Advanced Docker network configuration

I. Basic Docker network configuration

After installation Docker automatically creates three networks: bridge, host and none.

[root@server1 ~]# docker network  ls
NETWORK ID          NAME                DRIVER              SCOPE
bea6146cd261        bridge              bridge              local
d15dafa47115        host                host                local
75f84ed836bd        none                null                local

1. The bridge network

When Docker is installed it creates a Linux bridge named docker0; every newly created container is bridged onto this interface automatically.

[root@server1 ~]# ip addr show docker0 
3: docker0:  mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:62:8d:d4:11 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:62ff:fe8d:d411/64 scope link 
       valid_lft forever preferred_lft forever
[root@server1 ~]# brctl  show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242628dd411	no		veth41d79c9
[root@server1 ~]# docker run  -d nginx
0a7646ff924a8c237ebac9ddac7e190f678e62e9db642898526fd1add6e2f072
[root@server1 ~]# brctl  show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242628dd411	no		veth32787c0
							veth41d79c9


In bridge mode the container has no public IP: only the host can reach it directly and it is invisible to external hosts, but the container can still reach the outside world through the host's NAT rules.

2. The host network

Host mode is selected with --network=host when the container is created.

[root@server1 ~]# docker run -it --network=host ubuntu

Host mode lets the container share the host's network stack. The benefit is that external hosts can talk to the container directly; the cost is that the container's network has no isolation from the host.

3. The none network

None mode disables networking entirely: the container has only the lo interface. Select it with --network=none when the container is created.

[root@server1 ~]# docker run  -it --network=none ubuntu
root@86f6440a715c:/# ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
root@86f6440a715c:/# exit
exit

Container mode is a rather special network mode in Docker. Select it with --network=container:vm1 when the container is created (vm1 is the name of an already running container).

[root@server1 ~]# docker run -it --name  vm3 ubuntu
[root@server1 ~]# docker run  -it --network=container:vm3 ubuntu


Docker containers in this mode share a single network stack, so the two containers can communicate quickly and efficiently over localhost.


II. Advanced network configuration

Custom network modes: Docker provides three drivers for user-defined networks:

  • bridge
  • overlay
  • macvlan

The bridge driver resembles the default bridge network mode but adds some new features; overlay and macvlan are used to create cross-host networks.

1. Creating a custom bridge

[root@server1 ~]# docker network  create my_net1
ddae7c9ff5de1d1a6f592d39e0f7455a2888194792902e4f721c04eaba10d768
[root@server1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
bea6146cd261        bridge              bridge              local
d15dafa47115        host                host                local
ddae7c9ff5de        my_net1             bridge              local
75f84ed836bd        none                null                local

Create two containers attached to the same bridge; they can communicate with each other.
[root@server1 ~]# docker run  -it --name vm1 --network=my_net1 ubuntu
root@e3f35e9529aa:/# ping vm1
PING vm1 (172.18.0.2) 56(84) bytes of data.
64 bytes from e3f35e9529aa (172.18.0.2): icmp_seq=1 ttl=64 time=0.010 ms
64 bytes from e3f35e9529aa (172.18.0.2): icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from e3f35e9529aa (172.18.0.2): icmp_seq=3 ttl=64 time=0.021 ms
64 bytes from e3f35e9529aa (172.18.0.2): icmp_seq=4 ttl=64 time=0.021 ms
^C
--- vm1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.010/0.020/0.031/0.009 ms
root@e3f35e9529aa:/# [root@server1 ~]# 
[root@server1 ~]# docker run  -it --name vm2 --network=my_net1 ubuntu
root@45874b4d7c36:/# ping vm1
PING vm1 (172.18.0.2) 56(84) bytes of data.
64 bytes from vm1.my_net1 (172.18.0.2): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from vm1.my_net1 (172.18.0.2): icmp_seq=2 ttl=64 time=0.032 ms
^C
--- vm1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.032/0.032/0.033/0.005 ms
But two containers attached to different bridges cannot communicate with each other.
The --ip option assigns a fixed IP address to a container, but only on a user-defined bridge; the default bridge network does not support it. Containers on the same bridge can always reach one another.
[root@server1 ~]# docker network  create  --subnet=172.21.0.0/24 --gateway=172.21.0.1 my_net2
c03a60992badae2ea847b5daa8aa187301440687efbd3cd167dec28d573a6c2a
[root@server1 ~]# docker network  ls
NETWORK ID          NAME                DRIVER              SCOPE
bea6146cd261        bridge              bridge              local
d15dafa47115        host                host                local
ddae7c9ff5de        my_net1             bridge              local
c03a60992bad        my_net2             bridge              local
75f84ed836bd        none                null                local
[root@server1 ~]# docker run  -it --name  vm3 --network=my_net2 --ip=172.21.0.10 ubuntu
root@9ea86cb0a331:/# ping vm1
^C
root@9ea86cb0a331:/# ping vm3
PING vm3 (172.21.0.10) 56(84) bytes of data.
64 bytes from 9ea86cb0a331 (172.21.0.10): icmp_seq=1 ttl=64 time=0.012 ms
64 bytes from 9ea86cb0a331 (172.21.0.10): icmp_seq=2 ttl=64 time=0.022
root@9ea86cb0a331:/# ping 172.21.0.1
PING 172.21.0.1 (172.21.0.1) 56(84) bytes of data.
64 bytes from 172.21.0.1: icmp_seq=1 ttl=64 time=0.024 ms
64 bytes from 172.21.0.1: icmp_seq=2 ttl=64 time=0.030 ms
64 bytes from 172.21.0.1: icmp_seq=3 ttl=64 time=0.029 ms
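The --ip rule above (static addresses are accepted only on user-defined networks, and only inside that network's subnet) is cheap to check before a container is launched. The POSIX sh helper below is an added example, not code from the original post: it reads a constructed copy of the docker network ls output shown above instead of a live daemon, and the subnet is passed in by hand (in practice it would be taken from docker network inspect).

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for
# `docker run --network=<net> --ip=<addr>`.
# Constructed sample of `docker network ls` output; no daemon is contacted.
SAMPLE_NETWORKS='NETWORK ID          NAME                DRIVER              SCOPE
bea6146cd261        bridge              bridge              local
d15dafa47115        host                host                local
ddae7c9ff5de        my_net1             bridge              local
c03a60992bad        my_net2             bridge              local
75f84ed836bd        none                null                local'

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when address $1 lies inside CIDR $2 (e.g. 172.21.0.0/24).
ip_in_cidr() {
    cidr_net=${2%/*}; cidr_bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - cidr_bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$cidr_net") & mask )) ]
}

# Driver column for network $1, empty when the network does not exist.
network_driver() {
    printf '%s\n' "$SAMPLE_NETWORKS" | awk -v n="$1" 'NR > 1 && $2 == n { print $3 }'
}

# Refuse the request unless the network is user-defined (the built-in
# bridge/host/none networks reject --ip), it exists, and the address lies
# inside its subnet ($3, which in real use comes from `docker network inspect`).
check_static_ip() {
    case "$1" in
        bridge|host|none) echo "refuse: $1 is a built-in network, --ip is not supported"; return 1 ;;
    esac
    [ -n "$(network_driver "$1")" ] || { echo "refuse: network $1 does not exist"; return 1; }
    ip_in_cidr "$2" "$3" || { echo "refuse: $2 is outside $3"; return 1; }
    echo "ok: docker run --network=$1 --ip=$2 ..."
}

# Usage (the post's own vm3 case):
check_static_ip my_net2 172.21.0.10 172.21.0.0/24
```

The same ip_in_cidr check explains why vm3 at 172.21.0.10 could not ping vm1 at 172.18.0.2 in the transcript above: the two addresses sit in different subnets on different bridges, and Docker deliberately does not route between them.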

2. Docker isolates different networks by design; how can containers on two different bridges communicate?

Use the docker network connect command to give the container a second NIC on the other bridge.
[root@server1 ~]# docker network connect my_net1 vm3
[root@server1 ~]# docker attach  vm3
root@9ea86cb0a331:/# 
root@9ea86cb0a331:/# ping vm1
PING vm1 (172.18.0.2) 56(84) bytes of data.
64 bytes from vm1.my_net1 (172.18.0.2): icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from vm1.my_net1 (172.18.0.2): icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from vm1.my_net1 (172.18.0.2): icmp_seq=3 ttl=64 time=0.034 ms
64 bytes from vm1.my_net1 (172.18.0.2): icmp_seq=4 ttl=64 time=0.033 ms
^C
--- vm1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.033/0.034/0.039/0.007 ms
root@9ea86cb0a331:/# ping vm2
PING vm2 (172.18.0.3) 56(84) bytes of data.
64 bytes from vm2.my_net1 (172.18.0.3): icmp_seq=1 ttl=64 time=0.046 ms
64 bytes from vm2.my_net1 (172.18.0.3): icmp_seq=2 ttl=64 time=0.033 ms
^C
--- vm2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.033/0.039/0.046/0.009 ms

3. Containers reach the outside world through iptables SNAT


4. How the outside world reaches a container

Port mapping

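Both mechanisms from sections 3 and 4 live in the host's iptables nat table: a MASQUERADE rule per container subnet for outbound SNAT, and one DNAT rule in the DOCKER chain per published port. The script below is an added example, not code from the original post; it parses a constructed sample of iptables -t nat -S output for the networks used in this post (nothing is read from a live host) and separates the two kinds of rule, flagging published ports that answer on every host interface.

```shell
#!/bin/sh
# Added example (not from the original post): read the NAT table the way
# Docker populates it and report the SNAT (MASQUERADE) and DNAT (port mapping)
# rules. The rules below are a constructed sample of `iptables -t nat -S`
# output for this post's networks; nothing is read from a live host.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-ddae7c9ff5de -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.3:80'

# Outbound: the container subnets Docker masquerades behind the host address
# (the per-container hairpin rule carrying "-d" is not a subnet rule, skip it).
masquerade_subnets() {
    printf '%s\n' "$SAMPLE_NAT_RULES" |
        awk '/-j MASQUERADE/ && !/ -d / { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i+1) }'
}

# Inbound: one line per published port, "<bind address> <host port> -> <container:port>".
# A DNAT rule without "-d" was created by `-p 8080:80` and answers on every
# host interface; "-d 127.0.0.1/32" comes from `-p 127.0.0.1:8081:80`.
published_ports() {
    printf '%s\n' "$SAMPLE_NAT_RULES" | awk '/-j DNAT/ {
        bind = "0.0.0.0"; port = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") { bind = $(i+1); sub("/32$", "", bind) }
            if ($i == "--dport") port = $(i+1)
            if ($i == "--to-destination") dst = $(i+1)
        }
        print bind, port, "->", dst
    }'
}

# Number of published ports reachable from any interface. Docker inserts its
# own chains ahead of host firewall front-ends such as ufw, so each of these
# deserves a deliberate decision rather than the default bind address.
count_wide_open() {
    published_ports | awk '$1 == "0.0.0.0"' | wc -l | tr -d ' '
}

masquerade_subnets
published_ports
```

Binding a mapping to 127.0.0.1 (-p 127.0.0.1:8081:80) is the simplest way to keep an administrative port reachable from the host only; a plain -p 8080:80 publishes on all interfaces, and because Docker manages the DOCKER chain itself, a host-level firewall rule that appears to block the port may not apply to it.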

III. Cross-host network solutions

Implementing the macvlan network scheme

macvlan is a NIC virtualization technology provided by the Linux kernel. It needs no Linux bridge and uses the physical interface directly, which gives excellent performance.

1. Prepare two Docker hosts and add a NIC to each

[root@server1 network-scripts]# cp ifcfg-eth0 ifcfg-eth1
[root@server1 network-scripts]# vim ifcfg-eth1
[root@server1 network-scripts]# ifup eth1				## bring the NIC up

Do the same on the other host.

2. Enable promiscuous mode on the NIC of both hosts

[root@server1 network-scripts]# ip link set eth1 promisc on
[root@server1 network-scripts]# ip addr show eth1
64: eth1:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:ff:8f:d6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:feff:8fd6/64 scope link 
       valid_lft forever preferred_lft forever


[root@server2 network-scripts]# ip link set eth1 promisc on
[root@server2 network-scripts]# ip addr show eth1
3: eth1:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:fa:4d:2d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fefa:4d2d/64 scope link 
       valid_lft forever preferred_lft forever

3. Create a macvlan network on each of the two Docker hosts

[root@server1 network-scripts]# docker network create -d macvlan --subnet=172.22.0.0/24 --gateway=172.22.0.1 -o parent=eth1  macvlan1

[root@server2 ~]# docker network create -d macvlan --subnet=172.22.0.0/24 --gateway=172.22.0.1 -o parent=eth1  macvlan1

4. Test network connectivity

[root@server1 ~]# docker run -it --name vm1 --network=macvlan1 --ip=172.22.0.10 ubuntu
[root@server1 ~]# docker run -it --name vm2 --network=macvlan1 --ip=172.22.0.11 ubuntu
[root@server2 ~]# docker run -it --name vm3 --network=macvlan1 --ip=172.22.0.12 ubuntu
The container on server2 can reach the containers on server1 because they are all on the same subnet.
root@9e191471d1d9:/# ping 172.22.0.10
PING 172.22.0.10 (172.22.0.10) 56(84) bytes of data.
64 bytes from 172.22.0.10: icmp_seq=1 ttl=64 time=0.493 ms
64 bytes from 172.22.0.10: icmp_seq=2 ttl=64 time=0.234 ms
64 bytes from 172.22.0.10: icmp_seq=3 ttl=64 time=0.319 ms
^C
--- 172.22.0.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.234/0.348/0.493/0.109 ms
root@9e191471d1d9:/# ping 172.22.0.11
PING 172.22.0.11 (172.22.0.11) 56(84) bytes of data.
64 bytes from 172.22.0.11: icmp_seq=1 ttl=64 time=0.632 ms
64 bytes from 172.22.0.11: icmp_seq=2 ttl=64 time=0.325 ms
64 bytes from 172.22.0.11: icmp_seq=3 ttl=64 time=0.331 ms


5. macvlan takes exclusive use of the host NIC, but VLAN sub-interfaces allow multiple macvlan networks

A VLAN divides a physical layer-2 network into up to 4094 logical networks that are isolated from each other; VLAN IDs range from 1 to 4094.

[root@server1 ~]# docker network create -d macvlan --subnet=172.23.0.0/24 --gateway=172.23.0.1 -o parent=eth1.1  macvlan2
8fc3fc0e1b8985fd974f094b512d556c4f861235bb77c2e07b9e6c17cd1f8f2b
[root@server1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
bea6146cd261        bridge              bridge              local
d15dafa47115        host                host                local
2836c7d8a316        macvlan1            macvlan             local
8fc3fc0e1b89        macvlan2            macvlan             local
75f84ed836bd        none                null                local
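Steps 2, 3 and 5 above form one procedure: put the parent NIC into promiscuous mode, then create each macvlan network on a VLAN sub-interface named <nic>.<vlan id>, which Docker creates for you when the parent name contains a dot. The script below is an added example, not code from the original post; it checks those preconditions against a constructed sample of ip -o link show output (only eth1 carries the PROMISC flag, mirroring step 2) and emits the create command, so a typo in the VLAN id or a forgotten promisc step is caught before anything touches the network.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight for
# `docker network create -d macvlan ... -o parent=<nic>.<vlan id>`.
# Constructed sample of `ip -o link show` output; only eth1 has been put into
# promiscuous mode, as in step 2 above. Nothing is read from a live host.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:cc brd ff:ff:ff:ff:ff:ff
64: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ff:8f:d6 brd ff:ff:ff:ff:ff:ff'

# Exit 0 when interface $1 exists and carries the PROMISC flag.
iface_promisc() {
    printf '%s\n' "$SAMPLE_LINKS" |
        awk -v n="$1" '$2 == (n ":") && $3 ~ /PROMISC/ { found = 1 } END { exit !found }'
}

# Exit 0 when $1 is an integer in the 802.1Q range 1-4094.
valid_vlan_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the create command for a macvlan network on VLAN sub-interface
# <base>.<vid>; Docker creates the sub-interface itself when the parent name
# contains a dot. Arguments: base NIC, VLAN id, subnet, gateway, network name.
macvlan_create_cmd() {
    valid_vlan_id "$2" || { echo "refuse: VLAN id '$2' is not in 1-4094" >&2; return 1; }
    iface_promisc "$1" || { echo "refuse: $1 is missing or not in promiscuous mode (ip link set $1 promisc on)" >&2; return 1; }
    printf 'docker network create -d macvlan --subnet=%s --gateway=%s -o parent=%s.%s %s\n' "$3" "$4" "$1" "$2" "$5"
}

# Usage (the post's macvlan2 network on VLAN 1 of eth1):
macvlan_create_cmd eth1 1 172.23.0.0/24 172.23.0.1 macvlan2
```

Two properties of macvlan are worth keeping in mind when reading the ping results in this section: containers sit directly on the physical segment rather than behind the host's docker NAT rules, and in the default bridge mode the host itself cannot reach its own macvlan containers through the parent interface, so connectivity has to be tested from another container or another host, exactly as the transcripts above do.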

6. Isolation and interconnection between macvlan networks

macvlan networks are isolated at layer 2, so containers on different macvlan networks cannot communicate with each other. They can be connected at layer 3 through a gateway.

[root@server1 ~]# docker run -it --name vm3 --network=macvlan2 --ip=172.23.0.11 ubuntu
root@bbb4f6121fd0:/# ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
68: eth0@if67:  mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether 02:42:ac:17:00:0b brd ff:ff:ff:ff:ff:ff
    inet 172.23.0.11/24 brd 172.23.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@bbb4f6121fd0:/# ping 172.22.0.10
PING 172.22.0.10 (172.22.0.10) 56(84) bytes of data.
^C
--- 172.22.0.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

root@bbb4f6121fd0:/# [root@server1 ~]# 
[root@server1 ~]# docker network  connect  macvlan1 vm3
[root@server1 ~]# docker attach vm3
root@bbb4f6121fd0:/# 
root@bbb4f6121fd0:/# ping 172.22.0.10
PING 172.22.0.10 (172.22.0.10) 56(84) bytes of data.
64 bytes from 172.22.0.10: icmp_seq=1 ttl=64 time=0.053 ms
64 bytes from 172.22.0.10: icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from 172.22.0.10: icmp_seq=3 ttl=64 time=0.027 ms
^C
--- 172.22.0.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.027/0.036/0.053/0.012 ms
root@bbb4f6121fd0:/# read escape sequence

