statistics --- 6 packets transmitted, 6 received, 0% packet loss, time 5067ms rtt min/avg/max/mdev = 0.045/0.081/0.187/0.052 ms [root@e8e2515a4426 /]# exit exit [root@Docker-Ubu1804-p11:~]#
2、容器别名实现互联
2.1、容器别名介绍
命名格式:
docker run --name <容器名称> docker run --link <目标容器名称>:<目标容器别名>
2.2、使用容器别名进行网络访问
#创建新容器,引用前面创建的nginx容器,并创建别名 [root@Docker-Ubu1804-p11:~]# docker run -it --rm --link nginx:nginx-server1 alpine sh / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.19.3 nginx-server1 e8e2515a4426 nginx 192.168.19.5 dbf6642469fd / # ping nginx PING nginx (192.168.19.3): 56 data bytes 64 bytes from 192.168.19.3: seq=0 ttl=64 time=0.234 ms 64 bytes from 192.168.19.3: seq=1 ttl=64 time=0.074 ms 64 bytes from 192.168.19.3: seq=2 ttl=64 time=0.065 ms ^C --- nginx ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.065/0.124/0.234 ms / # ping nginx-server1 PING nginx-server1 (192.168.19.3): 56 data bytes 64 bytes from 192.168.19.3: seq=0 ttl=64 time=0.128 ms 64 bytes from 192.168.19.3: seq=1 ttl=64 time=0.072 ms 64 bytes from 192.168.19.3: seq=2 ttl=64 time=0.062 ms ^C --- nginx-server1 ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.062/0.087/0.128 ms / # exit #创建新容器,引用前面创建的mysql容器,创建多个别名 [root@Docker-Ubu1804-p11:~]# docker run -it --rm --link mysql:"mysql-node0 mysql-node1" alpine sh / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 192.168.19.4 mysql-node0 mysql-node1 17ad715abb24 mysql 192.168.19.5 0eb3e54c1a5e / # ping mysql PING mysql (192.168.19.4): 56 data bytes 64 bytes from 192.168.19.4: seq=0 ttl=64 time=0.093 ms 64 bytes from 192.168.19.4: seq=1 ttl=64 time=0.067 ms 64 bytes from 192.168.19.4: seq=2 ttl=64 time=0.068 ms ^C --- mysql ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.067/0.076/0.093 ms / # ping mysql-node0 PING mysql-node0 (192.168.19.4): 56 data bytes 64 bytes from 192.168.19.4: seq=0 ttl=64 time=0.052 ms 64 bytes from 192.168.19.4: seq=1 ttl=64 time=0.076 ms 64 bytes from 192.168.19.4: seq=2 ttl=64 time=0.073 ms 64 bytes from 192.168.19.4: seq=3 ttl=64 time=0.065 ms ^C --- mysql-node0 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.052/0.066/0.076 ms / # ping mysql-node1 PING mysql-node1 (192.168.19.4): 56 data bytes 64 bytes from 192.168.19.4: seq=0 ttl=64 time=0.055 ms 64 bytes from 192.168.19.4: seq=1 ttl=64 time=0.076 ms 64 bytes from 192.168.19.4: seq=2 ttl=64 time=0.077 ms 64 bytes from 192.168.19.4: seq=3 ttl=64 time=0.075 ms ^C --- mysql-node1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.055/0.070/0.077 ms / # exit
三、Docker 网络连接模式
1、容器网络连接模式介绍
Docker支持的5种网络模式
官方文档介绍:https://docs.docker.com/config/containers/container-networking/
- none
- bridge
- host
- container
- network-name
[root@Docker-Ubu1804-p11:~]# docker network ls NETWORK ID NAME DRIVER SCOPE 40cf956014a3 bridge bridge local e33dad33c534 host host local 71f677643168 none null local
2、容器网络模式指定
Docker默认使用 Brideg网络模式,可在创建容器时使用 docker run 命令添加 网络选项指定网络模式
docker run --network <mode> docker run --net=<mode> <mode> 可选选项 none bridge host container:<容器名称或容器ID> <自定义网络名称>
3、Bridge 网络模式
此模式是Docker默认的网络模式,此模式创建的容器会为每一个容器自动分配自己网络内的IP,并将容器通过连接到一个虚拟网桥实现对外通信
可以和外部网络通信,通过SNAT访问外网,使用DNAT可以让容器被外部访问,因此此模式也被称为NAT模式
此模式宿主机需要启动 ip_forward 功能
Bridge 网络模式特点
- 网络资源隔离:不同宿主机的容器无法直接通信,各自使用独立的网络
- 无需手动配置:容器默认获取172.17.0.0/16 网段地址,此地址可手动修改
- 可访问外网:利用宿主机的物理网卡,SNAT连接外网
- 外部主机无法直接访问容器:可以通过配置DNAT接受外网访问
- 性能较低:因为可通过NAT,网络转换带来部分资源损耗
- 端口管理繁琐:每个容器必须指定唯一端口,因此可能带来更多的端口冲突
默认Bridge配置
#默认Bridge配置 [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "40cf956014a38ee53ecc7c2f36c87fae1c7c903f93e291b146657c1ec7dd9ef3", "Created": "2023-05-02T22:28:34.35625987+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "4dbcfaf0ed837a51fab95845a3cc6d3a7223a8b8441a2793f8888b222c746b46": { "Name": "app1", "EndpointID": "382dbe3365550872277ef6f15b19cb79ba01a10098a5fb99eba14e210bc4d0ff", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ]
#宿主机网络状态 [root@Docker-Ubu1804-p11:~]# cat /proc/sys/net/ipv4/ip_forward 1 [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "40cf956014a38ee53ecc7c2f36c87fae1c7c903f93e291b146657c1ec7dd9ef3", "Created": "2023-05-02T22:28:34.35625987+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "4dbcfaf0ed837a51fab95845a3cc6d3a7223a8b8441a2793f8888b222c746b46": { "Name": "app1", "EndpointID": "382dbe3365550872277ef6f15b19cb79ba01a10098a5fb99eba14e210bc4d0ff", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ]
修改Bridge配置网段
#通过指定 dockerd 启动参数修改Bridge网段配置 [root@Docker-Ubu1804-p11:~]# vim /lib/systemd/system/docker.service [root@Docker-Ubu1804-p11:~]# cat /lib/systemd/system/docker.service | grep ExecStart ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --bip=192.168.17.1/24 [root@Docker-Ubu1804-p11:~]# systemctl daemon-reload [root@Docker-Ubu1804-p11:~]# systemctl restart docker.service [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:ee:f6:4c:b1 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:eeff:fef6:4cb1/64 scope link valid_lft forever preferred_lft forever #通过修改配置文件,修改Bridge网段配置 [root@Docker-Ubu1804-p11:~]# vim /etc/docker/daemon.json { "registry-mirrors": ["https://hub-mirror.c.163.com","https://po3g231a.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"], "bip": "192.168.17.1/24", #配置docker0使用的IP,24是容器IP的掩码 "fixed-cidr": "192.168.17.128/26", #配置自动分配给容器的网络范围,26不代表地址掩码,代表网段地址范围, "default-gateway": "192.168.17.254" #网关地址必须与bip地址在同一网段,默认为 docker0地址 } [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b4:3a:65:43 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:b4ff:fe3a:6543/64 scope link valid_lft forever preferred_lft forever
配置默认Bridge模式容器
[root@Docker-Ubu1804-p11:~]# docker run -d --name centos janzen/centos7:v1.0 tail -f /etc/hosts 02389ba56fbda68357902856e5e72b07bc3bf8adef40c7b64fe1acc5637e68e4 [root@Docker-Ubu1804-p11:~]# docker inspect centos -f "{{.NetworkSettings}}" {{ 4be143e167f90088a90944196b660bc616f80c82cb2193cab40b0c40322a7912 false 0 map[] /var/run/docker/netns/4be143e167f9 [] []} {f2f5b8d19eb7cd146938bceb4711cf1846f75e90b8537565ca803e2f61e12b9b 192.168.17.254 0 192.168.17.128 24 02:42:c0:a8:11:80} map[bridge:0xc0002ff5c0]} [root@Docker-Ubu1804-p11:~]# docker exec -it centos bash [root@02389ba56fbd /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.128/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever
4、host 网络模式
如果指定指定Host模式启动的容器,新建容器不会创建自己的虚拟网卡, 而是直接使用宿主机的网卡和IP,因此在容器中看到的网卡信息实际是宿主机的网络信息,访问容器之间使用 宿主机IP+容器端口 即可,不过容器内的除网络外的其他系统依旧保持隔离状态。此模式由于直接使用宿主机网卡,无需进行NAT转换,因此网络性能最好,但是多个容器内使用的端口不能重复,适用于运行的容器端口较为固定的业务。
Host 网络模式特点
- 使用参数 --network host 固定
- 共享宿主机网络
- 网络性能无损耗
- 网络排障相对简单
- 各容器之间网络无隔离
- 各网络资源访问无法分别统计
- 端口管理难度较大:容易产生端口冲突
- 不支持端口映射
配置Host模式容器
#查看宿主机网络信息 [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b4:3a:65:43 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:b4ff:fe3a:6543/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# ss -ntl | grep 80 #创建容器指定网络模式为 Host [root@Docker-Ubu1804-p11:~]# docker run -d --name app1-host --network host janzen/app1:v3.0 4dddedc405962e76712ffc9e200ef2cf850517ebea7eca8be3e60e0f88e31270 #查看Host模式容器启动后,宿主机监听端口变化 [root@Docker-Ubu1804-p11:~]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=9500,fd=6),("nginx",pid=9487,fd=6)) LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=905,fd=13)) LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1105,fd=3)) LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=1979,fd=10)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=9500,fd=7),("nginx",pid=9487,fd=7)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1105,fd=4)) LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=1979,fd=9)) [root@Docker-Ubu1804-p11:~]# docker port app1-host #进入容器查看容器内网络信息,看到容器hostname 引用的是宿主机的hostname,网卡信息也与宿主机一致 [root@Docker-Ubu1804-p11:~]# docker exec -it app1-host bash [root@Docker-Ubu1804-p11 /]# hostname Docker-Ubu1804-p11.janzen.com [root@Docker-Ubu1804-p11 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b4:3a:65:43 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:b4ff:fe3a:6543/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* users:(("nginx",pid=1,fd=6)) LISTEN 0 128 127.0.0.53%lo:53 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 127.0.0.1:6010 *:* LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=1,fd=7)) LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 [::1]:6010 [::]:*
#指定端口映射无效 [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx-host --network host -p 8080:80 janzen/nginx-centos7:1.20.1-v2.0 WARNING: Published ports are discarded when using host network mode a91677c1a43de4d55e6e866a76a119716a24e80c2a796d6891b05ec226122278 [root@Docker-Ubu1804-p11:~]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=17610,fd=10)) LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=18743,fd=6),("nginx",pid=18726,fd=6)) LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=905,fd=13)) LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1105,fd=3)) LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=1979,fd=10)) LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=17610,fd=9)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=18743,fd=7),("nginx",pid=18726,fd=7)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1105,fd=4)) LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=1979,fd=9))
5、container 网络模式
使用Container网络模式创建的容器需要指定一个已经存在的容器,共享指定容器的网络,不会创建自己的独立网卡也不会配置自己的IP,也不与宿主机共享网络,而是和被指定的容器共享IP和端口范围,因此这个而且不能和被指定的容器有端口冲突,除了网络以外的资源仍保持相互隔离状态,两个容器间的进程可以通过lo网卡进行通信。
Container 网络模式特点
- 使用参数 --network container:容器名称或容器ID 指定
- 与宿主机和其他容器网络隔离
- 与指定容器间共享网络空间
- 适合频繁访问的容器间网络通信
- 直接使用对方网络,较少使用
配置Container模式容器(共享Bridge模式容器网络)
