Docker笔记 -- 网络模型



    | 类型 | 说明 | 与主机通信 | 联网 | 容器间通信 | 不同主机容器间通信 |
    |---|---|---|---|---|---|
    | bridge* | 网桥模式 | Y | Y | Y | N |
    | host | 主机模式 | - | Y | - | N |
    | none | 隔离模式 | N | N | N | N |
    | container | 容器模式 | - | - | - | - |
    | macvlan | 通道模式 | N | N | Y | Y |
    | overlay*** | 层接模式 | Y | Y | Y | Y |

    bridge

    类似于NAT,新开辟了一块网卡docker0通过网桥模式连接到本机ens160网卡进行上网。

    [root@docker01 ~]# hostname -I 13.13.3.3 172.17.0.1 [root@docker01 ~]# docker container run -it centos [root@ac0926d86274 /]# ping 172.17.0.1 PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data. 64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.062 ms [root@ac0926d86274 /]# ping 114.114.114.114 PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data. 64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=31.6 ms [root@ac0926d86274 /]# hostname -I 172.17.0.2 [root@ac0926d86274 /]# read escape sequence # Ctrl+P+Q 退出 [root@docker01 ~]# docker container run -it centos [root@614efa62ecb0 /]# hostname -I 172.17.0.3 [root@614efa62ecb0 /]# ping 172.17.0.3 PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data. 64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.036 ms [root@614efa62ecb0 /]# host

    与宿主机共享网络信息(ip, hostname, port …)

    [root@docker01 ~]# docker container run -it --network=host centos [root@docker01 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:17:cf:2e brd ff:ff:ff:ff:ff:ff inet 13.13.3.3/16 brd 13.13.255.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever inet6 fe80::7e59:6bd6:253a:213f/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:6f:a1:27:13 brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:6fff:fea1:2713/64 scope link valid_lft forever preferred_lft forever 15: vetha66c2d2@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default link/ether 6a:31:73:67:64:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet6 fe80::6831:73ff:fe67:64b5/64 scope link valid_lft forever preferred_lft forever [root@docker01 /]# hostname -I 13.13.3.3 172.17.0.1 [root@docker01 /]# none

    没有网卡,无网络可言。

    [root@docker01 ~]# docker container run -it --network=none centos [root@8ab1bb5c3707 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever [root@8ab1bb5c3707 /]# container

    与已有的容器共享网络信息,连通性取决于其依附的宿主机器。

    [root@docker01 ~]# docker container run -it --name=master centos [root@3f28bb6e8654 /]# hostname -I 172.17.0.3 [root@3f28bb6e8654 /]# read escape sequence [root@docker01 ~]# docker container run -it --network=container:master centos [root@3f28bb6e8654 /]# hostname -I 172.17.0.3 [root@3f28bb6e8654 /]# macvlan

    以MAC地址充当IP地址,实现不同主机上容器间的通信。

    [root@docker01 ~]# docker network create --driver=macvlan --subnet=172.16.0.0/16 --gateway=172.16.254.254 -o parent=ens160 macvlan-16 fffdd8a75f060d3801f96ff4517c8608a5a1fe4d0fffcdf93898c361562bd8e5 [root@docker01 ~]# docker container run -it --network=macvlan-16 --ip=172.16.3.3 centos [root@5519f991355d /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 20: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:10:03:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 172.16.3.3/16 brd 172.16.255.255 scope global eth0 valid_lft forever preferred_lft forever [root@5519f991355d /]#

    两台主机都要设置新的网络,且容器IP地址不能冲突。

    [root@docker02 ~]# docker network create --driver=macvlan --subnet=172.16.0.0/16 --gateway=172.16.254.254 -o parent=ens160 macvlan-16 c9d305635e3a473fb374e8a8d9d276600c2f52d58fd1a8d5f502604841293e4f [root@docker02 ~]# docker container run -it --network=macvlan-16 --ip=172.16.4.4 centos [root@3e0cab1d674d /]# hostname -I 172.16.4.4 [root@3e0cab1d674d /]# [root@5519f991355d /]# ping 172.16.4.4 PING 172.16.4.4 (172.16.4.4) 56(84) bytes of data. 64 bytes from 172.16.4.4: icmp_seq=1 ttl=64 time=0.495 ms [root@5519f991355d /]# overlay 开放防火墙端口

    TCP port 2377 for cluster management communications

    TCP and UDP port 7946 for communication among nodes

    UDP port 4789 for overlay network traffic

    [root@registry ~]# firewall-cmd --permanent --add-port=2377/tcp success [root@registry ~]# firewall-cmd --permanent --add-port=7946/tcp success [root@registry ~]# firewall-cmd --permanent --add-port=7946/udp success [root@registry ~]# firewall-cmd --permanent --add-port=4789/udp success [root@registry ~]# firewall-cmd --reload success [root@registry ~]# [root@docker01 ~]# firewall-cmd --permanent --add-port=7946/tcp success [root@docker01 ~]# firewall-cmd --permanent --add-port=7946/udp success [root@docker01 ~]# firewall-cmd --permanent --add-port=4789/udp success [root@docker01 ~]# firewall-cmd --reload success [root@docker01 ~]# [root@docker02 ~]# firewall-cmd --permanent --add-port=7946/tcp success [root@docker02 ~]# firewall-cmd --permanent --add-port=7946/udp success [root@docker02 ~]# firewall-cmd --permanent --add-port=4789/udp success [root@docker02 ~]# firewall-cmd --reload success [root@docker02 ~]#

