docker入门之容器网络

docker入门之容器网络

一、网络命名空间

1）IP命令

查看ip命令所属软件包是否已经安装

[root@node2 ~]# rpm -qa iproute
iproute-3.10.0-87.el7.x86_64
[root@node2 ~]# 

1.ip netns命令

ip netns ，查看 ip netns 命令的帮助。

[root@node2 ~]# ip netns help
Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id
[root@node2 ~]# 

ip netns list ：查看命名空间

ip netns add Name ：添加命名空间

ip netns set Name Netnsid ：设置命名空间

ip netns exec Name command ：在命名空间中执行命令

2.ip link命令

ip link 命令可以用来创建虚拟的网卡对，一个命名空间如果没有网卡，那么就只有一个lo接口存在。

[root@node2 ~]# ip link help
Usage: ip link add [link DEV] [ name ] NAME
                   [ txqueuelen PACKETS ]
                   [ address LLADDR ]
                   [ broadcast LLADDR ]
                   [ mtu MTU ]
                   [ numtxqueues QUEUE_COUNT ]
                   [ numrxqueues QUEUE_COUNT ]
                   type TYPE [ ARGS ]
       ip link delete { DEVICE | dev DEVICE | group DEVGROUP } type TYPE [ ARGS ]

       ip link set { DEVICE | dev DEVICE | group DEVGROUP }
                      [ { up | down } ]
                      [ type TYPE ARGS ]
                      [ arp { on | off } ]
                      [ dynamic { on | off } ]
                      [ multicast { on | off } ]
                      [ allmulticast { on | off } ]
                      [ promisc { on | off } ]
                      [ trailers { on | off } ]
                      [ txqueuelen PACKETS ]
                      [ name NEWNAME ]
                      [ address LLADDR ]
                      [ broadcast LLADDR ]
                      [ mtu MTU ]
                      [ netns { PID | NAME } ]
                      [ link-netnsid ID ]
              [ alias NAME ]
                      [ vf NUM [ mac LLADDR ]
                   [ vlan VLANID [ qos VLAN-QOS ] ]
                   [ rate TXRATE ]
                   [ max_tx_rate TXRATE ]
                   [ min_tx_rate TXRATE ]
                   [ spoofchk { on | off} ]
                   [ query_rss { on | off} ]
                   [ state { auto | enable | disable} ] ]
                   [ trust { on | off} ] ]
              [ master DEVICE ]
              [ nomaster ]
              [ addrgenmode { eui64 | none } ]
                      [ protodown { on | off } ]
       ip link show [ DEVICE | group GROUP ] [up] [master DEV] [type TYPE]
       ip link help [ TYPE ]

TYPE := { vlan | veth | vcan | dummy | ifb | macvlan | macvtap |
          bridge | bond | ipoib | ip6tnl | ipip | sit | vxlan |
          gre | gretap | ip6gre | ip6gretap | vti | nlmon |
          bond_slave | geneve | bridge_slave | macsec }
[root@node2 ~]# 

ip link show ：查看所有的链路

ip link add ：创建虚拟网卡对

ip link set ：设置链路

2）实例

1.创建两个命名空间 r1 和 r2 ：

[root@node2 ~]# ip netns add r1
[root@node2 ~]# ip netns add r2
[root@node2 ~]# ip netns list
r2
r1
[root@node2 ~]# 

2.查看命名空间 r1 的ip地址

[root@node2 ~]# ip netns exec r1 ifconfig
[root@node2 ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node2 ~]# 

3.创建一个网卡对 veth1.1 和 veth1.2

[root@node2 ~]# ip link add name veth1.1 type veth peer name veth1.2
[root@node2 ~]# ip link show | grep veth
5: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
6: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
[root@node2 ~]# 

4.将 veth1.1 加入网络命名空间 r1

[root@node2 ~]# ip link set dev veth1.1 netns r1
[root@node2 ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth1.1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether c6:06:a4:0f:ba:91  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node2 ~]# 

