docker——4、容器虚拟化网络
6种名称空间:UTS,User,Mount,IPC,Pid,Net
一、服务器网络直接模拟容器命名空间
# ip netns add r1
# ip netns add r2
# ip netns list
r2
r1
[root@node1 /]# ip netns exec r1 ifconfig -a
lo: flags=8 mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#创建虚拟网卡
[root@node1 /]# ip link add name veth1.1 type veth peer name veth1.2
[root@node1 /]# ip link show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:78:84:b3 brd ff:ff:ff:ff:ff:ff
3: docker0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:83:28:ae:72 brd ff:ff:ff:ff:ff:ff
9: veth75d9888@if8: mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether f6:58:0f:8c:2f:e2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
10: [email protected]: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether c2:d4:e2:d1:ea:f5 brd ff:ff:ff:ff:ff:ff
11: [email protected]: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 42:56:7d:67:0d:d5 brd ff:ff:ff:ff:ff:ff
#将1.2网卡挪到网络名称r1上面
[root@node1 /]# ip link set dev veth1.2 netns r1
[root@node1 /]# ip link show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:78:84:b3 brd ff:ff:ff:ff:ff:ff
3: docker0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:83:28:ae:72 brd ff:ff:ff:ff:ff:ff
9: veth75d9888@if8: mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether f6:58:0f:8c:2f:e2 brd ff:ff:ff:ff:ff:ff link-netnsid 0
11: veth1.1@if10: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 42:56:7d:67:0d:d5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
#查看r1网络
[root@node1 /]# ip netns exec r1 ifconfig -a
lo: flags=8 mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.2: flags=4098 mtu 1500
ether c2:d4:e2:d1:ea:f5 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#修改r1的网卡名称
[root@node1 /]# ip netns exec r1 ip link set dev veth1.2 name eth0
[root@node1 /]# ip netns exec r1 ifconfig -a
eth0: flags=4098 mtu 1500
ether c2:d4:e2:d1:ea:f5 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=8 mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#激活网卡
[root@node1 /]# ifconfig veth1.1 172.16.92.34/24 up
[root@node1 /]# ifconfig veth1.1
veth1.1: flags=4099 mtu 1500
inet 172.16.92.34 netmask 255.255.255.0 broadcast 172.16.92.255
ether 42:56:7d:67:0d:d5 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@node1 /]# ip netns exec r1 ifconfig eth0 172.16.92.35/24 up
[root@node1 /]# ip netns exec r1 ifconfig
eth0: flags=4163 mtu 1500
inet 172.16.92.35 netmask 255.255.255.0 broadcast 172.16.92.255
inet6 fe80::c0d4:e2ff:fed1:eaf5 prefixlen 64 scopeid 0x20
ether c2:d4:e2:d1:ea:f5 txqueuelen 1000 (Ethernet)
RX packets 64 bytes 3000 (2.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#将veth1.1挪到r2
[root@node1 /]# ip link set dev veth1.1 netns r2
[root@node1 ~]# ip netns exec r2 ifconfig -a
lo: flags=8 mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.1: flags=4098 mtu 1500
ether 42:56:7d:67:0d:d5 txqueuelen 1000 (Ethernet)
RX packets 12 bytes 984 (984.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 234 bytes 10308 (10.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@node1 ~]# ip netns exec r2 ifconfig veth1.1 172.16.92.36/24 up
[root@node1 ~]# ip netns exec r2 ifconfig
veth1.1: flags=4163 mtu 1500
inet 172.16.92.36 netmask 255.255.255.0 broadcast 172.16.92.255
inet6 fe80::4056:7dff:fe67:dd5 prefixlen 64 scopeid 0x20
ether 42:56:7d:67:0d:d5 txqueuelen 1000 (Ethernet)
RX packets 12 bytes 984 (984.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 242 bytes 10956 (10.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#在r2中ping r1地址正常
[root@node1 ~]# ip netns exec r2 ping 172.16.92.35
二、 Bridged containers
可以为docker run命令使用
1、“–hostname HOSTNAME”选项为容器指定主机名,例如
# docker run --rm --netbridge --hostname bbox.change-can.com busybox:latest nslookup bbox.change-can.com
2、“–dns DNS_SERVER_IP”选项为容器指定所使用的dns服务器地址,例如
# docker run --rm --dns 114.114.114.114 busybox:lastest nslookup docker.com
3、“–add-host HOSTNAME:IP” 选项能够为容器指定本地主机名解析项,例如
#docker run --rm --dns 114.114.114.114 --add-host "docker.com:172.16.0.100" busybox:lastest nslookup docker.com
实验如下:
[root@node1 ~]# docker run --name t1 -it --network bridge -h t1.change-can.com --dns 114.114.114.114 --rm busybox:latest
/ # cat /etc/resolv.conf
nameserver 114.114.114.114
/ # hostname
t1.change-can.com
[root@node1 ~]# docker run --name t1 -it --network bridge -h t1.change-can.com --dns 114.114.114.114 --dns-search ilinux.io --add-host node2.change-can.com:172.16.92.32 --rm busybox:latest
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.16.92.32 node2.change-can.com
172.17.0.2 t1.change-can.com t1
三、Opening inbound communication
p选项的使用格式:
-p 将指定的容器端口映射至主机所有地址的一个动态端口
-p : 将容器端口映射至指定的主机端口
-p :: 将指定的容器端口映射至主机指定的动态端口
-p :: 将指定的容器端口映射至主机指定的端口
“动态端口”指随机端口,具体的映射结果可使用docker port命令查看