#创建容器nginx-bridge,使用默认网络模式(Bridge) [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx-bridge janzen/nginx-centos7:1.20.1-v2.0 7e05357b5021a7343ef1976eea327812dde68c02097918215484ff629a76b24c [root@Docker-Ubu1804-p11:~]# docker exec -it nginx-bridge bash [root@7e05357b5021 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 26: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.128/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever [root@7e05357b5021 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* users:(("nginx",pid=1,fd=6)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=1,fd=7)) [root@7e05357b5021 /]# exit exit [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "26b9f395f93fbe111f9ebaf387ea433e2e14e6ef4c726648ed6c2a8a6676e374", "Created": "2023-05-03T01:04:57.132159917+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "192.168.17.0/24", "IPRange": "192.168.17.128/30", "Gateway": "192.168.17.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "7e05357b5021a7343ef1976eea327812dde68c02097918215484ff629a76b24c": { "Name": "nginx-bridge", "EndpointID": "572cd7929b5af2bba6c041dbe41bf5d98b2fe4a69b6f268773b7c90233bdf905", "MacAddress": "02:42:c0:a8:11:80", "IPv4Address": "192.168.17.128/24", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] #创建容器,引用容器nginx-bridge网络模式(Bridge) [root@Docker-Ubu1804-p11:~]# docker run -it --name centos --network container:nginx-bridge janzen/centos7:v1.0 bash [root@7e05357b5021 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 26: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:80 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.128/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever [root@7e05357b5021 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:80 [::]:* [root@7e05357b5021 /]# curl 127.0.0.1 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@7e05357b5021 /]# exit
配置Container模式容器(共享Host模式容器网络)
#创建容器nginx-host,使用Host网络模式 [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx-host --network host janzen/nginx-centos7:1.20.1-v2.0 d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a [root@Docker-Ubu1804-p11:~]# docker exec -it nginx-host bash [root@Docker-Ubu1804-p11 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b4:3a:65:43 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:b4ff:fe3a:6543/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* users:(("nginx",pid=1,fd=6)) LISTEN 0 128 127.0.0.53%lo:53 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 127.0.0.1:6010 *:* LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=1,fd=7)) LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 [::1]:6010 [::]:* [root@Docker-Ubu1804-p11 /]# curl 127.0.0.1 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@Docker-Ubu1804-p11 /]# curl 10.0.0.11 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@Docker-Ubu1804-p11 /]# exit exit #创建centos容器,引用nginx-host容器网络 [root@Docker-Ubu1804-p11:~]# docker run -it --name centos --network container:nginx-host janzen/centos7:v1.0 bash [root@Docker-Ubu1804-p11 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b4:3a:65:43 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:b4ff:fe3a:6543/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* LISTEN 0 128 127.0.0.53%lo:53 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 127.0.0.1:6010 *:* LISTEN 0 128 [::]:80 [::]:* LISTEN 0 128 [::]:22 [::]:* LISTEN 0 128 [::1]:6010 [::]:* [root@Docker-Ubu1804-p11 /]# cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 Docker-Ubu1804-p11.janzen.com # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters [root@Docker-Ubu1804-p11 /]# curl 127.0.0.1 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@Docker-Ubu1804-p11 /]# curl 10.0.0.11 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@Docker-Ubu1804-p11 /]# exit exit
[root@Docker-Ubu1804-p11:~]# docker inspect host [ { "Name": "host", "Id": "e33dad33c534de2ab3cddbb789673284f71213e6c692592be1fa9ef48d361212", "Created": "2023-04-23T10:22:38.456506929+08:00", "Scope": "local", "Driver": "host", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a": { "Name": "nginx-host", "EndpointID": "9162522dabdb1c002e80f0eac272c9c532f68b7c799ff74eacf8aab0fada83b2", "MacAddress": "", "IPv4Address": "", "IPv6Address": "" } }, "Options": {}, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# docker inspect nginx-host [ { "Id": "d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a", "Created": "2023-05-02T17:21:52.077607782Z", "Path": "nginx", "Args": [], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 16460, "ExitCode": 0, "Error": "", "StartedAt": "2023-05-02T17:21:52.424335491Z", "FinishedAt": "0001-01-01T00:00:00Z" }, "Image": "sha256:4919aacb5ea0aa5d93a5f386f0df115c74cf774ff2df2bd68caf12b66fee3fe7", "ResolvConfPath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/resolv.conf", "HostnamePath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/hostname", "HostsPath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/hosts", "LogPath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a-json.log", "Name": "/nginx-host", "RestartCount": 0, "Driver": "overlay2", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "docker-default", "ExecIDs": null, "HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "host", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Capabilities": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "private", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": [], "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DeviceCgroupRules": null, "DeviceRequests": null, "KernelMemory": 0, "KernelMemoryTCP": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": false, "PidsLimit": null, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/65b930f040362793b56db76574bc16a8508e4cb5586bc1a3beff3614ce5db5e9-init/diff:/var/lib/docker/overlay2/f8d7a1d5eb0d8502ae92b147370ca2f98a04f499ca8d15b9d64e93f77ddf4f60/diff:/var/lib/docker/overlay2/5d97937e774ff42c6d67fbce8ce268f5d8b517e435a077996a7d7e7807ac0a81/diff", "MergedDir": "/var/lib/docker/overlay2/65b930f040362793b56db76574bc16a8508e4cb5586bc1a3beff3614ce5db5e9/merged", "UpperDir": "/var/lib/docker/overlay2/65b930f040362793b56db76574bc16a8508e4cb5586bc1a3beff3614ce5db5e9/diff", "WorkDir": "/var/lib/docker/overlay2/65b930f040362793b56db76574bc16a8508e4cb5586bc1a3beff3614ce5db5e9/work" }, "Name": "overlay2" }, "Mounts": [], "Config": { "Hostname": "Docker-Ubu1804-p11.janzen.com", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "ExposedPorts": { "443/tcp": {}, "80/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ], "Cmd": null, "Image": "janzen/nginx-centos7:1.20.1-v2.0", "Volumes": null, "WorkingDir": "", "Entrypoint": [ "nginx" ], "OnBuild": null, "Labels": { "author": "janzen<janzen.com>", "description": "Installed nginx-1.20.1-10.el7 by yum", "org.label-schema.build-date": "20201113", "org.label-schema.license": "GPLv2", "org.label-schema.name": "CentOS Base Image", "org.label-schema.schema-version": "1.0", "org.label-schema.vendor": "CentOS", "org.opencontainers.image.created": "2020-11-13 00:00:00+00:00", "org.opencontainers.image.licenses": "GPL-2.0-only", "org.opencontainers.image.title": "CentOS Base Image", "org.opencontainers.image.vendor": "CentOS", "version": "v2.0" } }, "NetworkSettings": { "Bridge": "", "SandboxID": "d991189faf1f97b644805eb5644142e377ffc07a9f77ffb5df43897a12255aa1", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": {}, "SandboxKey": "/var/run/docker/netns/default", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": { "host": { "IPAMConfig": null, "Links": null, "Aliases": null, "NetworkID": "e33dad33c534de2ab3cddbb789673284f71213e6c692592be1fa9ef48d361212", "EndpointID": "9162522dabdb1c002e80f0eac272c9c532f68b7c799ff74eacf8aab0fada83b2", "Gateway": "", "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "", "DriverOpts": null } } } } ] [root@Docker-Ubu1804-p11:~]# docker inspect centos [ { "Id": "8ba2197c8f659751a5bcd2fe253034f2513530490b49ab8544d0c39a83112b8d", "Created": "2023-05-02T17:23:50.562114064Z", "Path": "bash", "Args": [], "State": { "Status": "exited", "Running": false, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 0, "ExitCode": 0, "Error": "", "StartedAt": "2023-05-02T17:23:50.817315423Z", "FinishedAt": "2023-05-02T17:24:59.069363409Z" }, "Image": "sha256:b9d392225b3e0e7a409f577c7100e38c7f3928aa2f38890e1f839c2aa1147335", "ResolvConfPath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/resolv.conf", "HostnamePath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/hostname", "HostsPath": "/var/lib/docker/containers/d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a/hosts", "LogPath": "/var/lib/docker/containers/8ba2197c8f659751a5bcd2fe253034f2513530490b49ab8544d0c39a83112b8d/8ba2197c8f659751a5bcd2fe253034f2513530490b49ab8544d0c39a83112b8d-json.log", "Name": "/centos", "RestartCount": 0, "Driver": "overlay2", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "docker-default", "ExecIDs": null, "HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "container:d38104d63dc27e4e45d12750f44d9e0a31b6dfa6631899d1d76863c864004c4a", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Capabilities": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "private", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": [], "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DeviceCgroupRules": null, "DeviceRequests": null, "KernelMemory": 0, "KernelMemoryTCP": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": false, "PidsLimit": null, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/38ebb17863516ff4dfa147160436d3574642748bbd06ba1461cd2ac5306aefbb-init/diff:/var/lib/docker/overlay2/29086581ca9e32cb946203f99b9831141854a8b22a59ecd79148eb7bbf43ca5d/diff:/var/lib/docker/overlay2/5d97937e774ff42c6d67fbce8ce268f5d8b517e435a077996a7d7e7807ac0a81/diff", "MergedDir": "/var/lib/docker/overlay2/38ebb17863516ff4dfa147160436d3574642748bbd06ba1461cd2ac5306aefbb/merged", "UpperDir": "/var/lib/docker/overlay2/38ebb17863516ff4dfa147160436d3574642748bbd06ba1461cd2ac5306aefbb/diff", "WorkDir": "/var/lib/docker/overlay2/38ebb17863516ff4dfa147160436d3574642748bbd06ba1461cd2ac5306aefbb/work" }, "Name": "overlay2" }, "Mounts": [], "Config": { "Hostname": "Docker-Ubu1804-p11.janzen.com", "Domainname": "", "User": "", "AttachStdin": true, "AttachStdout": true, "AttachStderr": true, "Tty": true, "OpenStdin": true, "StdinOnce": true, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ], "Cmd": [ "bash" ], "Image": "janzen/centos7:v1.0", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": null, "Labels": { "author": "janzen<janzen.com>", "description": "BaseImage by centos7,used repo [Base] [EPEL7] from aliyun", "org.label-schema.build-date": "20201113", "org.label-schema.license": "GPLv2", "org.label-schema.name": "CentOS Base Image", "org.label-schema.schema-version": "1.0", "org.label-schema.vendor": "CentOS", "org.opencontainers.image.created": "2020-11-13 00:00:00+00:00", "org.opencontainers.image.licenses": "GPL-2.0-only", "org.opencontainers.image.title": "CentOS Base Image", "org.opencontainers.image.vendor": "CentOS", "version": "v1.0" } }, "NetworkSettings": { "Bridge": "", "SandboxID": "", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": {}, "SandboxKey": "", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": {} } } ]
