Docker networking: cross-host container communication

1. Solutions for cross-host container networking:
(1) Docker's native overlay and macvlan drivers
(2) Third-party flannel, weave and calico
2. How these many network solutions integrate with Docker:
(1) libnetwork, the Docker container networking library
(2) CNM (Container Network Model), which abstracts container networking
The three kinds of CNM components:
Sandbox: the container's network stack, including the container's interfaces, DNS configuration and routing table
Endpoint: attaches a sandbox to a network
Network: a group of endpoints; endpoints on the same network can communicate with each other
3. Implementing the macvlan network solution
macvlan is a NIC virtualisation technique provided by the Linux kernel
It needs no Linux bridge and uses the physical interface directly, so performance is excellent
Lab prerequisites:
Two virtual machines
172.25.4.111 server1
172.25.4.112 server2
Each VM gets one additional physical NIC

[root@server1 ~]# ip addr show
6: eth1:  mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 52:54:00:70:4e:0d brd ff:ff:ff:ff:ff:ff

[root@server2 ~]# ip addr show
5: eth1:  mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 52:54:00:bf:79:b8 brd ff:ff:ff:ff:ff:ff

Enable promiscuous mode on the new NIC

[root@server1 ~]# ip link set up eth1  ## bring the NIC up
[root@server1 ~]# ip link set eth1 promisc on  ## enable promiscuous mode
[root@server1 ~]# ip addr show eth1
7: eth1:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:42:36:bd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe42:36bd/64 scope link 
       valid_lft forever preferred_lft forever

[root@server2 ~]# ip link set up eth1
[root@server2 ~]# ip link set eth1 promisc on
[root@server2 ~]# ip addr show eth1
8: eth1:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:ac:57:64 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:feac:5764/64 scope link 
       valid_lft forever preferred_lft forever

Create a macvlan network on each Docker host and start a container on it

[root@server1 ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 macvlan1  ## create the macvlan network with eth1 as its parent interface
04d229c2729c0be3ac2188dbe0f789fc3bb59db4c21e8e03476ef02edcbb1b00
[root@server1 ~]# docker run -it --name vm1 --network macvlan1 --ip 172.20.0.11 ubuntu
root@f6921a826dfa:/# ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if7:  mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether 02:42:ac:14:00:0b brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.11/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@f6921a826dfa:/# ping 172.20.0.12
PING 172.20.0.12 (172.20.0.12) 56(84) bytes of data.
64 bytes from 172.20.0.12: icmp_seq=1 ttl=64 time=0.678 ms


[root@server2 ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 macvlan1
8746407d7ed8263575c4ba572bdd8e66e47a147224bd799f10a850a3eef7b14c
[root@server2 ~]# docker run -it --name vm2 --network macvlan1 --ip 172.20.0.12 ubuntu
root@96d62389f2e5:/# ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if8:  mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether 02:42:ac:14:00:0c brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.12/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@96d62389f2e5:/# ping 172.20.0.11
PING 172.20.0.11 (172.20.0.11) 56(84) bytes of data.
64 bytes from 172.20.0.11: icmp_seq=1 ttl=64 time=0.361 ms
64 bytes from 172.20.0.11: icmp_seq=2 ttl=64 time=0.313 ms

Inspect the bridges

[root@server1 ~]# brctl show  ## list bridges and their attached interfaces
bridge name	bridge id		STP enabled	interfaces
docker0		8000.024252a51104	no		

[root@server2 ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.0242978fae68	no	

When the two containers on different hosts communicate, the traffic does not pass through a bridge interface: the container interface is attached directly to the host's physical NIC, so no NAT or port mapping is needed.
4. How macvlan works
A macvlan network takes exclusive ownership of a host NIC, but VLAN sub-interfaces can be used to run multiple macvlan networks on one NIC.
VLANs divide a physical layer-2 network into up to 4094 logical networks that are isolated from one another; VLAN IDs range from 1 to 4094.

[root@server1 ~]# docker network create -d macvlan --subnet 172.21.0.0/24 --gateway 172.21.0.1 -o parent=eth1.1 macvlan2
7c6f8b7878ea8977c8cf9ee78afc5e43a804864f7db4f7fb22c25b4889f5aa82
[root@server1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
5d0d0f1a280e        bridge              bridge              local
66a8ce5625c5        host                host                local
04d229c2729c        macvlan1            macvlan             local
7c6f8b7878ea        macvlan2            macvlan             local
ebc2c1a28d75        none     
[root@server1 ~]# docker run -it --name vm3 --network macvlan2 --ip 172.21.0.11 ubuntu
root@38d96425d74e:/# ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if12:  mtu 1500 qdisc noqueue state UNKNOWN group default 
    link/ether 02:42:ac:15:00:0b brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.11/24 brd 172.21.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@38d96425d74e:/# ping 172.20.0.11  ## cannot reach the container on macvlan1, because containers on different macvlan networks are isolated from each other
PING 172.20.0.11 (172.20.0.11) 56(84) bytes of data.
[root@server2 ~]# docker network create -d macvlan --subnet 172.21.0.0/24 --gateway 172.21.0.1 -o parent=eth1.1 macvlan2
9ece6d57a653601f4040da4f0d9fa654b1f9f2329b92568761bfe742e930af28
[root@server2 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
c5884a195193        bridge              bridge              local
89419321849d        host                host                local
8746407d7ed8        macvlan1            macvlan             local
9ece6d57a653        macvlan2            macvlan             local
6aeb7580bc0f        none                null                local
[root@server2 ~]# docker run -it --name vm4 --network macvlan2 --ip 172.21.0.12 ubuntu
root@8653253b460d:/# ping 172.21.0.11  ## containers on different hosts communicate through the host NIC
PING 172.21.0.11 (172.21.0.11) 56(84) bytes of data.
64 bytes from 172.21.0.11: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 172.21.0.11: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 172.21.0.11: icmp_seq=3 ttl=64 time=0.255 ms
^C
--- 172.21.0.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.255/0.322/0.446/0.089 ms
root@8653253b460d:/# ping 172.20.0.12  ## different macvlan networks cannot talk to each other; if they need to, route between them through a gateway
PING 172.20.0.12 (172.20.0.12) 56(84) bytes of data.
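The per-host steps above (bring eth1 up, enable promiscuous mode, create the macvlan network, optionally on a VLAN sub-interface such as eth1.1) are repeated by hand on server1 and server2. The script below is an added example, not code from the original post: it packages those same commands into one parameterised shell script that is run identically on both hosts, validates the VLAN ID against the 1..4094 range the post states, and, before creating the network, checks that the parent NIC really is UP and PROMISC by inspecting the flag list printed by `ip link show`. The interface name eth1, the network names macvlan1/macvlan2, the subnets and gateways are the post's values; the DRY_RUN variable, the function names and the two sample `ip link show` lines are assumptions constructed for this example. DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them as root.

```shell
#!/bin/sh
# Added example (not from the original post): one parameterised macvlan setup
# script for a Docker host. Assumed: parent NIC eth1, network names and subnets
# as in the post; DRY_RUN, the function names and the sample lines are ours.

DRY_RUN="${DRY_RUN:-1}"

# run: echo a command, and execute it only when DRY_RUN=0
run() {
    echo "+ $*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# valid_vlan_id: accept only integers in the usable 802.1Q range 1..4094
# (0 and 4095 are reserved, which is why the post counts 4094 logical networks)
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# parent_iface BASE [VID]: eth1 for an untagged network, eth1.<vid> for a
# VLAN sub-interface (the post uses eth1.1 as the parent of macvlan2)
parent_iface() {
    if [ -z "$2" ]; then
        echo "$1"
    elif valid_vlan_id "$2"; then
        echo "$1.$2"
    else
        return 1
    fi
}

# iface_flags_ok LINE: given the first line printed by `ip link show DEV`,
# succeed only when the <...> flag list contains both UP and PROMISC.
iface_flags_ok() {
    printf '%s\n' "$1" | grep -Eq '<([^>]*,)?UP(,[^>]*)?>' &&
    printf '%s\n' "$1" | grep -Eq '<([^>]*,)?PROMISC(,[^>]*)?>'
}

# Constructed sample lines in the format of `ip link show eth1` (the post's
# own output lost the <...> flag list during extraction).
SAMPLE_READY='7: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000'
SAMPLE_DOWN='6: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000'

# macvlan_setup BASE VID NAME SUBNET GATEWAY: the three commands from the post,
# with a check that the parent NIC is UP+PROMISC before the network is created
macvlan_setup() {
    base="$1"; vid="$2"; name="$3"; subnet="$4"; gw="$5"
    parent=$(parent_iface "$base" "$vid") || { echo "invalid VLAN id: $vid" >&2; return 1; }
    # the post brings the NIC up and enables promiscuous mode on it first,
    # so the VM's NIC accepts frames addressed to the containers' own MACs
    run ip link set up "$base"
    run ip link set "$base" promisc on
    if [ "$DRY_RUN" = "0" ]; then
        iface_flags_ok "$(ip link show "$base" | head -n 1)" ||
            { echo "$base is not UP+PROMISC, refusing to create $name" >&2; return 1; }
    fi
    run docker network create -d macvlan --subnet "$subnet" --gateway "$gw" \
        -o parent="$parent" "$name"
}

# usage: the same two calls on server1 and server2; only the --ip values given
# to `docker run` differ between the hosts afterwards
macvlan_setup eth1 ""  macvlan1 172.20.0.0/24 172.20.0.1
macvlan_setup eth1 1   macvlan2 172.21.0.0/24 172.21.0.1
```

Run it once per host with `DRY_RUN=0 sh macvlan-setup.sh` (hypothetical file name) after reviewing the printed commands in the default dry-run mode. The UP+PROMISC check matters because a macvlan network created on a parent that is still DOWN or not promiscuous comes up without error but the containers on it cannot reach each other across hosts.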

From this we can conclude:
macvlan networks are isolated at layer 2, so containers on different macvlan networks cannot communicate with each other directly.
The macvlan networks can be joined at layer 3 through a gateway.
Docker itself imposes no restrictions on this traffic; the networks are managed like traditional VLANs.

docker network subcommands
connect: attach a container to the given network
create: create a network
disconnect: detach a container from the given network
inspect: show detailed information about the given network
ls: list all networks
rm: delete a network