    构建overlay集群关系

    注意:下面输出中的 join token 相当于集群凭证,持有它的主机即可加入集群;把它写进笔记或公开后,应在 manager 上执行 docker swarm join-token --rotate worker 进行轮换。

    [root@registry ~]# docker swarm init --advertise-addr=13.13.2.2 Swarm initialized: current node (oqkd6om42kmglt1mujf57vml7) is now a manager. To add a worker to this swarm, run the following command: docker swarm join --token SWMTKN-1-059wzs92yk8g4dx4wyfl3467v5dps6qpqjs4l0lzm1o35jgx60-8al1hre98hzn3hobwy4p2bh8q 13.13.2.2:2377 To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions. [root@registry ~]# [root@docker01 ~]# docker swarm join --token SWMTKN-1-059wzs92yk8g4dx4wyfl3467v5dps6qpqjs4l0lzm1o35jgx60-8al1hre98hzn3hobwy4p2bh8q 13.13.2.2:2377 This node joined a swarm as a worker. [root@docker01 ~]# [root@docker02 ~]# docker swarm join --token SWMTKN-1-059wzs92yk8g4dx4wyfl3467v5dps6qpqjs4l0lzm1o35jgx60-8al1hre98hzn3hobwy4p2bh8q 13.13.2.2:2377 This node joined a swarm as a worker.
[root@docker02 ~]# 创建overlay网络(registry) [root@registry ~]# docker network create -d overlay --attachable my-overlay o37dri76wa5qi78juf1goo6od [root@registry ~]# 创建测试容器(docker01、docker02) [root@docker01 ~]# docker container run -it --network my-overlay --name=over01 centos [root@d78eb0e34c91 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 34: eth0@if35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default link/ether 02:42:0a:00:02:0e brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.0.2.14/24 brd 10.0.2.255 scope global eth0 valid_lft forever preferred_lft forever 36: eth1@if37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet 172.18.0.3/16 brd 172.18.255.255 scope global eth1 valid_lft forever preferred_lft forever [root@d78eb0e34c91 /]# [root@docker02 ~]# docker container run -it --network my-overlay --name=over02 centos [root@3188a341b7d2 /]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 60: eth0@if61: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default link/ether 02:42:0a:00:02:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 10.0.2.16/24 brd 10.0.2.255 scope global eth0 valid_lft forever preferred_lft forever 62: eth1@if63: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet 172.18.0.3/16 brd 172.18.255.255 scope global eth1 valid_lft forever preferred_lft forever [root@3188a341b7d2 /]# 测试连通性 [root@d78eb0e34c91 /]# ping -c 1 over02 PING over02 (10.0.2.16) 56(84) bytes of 
data. 64 bytes from over02.my-overlay (10.0.2.16): icmp_seq=1 ttl=64 time=0.291 ms --- over02 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms [root@d78eb0e34c91 /]# ping -c 1 114.114.114.114 PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data. 64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=31.7 ms --- 114.114.114.114 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 31.715/31.715/31.715/0.000 ms [root@d78eb0e34c91 /]# [root@3188a341b7d2 /]# ping -c 1 over01 PING over01 (10.0.2.14) 56(84) bytes of data. 64 bytes from over01.my-overlay (10.0.2.14): icmp_seq=1 ttl=64 time=0.487 ms --- over01 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms [root@3188a341b7d2 /]# ping -c 1 114.114.114.114 PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data. 64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=31.4 ms --- 114.114.114.114 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 31.358/31.358/31.358/0.000 ms [root@3188a341b7d2 /]# 原理

    参考:https://www.cnblogs.com/xiangsikai/p/9898174.html

    [root@registry ~]# docker network ls NETWORK ID NAME DRIVER SCOPE 24958f9404d1 bridge bridge local ca6834a6ede2 docker_gwbridge bridge local 6a2feb0265d9 host host local fiayrdt9zw9d ingress overlay swarm o37dri76wa5q my-overlay overlay swarm 3b85ff0e6d36 none null local [root@registry ~]# docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION soqisifjiu1nk5n4xnc5a0rhp docker01 Ready Active 19.03.13 gq2n71xegjzqr4fxfbn95fvw7 docker02 Ready Active 19.03.13 oqkd6om42kmglt1mujf57vml7 * registry Ready Active Leader 19.03.13 [root@registry ~]# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:a6:96:20 brd ff:ff:ff:ff:ff:ff inet 13.13.2.2/16 brd 13.13.255.255 scope global noprefixroute ens160 valid_lft forever preferred_lft forever inet6 fe80::1153:d8b4:2854:c3d0/64 scope link noprefixroute valid_lft forever preferred_lft forever 3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:e0:a5:26:5e brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 valid_lft forever preferred_lft forever 4: docker_gwbridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:53:a7:c4:2b brd ff:ff:ff:ff:ff:ff inet 172.18.0.1/16 brd 172.18.255.255 scope global docker_gwbridge valid_lft forever preferred_lft forever inet6 fe80::42:53ff:fea7:c42b/64 scope link valid_lft forever preferred_lft forever 10: veth528013c@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP group default link/ether 5e:dc:93:f3:10:c9 brd ff:ff:ff:ff:ff:ff link-netnsid 1 
inet6 fe80::5cdc:93ff:fef3:10c9/64 scope link valid_lft forever preferred_lft forever [root@registry ~]#