配置Container模式容器(共享none模式容器网络)
#创建容器nginx-none,使用none网络模式 [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx-none --network none janzen/nginx-centos7:1.20.1-v2.0 6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d [root@Docker-Ubu1804-p11:~]# docker exec -it nginx-none bash [root@6a52c72b7741 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever [root@6a52c72b7741 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* users:(("nginx",pid=1,fd=6)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=1,fd=7)) [root@6a52c72b7741 /]# curl 127.0.0.1 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@6a52c72b7741 /]# exit exit [root@Docker-Ubu1804-p11:~]# docker inspect nginx-none [ { "Id": "6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d", "Created": "2023-05-02T17:36:48.594135331Z", "Path": "nginx", "Args": [], "State": { "Status": "running", "Running": true, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 17395, "ExitCode": 0, "Error": "", "StartedAt": "2023-05-02T17:36:49.030458044Z", "FinishedAt": "0001-01-01T00:00:00Z" }, "Image": "sha256:4919aacb5ea0aa5d93a5f386f0df115c74cf774ff2df2bd68caf12b66fee3fe7", "ResolvConfPath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/resolv.conf", "HostnamePath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/hostname", "HostsPath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/hosts", "LogPath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d-json.log", "Name": "/nginx-none", "RestartCount": 0, "Driver": "overlay2", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "docker-default", "ExecIDs": null, "HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "none", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Capabilities": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "private", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": [], "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DeviceCgroupRules": null, "DeviceRequests": null, "KernelMemory": 0, "KernelMemoryTCP": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": false, "PidsLimit": null, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/006632eeee685bae39d1681fdc50c32701a92f74d8334c562a36d02520f9febb-init/diff:/var/lib/docker/overlay2/f8d7a1d5eb0d8502ae92b147370ca2f98a04f499ca8d15b9d64e93f77ddf4f60/diff:/var/lib/docker/overlay2/5d97937e774ff42c6d67fbce8ce268f5d8b517e435a077996a7d7e7807ac0a81/diff", "MergedDir": "/var/lib/docker/overlay2/006632eeee685bae39d1681fdc50c32701a92f74d8334c562a36d02520f9febb/merged", "UpperDir": "/var/lib/docker/overlay2/006632eeee685bae39d1681fdc50c32701a92f74d8334c562a36d02520f9febb/diff", "WorkDir": "/var/lib/docker/overlay2/006632eeee685bae39d1681fdc50c32701a92f74d8334c562a36d02520f9febb/work" }, "Name": "overlay2" }, "Mounts": [], "Config": { "Hostname": "6a52c72b7741", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "ExposedPorts": { "443/tcp": {}, "80/tcp": {} }, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ], "Cmd": null, "Image": "janzen/nginx-centos7:1.20.1-v2.0", "Volumes": null, "WorkingDir": "", "Entrypoint": [ "nginx" ], "OnBuild": null, "Labels": { "author": "janzen<janzen.com>", "description": "Installed nginx-1.20.1-10.el7 by yum", "org.label-schema.build-date": "20201113", "org.label-schema.license": "GPLv2", "org.label-schema.name": "CentOS Base Image", "org.label-schema.schema-version": "1.0", "org.label-schema.vendor": "CentOS", "org.opencontainers.image.created": "2020-11-13 00:00:00+00:00", "org.opencontainers.image.licenses": "GPL-2.0-only", "org.opencontainers.image.title": "CentOS Base Image", "org.opencontainers.image.vendor": "CentOS", "version": "v2.0" } }, "NetworkSettings": { "Bridge": "", "SandboxID": "10f8607e15d919e030e92a60003140aa67c8e530e84f86e8f7077cc3b7f5f885", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": {}, "SandboxKey": "/var/run/docker/netns/10f8607e15d9", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": { "none": { "IPAMConfig": null, "Links": null, "Aliases": null, "NetworkID": "71f67764316856316f5c032b8ca69544ed263116280c421094e407dd7d1714f5", "EndpointID": "d0a5fef6438d37efe21a94be63e502ab34eb60b6e3c661a4e78588decbd7c7ed", "Gateway": "", "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "MacAddress": "", "DriverOpts": null } } } } ] [root@Docker-Ubu1804-p11:~]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=17610,fd=10)) LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=905,fd=13)) LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1105,fd=3)) LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=1979,fd=10)) LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=17610,fd=9)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1105,fd=4)) LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=1979,fd=9)) #创建容器centos,引用nginx-none的网络 [root@Docker-Ubu1804-p11:~]# docker run -it --name centos --network container:nginx-none janzen/centos7:v1.0 bash [root@6a52c72b7741 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever [root@6a52c72b7741 /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* LISTEN 0 128 [::]:80 [::]:* [root@6a52c72b7741 /]# ip route [root@6a52c72b7741 /]# curl 127.0.0.1 <h1>nginx-1.20.1 base centOS 7 on docker</h1> [root@6a52c72b7741 /]# ping 10.0.0.11 connect: Network is unreachable [root@6a52c72b7741 /]# ping 192.168.17.1 connect: Network is unreachable [root@6a52c72b7741 /]# exit exit [root@Docker-Ubu1804-p11:~]# docker inspect centos [ { "Id": "5c1d373f2ba769e7740a0203cfb9407c1159740f13e1ef35ad57a3115572ae34", "Created": "2023-05-02T17:41:21.17664639Z", "Path": "bash", "Args": [], "State": { "Status": "exited", "Running": false, "Paused": false, "Restarting": false, "OOMKilled": false, "Dead": false, "Pid": 0, "ExitCode": 2, "Error": "", "StartedAt": "2023-05-02T17:41:21.406835425Z", "FinishedAt": "2023-05-02T17:42:14.560135375Z" }, "Image": "sha256:b9d392225b3e0e7a409f577c7100e38c7f3928aa2f38890e1f839c2aa1147335", "ResolvConfPath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/resolv.conf", "HostnamePath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/hostname", "HostsPath": "/var/lib/docker/containers/6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d/hosts", "LogPath": "/var/lib/docker/containers/5c1d373f2ba769e7740a0203cfb9407c1159740f13e1ef35ad57a3115572ae34/5c1d373f2ba769e7740a0203cfb9407c1159740f13e1ef35ad57a3115572ae34-json.log", "Name": "/centos", "RestartCount": 0, "Driver": "overlay2", "Platform": "linux", "MountLabel": "", "ProcessLabel": "", "AppArmorProfile": "docker-default", "ExecIDs": null, "HostConfig": { "Binds": null, "ContainerIDFile": "", "LogConfig": { "Type": "json-file", "Config": {} }, "NetworkMode": "container:6a52c72b7741fd0fbdb994c8bfb2e161fd7d00d6a72469ec5e2436104ee2e83d", "PortBindings": {}, "RestartPolicy": { "Name": "no", "MaximumRetryCount": 0 }, "AutoRemove": false, "VolumeDriver": "", "VolumesFrom": null, "CapAdd": null, "CapDrop": null, "Capabilities": null, "Dns": [], "DnsOptions": [], "DnsSearch": [], "ExtraHosts": null, "GroupAdd": null, "IpcMode": "private", "Cgroup": "", "Links": null, "OomScoreAdj": 0, "PidMode": "", "Privileged": false, "PublishAllPorts": false, "ReadonlyRootfs": false, "SecurityOpt": null, "UTSMode": "", "UsernsMode": "", "ShmSize": 67108864, "Runtime": "runc", "ConsoleSize": [ 0, 0 ], "Isolation": "", "CpuShares": 0, "Memory": 0, "NanoCpus": 0, "CgroupParent": "", "BlkioWeight": 0, "BlkioWeightDevice": [], "BlkioDeviceReadBps": null, "BlkioDeviceWriteBps": null, "BlkioDeviceReadIOps": null, "BlkioDeviceWriteIOps": null, "CpuPeriod": 0, "CpuQuota": 0, "CpuRealtimePeriod": 0, "CpuRealtimeRuntime": 0, "CpusetCpus": "", "CpusetMems": "", "Devices": [], "DeviceCgroupRules": null, "DeviceRequests": null, "KernelMemory": 0, "KernelMemoryTCP": 0, "MemoryReservation": 0, "MemorySwap": 0, "MemorySwappiness": null, "OomKillDisable": false, "PidsLimit": null, "Ulimits": null, "CpuCount": 0, "CpuPercent": 0, "IOMaximumIOps": 0, "IOMaximumBandwidth": 0, "MaskedPaths": [ "/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi", "/sys/firmware" ], "ReadonlyPaths": [ "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger" ] }, "GraphDriver": { "Data": { "LowerDir": "/var/lib/docker/overlay2/e57543b46cfdae13f6c7705c541f01a73b868ea98bfd50d0e707a767a54a8d70-init/diff:/var/lib/docker/overlay2/29086581ca9e32cb946203f99b9831141854a8b22a59ecd79148eb7bbf43ca5d/diff:/var/lib/docker/overlay2/5d97937e774ff42c6d67fbce8ce268f5d8b517e435a077996a7d7e7807ac0a81/diff", "MergedDir": "/var/lib/docker/overlay2/e57543b46cfdae13f6c7705c541f01a73b868ea98bfd50d0e707a767a54a8d70/merged", "UpperDir": "/var/lib/docker/overlay2/e57543b46cfdae13f6c7705c541f01a73b868ea98bfd50d0e707a767a54a8d70/diff", "WorkDir": "/var/lib/docker/overlay2/e57543b46cfdae13f6c7705c541f01a73b868ea98bfd50d0e707a767a54a8d70/work" }, "Name": "overlay2" }, "Mounts": [], "Config": { "Hostname": "6a52c72b7741", "Domainname": "", "User": "", "AttachStdin": true, "AttachStdout": true, "AttachStderr": true, "Tty": true, "OpenStdin": true, "StdinOnce": true, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ], "Cmd": [ "bash" ], "Image": "janzen/centos7:v1.0", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": null, "Labels": { "author": "janzen<janzen.com>", "description": "BaseImage by centos7,used repo [Base] [EPEL7] from aliyun", "org.label-schema.build-date": "20201113", "org.label-schema.license": "GPLv2", "org.label-schema.name": "CentOS Base Image", "org.label-schema.schema-version": "1.0", "org.label-schema.vendor": "CentOS", "org.opencontainers.image.created": "2020-11-13 00:00:00+00:00", "org.opencontainers.image.licenses": "GPL-2.0-only", "org.opencontainers.image.title": "CentOS Base Image", "org.opencontainers.image.vendor": "CentOS", "version": "v1.0" } }, "NetworkSettings": { "Bridge": "", "SandboxID": "", "HairpinMode": false, "LinkLocalIPv6Address": "", "LinkLocalIPv6PrefixLen": 0, "Ports": {}, "SandboxKey": "", "SecondaryIPAddresses": null, "SecondaryIPv6Addresses": null, "EndpointID": "", "Gateway": "", "GlobalIPv6Address": "", "GlobalIPv6PrefixLen": 0, "IPAddress": "", "IPPrefixLen": 0, "IPv6Gateway": "", "MacAddress": "", "Networks": {} } } ]