实验:
3.1、将指定的容器端口映射至主机所有地址的一个动态端口
[root@node1 ~]# docker run --name myweb --rm -p 80 changecan/httpd:v0.2
[root@node1 ~]# docker inspect myweb
[root@node1 ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 31 packets, 4734 bytes)
pkts bytes target prot opt in out source destination
2038 121K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 31 packets, 4734 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1736 packets, 104K bytes)
pkts bytes target prot opt in out source destination
2 168 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1736 packets, 104K bytes)
pkts bytes target prot opt in out source destination
1 84 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32768 to:172.17.0.2:80
[root@node1 ~]# docker port myweb
80/tcp -> 0.0.0.0:32768
浏览器访问http://172.16.92.31:32768正常
访问测试:
删除
[root@node1 ~]# docker kill myweb
3.2、-p 将容器端口
[root@node1 ~]# docker run --name myweb --rm -p 172.16.92.31::80 changecan/httpd:v0.2
[root@node1 ~]# docker port myweb
80/tcp -> 172.16.92.31:32768
浏览器访问http://172.16.92.31:32768正常
[root@node1 ~]# docker kill myweb
3.3、-p 将指定的容器端口
[root@node1 ~]# docker run --name myweb --rm -p 80:80 changecan/httpd:v0.2
[root@node1 ~]# docker port myweb
80/tcp -> 0.0.0.0:80
浏览器访问http://172.16.92.31正常
3.4、-p 将指定的容器端口
[root@node1 ~]# docker port myweb
80/tcp -> 172.16.92.31:8080
浏览器访问http://172.16.92.31:8080正常
四、Joined containers
联盟式容器是指使用某个已存在容器的网络接口的容器,接口被联盟内的各容器共享使用;因此,联盟式容器彼此间完全无隔离,例如:
(1)创建一个监听于2222端口的http服务容器
# docker run -d -it --rm -p 2222 busybox:latest /bin/httpd -p 2222 -f
(2)创建一个联盟式容器,并查看其监听的端口
# docker run -it --rm --net container:web --name joined busybox:latest netstat -tun
联盟式容器彼此间虽然共享同一个网络名称空间,但其它空间如User、Mount等还是隔离的
联盟式容器彼此间存在端口冲突的可能性,因此,通常只会在多个容器上的程序需要程序loopback接口相互通信、或对已存的容器的网络属性进行监控时才使用此种模式的网络模型
实验:
[root@node1 ~]# docker run --name b1 -it --rm busybox
/ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
/ # mkdir /tmp/testdir
#b2共享b1的网络,存储目录是隔离的
[root@node1 ~]# docker run --name b2 --network container:b1 -it --rm busybox
/ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
/ # echo "hello world" > /tmp/index.html
/ # httpd -h /tmp/
在b1上面访问测试:
/ # wget -O - -q 127.0.0.1
hello world
[root@node1 ~]# docker run --name b2 --network host -it --rm busybox
/ # echo "hello container" > /tmp/index.html
/ # httpd -h /tmp
/ # netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 ::ffff:172.16.92.31:9200 :::* LISTEN
tcp 0 0 ::ffff:172.16.92.31:9300 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
#在浏览器访问http://172.16.92.31/ 显示“hello container”
dockerd守护进程的C/S,其默认仅监听Unix SOcket格式的地址,/var/run/docker.sock;如果使用TCP套接字,/etc/docker/daemon.json: "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
自定义docker0桥的网络属性信息:/etc/docker/daemon.json文件
{
"bip": "192.168.1.5/24",
"fixed-cidr": "10.20.0.0/16",
"fixed-cidr-v6": "2001:db8::/64",
"mtu": 1500,
"default-gateway": "10.20.1.1",
"default-gateway-v6": "2001:db8:abcd::89",
"dns": ["10.20.1.2","10.20.1.3"]
}
核心选项为bip,即bridge ip之意,用于指定docker0桥自身的IP地址;其它选项可通过此地址计算得出。
文档路径:
https://docs.docker.com/engine/userguide/networking/default_network/custom-docker0/
实验:
[root@node1 ~]# systemctl stop docker
[root@node1 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com"],
"bip": "10.0.0.1/16",
"hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
[root@node1 ~]# systemctl start docker
[root@node1 ~]# ifconfig
docker0: flags=4099 mtu 1500
inet 10.0.0.1 netmask 255.255.0.0 broadcast 10.0.255.255
inet6 fe80::42:83ff:fe28:ae72 prefixlen 64 scopeid 0x20
ether 02:42:83:28:ae:72 txqueuelen 0 (Ethernet)
RX packets 71 bytes 5644 (5.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 79 bytes 8708 (8.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163 mtu 1500
inet 172.16.92.31 netmask 255.255.255.0 broadcast 172.16.92.255
inet6 fe80::20c:29ff:fe78:84b3 prefixlen 64 scopeid 0x20
ether 00:0c:29:78:84:b3 txqueuelen 1000 (Ethernet)
RX packets 3518529 bytes 337551301 (321.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2487615 bytes 1300887054 (1.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 188990 bytes 12372223 (11.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 188990 bytes 12372223 (11.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@node1 ~]# docker -H 172.16.92.31:2375 ps
创建网卡
[root@node1 ~]# docker network create -d bridge --subnet "172.16.92.0/24" --gateway "172.16.92.254" mybr0
cc98709b9d54258f4101a8ca5f69622948b1fba2520321313963b61e87cca125
[root@node1 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
94d5df274648 bridge bridge local
6f1843f35ad1 host host local
cc98709b9d54 mybr0 bridge local
3b2291761f54 none null local
[root@node1 ~]# cat /proc/sys/net/ipv4/ip_forward #开启地址转发
1