• Docker networking (part 3)


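    The four Docker network modes

    When creating a container with docker run, the --net option selects the container's network mode. Docker provides the following four network modes by default:

    1. host mode, selected with --net=host
    2. container mode, selected with --net=container:NAME_or_ID
    3. none mode, selected with --net=none
    4. bridge mode, selected with --net=bridge; this is the default

    The bridge mode network topology is shown below:

    List the interfaces attached to the docker0 bridge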

    [root@jiaqi211 ~]# brctl show
    bridge name     bridge id               STP enabled     interfaces
    docker0         8000.0242069be7d6       no              veth11b0170
    [root@jiaqi211 ~]# ip a
    ....
    3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
        link/ether 02:42:06:9b:e7:d6 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
           valid_lft forever preferred_lft forever
        inet6 fe80::42:6ff:fe9b:e7d6/64 scope link 
           valid_lft forever preferred_lft forever
    5: veth11b0170@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
        link/ether ae:fd:08:2a:9a:90 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet6 fe80::acfd:8ff:fe2a:9a90/64 scope link 
           valid_lft forever preferred_lft forever

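    The host mode network topology is shown below:

    A container created on the host network uses the host's physical network interface directly, so it can be reached without publishing any ports. It shares the host's network stack, so every port the container listens on is open on the host's own addresses, with no network isolation between the two.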

    [root@jiaqi211 ~]# docker run --name mynginx --network=host -itd nginx           
    c8bf2d1d7648ffaf4c0a9f2a2b258ddbb0f5e26b50978ed63d7442ee97cf42e7

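    Verify

    The container mode network topology is shown below:

    Also called a joined network: the newly created container does not create its own network interface and ports, but shares a virtual network interface with an existing container

    Example: first create a busybox container, then create an nginx container that shares the busybox container's network interface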

    [root@jiaqi211 ~]# docker run --name mybusy -it -p 80 -p 22 -d busybox
    4231a817446956b3fe09cb1a7a2da353bd126ddb6006e6704b5e069524c0dd4f
    [root@jiaqi211 ~]# docker run --name mynginx -itd --network=container:mybusy nginx
    ff90c89ceff37f7a954bfd2924f27d5c735c2d1821d0e8d7a1d8348697a3af68

    The docker0 bridge still has only one interface attached; no new one was created

    [root@jiaqi211 ~]# brctl show
    bridge name     bridge id               STP enabled     interfaces
    docker0         8000.0242069be7d6       no              vethe2b04bc

    Check the port mappings

    [root@jiaqi211 ~]# docker ps -a 
    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                                          NAMES
    e4d43c36f4cc        nginx               "nginx -g 'daemon of…"   13 seconds ago      Up 12 seconds                                                      mynginx
    4231a8174469        busybox             "sh"                     3 minutes ago       Up 3 minutes        0.0.0.0:32773->22/tcp, 0.0.0.0:32772->80/tcp   mybusy

    Verify by opening the nginx service in a browser

    none network mode

    Create a container on the none network

    [root@jiaqi211 ~]# docker run --name myos -itd --net=none busybox
    8ae69d623339f8df03ce1d241204381121178a70771337cdc270167c6935826b

    As we can see, there is indeed only the lo interface and no other network interface

    [root@jiaqi211 ~]# docker exec -it myos /bin/sh
    / # ifconfig -a
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    Port mapping

    Note that with a NAT bridge, kernel IP forwarding must be enabled

    [root@jiaqi211 ~]# cat /proc/sys/net/ipv4/ip_forward
    1

    Method 1: random mapping

    docker run -p PORT 

    Example: we map the container's port 80 to a random port on the host; as shown below, the host port it was mapped to is 32769

    [root@jiaqi211 ~]# docker run --name mynginx -p 80 -itd --rm nginx
    5bea3c77aaee1c4a3d7e7617838697a3745b9ae3e74e7088e30ad86fe7cdbecc
    [root@jiaqi211 ~]# docker ps -a 
    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                   NAMES
    5bea3c77aaee        nginx               "nginx -g 'daemon of…"   4 seconds ago       Up 3 seconds        0.0.0.0:32769->80/tcp   mynginx

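    To verify, open HOST:PORT in a browser

    Method 2: explicit mapping

    -p hostPort:containerPort
    -p ip:hostPort:containerPort
    -p ip::containerPort
    -p containerPort

    We can also specify the mapping explicitly, for example mapping port 80 on the host to port 80 in the container. Without an ip, the port is published on all host interfaces (0.0.0.0), as the docker ps output shows.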

    [root@jiaqi211 ~]# docker run --name mynginx -p 80:80 -itd nginx                
    2326a68c58546ec19c4c5c971662f45d5166cb13bbc56f11d849f146fba6f473
    [root@jiaqi211 ~]# docker ps -a
    CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                NAMES
    2326a68c5854        nginx               "nginx -g 'daemon of…"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp   mynginx

    Verify
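
    The -p forms listed above, worked through as an added example that is not from the original article: the hypothetical classify_publish splits a -p value into bind address, host port and container port, and audit_run_publish applies it to every -p in a docker run command. It assumes IPv4 forms only and Docker's default bind address of 0.0.0.0 when no ip is given, which matches the docker ps output shown on this page.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# classify_publish SPEC
# Prints "<bind-ip> <host-port|random> <container-port> <scope>" for one -p value.
classify_publish() (
    spec=${1%/*}                           # drop an optional /tcp or /udp suffix
    case "$spec" in
        *:*:*)                             # ip:hostPort:containerPort, ip::containerPort
            ip=${spec%%:*}; rest=${spec#*:}
            host=${rest%%:*}; ctr=${rest#*:} ;;
        *:*)                               # hostPort:containerPort
            ip=0.0.0.0; host=${spec%%:*}; ctr=${spec#*:} ;;
        *)                                 # container port only, random host port
            ip=0.0.0.0; host=""; ctr=$spec ;;
    esac
    if [ -z "$host" ]; then host=random; fi
    case "$ip" in
        0.0.0.0) scope=all-interfaces ;;   # reachable on every host address
        127.*)   scope=loopback-only ;;
        *)       scope=single-address ;;
    esac
    echo "$ip $host $ctr $scope"
)

# audit_run_publish "<docker run ...>"
# Prints one classify_publish line per -p/--publish option in the command.
audit_run_publish() (
    set -f                                 # no globbing while word-splitting
    prev=""
    for word in $1; do
        case "$prev" in
            -p|--publish) classify_publish "$word" ;;
        esac
        prev=$word
    done
)

# Command taken from the article: both ports end up on all interfaces.
audit_run_publish 'docker run --name mybusy -it -p 80 -p 22 -d busybox'
# Constructed command: the same service published on loopback only.
audit_run_publish 'docker run --name mynginx -p 127.0.0.1:8080:80 -itd nginx'
```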

    Change the address of the docker0 bridge

    [root@localhost ~]# vim /etc/docker/daemon.json 
    {
    "registry-mirrors": ["https://l10nt4hq.mirror.aliyuncs.com"],
    "bip": "10.0.0.1/16",
    "default-gateway": "10.0.0.10",
    "dns": ["114.114.114.114","8.8.8.8"]
    }
    # The key option is bip (short for bridge IP), which sets the IP address of the docker0 bridge itself
    
    
    [root@localhost ~]# ifconfig -a 
    docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
    inet 10.0.0.1 netmask 255.255.0.0 broadcast 10.0.255.255
    ether 02:42:9f:94:79:34 txqueuelen 0 (Ethernet)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 0 bytes 0 (0.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

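    Remote access

    To let other hosts reach this machine's Docker service by IP address, the following configuration is needed. Note that tcp://0.0.0.0:2375 is the plaintext Docker API with no authentication or encryption: anyone who can reach that port can control the daemon, which is equivalent to root on the host. Only do this on an isolated, trusted network; otherwise protect the listener with TLS client-certificate verification (dockerd --tlsverify, conventionally on port 2376).

    Step 1: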

    [root@localhost ~]# vim /usr/lib/systemd/system/docker.service 
    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

    Step 2: restart and verify

    [root@localhost ~]# systemctl daemon-reload
    [root@localhost ~]# systemctl restart docker 
    [root@localhost ~]# ss -tnl
    State      Recv-Q Send-Q      Local Address:Port                     Peer Address:Port              
    LISTEN     0      128                     *:22                                  *:*                  
    LISTEN     0      100             127.0.0.1:25                                  *:*                  
    LISTEN     0      128                    :::2375                               :::*                  
    LISTEN     0      80                     :::3306                               :::*                  
    LISTEN     0      128                    :::22                                 :::*                  
    LISTEN     0      100                   ::1:25                                 :::*     
    
    From another machine:

    [root@bogon ~]# docker -H 192.168.254.17:2375 images
    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
    mynginx             latest              476a30621ef2        9 days ago          16MB
    mybusy              latest              8e4fbb821d36        9 days ago          7.42MB
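
    A check for the exposure created by the -H tcp://0.0.0.0:2375 setting above, as an added example that is not from the original article: the hypothetical function audit_dockerd_hosts scans a dockerd command line and fails when a TCP listener is reachable from other hosts without --tlsverify. It assumes TLS is configured on the command line rather than in daemon.json; the hardened sample line and its certificate paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). audit_dockerd_hosts is a
# hypothetical helper; --tlsverify, --tlscacert, --tlscert and --tlskey are
# real dockerd flags.

# audit_dockerd_hosts "<dockerd command line>"
# Prints one line per "-H tcp://" listener. Exit status is 1 if any listener
# is reachable from other hosts without mutual TLS, 0 otherwise.
audit_dockerd_hosts() (
    set -f                          # no globbing while word-splitting the line
    tls=0; unsafe=0; prev=""
    case " $1 " in
        *" --tlsverify "*|*" --tlsverify=true "*) tls=1 ;;
    esac
    for word in $1; do
        addr=""
        case "$prev $word" in
            "-H tcp://"*|"--host tcp://"*) addr=${word#tcp://} ;;
            *" --host=tcp://"*)            addr=${word#--host=tcp://} ;;
        esac
        prev=$word
        if [ -z "$addr" ]; then continue; fi
        if [ "$tls" -eq 1 ]; then
            echo "OK    client certs required  tcp://$addr"
            continue
        fi
        case "$addr" in
            127.*|localhost:*) echo "WARN  no TLS, loopback only  tcp://$addr" ;;
            *) echo "FAIL  no TLS, no auth        tcp://$addr"; unsafe=1 ;;
        esac
    done
    exit "$unsafe"
)

# ExecStart value from the article, and a constructed hardened counterpart.
PAGE_LINE='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
HARDENED_LINE='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'

audit_dockerd_hosts "$PAGE_LINE"     || echo "=> the article's unit file exposes the API"
audit_dockerd_hosts "$HARDENED_LINE" && echo "=> the hardened line passes"
```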

    Custom bridges

    Create a custom bridge

    [root@localhost ~]# docker network create -d bridge --subnet 20.20.0.0/16 --gateway 20.20.0.1 mybr
    4320f4f33f6baec1c018b77272f506c7c9cd07a9162a44ae23a8a408c6167cd3
    [root@localhost ~]# docker network ls
    NETWORK ID          NAME                DRIVER              SCOPE
    8ea6e1e8a153        bridge              bridge              local
    0921628426bd        host                host                local
    4320f4f33f6b        mybr                bridge              local
    fe7ac4d47fb1        none                null                local
    [root@localhost ~]# ifconfig -a 
    br-4320f4f33f6b: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 20.20.0.1  netmask 255.255.0.0  broadcast 20.20.255.255
            ether 02:42:2c:57:da:c8  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    # To rename the interface, use the following commands
    [root@localhost ~]# ifconfig br-4320f4f33f6b down
    [root@localhost ~]# ip link set dev br-4320f4f33f6b name docker1
    [root@localhost ~]# ifconfig -a
    docker1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            inet 20.20.0.1  netmask 255.255.0.0  broadcast 20.20.255.255
            ether 02:42:2c:57:da:c8  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    Delete the custom bridge

    [root@localhost ~]# docker network rm mybr
    mybr

                                                   

  • Original article: https://www.cnblogs.com/fengzi7314/p/11921162.html