6、none 网络模式
配置none模式创建的容器,容器进行任何网络相关配置,不会创建网卡,不会配置IP,没有路由,因此容器无法与外界进行任何通信,需要手动添加网卡,配置IP和路由,因此极少使用
none 网络模式特点
- 使用 --network none 参数指定
- 默认无网络功能,无法与外界通信
配置none模式容器
[root@Docker-Ubu1804-p11:~]# docker run --rm -it --network none janzen/centos7:v1.0 bash [root@d0dfd132f35e /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever [root@d0dfd132f35e /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port [root@d0dfd132f35e /]# ip route [root@d0dfd132f35e /]# ping 192.168.17.1 connect: Network is unreachable [root@d0dfd132f35e /]# exit exit
#none模式端口映射无效(-P 自动映射) [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx-none --network none -P janzen/nginx-centos7:1.20.1-v2.0 2ca8847746fbd56eff8636beca92728d66dc63df9ef44ab264357ba05a716bd4 [root@Docker-Ubu1804-p11:~]# docker port nginx-none [root@Docker-Ubu1804-p11:~]# docker exec -it nginx-none bash [root@2ca8847746fb /]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* users:(("nginx",pid=1,fd=6)) LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=1,fd=7)) [root@2ca8847746fb /]# exit exit #none模式端口映射无效(-p 指定映射) [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx1-none --network none -p 80:80 janzen/nginx-centos7:1.20.1-v2.0 3ad25870f6fa6e91da590a30adba8524d3a6128d5a4f5a9439e9b1925ae02d70 [root@Docker-Ubu1804-p11:~]# docker port nginx1-none [root@Docker-Ubu1804-p11:~]# ss -ntlp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 127.0.0.1:6011 0.0.0.0:* users:(("sshd",pid=17610,fd=10)) LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=905,fd=13)) LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1105,fd=3)) LISTEN 0 128 127.0.0.1:6010 0.0.0.0:* users:(("sshd",pid=1979,fd=10)) LISTEN 0 128 [::1]:6011 [::]:* users:(("sshd",pid=17610,fd=9)) LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1105,fd=4)) LISTEN 0 128 [::1]:6010 [::]:* users:(("sshd",pid=1979,fd=9))
7、自定义网络模式
除了内置的网络模式外,可以自定义网络模式,使用自定义的网络和网关等信息
注意:在 自定义网络内的容器之间可以直接使用容器名进行访问,而无需添加 --link 参数
使用自定义网络模式,实现不同集群应用的独立网络管理,而互不影响,而且在一个网络内可以使用容器名进行容器间的相互访问
Usage: docker network COMMAND Manage networks Commands: connect Connect a container to a network create Create a network disconnect Disconnect a container from a network inspect Display detailed information on one or more networks ls List networks prune Remove all unused networks rm Remove one or more networks Run 'docker network COMMAND --help' for more information on a command.
创建自定义网络
Usage: docker network create [OPTIONS] NETWORK Create a network Options: --attachable Enable manual container attachment --aux-address map Auxiliary IPv4 or IPv6 addresses used by Network driver (default map[]) --config-from string The network from which copying the configuration --config-only Create a configuration only network -d, --driver string Driver to manage the Network (default "bridge") --gateway strings IPv4 or IPv6 Gateway for the master subnet --ingress Create swarm routing-mesh network --internal Restrict external access to the network --ip-range strings Allocate container ip from a sub-range --ipam-driver string IP Address Management Driver (default "default") --ipam-opt map Set IPAM driver specific options (default map[]) --ipv6 Enable IPv6 networking --label list Set metadata on a network -o, --opt map Set driver specific options (default map[]) --scope string Control the network's scope --subnet strings Subnet in CIDR format that represents a network segment
查看自定义网络信息
Usage: docker network inspect [OPTIONS] NETWORK [NETWORK...] Display detailed information on one or more networks Options: -f, --format string Format the output using the given Go template -v, --verbose Verbose output for diagnostics
引用自定义网络
Usage: docker run --network <自定义网络名称> IMAGE [COMMAND] [ARG...] Run a command in a new container Options: --network network Connect a container to a network --network-alias list Add network-scoped alias for the container
容器连接自定义网络
Usage: docker network connect [OPTIONS] NETWORK CONTAINER Connect a container to a network Options: --alias strings Add network-scoped alias for the container --driver-opt strings driver options for the network --ip string IPv4 address (e.g., 172.30.100.104) --ip6 string IPv6 address (e.g., 2001:db8::33) --link list Add link to another container --link-local-ip strings Add a link-local address for the container
Usage: docker network disconnect [OPTIONS] NETWORK CONTAINER
Disconnect a container from a network
Options:
-f, --force Force the container to disconnect from a network
删除自定义网络
Usage: docker network rm NETWORK [NETWORK...] Remove one or more networks Aliases: rm, remove
Usage: docker network prune [OPTIONS] Remove all unused networks Options: --filter filter Provide filter values (e.g. 'until=<timestamp>') -f, --force Do not prompt for confirmation
创建自定义网络,提供给Redis Cluster使用
#创建 redis-bridge 自定义网络 [root@Docker-Ubu1804-p11:~]# docker network create redis-bridge --subnet 172.19.0.0/16 be4e852e66e275fe723a76a81a272c567e9a0831a5e614583b17de959c9889af [root@Docker-Ubu1804-p11:~]# docker network inspect redis-bridge [ { "Name": "redis-bridge", "Id": "be4e852e66e275fe723a76a81a272c567e9a0831a5e614583b17de959c9889af", "Created": "2023-05-03T02:52:26.940859911+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "172.19.0.0/16" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": {}, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:b4:3a:65:43 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:b4ff:fe3a:6543/64 scope link valid_lft forever preferred_lft forever 30: br-be4e852e66e2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:49:4d:d5:42 brd ff:ff:ff:ff:ff:ff inet 172.19.0.1/16 brd 172.19.255.255 scope global br-be4e852e66e2 valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br-be4e852e66e2 8000.0242494dd542 no docker0 8000.0242b43a6543 no
#准备redis配置文件 [root@Docker-Ubu1804-p11:~]# for port in {1..6};do > mkdir -p /data/redis/node-${port}/conf > cat >> /data/redis/node-${port}/conf/redis.conf << EOF > bind 0.0.0.0 > protected-mode yes > port 6379 > tcp-backlog 511 > timeout 0 > tcp-keepalive 300 > daemonize no > supervised no > loglevel notice > databases 16 > always-show-logo no > save 900 1 > save 300 10 > save 60 10000 > stop-writes-on-bgsave-error yes > rdbcompression yes > rdbchecksum yes > masterauth redis > requirepass redis > appendonly yes > cluster-enabled yes > cluster-config-file nodes-6379.conf > cluster-require-full-coverage yes > EOF > done [root@Docker-Ubu1804-p11:~]# tree /data/redis/ /data/redis/ ├── node-1 │ └── conf │ └── redis.conf ├── node-2 │ └── conf │ └── redis.conf ├── node-3 │ └── conf │ └── redis.conf ├── node-4 │ └── conf │ └── redis.conf ├── node-5 │ └── conf │ └── redis.conf └── node-6 └── conf └── redis.conf 12 directories, 6 files [root@Docker-Ubu1804-p11:~]# cat /data/redis/node-1/conf/redis.conf bind 0.0.0.0 protected-mode yes port 6379 tcp-backlog 511 timeout 0 tcp-keepalive 300 daemonize no supervised no loglevel notice databases 16 always-show-logo no save 900 1 save 300 10 save 60 10000 stop-writes-on-bgsave-error yes rdbcompression yes rdbchecksum yes masterauth redis requirepass redis appendonly yes cluster-enabled yes cluster-config-file nodes-6379.conf cluster-require-full-coverage yes
#创建6个redis容器 [root@Docker-Ubu1804-p11:~]# for port in {1..6};do docker run --name redis-${port} -p 637${port}:6379 -p 1637${port}:16379 \ -v /data/redis/node-${port}:/data \ -v /data/redis/node-${port}/conf/redis.conf:/etc/redis/redis.conf \ -d --network redis-bridge --ip 172.19.0.1${port} \ redis:5.0.14-alpine3.14 /usr/local/bin/redis-server /etc/redis/redis.conf done 24a73aa11d8f4bd1fa4417447bc4fa0521dc8792e2afea78ba5d739fe0a17879 585b4d062be0cbbba85741d0c473f24a3563667eff7d6ac7b0d8b5d93b400b13 0b6e026365b350812d1474a28405c2174e61c87381831957e3f08240eb061ee6 33774a5f6a879915d82566deb8bb8dc54a5a4955dbb9aa2c3c9e3ea01e1248eb 73a5815e188d25d7b7b7bbf232fe8275bf39b91aa63fdcced42d1c5b1f02c382 1ecb32d70066fee5bf3d4a789af9615dc7fedd4be117423e3d0306db310465cf [root@Docker-Ubu1804-p11:~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 1ecb32d70066 redis:5.0.14-alpine3.14 "docker-entrypoint.s…" 4 seconds ago Up 3 seconds 0.0.0.0:6376->6379/tcp, 0.0.0.0:16376->16379/tcp redis-6 73a5815e188d redis:5.0.14-alpine3.14 "docker-entrypoint.s…" 5 seconds ago Up 3 seconds 0.0.0.0:6375->6379/tcp, 0.0.0.0:16375->16379/tcp redis-5 33774a5f6a87 redis:5.0.14-alpine3.14 "docker-entrypoint.s…" 5 seconds ago Up 4 seconds 0.0.0.0:6374->6379/tcp, 0.0.0.0:16374->16379/tcp redis-4 0b6e026365b3 redis:5.0.14-alpine3.14 "docker-entrypoint.s…" 6 seconds ago Up 5 seconds 0.0.0.0:6373->6379/tcp, 0.0.0.0:16373->16379/tcp redis-3 585b4d062be0 redis:5.0.14-alpine3.14 "docker-entrypoint.s…" 7 seconds ago Up 5 seconds 0.0.0.0:6372->6379/tcp, 0.0.0.0:16372->16379/tcp redis-2 24a73aa11d8f redis:5.0.14-alpine3.14 "docker-entrypoint.s…" 7 seconds ago Up 6 seconds 0.0.0.0:6371->6379/tcp, 0.0.0.0:16371->16379/tcp redis-1
