Docker学习（五）docker的跨主机网络访问（不同宿主机上的容器之间的通信）

1. 跨主机容器网络解决方案

2. macvlan容器网络方案的实现

macvlan本身是linxu kernel的模块，本质上是一种网卡虚拟化技术。
其功能是允许在同一个物理网卡上虚拟出多个网卡，通过不同的MAC地址在数据链路层进行网络数据的转发，

一块网卡上配置多个 MAC 地址（即多个 interface），每个interface可以配置自己的IP，
Docker的macvlan网络实际上就是使用了Linux提供的macvlan驱动。
因为多个MAC地址的网络数据包都是从同一块网卡上传输，所以需要打开网卡的混杂模式ip link set eth1 promisc on。

3.实验操作

（1）两台虚拟机
（2）两台虚拟机上添加两块虚拟网卡，并安装好相应的docker服务（因为我们模拟的是docker容器的跨主机访问）并激活新添加的网卡

[root@server1 ~]# ip link set up eth1
[root@server1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:dc:b7:52 brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.1/24 brd 172.25.254.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fedc:b752/64 scope link 
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:8a:aa:10:05 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8aff:feaa:1005/64 scope link 
       valid_lft forever preferred_lft forever
12: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:13:34:8c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe13:348c/64 scope link 
       valid_lft forever preferred_lft forever
[root@server1 ~]# 

[root@server2 ~]# ip link set up eth1
[root@server2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:82:ca:3f brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.2/24 brd 172.25.254.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe82:ca3f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:48:a1:7f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe48:a17f/64 scope link tentative 
       valid_lft forever preferred_lft forever
[root@server2 ~]# 

[root@server2 ~]# ip link set eth1 promisc on 
[root@server2 ~]# ip a

[root@server1 ~]# ip link set eth1 promisc on 
[root@server1 ~]# ip a

注意：如果不开启混杂模式,会导致macvlan网络无法访问外界
不使用vlan时,表现为无法ping通路由,无法ping通同一网络内其他主机
在两台主机上各创建macvlan网络
创建macvlan网络不同于桥接模式，需要指定网段和网关（因为要保证跨主机上网段和网关是相同的），并且都得是真实存在的
server1:

[root@server1 ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 macvlan1
cebe912b17e02a129f9ee786ee9b7ad22dd2afcfb9d2d0974b60c9404419f9b8
[root@server1 ~]# docker run -it --name vm1 --network macvlan1 --ip 172.20.0.11 busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:14:00:0b brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.11/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # 
[root@server1 ~]# docker network ls

server2:

[root@server2 ~]# docker network create -d macvlan  --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 macvlan1
279dd35bfa6be567fd6d39b11efd279bdc3a933b1df0d294c98eb0009609aafd

[root@server2 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
c96eee3f4daa        bridge              bridge              local
0f800d02b4f4        host                host                local
279dd35bfa6b        macvlan1            macvlan             local
321d7c0e41dc        none                null                local
[root@server2 ~]# 

测试：sever2容器vm2中ping server1的vm1容器

[root@server2 ~]# docker run -it --name vm2 --network macvlan1 --ip 172.20.0.12 busybox
/ # ping 172.20.0.11
PING 172.20.0.11 (172.20.0.11): 56 data bytes
64 bytes from 172.20.0.11: seq=0 ttl=64 time=0.952 ms
64 bytes from 172.20.0.11: seq=1 ttl=64 time=0.419 ms
64 bytes from 172.20.0.11: seq=2 ttl=64 time=0.383 ms
^C
--- 172.20.0.11 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.383/0.584/0.952 ms
/ # 

其实这就实现了不同宿主机上的容器之间的通信
macvlan模式不依赖网桥，所以brctl show查看并没有创建新的bridge

但是查看容器的网络，会看到虚拟网卡对应了一个interface是12

查看宿主机的网络，12正是虚机的eth1网卡

可见，容器的 eth0 就是宿主机的eth1通过macvlan虚拟出来的interface
容器的interface直接与主机的网卡连接，这种方案使得容器无需通过NAT和端口映射就能与外网直接通信（只要有网关）
在网络上看起来与其他独立主机没有区别