Of Docker's several network modes, bridge networking only connects containers running on the same host. To let containers on different hosts (cross-node) talk to each other you need an overlay network.


In docker swarm mode, a service created with docker service create is attached by default to the overlay network named ingress. The service's tasks (containers) are scheduled onto different nodes (hosts), and the container IPs on all of those nodes lie in one subnet.


The same holds when you create several services. If, say, you create an nginx service and a viz service, the containers of both services end up in that same subnet. In the output below, on one node the nginx task has IP 10.255.0.4 and the viz task has IP 10.255.0.6, and both sit on the ingress network:


# docker network inspect ingress
        "Internal": false,
        "Attachable": false,
        "Ingress": true,
        "Containers": {
            "00bf0cc88d8363581b10a6a64a34cc2864d51926ecaa445fba7af0bc488d553d": {
                "Name": "nginxtest.1.5yukmeotwnl2v0smmhy26bwkg",
                "EndpointID": "064080c4efc9048bf0b0a44ab1d52d63c627f277d9d589be8cc9723c081e2616",
                "MacAddress": "02:42:0a:ff:00:04",
                "IPv4Address": "10.255.0.4/16",
                "IPv6Address": ""
            },
            "ac7ec55f931e1a4c1ece6e56a935ac0871ab6fe88e9eae35e1671513c9204b77": {
                "Name": "viz.1.zhmcw7mtvzzrma31l3letnmxp",
                "EndpointID": "0477642232e30c34c9bdc6cb8e83b0d2726a5169df8daa8c47225b8d16163ec7",
                "MacAddress": "02:42:0a:ff:00:06",
                "IPv4Address": "10.255.0.6/16",
                "IPv6Address": ""
            },
            "ingress-sbox": {
                "Name": "ingress-endpoint",
                "EndpointID": "61ae637e13284274480a1f9928bd7c627543336875a64dbdd272850285252136",
                "MacAddress": "02:42:0a:ff:00:02",
                "IPv4Address": "10.255.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "256"
        ...


If you do not want several services sharing one subnet, for example in a multi-tenant deployment, create a separate user-defined overlay network for each tenant, so that each tenant's services get their own subnet and their own VXLAN segment. Two caveats apply in practice: a service that publishes ports (-p) is attached to ingress in addition to its own network, so it can still reach every other published service over ingress; and traffic between nodes on an overlay is plain VXLAN unless the network was created with --opt encrypted.



Create an overlay network named mynet:

# docker network create mynet -d overlay
7njqr6p45krfw6msq8wgxdqu3


Inspect mynet:

# docker network inspect mynet
[
    {
        "Name": "mynet",
        "Id": "7njqr6p45krfw6msq8wgxdqu3",
        "Created": "0001-01-01T00:00:00Z",
        "Scope": "swarm",
        "Driver": "overlay",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": null,
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4096"
        },
        "Labels": null
    }
]


As shown, the newly created mynet network has VXLAN ID 4096, distinct from the ingress network's 256. Because no container has joined mynet yet, no IP range appears in its IPAM config on this node.


Create a service that uses the mynet network:

# docker service create --replicas 2 --name nginx_test01 --network mynet nginx

Once the service is up, inspect mynet again:


# docker network inspect mynet
        ...
            "Options": null,
            "Config": [
                {
                    "Subnet": "10.0.0.0/24",
                    "Gateway": "10.0.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": {
            "a67b21bdc3d1bb144816e436f5cc5a303539ae3db8a7564236740fc46233a665": {
                "Name": "nginx_test01.1.xscom3xofubdgzp1xixt69r93",
                "EndpointID": "0dbd0fca51d0c477ee653e6f0f12048e38acb6e1a404fe1f9ae4e6506563cfce",
                "MacAddress": "02:42:0a:00:00:03",
                "IPv4Address": "10.0.0.3/24",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.driver.overlay.vxlanid_list": "4096"
        ...


One container has now joined mynet, and the network's subnet has been set to 10.0.0.0/24.


Now verify whether containers on the two different subnets can reach each other.

Enter the container that is on the mynet network:

# docker exec -it a67b21bdc3d1 bash

[root@a67b21bdc3d1 /]# ping 10.255.0.6    # ping a container on the ingress network

PING 10.255.0.6 (10.255.0.6) 56(84) bytes of data.

No replies come back, so the separation between the two VXLAN segments is in effect. (If the two containers can talk to each other, you may need to upgrade your kernel.) Note what this test actually shows: the mynet task holds no address in 10.255.0.0/16, so the packet leaves through its default route on docker_gwbridge and is never delivered to the ingress segment; no firewall policy is involved. Had nginx_test01 been created with a published port (-p), the same task would also hold an ingress address and the ping would succeed.
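The checks this page performs by hand (comparing VXLAN IDs in the inspect output, and pinging from a mynet task to an ingress task) can be run systematically over the JSON that docker network inspect prints. The script below is an added example written for this page; it is not code from the original post or from Docker. It assumes the ingress subnet is 10.255.0.0/16 (only the /16 addresses are visible above) and adds one hypothetical task, nginx_test02, attached to both mynet and ingress, to show what a published port does to tenant isolation. The `encrypted` key it looks for in Options is what inspect shows for a network created with --opt encrypted.

```python
import ipaddress
import itertools
import json
import subprocess
from collections import defaultdict

VXLAN_KEY = "com.docker.network.driver.overlay.vxlanid_list"
HOST_SANDBOX = "ingress-sbox"  # host-side ingress endpoint, not a service task

# Constructed sample modelled on the inspect output shown on this page. Two details
# are assumptions added for illustration: the ingress subnet (10.255.0.0/16) and the
# task nginx_test02, a hypothetical mynet service that also publishes a port.
SAMPLE_INSPECT = json.loads(r'''[
 {"Name": "ingress", "Driver": "overlay", "Ingress": true,
  "IPAM": {"Config": [{"Subnet": "10.255.0.0/16", "Gateway": "10.255.0.1"}]},
  "Containers": {
   "00bf0cc88d83": {"Name": "nginxtest.1.5yukmeotwnl2v0smmhy26bwkg", "IPv4Address": "10.255.0.4/16"},
   "ac7ec55f931e": {"Name": "viz.1.zhmcw7mtvzzrma31l3letnmxp", "IPv4Address": "10.255.0.6/16"},
   "c3d9e0f1a2b4": {"Name": "nginx_test02.1.hypothetical", "IPv4Address": "10.255.0.7/16"},
   "ingress-sbox": {"Name": "ingress-endpoint", "IPv4Address": "10.255.0.2/16"}},
  "Options": {"com.docker.network.driver.overlay.vxlanid_list": "256"}},
 {"Name": "mynet", "Driver": "overlay", "Ingress": false,
  "IPAM": {"Config": [{"Subnet": "10.0.0.0/24", "Gateway": "10.0.0.1"}]},
  "Containers": {
   "a67b21bdc3d1": {"Name": "nginx_test01.1.xscom3xofubdgzp1xixt69r93", "IPv4Address": "10.0.0.3/24"},
   "c3d9e0f1a2b4": {"Name": "nginx_test02.1.hypothetical", "IPv4Address": "10.0.0.5/24"}},
  "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4096"}}
]''')


def fetch_inspect(*names):
    """Live counterpart of SAMPLE_INSPECT: run `docker network inspect` and parse it."""
    proc = subprocess.run(["docker", "network", "inspect", *names],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def task_endpoints(networks):
    """Map container id -> {overlay name: IPv4Interface} for service tasks."""
    endpoints = defaultdict(dict)
    for net in networks:
        if net.get("Driver") != "overlay":
            continue
        for cid, info in (net.get("Containers") or {}).items():
            if cid != HOST_SANDBOX:
                endpoints[cid][net["Name"]] = ipaddress.ip_interface(info["IPv4Address"])
    return endpoints


def audit(networks):
    """Return findings keyed by type; an empty dict means the overlays look segmented."""
    findings = defaultdict(list)
    vni_owner, subnets = {}, []
    for net in networks:
        if net.get("Driver") != "overlay":
            continue
        opts = net.get("Options") or {}
        # Two overlays sharing a VNI would share one VXLAN segment.
        for vni in filter(None, opts.get(VXLAN_KEY, "").split(",")):
            if vni in vni_owner:
                findings["duplicate_vxlan"].append((vni, vni_owner[vni], net["Name"]))
            vni_owner.setdefault(vni, net["Name"])
        # `--opt encrypted` shows up as an `encrypted` key; without it VXLAN payloads cross the wire in clear.
        if "encrypted" not in opts:
            findings["unencrypted"].append(net["Name"])
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            subnets.append((net["Name"], ipaddress.ip_network(cfg["Subnet"])))
    for (n1, s1), (n2, s2) in itertools.combinations(subnets, 2):
        if s1.overlaps(s2):
            findings["overlapping_subnets"].append((n1, str(s1), n2, str(s2)))
    # A task on more than one overlay (tenant network + ingress via a published port) bridges the segments.
    for cid, nets in task_endpoints(networks).items():
        if len(nets) > 1:
            findings["multi_homed"].append((cid, sorted(nets)))
    return dict(findings)


def expected_reachability(networks):
    """Predict the page's ping test for every ordered task pair as (src id, dst ip, reachable, command).

    A task can reach an overlay IP only if it holds an interface on that overlay; otherwise
    the packet leaves via its default route on docker_gwbridge and is never delivered.
    """
    endpoints = task_endpoints(networks)
    rows = []
    for src, dst in itertools.permutations(endpoints, 2):
        for net_name, iface in endpoints[dst].items():
            reachable = net_name in endpoints[src]
            rows.append((src, str(iface.ip), reachable,
                         f"docker exec {src} ping -c 1 -W 1 {iface.ip}"))
    return rows


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_INSPECT).items():
        print(kind, items)
    for src, ip, ok, cmd in expected_reachability(SAMPLE_INSPECT):
        print("expect", "reply" if ok else "timeout", cmd)
```

On a manager node, pass fetch_inspect("ingress", "mynet") instead of SAMPLE_INSPECT. The multi_homed finding is the one that matters for the multi-tenant case: separate subnets do nothing for a tenant service that also publishes a port, because that task holds an ingress address as well. The commands returned by expected_reachability reproduce the page's ping check for every pair of tasks; a reply where a timeout was predicted means the overlays are not isolated as assumed.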