#创建集群 [root@Docker-Ubu1804-p11:~]# docker exec -it redis-1 sh /data # redis-cli -a redis --cluster create 172.19.0.11:6379 172.19.0.12:6379 172.19.0.13:6379 172.19.0.14:6379 172.19.0.15:6379 172.19.0.16:637 9 --cluster-replicas 1 Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe. >>> Performing hash slots allocation on 6 nodes... Master[0] -> Slots 0 - 5460 Master[1] -> Slots 5461 - 10922 Master[2] -> Slots 10923 - 16383 Adding replica 172.19.0.15:6379 to 172.19.0.11:6379 Adding replica 172.19.0.16:6379 to 172.19.0.12:6379 Adding replica 172.19.0.14:6379 to 172.19.0.13:6379 M: f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379 slots:[0-5460] (5461 slots) master M: 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379 slots:[5461-10922] (5462 slots) master M: e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379 slots:[10923-16383] (5461 slots) master S: 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379 replicates e83e6914d17a2e36fc8fdf5c840c4476215e4100 S: 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379 replicates f578fe23248df984c233f1673e29b0cacf56beab S: 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379 replicates 9b3142d0e075c46cd7793deabf94438adfc38be4 Can I set the above configuration? (type 'yes' to accept): yes >>> Nodes configuration updated >>> Assign a different config epoch to each node >>> Sending CLUSTER MEET messages to join the cluster Waiting for the cluster to join . >>> Performing Cluster Check (using node 172.19.0.11:6379) M: f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379 slots:[0-5460] (5461 slots) master 1 additional replica(s) S: 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379 slots: (0 slots) slave replicates e83e6914d17a2e36fc8fdf5c840c4476215e4100 M: e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379 slots:[10923-16383] (5461 slots) master 1 additional replica(s) S: 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379 slots: (0 slots) slave replicates f578fe23248df984c233f1673e29b0cacf56beab M: 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379 slots:[5461-10922] (5462 slots) master 1 additional replica(s) S: 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379 slots: (0 slots) slave replicates 9b3142d0e075c46cd7793deabf94438adfc38be4 [OK] All nodes agree about slots configuration. >>> Check for open slots... >>> Check slots coverage... [OK] All 16384 slots covered. /data #
#验证效果 [root@Docker-Ubu1804-p11:~]# docker exec -it redis-1 sh /data # redis-cli -a redis -c Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe. 127.0.0.1:6379> CLUSTER INFO cluster_state:ok cluster_slots_assigned:16384 cluster_slots_ok:16384 cluster_slots_pfail:0 cluster_slots_fail:0 cluster_known_nodes:6 cluster_size:3 cluster_current_epoch:6 cluster_my_epoch:1 cluster_stats_messages_ping_sent:256 cluster_stats_messages_pong_sent:251 cluster_stats_messages_sent:507 cluster_stats_messages_ping_received:246 cluster_stats_messages_pong_received:256 cluster_stats_messages_meet_received:5 cluster_stats_messages_received:507 127.0.0.1:6379> 127.0.0.1:6379> cluster nodes 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064053000 4 connected f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 myself,master - 0 1683064053000 1 connected 0-5460 e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064054461 3 connected 10923-16383 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064052000 5 connected 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 master - 0 1683064053000 2 connected 5461-10922 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 slave 9b3142d0e075c46cd7793deabf94438adfc38be4 0 1683064053451 6 connected 127.0.0.1:6379> 127.0.0.1:6379> set key1 value1 -> Redirected to slot [9189] located at 172.19.0.12:6379 OK 172.19.0.12:6379> set key2 value2 -> Redirected to slot [4998] located at 172.19.0.11:6379 OK 172.19.0.11:6379> get key2 "value2" 172.19.0.11:6379>
#模拟故障转移 [root@Docker-Ubu1804-p11:~]# docker stop redis-2 redis-2 [root@Docker-Ubu1804-p11:~]# docker exec -it redis-1 sh /data # redis-cli -a redis -c Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe. 127.0.0.1:6379> cluster nodes 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064282186 4 connected f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 myself,master - 0 1683064280000 1 connected 0-5460 e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064280171 3 connected 10923-16383 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064281180 5 connected 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 master - 1683064277954 1683064275000 2 connected 5461-10922 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 slave 9b3142d0e075c46cd7793deabf94438adfc38be4 0 1683064279164 6 connected 127.0.0.1:6379> cluster nodes 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064286000 4 connected f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 myself,master - 0 1683064285000 1 connected 0-5460 e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064288234 3 connected 10923-16383 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064287227 5 connected 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 master - 1683064277954 1683064275000 2 connected 5461-10922 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 slave 9b3142d0e075c46cd7793deabf94438adfc38be4 0 1683064287000 6 connected 127.0.0.1:6379> cluster nodes 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064292262 4 connected f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 myself,master - 0 1683064292000 1 connected 0-5460 e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064291000 3 connected 10923-16383 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064291254 5 connected 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 master - 1683064277954 1683064275000 2 connected 5461-10922 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 slave 9b3142d0e075c46cd7793deabf94438adfc38be4 0 1683064290246 6 connected 127.0.0.1:6379> cluster nodes 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064297000 4 connected f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 myself,master - 0 1683064297000 1 connected 0-5460 e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064300329 3 connected 10923-16383 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064299320 5 connected 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 master,fail - 1683064277954 1683064275000 2 connected 5461-10922 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 slave 9b3142d0e075c46cd7793deabf94438adfc38be4 0 1683064298313 6 connected 127.0.0.1:6379> cluster nodes 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 myself,master - 0 1683064434000 8 connected 5461-10922
f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 master - 0 1683064434000 1 connected 0-5460
9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 master,fail - 1683064277874 1683064275000 2 connected
e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064434275 3 connected 10923-16383
82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064433267 4 connected
73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064435283 5 connected 127.0.0.1:6379> 127.0.0.1:6379> set key12 value12 -> Redirected to slot [13976] located at 172.19.0.13:6379 OK 172.19.0.13:6379> set key13 value13 -> Redirected to slot [9913] located at 172.19.0.16:6379 OK
#模拟故障恢复 [root@Docker-Ubu1804-p11:~]# docker start redis-2 redis-2 [root@Docker-Ubu1804-p11:~]# docker exec -it redis-1 sh /data # redis-cli -a redis -c Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe. 127.0.0.1:6379> cluster nodes 82c804f83cf76cf4d55452fb60ce8c9f90cce032 172.19.0.14:6379@16379 slave e83e6914d17a2e36fc8fdf5c840c4476215e4100 0 1683064801225 4 connected f578fe23248df984c233f1673e29b0cacf56beab 172.19.0.11:6379@16379 myself,master - 0 1683064802000 1 connected 0-5460 e83e6914d17a2e36fc8fdf5c840c4476215e4100 172.19.0.13:6379@16379 master - 0 1683064804246 3 connected 10923-16383 73564b278ec648e2b7f6fbb8f43e0eacc5dad117 172.19.0.15:6379@16379 slave f578fe23248df984c233f1673e29b0cacf56beab 0 1683064803239 5 connected 9b3142d0e075c46cd7793deabf94438adfc38be4 172.19.0.12:6379@16379 slave 480c27be1f17180ebaba1f6e09d69165555babc5 0 1683064802000 8 connected 480c27be1f17180ebaba1f6e09d69165555babc5 172.19.0.16:6379@16379 master - 0 1683064802233 8 connected 5461-10922 127.0.0.1:6379>
8、同一宿主机之间不同网络的容器通信
创建一个自定义网络 test-net ,使用网段192.168.17.0/24,网关 192.168.17.1/24,开启两个容器分别连接默认网络和自定义网络。由于两个虚拟网桥之间并没有配置相应的访问策略及路由,因此同一宿主机不同网络中的容器无法互相通信
[root@Docker-Ubu1804-p11:~]# docker network create test-net --subnet 192.168.17.1/24 0750c22bc20e92c96a7db7c99c1a3d4d464d7d3c7b9ccd76dc0735389646dbba [root@Docker-Ubu1804-p11:~]# docker network ls NETWORK ID NAME DRIVER SCOPE aed44038b9c9 bridge bridge local e33dad33c534 host host local 71f677643168 none null local 0750c22bc20e test-net bridge local [root@Docker-Ubu1804-p11:~]# docker inspect test-net [ { "Name": "test-net", "Id": "0750c22bc20e92c96a7db7c99c1a3d4d464d7d3c7b9ccd76dc0735389646dbba", "Created": "2023-05-03T17:21:51.837431752+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "192.168.17.1/24" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": {}, "Labels": {} } ]
[root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "aed44038b9c93034aa1369ed67ee185e83d36f1b0b30d5fdfae8bb0cad7bc2f6", "Created": "2023-05-03T17:20:27.242865491+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "IPRange": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ]
