Docker配置网络

Docker默认使用bridge模式, 通过网桥连接到宿主机, 而容器内部的IP则从网桥所在的IP段取未用的IP。 这样做不方便的地方在于容器内部的ip不是固定的, 想要连接容器时只能通过映射到宿主机的端口, 因而有很多项目使用overlay来为docker提供网络的配置, 比如Pipework、Flannel、Kubernetes、Weave、opencontrail等。docker的网络模式中只有--net=none才可以为docker分配固定ip。

1. 创建br0网卡绑定eth0网卡

[root@docker ~]# cd /etc/sysconfig/network-scripts/

[root@docker network-scripts]# vim ifcfg-eth0

DEVICE=eth0
HWADDR=00:0C:29:7E:AA:ED
TYPE=Ethernet
UUID=77ea2b6a-a0fe-4300-98fc-fb62a64fed4e
ONBOOT=yes
NM_CONTROLLED=yes
#BOOTPROTO=static
#IPADDR=192.168.15.15
#NETMASK=255.255.255.0
#GATEWAY=192.168.15.2
#DNS1=114.114.114.114
BRIDGE=br0                         //绑定br0网卡

[root@docker network-scripts]# cp ifcfg-eth0 ifcfg-br0          //复制一块br0网卡

[root@docker network-scripts]# vim ifcfg-br0 

DEVICE=br0
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.15.15
NETMASK=255.255.255.0
GATEWAY=192.168.15.2
DNS1=114.114.114.114
MTU=1500
TYPE=Bridge
USERCTL=no

[root@docker network-scripts]# /etc/init.d/network restart          //重启网络服务

2. 创建容器

[root@docker network-scripts]# cd /usr/local/src/

[root@docker src]# yum -y install gcc gcc-c++ flex bison

[root@docker src]# wget https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.0.0.tar.gz

[root@docker src]# tar -zxvf iproute2-4.0.0.tar.gz

[root@docker src]# cd iproute2-4.0.0

[root@docker iproute2-4.0.0]# sed -i '/^TARGETS/s@arpd@@g' misc/Makefile

[root@docker iproute2-4.0.0]# ./configure

[root@docker iproute2-4.0.0]# make SBINDIR=/sbin/

[root@docker iproute2-4.0.00]# make SBINDIR=/sbin install

//创建容器脚本

[root@docker iproute2-4.0.0]# cd /root/docker

[root@docker docker]# vim docker_create.sh 

#!/bin/sh
#br0网桥
brName='br0'
vmName='docker-1'

#容器IP地址和网关
fixed_ip='192.168.15.41/24'
gateway='192.168.15.2'
# start new container
cid=$(docker run -d -i -h $vmName --name=$vmName --net=none -t jdeathe/centos-ssh)
pid=$(docker inspect -f '{{.State.Pid}}' $cid)
##容器配置网络namespace，并设置固定ip：
# set up netns
mkdir -p /var/run/netns
ln -s /proc/$pid/ns/net /var/run/netns/$pid
# set up bridge
ip link add q$pid type veth peer name r$pid
brctl addif $brName q$pid
ip link set q$pid up
# set up docker interface
ip link set r$pid netns $pid
ip netns exec $pid ip link set dev r$pid name eth0
ip netns exec $pid ip link set eth0 up
ip netns exec $pid ip addr add $fixed_ip dev eth0
ip netns exec $pid ip route add default via 192.168.15.2
echo "container $vmName cid: $cid" >> /root/docker/container_cid.txt
echo "Enter $vmName command: nsenter --target $pid --mount --uts --ipc --net --pid" >> /root/docker/enter_container_command.txt

[root@docker sbin]# chmod +x docker_create.sh

//运行创建容器脚本

[root@docker docker]# sh docker_create.sh

[root@docker docker]# docker ps
CONTAINER ID                  IMAGE                       COMMAND                CREATED             STATUS              PORTS             NAMES
82a1dedff146        jdeathe/centos-ssh:latest   "/usr/bin/supervisor    54 seconds ago      Up 3 seconds                            docker-42

//此时容器已经启动,连接容器命令如下

[root@docker docker]# PID=$(docker inspect --format "{{ .State.Pid }}" 82a1dedff146)

[root@docker docker]# nsenter --target $PID --mount --uts --ipc --net --pid

[root@docker /]# ip a|grep eth0
12: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.15.41/24 scope global eth0

[root@docker /]# ping 90root.com
PING 90root.com (112.74.113.61) 56(84) bytes of data.
64 bytes from 112.74.113.61: icmp_seq=1 ttl=128 time=45.9 ms

3. 配置容器

//为容器eth0网卡配置静态IP地址(防止容器内部执行/etc/init.d/network restart后不分配IP地址从而断网)。接着上面的操作来

[root@docker /]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
ONBOOT=static
IPADDR=192.168.15.41
NETMASK=255.255.255.0
GATEWAY=192.168.15.2
DNS1=114.114.114.114

//为容器设置root密码

[root@docker /]# passwd

Changing password for user root.

New password:

/usr/share/cracklib/pw_dict.pwd: No such file or directory

PWOpen: No such file or directory

     解决办法如下:

[root@docker /]# vi /etc/ssh/sshd_config

PermitRootLogin yes     //no改为yes

[root@docker /]# /etc/init.d/sshd restart

[root@docker /]# yum -y reinstall cracklib-dicts

从其它服务器登入容器服务器报错:

[root@docker .ssh]# ssh [email protected]
The authenticity of host '192.168.15.42 (192.168.15.42)' can't be established.
RSA key fingerprint is 21:4c:52:ab:18:e2:d5:ef:56:e6:a6:e6:34:6d:b5:7d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.15.42' (RSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

修改容器服务器

[root@docker ~]# vi /etc/ssh/sshd_config

 PasswordAuthentication yes          //no改为yes 

 PermitRootLogin yes                     //no改为yes

[root@docker ~]# /etc/init.d/sshd restart

4. 收尾工作

//当重启容器或服务器后,容器网卡会被删除, 此时需要重新建立网卡配置网络。

[root@docker ~]# cd /root/docker/start-docker

[root@docker start-docker]# vim start_docker-41.sh 

#!/bin/sh
#桥接网卡名称
BrName=br0

#启动容器
#docker start f354aacd4052
docker start docker-42 

#docker ps查看cid
cid=f354aacd4052
pid=$(docker inspect -f '{{.State.Pid}}' $cid)

##容器配置网络namespace，并设置固定ip：
# set up netns
mkdir -p /var/run/netns
ln -s /proc/$pid/ns/net /var/run/netns/$pid
# set up bridge
ip link add q$pid type veth peer name r$pid
brctl addif $BrName q$pid
ip link set q$pid up
# set up docker interface
fixed_ip='192.168.15.42/24'
gateway='192.168.15.2'
ip link set r$pid netns $pid
ip netns exec $pid ip link set dev r$pid name eth0
ip netns exec $pid ip link set eth0 up
ip netns exec $pid ip addr add $fixed_ip dev eth0
ip netns exec $pid ip route add default via 192.168.15.2
echo "Enter $vmName command: nsenter --target $pid --mount --uts --ipc --net --pid" >> /root/docker/enter_container_command.txt

//将脚本加入到开机启动项

[root@docker docker]# cat /etc/rc.local

 /bin/sh /root/docker/start-docker/start_docker-41.sh

重启物理机后, 进入docker容器IP地址仍然还在。

//脚本登录docker容器

[root@docker docker]# docker images

[root@docker docker]# sh -vx enter-docker.sh docker-42

docker启动、创建容器、登录容器脚本见附件.