5.重命名r1中的veth1.1为eth0

[root@node2 ~]# ip netns exec r1 ip link set dev veth1.1 name eth0
[root@node2 ~]# ip netns exec r1  ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether c6:06:a4:0f:ba:91  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node2 ~]# 

6.为命名空间r1中的eth0设置ip地址，并激活

[root@node2 ~]# ip netns exec r1 ifconfig eth0 192.168.0.1/24 up
[root@node2 ~]# ip netns exec r1 ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.0  broadcast 192.168.0.255
        ether c6:06:a4:0f:ba:91  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node2 ~]# 

7.为veth1.1的对端veth1.2配置ip地址并激活

[root@node2 ~]# ip link show | grep veth
5: veth1.2@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
[root@node2 ~]# ifconfig veth1.2 192.168.0.2/24 up
[root@node2 ~]# ifconfig veth1.2
veth1.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.2  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::c873:1fff:fe9e:90f6  prefixlen 64  scopeid 0x20<link>
        ether ca:73:1f:9e:90:f6  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 26  bytes 3856 (3.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@node2 ~]# 

8.在命名空间r1中，测试是否能ping宿主机的地址

[root@node2 ~]# ip netns exec r1 ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=0.032 ms
64 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=0.039 ms
^C
--- 192.168.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.032/0.040/0.051/0.010 ms
[root@node2 ~]#  

二、网络模型

1.封闭式容器 — 只有lo接口

2.桥接式容器 — 默认模式 有lo接口，有eth0接口，可以对外通信

3.联盟式容器 — 两个名称空间共享net ipc

联盟式网络创建：

[root@localhost ~]# docker run --name b1 -it --rm busybox
/ # 
[root@localhost ~]# docker run --name b2 --network container:b1 -it --rm busybox
/ # 

查看b1和b2时，会发现ip是一样的

三、容器中常见的网络操作

1）指定网络模式

–network

[root@localhost ~]# docker network help

Usage:    docker network COMMAND

Manage networks

Commands:
  connect     Connect a container to a network
  create      Create a network
  disconnect  Disconnect a container from a network
  inspect     Display detailed information on one or more networks
  ls          List networks
  prune       Remove all unused networks
  rm          Remove one or more networks

Run 'docker network COMMAND --help' for more information on a command.
[root@localhost ~]# 

指定容器t1的网络模式为桥接模式

[root@localhost ~]# docker run --name t1 -it --network bridge --rm busybox
/ # ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
27: eth0@if28: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # 

2）指定容器的dns地址和hosts解析

查看容器t1的hosts文件

/ # cat /etc/hosts
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
192.168.1.2    f2fb5f32bdb2
/ # 

查看容器t1的dns服务器地址

/ # cat /etc/resolv.conf 
nameserver 8.8.8.8
/ # 

在创建容器时指定hostname和dns地址以及hosts解析地址

[root@localhost ~]# docker run --name t1 --hostname t1 --add-host www.arppinging.com:1.1.1.1 --dns 114.114.114.114 -it --network bridge --rm busybox
/ # cat /etc/resolv.conf 
nameserver 114.114.114.114
/ # cat /etc/hosts
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
1.1.1.1    www.arppinging.com
192.168.1.2    t1
/ # 

3）端口映射

如果容器中的应用需要被访问，那么可以使用通过以下方式实现：

1.network模式使用host

2.端口映射

指定network模式使用host

[root@localhost ~]# docker run --name t1 -it -d --network host --rm nginx
524349e018aabe9702c3f033cdd28f92c8970d41632a90820356474dcf843e13
[root@localhost ~]# 

使用node2访问容器服务

[root@node2 ~]# curl -o  - -p 192.168.100.75
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node2 ~]# 

端口映射

-p选项：

-p 将指定的容器端口映射至主机所有地址的一个动态端口

[root@localhost ~]# docker run --name t1 --hostname t1 -it --rm -d -p 80 nginx
a9ed176632769450e1a652ae45461680a3e48d9af6b91da2c2dfd20dfdb6f727