#创建连接默认 bridge 的容器 [root@Docker-Ubu1804-p11:~]# docker run --rm -it -h centos-docker0 janzen/centos7:v1.0 bash [root@centos-docker0 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@centos-docker0 /]# ping 192.168.17.1 PING 192.168.17.1 (192.168.17.1) 56(84) bytes of data. 64 bytes from 192.168.17.1: icmp_seq=1 ttl=64 time=0.249 ms 64 bytes from 192.168.17.1: icmp_seq=2 ttl=64 time=0.041 ms 64 bytes from 192.168.17.1: icmp_seq=3 ttl=64 time=0.043 ms 64 bytes from 192.168.17.1: icmp_seq=4 ttl=64 time=0.041 ms ^C --- 192.168.17.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3038ms rtt min/avg/max/mdev = 0.041/0.093/0.249/0.090 ms [root@centos-docker0 /]# ping 192.168.17.2 PING 192.168.17.2 (192.168.17.2) 56(84) bytes of data. ^C --- 192.168.17.2 ping statistics --- 7 packets transmitted, 0 received, 100% packet loss, time 6124ms #创建连接自定义网络 test-net 的容器 [root@Docker-Ubu1804-p11:~]# docker run --rm -it -h centos-test --network test-net janzen/centos7:v1.0 bash [root@centos-test /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.2/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever [root@centos-test /]# ping 172.17.0.1 PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data. 64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.203 ms 64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.044 ms 64 bytes from 172.17.0.1: icmp_seq=3 ttl=64 time=0.064 ms 64 bytes from 172.17.0.1: icmp_seq=4 ttl=64 time=0.045 ms ^C --- 172.17.0.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3052ms rtt min/avg/max/mdev = 0.044/0.089/0.203/0.066 ms [root@centos-test /]# ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data. ^C --- 172.17.0.2 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time 3079ms #查看宿主机网络状态 [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:6b:1a:f7:78 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:6bff:fe1a:f778/64 scope link valid_lft forever preferred_lft forever 5: br-0750c22bc20e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:0e:25:c6:14 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global br-0750c22bc20e valid_lft forever preferred_lft forever inet6 fe80::42:eff:fe25:c614/64 scope link valid_lft forever preferred_lft forever 11: veth3fe9ced@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default link/ether da:03:01:df:93:6b brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::d803:1ff:fedf:936b/64 scope link valid_lft forever preferred_lft forever 13: veth4a677fa@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0750c22bc20e state UP group default link/ether 62:64:89:bc:71:7c brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::6064:89ff:febc:717c/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br-0750c22bc20e 8000.02420e25c614 no veth4a677fa docker0 8000.02426b1af778 no veth3fe9ced
8.1、通过 iptables规则 实现同宿主机不同网络容器通信
#查看当前宿主机网络规则
[root@Docker-Ubu1804-p11:~]# cat /proc/sys/net/ipv4/ip_forward 1 [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br-0750c22bc20e 8000.02420e25c614 no veth4a677fa docker0 8000.02426b1af778 no veth3fe9ced [root@Docker-Ubu1804-p11:~]# iptables -vnL Chain INPUT (policy ACCEPT 1223 packets, 89127 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 11 924 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 11 924 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 957 packets, 98000 bytes) pkts bytes target prot opt in out source destination Chain DOCKER (2 references) pkts bytes target prot opt in out source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 4 336 DOCKER-ISOLATION-STAGE-2 all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 7 588 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (2 references) pkts bytes target prot opt in out source destination 7 588 DROP all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 4 336 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 11 924 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 [root@Docker-Ubu1804-p11:~]# iptables-save # Generated by iptables-save v1.6.1 on Wed May 3 17:37:18 2023 *filter :INPUT ACCEPT [1284:92891] :FORWARD DROP [0:0] :OUTPUT ACCEPT [1016:106068] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o br-0750c22bc20e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o br-0750c22bc20e -j DOCKER -A FORWARD -i br-0750c22bc20e ! -o br-0750c22bc20e -j ACCEPT -A FORWARD -i br-0750c22bc20e -o br-0750c22bc20e -j ACCEPT -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i br-0750c22bc20e ! -o br-0750c22bc20e -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o br-0750c22bc20e -j DROP -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Wed May 3 17:37:18 2023 # Generated by iptables-save v1.6.1 on Wed May 3 17:37:18 2023 *nat :PREROUTING ACCEPT [15:1399] :INPUT ACCEPT [4:475] :OUTPUT ACCEPT [15:1140] :POSTROUTING ACCEPT [15:1140] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.17.0/24 ! -o br-0750c22bc20e -j MASQUERADE -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A DOCKER -i br-0750c22bc20e -j RETURN -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed May 3 17:37:18 2023 #修改iptables策略
##方法一:使用导出规则,修改后重新导入 [root@Docker-Ubu1804-p11:~]# iptables-save > iptables.rule [root@Docker-Ubu1804-p11:~]# sed -i.bak -e "/-A DOCKER-ISOLATION-STAGE-2 -o br-0750c22bc20e -j DROP/c -A DOCKER-ISOLATION-STAGE-2 -o br-0750c22bc20e -j ACCEPT" -e "/-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP/c -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j ACCEPT" iptables.rule [root@Docker-Ubu1804-p11:~]# cat iptables.rule # Generated by iptables-save v1.6.1 on Wed May 3 17:38:47 2023 *filter :INPUT ACCEPT [1336:96193] :FORWARD DROP [0:0] :OUTPUT ACCEPT [1055:111456] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o br-0750c22bc20e -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o br-0750c22bc20e -j DOCKER -A FORWARD -i br-0750c22bc20e ! -o br-0750c22bc20e -j ACCEPT -A FORWARD -i br-0750c22bc20e -o br-0750c22bc20e -j ACCEPT -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i br-0750c22bc20e ! -o br-0750c22bc20e -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o br-0750c22bc20e -j ACCEPT -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Wed May 3 17:38:47 2023 # Generated by iptables-save v1.6.1 on Wed May 3 17:38:47 2023 *nat :PREROUTING ACCEPT [16:1477] :INPUT ACCEPT [5:553] :OUTPUT ACCEPT [15:1140] :POSTROUTING ACCEPT [15:1140] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.17.0/24 ! -o br-0750c22bc20e -j MASQUERADE -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE -A DOCKER -i br-0750c22bc20e -j RETURN -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed May 3 17:38:47 2023 [root@Docker-Ubu1804-p11:~]# iptables-restore < iptables.rule [root@Docker-Ubu1804-p11:~]# iptables -vnL Chain INPUT (policy ACCEPT 24 packets, 1584 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 14 packets, 1352 bytes) pkts bytes target prot opt in out source destination Chain DOCKER (2 references) pkts bytes target prot opt in out source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ##方法二:使用命令模式修改iptables配置 [root@Docker-Ubu1804-p11:~]# iptables -I DOCKER-ISOLATION-STAGE-2 -j ACCEPT [root@Docker-Ubu1804-p11:~]# iptables -vnL Chain INPUT (policy ACCEPT 6 packets, 428 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 3 packets, 420 bytes) pkts bytes target prot opt in out source destination Chain DOCKER (2 references) pkts bytes target prot opt in out source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 [root@Docker-Ubu1804-p11:~]# iptables -vnL Chain INPUT (policy ACCEPT 29 packets, 1864 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 16 1344 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 16 1344 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-0750c22bc20e br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 20 packets, 5784 bytes) pkts bytes target prot opt in out source destination Chain DOCKER (2 references) pkts bytes target prot opt in out source destination Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 8 672 DOCKER-ISOLATION-STAGE-2 all -- br-0750c22bc20e !br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 8 672 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (2 references) pkts bytes target prot opt in out source destination 16 1344 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * br-0750c22bc20e 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 16 1344 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
#容器centos-docker0 [root@centos-docker0 /]# ping 192.168.17.2 PING 192.168.17.2 (192.168.17.2) 56(84) bytes of data. 64 bytes from 192.168.17.2: icmp_seq=1 ttl=63 time=0.097 ms 64 bytes from 192.168.17.2: icmp_seq=2 ttl=63 time=0.054 ms 64 bytes from 192.168.17.2: icmp_seq=3 ttl=63 time=0.054 ms 64 bytes from 192.168.17.2: icmp_seq=4 ttl=63 time=0.057 ms ^C --- 192.168.17.2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3065ms rtt min/avg/max/mdev = 0.054/0.065/0.097/0.019 ms #容器centos-test [root@centos-test /]# ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data. 64 bytes from 172.17.0.2: icmp_seq=1 ttl=63 time=0.051 ms 64 bytes from 172.17.0.2: icmp_seq=2 ttl=63 time=0.068 ms 64 bytes from 172.17.0.2: icmp_seq=3 ttl=63 time=0.140 ms 64 bytes from 172.17.0.2: icmp_seq=4 ttl=63 time=0.053 ms ^C --- 172.17.0.2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3075ms rtt min/avg/max/mdev = 0.051/0.078/0.140/0.036 ms
8.2、通过 docker network connect 实现同宿主机不同容器网络通信
可以使用 docker network connect 将容器连接至其他网络中,实现同宿主机跨网络容器通信
#将容器接入指定网络中,此时该容器可与目标网络中的容器通信 Usage: docker network connect [OPTIONS] NETWORK CONTAINER Connect a container to a network Options: --alias strings Add network-scoped alias for the container --driver-opt strings driver options for the network --ip string IPv4 address (e.g., 172.30.100.104) --ip6 string IPv6 address (e.g., 2001:db8::33) --link list Add link to another container --link-local-ip strings Add a link-local address for the container #断开容器已接入的指定网络中,此时该容器与目标网络中的容器无法通信 Usage: docker network disconnect [OPTIONS] NETWORK CONTAINER Disconnect a container from a network Options: -f, --force Force the container to disconnect from a network
#查看当前docker网络信息 [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "aed44038b9c93034aa1369ed67ee185e83d36f1b0b30d5fdfae8bb0cad7bc2f6", "Created": "2023-05-03T17:20:27.242865491+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "IPRange": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "20461eb1dd605eae1556b79293315715443171e4d9d09b7fe161484943be756d": { "Name": "brave_nash", "EndpointID": "9c1b08da3cb9f0b0afcd79bf725a8682295f612b8c475b9d7b0071ab46138323", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# docker inspect test-net [ { "Name": "test-net", "Id": "0750c22bc20e92c96a7db7c99c1a3d4d464d7d3c7b9ccd76dc0735389646dbba", "Created": "2023-05-03T17:21:51.837431752+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "192.168.17.1/24" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "e806c605a0359251b2f1a77e7dcf9207d0669947f91825826a3ef4e196a7ee68": { "Name": "interesting_clarke", "EndpointID": "c23bf545016fe4f9b5602516da617ba210a7faf345ac9f6f56dee0c3ecd48b90", "MacAddress": "02:42:c0:a8:11:02", "IPv4Address": "192.168.17.2/24", "IPv6Address": "" } }, "Options": {}, "Labels": {} } ]
