Among Docker's several network modes, the bridge mode provides connectivity between containers on the same host. For containers on different hosts to communicate across nodes, an overlay network is required.
In docker swarm mode, containers created with docker service create use the overlay network named ingress by default. In this mode a service places containers on different nodes (hosts), and the containers on those nodes receive IP addresses in the same subnet.
Likewise, if several services are created, say nginx and viz at the same time, the containers of both services also land in the same subnet. As shown below, on one node the container of service nginx has IP 10.255.0.4 and the container of service viz has IP 10.255.0.6; both are in the ingress network.
#docker network inspect ingress
        "Internal": false,
        "Attachable": false,
        "Ingress": true,
        "Containers": {
            "00bf0cc88d8363581b10a6a64a34cc2864d51926ecaa445fba7af0bc488d553d": {
                "Name": "nginxtest.1.5yukmeotwnl2v0smmhy26bwkg",
                "EndpointID": "064080c4efc9048bf0b0a44ab1d52d63c627f277d9d589be8cc9723c081e2616",
                "MacAddress": "02:42:0a:ff:00:04",
                "IPv4Address": "10.255.0.4/16",
                "IPv6Address": ""
            },
            "ac7ec55f931e1a4c1ece6e56a935ac0871ab6fe88e9eae35e1671513c9204b77": {
                "Name": "viz.1.zhmcw7mtvzzrma31l3letnmxp",
                "EndpointID": "0477642232e30c34c9bdc6cb8e83b0d2726a5169df8daa8c47225b8d16163ec7",
                "MacAddress": "02:42:0a:ff:00:06",
                "IPv4Address": "10.255.0.6/16",
                "IPv6Address": ""
            },
            "ingress-sbox": {
                "Name": "ingress-endpoint",
                "EndpointID": "61ae637e13284274480a1f9928bd7c627543336875a64dbdd272850285252136",
                "MacAddress": "02:42:0a:ff:00:02",
                "IPv4Address": "10.255.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "256"
...
If you do not want multiple services to share one subnet, for example in a multi-tenant scenario, you need to create a separate custom overlay network so that each user's services sit in their own subnet.
Create an overlay network named mynet
docker network create mynet -d overlay
7njqr6p45krfw6msq8wgxdqu3
Inspect the basic information of mynet
# docker network inspect mynet
[
    {
        "Name": "mynet",
        "Id": "7njqr6p45krfw6msq8wgxdqu3",
        "Created": "0001-01-01T00:00:00Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": null,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4096"
        },
        "Labels": null
    }
]
As shown above, the newly created mynet network has VXLAN ID 4096, which differs from the VXLAN ID 256 of ingress. Also, because no container has joined mynet yet, no IP address range has been allocated to it.
Create a service that uses the mynet network
docker service create --replicas 2 --name nginx_test01 --network mynet nginx
Once the service is up, inspect the mynet network again
docker network inspect mynet
...
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.0.0.0/24",
                    "Gateway": "10.0.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": {
            "a67b21bdc3d1bb144816e436f5cc5a303539ae3db8a7564236740fc46233a665": {
                "Name": "nginx_test01.1.xscom3xofubdgzp1xixt69r93",
                "EndpointID": "0dbd0fca51d0c477ee653e6f0f12048e38acb6e1a404fe1f9ae4e6506563cfce",
                "MacAddress": "02:42:0a:00:00:03",
                "IPv4Address": "10.0.0.3/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4096"
...
We can see that a container has joined mynet, and its subnet has accordingly become 10.0.0.0/24.
Verify whether containers in different subnets can reach each other
Enter the container that uses the mynet network
docker exec -it a67b21bdc3d1 bash
[root@a67b21bdc3d1 /]# ping 10.255.0.6 # ping a container on the ingress network
PING 10.255.0.6 (10.255.0.6) 56(84) bytes of data.
The ping does not get through, which shows that VXLAN isolation is in effect. If the two containers can reach each other, you may need to upgrade the system kernel.
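The ping test above checks isolation from inside one container. As an added example (not code from the original post), the following Python script performs the complementary check from the host side by parsing the output of docker network inspect: it confirms that two overlay networks use distinct VXLAN IDs and non-overlapping subnets, lists which services are co-located on one network, and maps a container IP back to the network whose subnet contains it. The embedded JSON is constructed to mirror the values shown in the post (container IDs and task names are shortened); the function names are the example's own, and in practice you would feed the functions the real output of docker network inspect <name>.

```python
"""Audit overlay networks for tenant isolation from `docker network inspect` output.

Added example, not from the original post. The JSON below is constructed to
mirror the post's values (ingress: VXLAN 256, 10.255.0.0/16 with two services;
mynet: VXLAN 4096, 10.0.0.0/24 with one service).
"""
import ipaddress
import json

# Constructed sample, trimmed to the fields the checks need.
INGRESS_JSON = json.dumps([{
    "Name": "ingress",
    "Driver": "overlay",
    "Ingress": True,
    "Attachable": False,
    "IPAM": {"Config": [{"Subnet": "10.255.0.0/16", "Gateway": "10.255.0.1"}]},
    "Containers": {
        "00bf0cc8": {"Name": "nginxtest.1.5yukmeot", "IPv4Address": "10.255.0.4/16"},
        "ac7ec55f": {"Name": "viz.1.zhmcw7mt", "IPv4Address": "10.255.0.6/16"},
    },
    "Options": {"com.docker.network.driver.overlay.vxlanid_list": "256"},
}])

MYNET_JSON = json.dumps([{
    "Name": "mynet",
    "Driver": "overlay",
    "Ingress": False,
    "Attachable": False,
    "IPAM": {"Config": [{"Subnet": "10.0.0.0/24", "Gateway": "10.0.0.1"}]},
    "Containers": {
        "a67b21bd": {"Name": "nginx_test01.1.xscom3xo", "IPv4Address": "10.0.0.3/24"},
    },
    "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4096"},
}])


def parse_network(inspect_output):
    """Reduce one `docker network inspect` result to the isolation-relevant facts.

    Handles the empty states the post shows for a fresh network
    ("Containers": null, IPAM "Config": []).
    """
    net = json.loads(inspect_output)[0]
    options = net.get("Options") or {}
    vxlan_list = options.get("com.docker.network.driver.overlay.vxlanid_list", "")
    vxlans = {int(v) for v in vxlan_list.split(",") if v.strip()}
    subnets = [ipaddress.ip_network(c["Subnet"])
               for c in (net.get("IPAM") or {}).get("Config") or []]
    containers = {c["Name"]: ipaddress.ip_interface(c["IPv4Address"]).ip
                  for c in (net.get("Containers") or {}).values()}
    return {"name": net["Name"], "vxlans": vxlans, "subnets": subnets,
            "containers": containers, "attachable": bool(net.get("Attachable"))}


def isolation_findings(a, b):
    """Return findings where networks a and b fail to be isolated (empty means OK)."""
    findings = []
    shared = a["vxlans"] & b["vxlans"]
    if shared:
        findings.append(f"{a['name']} and {b['name']} share VXLAN id(s) {sorted(shared)}")
    for sa in a["subnets"]:
        for sb in b["subnets"]:
            if sa.overlaps(sb):
                findings.append(f"subnet {sa} of {a['name']} overlaps {sb} of {b['name']}")
    return findings


def services_sharing_network(net):
    """Service names co-located on one network (swarm task names are <service>.<slot>.<id>)."""
    return sorted({name.split(".")[0] for name in net["containers"]})


def locate_container(ip, networks):
    """Name of the network whose subnet contains the given container IP, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if any(addr in subnet for subnet in net["subnets"]):
            return net["name"]
    return None


if __name__ == "__main__":
    ingress, mynet = parse_network(INGRESS_JSON), parse_network(MYNET_JSON)
    print("services on ingress:", services_sharing_network(ingress))
    print("services on mynet:  ", services_sharing_network(mynet))
    print("isolation findings: ", isolation_findings(ingress, mynet) or "none")
    print("10.255.0.6 lives on:", locate_container("10.255.0.6", [ingress, mynet]))
```

Run against real hosts by substituting the output of docker network inspect for each tenant network; a non-empty findings list means two tenants share a VXLAN segment or an address range and the ping test from the post is worth repeating.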