Docker Docker network
One, understand docker0
Delete all mirrors first, then
~ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:fc:57:e2 brd ff:ff:ff:ff:ff:ff
inet 172.31.202.45/24 brd 172.31.202.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fefc:57e2/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:98:04:68:a9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:98ff:fe04:68a9/64 scope link
valid_lft forever preferred_lft forever
docker0 is the default network card of docker
- Principle
1. Every time we start a docker container, docker will assign an ip to the docker container. As long as we follow docker, there will be a docker0 bridge mode. The technology used is veth-pair technology!
docker run -d -P --name tomcat01 tomcat
83b4703873b5213054e7e506e721a5d68f1ca40521ac68b363616a7f333fa981
#查看容器内ip
[root@Latteitcjz /]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@Latteitcjz /]# docker run -d -P --name tomcat02 tomcat
56bb3fef856fa86b39bd862c5227893fad81b2cc64daaabd67f54680e6708782
[root@Latteitcjz /]# docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#发现linux能ping通容器内部
[root@Latteitcjz /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.207 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.065 ms
1. Every time a docker container is started, docker will assign an ip to the docker container, as long as docker is installed, a docker0 network card will be assigned
2. When starting a container test, it is found that there is another pair of network cards
[root@Latteitcjz /]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:fc:57:e2 brd ff:ff:ff:ff:ff:ff
inet 172.31.202.45/24 brd 172.31.202.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fefc:57e2/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:98:04:68:a9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:98ff:fe04:68a9/64 scope link
valid_lft forever preferred_lft forever
15: veth77b0c46@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 22:b3:44:bf:da:48 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::20b3:44ff:febf:da48/64 scope link
valid_lft forever preferred_lft forever
17: veth6dbc1f1@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether be:44:4f:0f:dd:ea brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::bc44:4fff:fe0f:ddea/64 scope link
valid_lft forever preferred_lft forever
#我们发现这个容器带来网卡都是一对一对的
veth-pair 就是一对的虚拟设备接口,他们都是成对出现的,一端连着协议,一端彼此相连
正因为有这个特性 veth-pair 充当一个桥梁,连接各种虚拟网络设备的
OpenStac,Docker容器之间的连接,OVS的连接,都是使用evth-pair技术
Let's test whether tomcat01 and tomcat02 can be pinged
$ docker-tomcat docker exec -it tomcat01 ip addr #获取tomcat01的ip 172.17.0.2
550: eth0@if551: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
$ docker-tomcat docker exec -it tomcat02 ping 172.17.0.2#让tomcat02ping tomcat01
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.071 ms
# 可以ping通
The linux bridge used by docke is as follows
Conclusion: Tomcat01 and tomcat02 share a router, docker0.
As long as the container is deleted, the corresponding pair of bridges will be lost.
All containers are routed by docker0 if they do not specify a network. Docker will assign a default usable IP to our container.
Summary: Docker uses a Linux bridge, and the host is a Docker container bridge docker0
Two, -link
#Sometimes, we are facing the situation of service IP replacement, how to access the container through the service name?
$ docker exec -it tomcat02 ping tomca01 # ping不通
ping: tomca01: Name or service not known
# 运行一个tomcat03 --link tomcat02
$ docker run -d -P --name tomcat03 --link tomcat02 tomcat
5f9331566980a9e92bc54681caaac14e9fc993f14ad13d98534026c08c0a9aef
# 用tomcat03 ping tomcat02 可以ping通
$ docker exec -it tomcat03 ping tomcat02
PING tomcat02 (172.17.0.3) 56(84) bytes of data.
64 bytes from tomcat02 (172.17.0.3): icmp_seq=1 ttl=64 time=0.115 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=2 ttl=64 time=0.080 ms
# 用tomcat02 ping tomcat03 ping不通
#我们通过docker ipspect查看容器网卡内容
#其实是tomcat03本地配置了一个tomcat02的配置,而tomcat02并没有配置
[root@Latteitcjz ~]# docker exec -it tomcat03 cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3 tomcat02 29ef94c31a6e
172.18.0.4 b23fb6cb9f41
[root@Latteitcjz ~]# docker exec -it tomcat02 cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3 29ef94c31a6e
—link其实是在hosts中配置了一个172.17.0.3的名字映射,docker0并不支持容器名访问
Three, custom network
View all networks
[root@Latteitcjz /]# docker network --help
Usage: docker network COMMAND
Manage networks
Commands:
connect Connect a container to a network
create Create a network
disconnect Disconnect a container from a network
inspect Display detailed information on one or more networks
ls List networks
prune Remove all unused networks
rm Remove one or more networks
Run 'docker network COMMAND --help' for more information on a command.
[root@Latteitcjz /]# docker network ls
NETWORK ID NAME DRIVER SCOPE
fd194d6c2403 bridge bridge local
5c545079dbb6 host host local
2a10cbcdd91c none null local
Network mode
- bridge: bridge (default, self-created is also in bridge mode)
- none: do not configure the network
- host: share the network with the host
- container: container network connectivity (less used)
#我们直接启动命令 --netwok bridge
docker run -d -P --name tomcat01 tomcat
docker run -d -P --name tomcat01 --net bridge tomcat
#docker0特点:默认,但是域名不能访问,--link可以打通连接
#我们可以定义一个网络
[root@Latteitcjz/]# docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
0f87b54b4ddb7fb5176cf6374eba394137bc779e371cbcf1ff48725cf63b7e3c
[root@Latteitcjz /]# docker network ls
NETWORK ID NAME DRIVER SCOPE
22afa40fd7c0 bridge bridge local
459c2f2fb892 host host local
0f87b54b4ddb mynet bridge local
a2db766f6b7d none null local
#发现我们增加的一张网卡mynet有了
#查看我们自己的网卡
[root@Latteitcjz /]# docker network inspect mynet
[
{
"Name": "mynet",
"Id": "0f87b54b4ddb7fb5176cf6374eba394137bc779e371cbcf1ff48725cf63b7e3c",
"Created": "2021-03-06T20:02:43.62232566918Z",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
In a custom network, services can ping each other without using –link
our custom network docker. After we maintain the corresponding relationship, we recommend that we usually use the network like this!
benefit:
redis-Different clusters use different networks to ensure that the cluster is safe and healthy
mysql-Different clusters use different networks to ensure that the cluster is safe and healthy
Fourth, network connectivity
Use docker network connect to bridge the container to another network card, because at this time tomcat01 is actually bridged to docker0
[root@Latteitcjz /]# docker network connect mynet tomcat01
[root@Latteitcjz /]# docker exec -it tomcat02 ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.059 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.080 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.106 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 0.059/0.091/0.121/0.025 ms
[root@Latteitcjz /]# docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#其实此时就相当于tomcat01有两个ip,一个公网一个私网
[root@Latteitcjz /]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
25: eth1@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c0:a8:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.0.4/16 brd 192.168.255.255 scope global eth1
valid_lft forever preferred_lft foreve
[root@Latteitcjz /]# docker exec -it tomcat01 ping tomcat-net-01
PING tomcat-net-01 (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.070 ms
^C
--- tomcat-net-01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 0.070/0.103/0.136/0.033 ms
[root@Latteitcjz /]# docker exec -it tomcat02 ping tomcat-net-01
ping: tomcat-net-01: Name or service not known
#因为02没有打通到mynet网卡 所以不通!
Conclusion: If you want to operate across the network, you need to use docker network connect to connect