#将容器 centos-docker0 加入网络test-net [root@Docker-Ubu1804-p11:~]# docker network connect test-net 20461eb1dd60 [root@Docker-Ubu1804-p11:~]# docker inspect test-net [ { "Name": "test-net", "Id": "0750c22bc20e92c96a7db7c99c1a3d4d464d7d3c7b9ccd76dc0735389646dbba", "Created": "2023-05-03T17:21:51.837431752+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "192.168.17.1/24" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "20461eb1dd605eae1556b79293315715443171e4d9d09b7fe161484943be756d": { "Name": "brave_nash", "EndpointID": "dff4ba125f1ff51830bc575bcac51850170109223678144b077b319ebeca9c43", "MacAddress": "02:42:c0:a8:11:03", "IPv4Address": "192.168.17.3/24", "IPv6Address": "" }, "e806c605a0359251b2f1a77e7dcf9207d0669947f91825826a3ef4e196a7ee68": { "Name": "interesting_clarke", "EndpointID": "c23bf545016fe4f9b5602516da617ba210a7faf345ac9f6f56dee0c3ecd48b90", "MacAddress": "02:42:c0:a8:11:02", "IPv4Address": "192.168.17.2/24", "IPv6Address": "" } }, "Options": {}, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# #容器centos-docker0 中新增一张 192.168.18.3 网卡 [root@centos-docker0 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever 14: eth1@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.3/24 brd 192.168.17.255 scope global eth1 valid_lft forever preferred_lft forever [root@centos-docker0 /]# ping 192.168.17.2 PING 192.168.17.2 (192.168.17.2) 56(84) bytes of data. 64 bytes from 192.168.17.2: icmp_seq=1 ttl=64 time=0.331 ms 64 bytes from 192.168.17.2: icmp_seq=2 ttl=64 time=0.048 ms 64 bytes from 192.168.17.2: icmp_seq=3 ttl=64 time=0.051 ms 64 bytes from 192.168.17.2: icmp_seq=4 ttl=64 time=0.102 ms ^C --- 192.168.17.2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3066ms rtt min/avg/max/mdev = 0.048/0.133/0.331/0.116 ms #容器centos-test 没有发生变化,依旧无法访问 172.17.0.2 [root@centos-test /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.2/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever [root@centos-test /]# ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data. ^C --- 172.17.0.2 ping statistics --- 5 packets transmitted, 0 received, 100% packet loss, time 4082ms
#将容器 centos-test 接入bridge网络 [root@Docker-Ubu1804-p11:~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e806c605a035 janzen/centos7:v1.0 "bash" 51 minutes ago Up 51 minutes interesting_clarke 20461eb1dd60 janzen/centos7:v1.0 "bash" 52 minutes ago Up 52 minutes brave_nash [root@Docker-Ubu1804-p11:~]# docker network connect bridge e806c605a035 [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "aed44038b9c93034aa1369ed67ee185e83d36f1b0b30d5fdfae8bb0cad7bc2f6", "Created": "2023-05-03T17:20:27.242865491+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "IPRange": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "20461eb1dd605eae1556b79293315715443171e4d9d09b7fe161484943be756d": { "Name": "brave_nash", "EndpointID": "9c1b08da3cb9f0b0afcd79bf725a8682295f612b8c475b9d7b0071ab46138323", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" }, "e806c605a0359251b2f1a77e7dcf9207d0669947f91825826a3ef4e196a7ee68": { "Name": "interesting_clarke", "EndpointID": "0ea73b1e57c6ce86b4b1a095510a4822e0fd5e2726fee669c839c7d8a2682e53", "MacAddress": "02:42:ac:11:00:03", "IPv4Address": "172.17.0.3/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# #容器centos-test生成 172.17.0.3 网卡 [root@centos-test /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.2/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever 16: eth1@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.3/16 brd 172.17.255.255 scope global eth1 valid_lft forever preferred_lft forever [root@centos-test /]# ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data. 64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.120 ms 64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.049 ms 64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.053 ms 64 bytes from 172.17.0.2: icmp_seq=4 ttl=64 time=0.054 ms ^C --- 172.17.0.2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3067ms rtt min/avg/max/mdev = 0.049/0.069/0.120/0.029 ms
#此时宿主机网络 [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:6b:1a:f7:78 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:6bff:fe1a:f778/64 scope link valid_lft forever preferred_lft forever 5: br-0750c22bc20e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:0e:25:c6:14 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global br-0750c22bc20e valid_lft forever preferred_lft forever inet6 fe80::42:eff:fe25:c614/64 scope link valid_lft forever preferred_lft forever 11: veth3fe9ced@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default link/ether da:03:01:df:93:6b brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::d803:1ff:fedf:936b/64 scope link valid_lft forever preferred_lft forever 13: veth4a677fa@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0750c22bc20e state UP group default link/ether 62:64:89:bc:71:7c brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::6064:89ff:febc:717c/64 scope link valid_lft forever preferred_lft forever 15: vethe93068a@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0750c22bc20e state UP group default link/ether 92:23:14:f4:3d:fe brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::9023:14ff:fef4:3dfe/64 scope link valid_lft forever preferred_lft forever 17: vethd761ab8@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default link/ether 82:a5:c9:f7:c4:c5 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::80a5:c9ff:fef7:c4c5/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br-0750c22bc20e 8000.02420e25c614 no veth4a677fa vethe93068a docker0 8000.02426b1af778 no veth3fe9ced vethd761ab8
#断开容器与网络连接 [root@Docker-Ubu1804-p11:~]# docker network disconnect test-net 20461eb1dd60 [root@Docker-Ubu1804-p11:~]# docker network disconnect bridge e806c605a035 [root@Docker-Ubu1804-p11:~]# docker inspect test-net [ { "Name": "test-net", "Id": "0750c22bc20e92c96a7db7c99c1a3d4d464d7d3c7b9ccd76dc0735389646dbba", "Created": "2023-05-03T17:21:51.837431752+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": {}, "Config": [ { "Subnet": "192.168.17.1/24" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "e806c605a0359251b2f1a77e7dcf9207d0669947f91825826a3ef4e196a7ee68": { "Name": "interesting_clarke", "EndpointID": "c23bf545016fe4f9b5602516da617ba210a7faf345ac9f6f56dee0c3ecd48b90", "MacAddress": "02:42:c0:a8:11:02", "IPv4Address": "192.168.17.2/24", "IPv6Address": "" } }, "Options": {}, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "aed44038b9c93034aa1369ed67ee185e83d36f1b0b30d5fdfae8bb0cad7bc2f6", "Created": "2023-05-03T17:20:27.242865491+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.0.0/16", "IPRange": "172.17.0.0/16", "Gateway": "172.17.0.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": { "20461eb1dd605eae1556b79293315715443171e4d9d09b7fe161484943be756d": { "Name": "brave_nash", "EndpointID": "9c1b08da3cb9f0b0afcd79bf725a8682295f612b8c475b9d7b0071ab46138323", "MacAddress": "02:42:ac:11:00:02", "IPv4Address": "172.17.0.2/16", "IPv6Address": "" } }, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] [root@Docker-Ubu1804-p11:~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d7:ff:18 brd ff:ff:ff:ff:ff:ff inet 10.0.0.11/24 brd 10.0.0.255 scope global ens33 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed7:ff18/64 scope link valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:6b:1a:f7:78 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:6bff:fe1a:f778/64 scope link valid_lft forever preferred_lft forever 5: br-0750c22bc20e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:0e:25:c6:14 brd ff:ff:ff:ff:ff:ff inet 192.168.17.1/24 brd 192.168.17.255 scope global br-0750c22bc20e valid_lft forever preferred_lft forever inet6 fe80::42:eff:fe25:c614/64 scope link valid_lft forever preferred_lft forever 11: veth3fe9ced@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default link/ether da:03:01:df:93:6b brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::d803:1ff:fedf:936b/64 scope link valid_lft forever preferred_lft forever 13: veth4a677fa@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0750c22bc20e state UP group default link/ether 62:64:89:bc:71:7c brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::6064:89ff:febc:717c/64 scope link valid_lft forever preferred_lft forever [root@Docker-Ubu1804-p11:~]# brctl show bridge name bridge id STP enabled interfaces br-0750c22bc20e 8000.02420e25c614 no veth4a677fa docker0 8000.02426b1af778 no veth3fe9ced #容器centos-docker [root@centos-docker0 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@centos-docker0 /]# ping 192.168.17.2 PING 192.168.17.2 (192.168.17.2) 56(84) bytes of data. ^C --- 192.168.17.2 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1013ms [root@centos-docker0 /]# #容器centos-test [root@centos-test /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:c0:a8:11:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.168.17.2/24 brd 192.168.17.255 scope global eth0 valid_lft forever preferred_lft forever [root@centos-test /]# ping 172.17.0.2 PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data. ^C --- 172.17.0.2 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1019ms [root@centos-test /]#
四、跨宿主机容器互联
1、桥接模式实现跨宿主机容器通信
桥接模式是将宿主机网卡添加至 docker0 网桥中,实现宿主机
#安装 bridge-utils 工具
apt install -y bridge-utils
#将宿主机网卡ens33添加至docker0网桥中(此操作会导致宿主机原IP地址不可用) brctl addif docker0 ens33
#将宿主机网卡ens33移出docker0网桥
brctl delif docker0 ens33
2、NAT模式实现跨宿主机容器通信
实现原理是在宿主机上配置到对端容器网段的路由及iptables规则,适用小型环境内,大型环境请使用k8s
2.1、修改宿主机Docker默认网段