查看映射

[root@localhost ~]# docker port t1 
80/tcp -> 0.0.0.0:32768
[root@localhost ~]# 

使用node2查看网页

[root@node2 ~]# curl -o  - -p 192.168.100.75:32768
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@node2 ~]# 

-p : 将容器端口 映射至指定的主机端口

[root@localhost ~]# docker run --name t1 --hostname t1 -it --rm -d -p 80:80 nginx
9083bc33157f01b3b2e0d4d3acd2da7fc2eba2d976f0d3cf2b99a987fef8a6df
[root@localhost ~]# docker port t1
80/tcp -> 0.0.0.0:80
[root@localhost ~]# 

-p :: 将指定的容器的端口 映射至主机指定 的动态端口

[root@localhost ~]# docker run --name t1 --hostname t1 -it --rm -d -p 192.168.100.75::80 nginx
1fefd9bde32a157e24eb7838bd349d196f860f6017ba1154125e3a1b8893afce
[root@localhost ~]# docker port t1 
80/tcp -> 192.168.100.75:32768
[root@localhost ~]# 

-p : : 将指定的容器端口 映射至主机指定 的端口

[root@localhost ~]# docker run --name t1 --hostname t1 -it --rm -d -p 192.168.100.75:80:80 nginx
fbedd72124302f2b95de33d3799cf44a236e2c5e475358e868b114c8a0faa2e6
[root@localhost ~]# docker port t1 
80/tcp -> 192.168.100.75:80
[root@localhost ~]# 

四、网桥配置

修改网桥的ip等信息

停止 docker 服务

[root@localhost ~]# systemctl stop docker
[root@localhost ~]# 

编辑docker文件

/etc/docker/daemon.json
{
    "bip":"192.168.1.1/24",  # 桥的ip
    "fixed-cidr":"10.20.0.0/16",
    "fixed-cidr-v6":"2001:db8::/64",
    "mtu":1500,
    "default-gateway":"10.20.1.1",
    "default-gateway-v6":"2001:db8:abcd::89",
    "dns":["10.20.1.2","10.20.1.3"]
}

核心选项为bip，即bridge ip之意，用于指定docker0桥自身的IP地址；其他选项可通过此地址计算得出。

启动服务

[root@localhost ~]# systemctl start docker
[root@localhost ~]# 

创建网桥

[root@localhost ~]# docker network create -d bridge --subnet "10.1.1.0/24" --gateway "10.1.1.1" mybr0
75e5401680b9790d5fa91e688271a4f7722ed7e7cb5a0d6ef91a475d25dd0329
[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
8247c91941d0        bridge              bridge              local
6b108679bb90        host                host                local
75e5401680b9        mybr0               bridge              local
fbeb24fe71fb        none                null                local
[root@localhost ~]# ip add 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1a:4a:16:01:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.75/24 brd 192.168.100.255 scope global dynamic eth0

      valid_lft 80748sec preferred_lft 80748sec
    inet6 fe80::46bb:80cd:da25:717/64 scope link 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 52:54:00:06:89:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
    link/ether 52:54:00:06:89:69 brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:33:82:61:44 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:33ff:fe82:6144/64 scope link 
       valid_lft forever preferred_lft forever
22: br-75e5401680b9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN 
    link/ether 02:42:8f:cd:19:40 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global br-75e5401680b9
       valid_lft forever preferred_lft forever
[root@localhost ~]# 

创建容器t1，指定网络使用mybr0

[root@localhost ~]# docker run --name t1 -it --network mybr0 --rm busybox
/ # ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
23: eth0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:0a:01:01:02 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.2/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # 

创建容器t2，使用默认网络

[root@localhost ~]# docker run --name t2 -it --rm busybox
/ # ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
57: eth0@if58: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # 

两个桥上的容器是否能通信？

开启核心转发

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@localhost ~]# 

测试

/ # ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
57: eth0@if58: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2): 56 data bytes
64 bytes from 10.1.1.2: seq=0 ttl=63 time=0.228 ms
64 bytes from 10.1.1.2: seq=1 ttl=63 time=0.185 ms
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.185/0.206/0.228 ms
/ # 

如果不通，请查看防火墙等信息。