Docker network modes
Author: Internet
When Docker is installed, it automatically creates three networks. List them with docker network ls:
[root@bogon ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
e5c6989d795f bridge bridge local
66a8ee851e14 host host local
696108b5d7d8 none null local
When running a container, the --network parameter specifies which of these networks the container joins.
I. none mode
In this mode the container gets no network configuration at all; only the loopback address exists. Enable it by adding --net=none when starting the container. A container started this way has no network connectivity whatsoever, even if network parameters (such as the -p port mapping below) are set.
[root@bogon ~]# docker run -d -p 8000:80 --name php --net=none abiosoft/caddy:php
03b8e1e195f7a7ab6ae88d6b9a4f21b1cd063ae1264930918460baa6a2281b10
[root@bogon ~]# docker exec -it php ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[root@bogon ~]# curl -kv 127.0.0.1:8000
* About to connect() to 127.0.0.1 port 8000 (#0)
* Trying 127.0.0.1...
* Connection refused
* Failed connect to 127.0.0.1:8000; Connection refused
* Closing connection 0
curl: (7) Failed connect to 127.0.0.1:8000; Connection refused
As you can see, the container has only the lo loopback interface and no network connectivity. However, the user can configure networking for the container by hand.
1) Create the network namespace entry
[root@bogon ~]# PID=$(docker inspect -f '{{.State.Pid}}' php)
[root@bogon ~]# mkdir -p /var/run/netns
[root@bogon ~]# ln -s /proc/$PID/ns/net /var/run/netns/$PID
2) Create a veth pair A and B, and attach A to the docker0 bridge. Note: every running Docker container is given a veth pair like this; one end of the pair sits inside the container, the other on the host.
The bridge management tool is brctl (install the bridge-utils package to get this command):
[root@bogon ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242233ff36d no
[root@bogon ~]# ip link add A type veth peer name B
[root@bogon ~]# brctl addif docker0 A
[root@bogon ~]# ip link set A up
[root@bogon ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242233ff36d no A
The docker0 bridge device is listed, now with A attached as an interface.
3) Move B into the container, rename it eth0, bring it up, and configure its IP address and default gateway
[root@bogon ~]# ip link set B netns $PID
[root@bogon ~]# ip netns exec $PID ip link set dev B name eth0
[root@bogon ~]# ip netns exec $PID ip link set eth0 up
[root@bogon ~]# ip netns exec $PID ip addr add 172.17.10.25/24 dev eth0 # the IP address must be in the same subnet as docker0
[root@bogon ~]# ip netns exec $PID ip route add default via 172.17.10.1
4) Check the result with ifconfig inside the container
[root@bogon ~]# docker exec -it php ifconfig
eth0 Link encap:Ethernet HWaddr EE:F7:87:92:3D:16
inet addr:172.17.10.25 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
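The four manual steps above, automated as an added example that is not part of the original post. It assumes root with iproute2 and docker available, reads the bridge's own address from docker0 and uses it as the gateway instead of a hard-coded 172.17.10.1 (the host-mode listing further down shows docker0 at 172.17.0.1/16), and its veth names and last-octet convention are its own.

```shell
#!/bin/sh
# Added example, not from the original post: automates the four manual steps
# above for a container started with --net=none, but reads the bridge address
# from docker0 instead of hard-coding it, so the default route really points
# at the bridge. Assumes root, iproute2, docker, and a "last octet" convention
# for choosing the container address; veth names are this script's own.
set -eu

# "172.17.0.1/16" -> "172.17.0.1": the bridge's own address is the gateway
cidr_gateway() { printf '%s\n' "${1%/*}"; }

# "172.17.0.1/16" -> "16"
cidr_prefix() { printf '%s\n' "${1#*/}"; }

# cidr_host "172.17.0.1/16" 25 -> "172.17.0.25/16" (replace the last octet)
cidr_host() {
    addr=$(cidr_gateway "$1")
    printf '%s.%s/%s\n' "${addr%.*}" "$2" "$(cidr_prefix "$1")"
}

# wire_none_container NAME OCTET [BRIDGE]: attach a --net=none container to the bridge
wire_none_container() {
    name=$1; octet=$2; bridge=${3:-docker0}
    pid=$(docker inspect -f '{{.State.Pid}}' "$name")
    bridge_cidr=$(ip -4 -o addr show dev "$bridge" | awk '{print $4}')

    # step 1: make the container's net namespace visible to "ip netns"
    mkdir -p /var/run/netns
    ln -sfn "/proc/$pid/ns/net" "/var/run/netns/$pid"

    # step 2: veth pair, host end enslaved to the bridge (replaces brctl addif)
    ip link add "v${pid}h" type veth peer name "v${pid}c"
    ip link set "v${pid}h" master "$bridge" up

    # step 3: container end becomes eth0, addressed inside the bridge subnet
    ip link set "v${pid}c" netns "$pid"
    ip netns exec "$pid" ip link set dev "v${pid}c" name eth0
    ip netns exec "$pid" ip link set eth0 up
    ip netns exec "$pid" ip addr add "$(cidr_host "$bridge_cidr" "$octet")" dev eth0
    ip netns exec "$pid" ip route add default via "$(cidr_gateway "$bridge_cidr")"

    # step 4: verify from inside the container. Docker knows nothing about this
    # interface: -p mappings and the nat DOCKER chain will not cover it.
    docker exec "$name" ifconfig eth0
    rm -f "/var/run/netns/$pid"
}
```

Run it as wire_none_container php 25 after starting the php container with --net=none as shown above.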
II. container mode
In this mode the container shares a Network Namespace with another running container and therefore has the same view of the network.
As the figure shows, the newly created container on the right (yellow) shares the network card of the container on the left. It therefore has no independent IP of its own but shares the left container's IP 172.17.0.2, port range and other network resources, and processes in the two containers can talk to each other over the lo device.
[root@bogon ~]# docker run -itd --dns 8.8.8.8 -h testhost --name nginx nginx:alpine
f156c6eff60fd32589651305e14d777ef5bda976585803cc3a5a1d5e97551e99
[root@bogon ~]# docker exec -it nginx ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Now start another container that uses container-mode networking:
[root@bogon ~]# docker run --net=container:nginx -it nginx:alpine sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ #
Comparing the eth0 details of the two containers shows identical network configuration, because they use the same Network Namespace.
Checking the hosts file shows that the same hostname is in use as well:
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 testhost
III. host mode
The container shares the host's network stack and has full access to manipulate the host's network configuration.
[root@bogon ~]# docker run --rm --net=host -it nginx:alpine sh
/ # ifconfig
A Link encap: Ethernet HWaddr C6:02:C2:D3:0C:8E
inet6 addr: fe80::c402:c2ff:fed3:c8e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)
docker0 Link encap:Ethernet HWaddr 02:42:23:3F:F3:6D
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:23ff:fe3f:f36d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:106 errors:0 dropped:0 overruns:0 frame:0
TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10143 (9.9 KiB) TX bytes:9361 (9.1 KiB)
eth0 Link encap:Ethernet HWaddr 00:0C:29:43:F7:66
inet addr:10.0.0.128 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe43:f766/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:496809 errors:0 dropped:0 overruns:0 frame:0
TX packets:92511 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:681685477 (650.1 MiB) TX bytes:7359418 (7.0 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:96 errors:0 dropped:0 overruns:0 frame:0
TX packets:96 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:13077 (12.7 KiB) TX bytes:13077 (12.7 KiB)
veth4f9fa26 Link encap:Ethernet HWaddr DE:B5:DD:40:09:7A
inet6 addr: fe80::dcb5:ddff:fe40:97a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)
/ #
A container in host mode can manipulate the host's network configuration. This is rather dangerous; use it with care!
IV. bridge mode
bridge mode is Docker's default network mode and is a NAT network model. When the Docker daemon starts it creates a docker0 bridge; each time a container is started in bridge mode, Docker creates a pair of virtual network interfaces (a veth pair) for it, with one end in the container's Network Namespace and the other attached to docker0, which is how the container communicates with the host.
In bridge mode, all communication between a Docker container and the outside network is controlled by iptables rules, which is also a major reason for Docker's poor network performance. Use iptables -vnL -t nat to view the nat table; the container bridging rules appear in the DOCKER chain.
[root@bogon ~]# docker run --rm --net=bridge -it nginx:alpine sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
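An added audit script (not part of the original post) covering the container, host and bridge modes discussed above: it classifies each running container by the HostConfig.NetworkMode that docker inspect reports, treats host mode with NET_ADMIN or --privileged as the riskiest case, and includes a helper that lists the nat DOCKER chain bridge mode relies on. The risk labels are this example's own convention; it assumes docker and iptables on the host.

```shell
#!/bin/sh
# Added example, not from the original post: audits running containers for the
# shared-namespace modes described above (host and container:<id>) and for
# bridge/none containers that were nonetheless given NET_ADMIN or --privileged.
# Needs docker (and iptables for the last helper); the risk words are this
# script's own convention, not a Docker concept.
set -eu

# net_mode_risk MODE PRIVILEGED CAPADD -> prints high, medium or low
#   MODE       HostConfig.NetworkMode: bridge, default, none, host or container:<id>
#   PRIVILEGED HostConfig.Privileged as "true"/"false"
#   CAPADD     HostConfig.CapAdd as the Go template renders it, e.g. "[NET_ADMIN]" or "[]"
net_mode_risk() {
    mode=$1; privileged=$2; capadd=$3
    if [ "$privileged" = "true" ]; then
        echo high                 # --privileged grants every capability, whatever the mode
        return
    fi
    case "$mode" in
        host)                     # sees every host interface and can bind host ports...
            case "$capadd" in
                *NET_ADMIN*) echo high ;;   # ...and with NET_ADMIN can change host routes/firewall
                *)           echo medium ;;
            esac ;;
        container:*)              # shares another container's eth0, lo, ports and /etc/hosts
            echo medium ;;
        *)                        # own namespace behind docker0 NAT (or no network at all)
            case "$capadd" in
                *NET_ADMIN*) echo medium ;;
                *)           echo low ;;
            esac ;;
    esac
}

# One line per running container: risk, name, network mode, added capabilities.
audit_running_containers() {
    for id in $(docker ps -q); do
        docker inspect -f '{{.Name}} {{.HostConfig.NetworkMode}} {{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' "$id" |
        while read -r name mode privileged capadd; do
            printf '%-7s %-20s %-25s %s\n' \
                "$(net_mode_risk "$mode" "$privileged" "$capadd")" "${name#/}" "$mode" "$capadd"
        done
    done
}

# Bridge mode publishes ports through the nat table's DOCKER chain (see above):
# every -p mapping shows up here as a DNAT rule to the container's 172.17.x.y address.
show_docker_nat_rules() { iptables -t nat -vnL DOCKER; }
```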
Source: https://www.cnblogs.com/jiawei2527/p/16513747.html