##修改ubuntu宿主机Docker默认网段配置 [root@Docker-Ubu1804-p11:~]# vim /etc/docker/daemon.json [root@Docker-Ubu1804-p11:~]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://hub-mirror.c.163.com","https://po3g231a.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"], "bip": "172.17.1.1/24", "fixed-cidr": "172.17.1.0/24" } [root@Docker-Ubu1804-p11:~]# systemctl restart docker [root@Docker-Ubu1804-p11:~]# docker inspect bridge [ { "Name": "bridge", "Id": "8c663d87bd5010eefaad6d49c5b21d4d4da4032a3e68a6ee67a319323a979739", "Created": "2023-05-03T21:22:37.077141317+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.1.0/24", "IPRange": "172.17.1.0/24", "Gateway": "172.17.1.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ] ##修改centos宿主机Docker默认网络配置 [root@Template-CentOS7-7 ~]# vim /etc/docker/daemon.json [root@Template-CentOS7-7 ~]# cat /etc/docker/daemon.json { "registry-mirrors": ["https://hub-mirror.c.163.com","https://po3g231a.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"], "bip": "172.17.2.1/24", "fixed-cidr": "172.17.2.0/24" } [root@Template-CentOS7-7 ~]# systemctl restart docker [root@Template-CentOS7-7 ~]# docker inspect bridge [ { "Name": "bridge", "Id": "4580d8525f9457ccc157fd1d12bd9fc234712eedc5c4b4fea51867131e69ac6f", "Created": "2023-05-03T21:30:17.34039947+08:00", "Scope": "local", "Driver": "bridge", "EnableIPv6": false, "IPAM": { "Driver": "default", "Options": null, "Config": [ { "Subnet": "172.17.2.0/24", "IPRange": "172.17.2.0/24", "Gateway": "172.17.2.1" } ] }, "Internal": false, "Attachable": false, "Ingress": false, "ConfigFrom": { "Network": "" }, "ConfigOnly": false, "Containers": {}, "Options": { "com.docker.network.bridge.default_bridge": "true", "com.docker.network.bridge.enable_icc": "true", "com.docker.network.bridge.enable_ip_masquerade": "true", "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", "com.docker.network.bridge.name": "docker0", "com.docker.network.driver.mtu": "1500" }, "Labels": {} } ]
2.2、在宿主机上运行容器
##分别在两台宿主机上运行容器 [root@Docker-Ubu1804-p11:~]# docker run -d --name nginx-1 janzen/nginx-centos7:1.20.1-v2.0 5bef36b85ba92a06992060169632641a65bee347eabe98ce138b6377fd4b62dd [root@Docker-Ubu1804-p11:~]# docker exec -it nginx-1 bash [root@5bef36b85ba9 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:01:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.1.2/24 brd 172.17.1.255 scope global eth0 valid_lft forever preferred_lft forever [root@5bef36b85ba9 /]# ping 172.17.2.2 PING 172.17.2.2 (172.17.2.2) 56(84) bytes of data. ^C --- 172.17.2.2 ping statistics --- 12 packets transmitted, 0 received, 100% packet loss, time 11269ms [root@Template-CentOS7-7 ~]# docker run -d --name nginx-2 janzen/nginx-centos7:1.20.1-v2.0 ed9405026cba8e8723b61a58e04a2bbeb3499ca5dfbd492d75cd3a7c4562cca0 [root@Template-CentOS7-7 ~]# docker exec -it nginx-2 bash [root@ed9405026cba /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:11:02:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.17.2.2/24 brd 172.17.2.255 scope global eth0 valid_lft forever preferred_lft forever [root@ed9405026cba /]# ping 172.17.1.2 PING 172.17.1.2 (172.17.1.2) 56(84) bytes of data. ^C --- 172.17.1.2 ping statistics --- 7 packets transmitted, 0 received, 100% packet loss, time 6002ms
2.3、在宿主机上配置 路由和iptables策略
##在Ubuntu宿主机上配置route 和 iptables 规则 [root@Docker-Ubu1804-p11:~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 ens33 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33 172.17.1.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 [root@Docker-Ubu1804-p11:~]# route add -net 172.17.2.0/24 gw 10.0.0.7 [root@Docker-Ubu1804-p11:~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.254 0.0.0.0 UG 0 0 0 ens33 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33 172.17.1.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 172.17.2.0 10.0.0.7 255.255.255.0 UG 0 0 0 ens33 [root@Docker-Ubu1804-p11:~]# iptables-save # Generated by iptables-save v1.6.1 on Wed May 3 21:41:08 2023 *filter :INPUT ACCEPT [499:33958] :FORWARD DROP [0:0] :OUTPUT ACCEPT [335:36456] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Wed May 3 21:41:08 2023 # Generated by iptables-save v1.6.1 on Wed May 3 21:41:08 2023 *nat :PREROUTING ACCEPT [5:698] :INPUT ACCEPT [4:614] :OUTPUT ACCEPT [3:228] :POSTROUTING ACCEPT [3:228] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.1.0/24 ! -o docker0 -j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed May 3 21:41:08 2023 [root@Docker-Ubu1804-p11:~]# iptables -A FORWARD -s 10.0.0.0/8 -j ACCEPT [root@Docker-Ubu1804-p11:~]# iptables-save # Generated by iptables-save v1.6.1 on Wed May 3 21:42:18 2023 *filter :INPUT ACCEPT [6:428] :FORWARD DROP [0:0] :OUTPUT ACCEPT [4:512] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A FORWARD -s 10.0.0.0/8 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Wed May 3 21:42:18 2023 # Generated by iptables-save v1.6.1 on Wed May 3 21:42:18 2023 *nat :PREROUTING ACCEPT [5:698] :INPUT ACCEPT [4:614] :OUTPUT ACCEPT [3:228] :POSTROUTING ACCEPT [3:228] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.1.0/24 ! -o docker0 -j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed May 3 21:42:18 2023
##在Centos宿主机上配置路由和iptables策略 [root@Template-CentOS7-7 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.254 0.0.0.0 UG 100 0 0 ens33 10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 172.17.2.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 [root@Template-CentOS7-7 ~]# route add -net 172.17.1.0/24 gw 10.0.0.11 [root@Template-CentOS7-7 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.0.0.254 0.0.0.0 UG 100 0 0 ens33 10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 172.17.1.0 10.0.0.11 255.255.255.0 UG 0 0 0 ens33 172.17.2.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 [root@Template-CentOS7-7 ~]# iptables-save # Generated by iptables-save v1.4.21 on Wed May 3 21:48:09 2023 *filter :INPUT ACCEPT [898:1198629] :FORWARD DROP [0:0] :OUTPUT ACCEPT [655:77221] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Wed May 3 21:48:09 2023 # Generated by iptables-save v1.4.21 on Wed May 3 21:48:09 2023 *nat :PREROUTING ACCEPT [3:391] :INPUT ACCEPT [2:307] :OUTPUT ACCEPT [8:552] :POSTROUTING ACCEPT [8:552] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.2.0/24 ! -o docker0 -j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed May 3 21:48:09 2023 [root@Template-CentOS7-7 ~]# iptables -A FORWARD -s 10.0.0.0/8 -j ACCEPT [root@Template-CentOS7-7 ~]# iptables-save # Generated by iptables-save v1.4.21 on Wed May 3 21:48:49 2023 *filter :INPUT ACCEPT [6:428] :FORWARD DROP [0:0] :OUTPUT ACCEPT [3:452] :DOCKER - [0:0] :DOCKER-ISOLATION-STAGE-1 - [0:0] :DOCKER-ISOLATION-STAGE-2 - [0:0] :DOCKER-USER - [0:0] -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o docker0 -j DOCKER -A FORWARD -i docker0 ! -o docker0 -j ACCEPT -A FORWARD -i docker0 -o docker0 -j ACCEPT -A FORWARD -s 10.0.0.0/8 -j ACCEPT -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN -A DOCKER-USER -j RETURN COMMIT # Completed on Wed May 3 21:48:49 2023 # Generated by iptables-save v1.4.21 on Wed May 3 21:48:49 2023 *nat :PREROUTING ACCEPT [3:391] :INPUT ACCEPT [2:307] :OUTPUT ACCEPT [8:552] :POSTROUTING ACCEPT [8:552] :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.2.0/24 ! -o docker0 -j MASQUERADE -A DOCKER -i docker0 -j RETURN COMMIT # Completed on Wed May 3 21:48:49 2023
2.4、跨宿主机容器通信验证
#进入Ubuntu上的容器验证跨宿主机容器通信 [root@Docker-Ubu1804-p11:~]# docker exec -it nginx-1 bash [root@5bef36b85ba9 /]# ping -c5 172.17.2.2 PING 172.17.2.2 (172.17.2.2) 56(84) bytes of data. 64 bytes from 172.17.2.2: icmp_seq=1 ttl=62 time=3.06 ms 64 bytes from 172.17.2.2: icmp_seq=2 ttl=62 time=0.878 ms 64 bytes from 172.17.2.2: icmp_seq=3 ttl=62 time=2.96 ms 64 bytes from 172.17.2.2: icmp_seq=4 ttl=62 time=1.08 ms 64 bytes from 172.17.2.2: icmp_seq=5 ttl=62 time=1.44 ms --- 172.17.2.2 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4007ms rtt min/avg/max/mdev = 0.878/1.887/3.066/0.940 ms [root@5bef36b85ba9 /]# #进入Centos上的容器验证跨宿主机容器通信 [root@Template-CentOS7-7 ~]# docker exec -it nginx-2 bash [root@ed9405026cba /]# ping -c5 172.17.1.2 PING 172.17.1.2 (172.17.1.2) 56(84) bytes of data. 64 bytes from 172.17.1.2: icmp_seq=1 ttl=62 time=0.630 ms 64 bytes from 172.17.1.2: icmp_seq=2 ttl=62 time=0.482 ms 64 bytes from 172.17.1.2: icmp_seq=3 ttl=62 time=1.02 ms 64 bytes from 172.17.1.2: icmp_seq=4 ttl=62 time=0.514 ms 64 bytes from 172.17.1.2: icmp_seq=5 ttl=62 time=0.652 ms --- 172.17.1.2 ping statistics --- 5 packets transmitted, 5 received, 0% packet loss, time 4005ms rtt min/avg/max/mdev = 0.482/0.660/1.023/0.193 ms [root@ed9405026cba /]#
使用tcpdump观察数据包
#使用tcpdump观察其他宿主机容器ping本机上的容器时的数据包 [root@Docker-Ubu1804-p11:~]# tcpdump -i ens33 -nn icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 21:55:29.872379 IP 10.0.0.7 > 172.17.1.2: ICMP echo request, id 49, seq 1, length 64 21:55:29.872628 IP 172.17.1.2 > 10.0.0.7: ICMP echo reply, id 49, seq 1, length 64 21:55:30.873955 IP 10.0.0.7 > 172.17.1.2: ICMP echo request, id 49, seq 2, length 64 21:55:30.874150 IP 172.17.1.2 > 10.0.0.7: ICMP echo reply, id 49, seq 2, length 64 21:55:31.876447 IP 10.0.0.7 > 172.17.1.2: ICMP echo request, id 49, seq 3, length 64 21:55:31.876895 IP 172.17.1.2 > 10.0.0.7: ICMP echo reply, id 49, seq 3, length 64 21:55:32.878403 IP 10.0.0.7 > 172.17.1.2: ICMP echo request, id 49, seq 4, length 64 21:55:32.878568 IP 172.17.1.2 > 10.0.0.7: ICMP echo reply, id 49, seq 4, length 64 21:55:33.880535 IP 10.0.0.7 > 172.17.1.2: ICMP echo request, id 49, seq 5, length 64 21:55:33.880691 IP 172.17.1.2 > 10.0.0.7: ICMP echo reply, id 49, seq 5, length 64 [root@Template-CentOS7-7 ~]# tcpdump -i ens33 -nn icmp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes 21:57:49.861582 IP 10.0.0.11 > 172.17.2.2: ICMP echo request, id 86, seq 1, length 64 21:57:49.861766 IP 172.17.2.2 > 10.0.0.11: ICMP echo reply, id 86, seq 1, length 64 21:57:50.864162 IP 10.0.0.11 > 172.17.2.2: ICMP echo request, id 86, seq 2, length 64 21:57:50.864351 IP 172.17.2.2 > 10.0.0.11: ICMP echo reply, id 86, seq 2, length 64 21:57:51.865893 IP 10.0.0.11 > 172.17.2.2: ICMP echo request, id 86, seq 3, length 64 21:57:51.865991 IP 172.17.2.2 > 10.0.0.11: ICMP echo reply, id 86, seq 3, length 64 21:57:52.886136 IP 10.0.0.11 > 172.17.2.2: ICMP echo request, id 86, seq 4, length 64 21:57:52.886323 IP 172.17.2.2 > 10.0.0.11: ICMP echo reply, id 86, seq 4, length 64 21:57:53.888046 IP 10.0.0.11 > 172.17.2.2: ICMP echo request, id 86, seq 5, length 64 21:57:53.888166 IP 172.17.2.2 > 10.0.0.11: ICMP echo reply, id 86, seq 5, length 64