类型 | 说明 | 与主机通信 | 联网 | 容器间通信 | 不同主机容器间通信 |
---|---|---|---|---|---|
bridge* | 网桥模式 | Y | Y | Y | N |
host | 主机模式 | - | Y | - | N |
none | 隔离模式 | N | N | N | N |
container | 容器模式 | - | - | - | - |
macvlan | 通道模式 | N | N | Y | Y |
overlay*** | 层接模式 | Y | Y | Y | Y |
类似于NAT:Docker在宿主机上新建一块虚拟网桥docker0,容器挂接到该网桥,再经由本机ens160网卡上网。
[root@docker01 ~]# hostname -I
13.13.3.3 172.17.0.1
[root@docker01 ~]# docker container run -it centos
[root@ac0926d86274 /]# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.062 ms
[root@ac0926d86274 /]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=31.6 ms
[root@ac0926d86274 /]# hostname -I
172.17.0.2
[root@ac0926d86274 /]# read escape sequence # 依次按 Ctrl+P、Ctrl+Q 脱离(detach)终端,容器继续在后台运行
[root@docker01 ~]# docker container run -it centos
[root@614efa62ecb0 /]# hostname -I
172.17.0.3
[root@614efa62ecb0 /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.036 ms
[root@614efa62ecb0 /]#
与宿主机共享网络信息(ip, hostname, port …)。容器直接使用宿主机的网络命名空间,两者之间没有网络隔离:容器内监听的端口直接占用宿主机端口,容器也能访问宿主机上仅绑定在127.0.0.1的服务,因此只应在确有需要时对受信任的镜像使用。
[root@docker01 ~]# docker container run -it --network=host centos
[root@docker01 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:17:cf:2e brd ff:ff:ff:ff:ff:ff
inet 13.13.3.3/16 brd 13.13.255.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::7e59:6bd6:253a:213f/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:6f:a1:27:13 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:6fff:fea1:2713/64 scope link
valid_lft forever preferred_lft forever
15: vetha66c2d2@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 6a:31:73:67:64:b5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::6831:73ff:fe67:64b5/64 scope link
valid_lft forever preferred_lft forever
[root@docker01 /]# hostname -I
13.13.3.3 172.17.0.1
[root@docker01 /]#
除回环接口lo外没有任何网卡,无网络可言。
[root@docker01 ~]# docker container run -it --network=none centos
[root@8ab1bb5c3707 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
[root@8ab1bb5c3707 /]#
与已有的容器共享网络信息(IP、端口等),连通性取决于其所依附的那个容器(此处为master)。
[root@docker01 ~]# docker container run -it --name=master centos
[root@3f28bb6e8654 /]# hostname -I
172.17.0.3
[root@3f28bb6e8654 /]# read escape sequence
[root@docker01 ~]# docker container run -it --network=container:master centos
[root@3f28bb6e8654 /]# hostname -I
172.17.0.3
[root@3f28bb6e8654 /]#
为每个容器分配独立的MAC地址,使其直接接入父网卡(此处为ens160)所在的二层网络,实现不同主机上容器间的通信。
[root@docker01 ~]# docker network create --driver=macvlan --subnet=172.16.0.0/16 --gateway=172.16.254.254 -o parent=ens160 macvlan-16
fffdd8a75f060d3801f96ff4517c8608a5a1fe4d0fffcdf93898c361562bd8e5
[root@docker01 ~]# docker container run -it --network=macvlan-16 --ip=172.16.3.3 centos
[root@5519f991355d /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
20: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:10:03:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.16.3.3/16 brd 172.16.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@5519f991355d /]#
两台主机都要设置新的网络,且容器IP地址不能冲突。
[root@docker02 ~]# docker network create --driver=macvlan --subnet=172.16.0.0/16 --gateway=172.16.254.254 -o parent=ens160 macvlan-16
c9d305635e3a473fb374e8a8d9d276600c2f52d58fd1a8d5f502604841293e4f
[root@docker02 ~]# docker container run -it --network=macvlan-16 --ip=172.16.4.4 centos
[root@3e0cab1d674d /]# hostname -I
172.16.4.4
[root@3e0cab1d674d /]#
[root@5519f991355d /]# ping 172.16.4.4
PING 172.16.4.4 (172.16.4.4) 56(84) bytes of data.
64 bytes from 172.16.4.4: icmp_seq=1 ttl=64 time=0.495 ms
[root@5519f991355d /]#
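TCP port 2377 for cluster management communications
TCP and UDP port 7946 for communication among nodes
UDP port 4789 for overlay network traffic
注意:以上端口只需在集群节点之间互通(2377/tcp只需在manager节点上开放),不应对不受信任的网络开放;下面的firewall-cmd命令未限制来源地址,生产环境中应限定为集群节点的IP。另外,overlay数据流量(4789/udp,VXLAN)默认不加密,需要时可在创建网络时加上 --opt encrypted。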
[root@registry ~]# firewall-cmd --permanent --add-port=2377/tcp
success
[root@registry ~]# firewall-cmd --permanent --add-port=7946/tcp
success
[root@registry ~]# firewall-cmd --permanent --add-port=7946/udp
success
[root@registry ~]# firewall-cmd --permanent --add-port=4789/udp
success
[root@registry ~]# firewall-cmd --reload
success
[root@registry ~]#
[root@docker01 ~]# firewall-cmd --permanent --add-port=7946/tcp
success
[root@docker01 ~]# firewall-cmd --permanent --add-port=7946/udp
success
[root@docker01 ~]# firewall-cmd --permanent --add-port=4789/udp
success
[root@docker01 ~]# firewall-cmd --reload
success
[root@docker01 ~]#
[root@docker02 ~]# firewall-cmd --permanent --add-port=7946/tcp
success
[root@docker02 ~]# firewall-cmd --permanent --add-port=7946/udp
success
[root@docker02 ~]# firewall-cmd --permanent --add-port=4789/udp
success
[root@docker02 ~]# firewall-cmd --reload
success
[root@docker02 ~]#
[root@registry ~]# docker swarm init --advertise-addr=13.13.2.2
Swarm initialized: current node (oqkd6om42kmglt1mujf57vml7) is now a manager.
To add a worker to this swarm, run the following command:
docker swarm join --token SWMTKN-1-059wzs92yk8g4dx4wyfl3467v5dps6qpqjs4l0lzm1o35jgx60-8al1hre98hzn3hobwy4p2bh8q 13.13.2.2:2377
To add a manager to this swarm, run 'docker swarm join-token manager' and follow the instructions.
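[root@registry ~]#
注意:join token相当于加入集群的凭据,不应出现在公开的文档或日志中;如已泄露,可在manager节点上执行 docker swarm join-token --rotate worker 进行轮换。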
[root@docker01 ~]# docker swarm join --token SWMTKN-1-059wzs92yk8g4dx4wyfl3467v5dps6qpqjs4l0lzm1o35jgx60-8al1hre98hzn3hobwy4p2bh8q 13.13.2.2:2377
This node joined a swarm as a worker.
[root@docker01 ~]#
[root@docker02 ~]# docker swarm join --token SWMTKN-1-059wzs92yk8g4dx4wyfl3467v5dps6qpqjs4l0lzm1o35jgx60-8al1hre98hzn3hobwy4p2bh8q 13.13.2.2:2377
This node joined a swarm as a worker.
[root@docker02 ~]#
[root@registry ~]# docker network create -d overlay --attachable my-overlay
o37dri76wa5qi78juf1goo6od
[root@registry ~]#
[root@docker01 ~]# docker container run -it --network my-overlay --name=over01 centos
[root@d78eb0e34c91 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
34: eth0@if35: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 02:42:0a:00:02:0e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.2.14/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
36: eth1@if37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth1
valid_lft forever preferred_lft forever
[root@d78eb0e34c91 /]#
[root@docker02 ~]# docker container run -it --network my-overlay --name=over02 centos
[root@3188a341b7d2 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
60: eth0@if61: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 02:42:0a:00:02:10 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.2.16/24 brd 10.0.2.255 scope global eth0
valid_lft forever preferred_lft forever
62: eth1@if63: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth1
valid_lft forever preferred_lft forever
[root@3188a341b7d2 /]#
[root@d78eb0e34c91 /]# ping -c 1 over02
PING over02 (10.0.2.16) 56(84) bytes of data.
64 bytes from over02.my-overlay (10.0.2.16): icmp_seq=1 ttl=64 time=0.291 ms
--- over02 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.291/0.291/0.291/0.000 ms
[root@d78eb0e34c91 /]# ping -c 1 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=31.7 ms
--- 114.114.114.114 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.715/31.715/31.715/0.000 ms
[root@d78eb0e34c91 /]#
[root@3188a341b7d2 /]# ping -c 1 over01
PING over01 (10.0.2.14) 56(84) bytes of data.
64 bytes from over01.my-overlay (10.0.2.14): icmp_seq=1 ttl=64 time=0.487 ms
--- over01 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms
[root@3188a341b7d2 /]# ping -c 1 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=127 time=31.4 ms
--- 114.114.114.114 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 31.358/31.358/31.358/0.000 ms
[root@3188a341b7d2 /]#
参考:https://www.cnblogs.com/xiangsikai/p/9898174.html
[root@registry ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
24958f9404d1 bridge bridge local
ca6834a6ede2 docker_gwbridge bridge local
6a2feb0265d9 host host local
fiayrdt9zw9d ingress overlay swarm
o37dri76wa5q my-overlay overlay swarm
3b85ff0e6d36 none null local
[root@registry ~]# docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS ENGINE VERSION
soqisifjiu1nk5n4xnc5a0rhp docker01 Ready Active 19.03.13
gq2n71xegjzqr4fxfbn95fvw7 docker02 Ready Active 19.03.13
oqkd6om42kmglt1mujf57vml7 * registry Ready Active Leader 19.03.13
[root@registry ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:a6:96:20 brd ff:ff:ff:ff:ff:ff
inet 13.13.2.2/16 brd 13.13.255.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::1153:d8b4:2854:c3d0/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:e0:a5:26:5e brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: docker_gwbridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:53:a7:c4:2b brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global docker_gwbridge
valid_lft forever preferred_lft forever
inet6 fe80::42:53ff:fea7:c42b/64 scope link
valid_lft forever preferred_lft forever
10: veth528013c@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker_gwbridge state UP group default
link/ether 5e:dc:93:f3:10:c9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::5cdc:93ff:fef3:10c9/64 scope link
valid_lft forever preferred_lft forever
[root@registry ~]#