Docker: four network modes

One. Implementation principle

  • Docker uses a Linux bridge to virtualize a container bridge, docker0, on the host. When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the Container-IP, and the bridge acts as the default gateway of every container. Because all containers on one host are attached to the same bridge, they can communicate with each other directly through their Container-IPs.
  • The docker0 bridge is virtualized by the host and is not a real network device, so it cannot be addressed from the external network. This also means that external hosts cannot reach a container directly through its Container-IP. To make a container reachable from outside, map a container port to the host (port mapping) with the -p or -P option of docker run when the container is created; the container is then reached as [host IP]:[mapped port].

Two. Network details

1. Analysis

docker network modes (k8s CNI network plugins)
NAT mode (default)
NAT host network

None mode

Some workloads do not need to talk to the network at all and have no protocol stack requirement

k8s is best suited to orchestrating stateless services (services delivered into k8s are stateless; at most they need horizontal scaling)

Host mode

docker and the host are on the same network segment (no isolation)

A container isolates six namespaces (namespace resource isolation, packaged with container technology):
mount    filesystem, mount points
user     user IDs
pid      process IDs
uts      hostname and domain name
ipc      semaphores, message queues, shared memory
net      network devices, network protocol stack, ports, etc.

2. Four network modes

docker network ls      // list the networks
  • When Docker is installed, it automatically creates three networks: bridge (newly created containers connect to it by default), none and host.

Docker network mode   Configuration                 Description
host mode             --net=host                    The container and the host share one Network namespace.
container mode        --net=container:NAME_or_ID    The container shares a Network namespace with another container. A pod in Kubernetes is exactly this: several containers sharing one Network namespace.
none mode             --net=none                    The container has an independent Network namespace, but Docker performs no network setup on it: no veth pair or bridge connection, no IP configuration, etc.
bridge mode           --net=bridge                  The default mode.

1. host mode

  • The container does not get its own network namespace; it shares the host's. It does not virtualize its own network card or configure its own IP, but uses the host's IP and ports directly. That is, if the container runs a web server, it listens on the host's port directly with no NAT translation, just as if the server were running on the host itself. Apart from the network, everything else in the container is still isolated.
  • A container in host mode uses the host's IP address to communicate with the outside world, and its service ports are the host's ports, with no NAT. The biggest advantage of host mode is better network performance, but a port already in use on the Docker host cannot be used again, and network isolation is poor.

2. container mode

  • This mode makes the newly created container share a network namespace with an existing container instead of with the host. The new container does not create its own network card or configure its own IP; it shares the IP, port range, etc. of the specified container. Apart from the network, the two containers remain isolated in other respects, such as file systems and process lists. Processes in the two containers can communicate with each other through the lo loopback device.

3. none mode

  • In none mode the Docker container has its own Network Namespace, but Docker performs no network configuration on it. In other words, the container has no network card, IP address, routes, etc.; we have to add network interfaces and configure IPs ourselves. This mode turns off the container's networking.
  • In this mode the container has only the lo loopback interface and no other network cards. none mode is selected with --network=none when the container is created. Nothing can connect to such a container over the network, and a closed network helps ensure the container's security.

4. bridge mode

  • This mode allocates and configures an IP for each container, connects the container to the docker0 virtual bridge, and lets it communicate with the host through the docker0 bridge and iptables nat table rules.
  • When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and containers started on this host are attached to it. The virtual bridge works like a physical switch, so all containers on the host are joined to one Layer 2 network through it.
  • An IP is assigned to the container from the docker0 subnet, and the docker0 address is set as the container's default gateway. Docker creates a veth pair (a pair of virtual network interfaces) on the host, places one end inside the new container and names it eth0 (the container's network card), and leaves the other end on the host under a name like vethxxx, attached to the docker0 bridge. This can be viewed with brctl show.
  • Bridge mode is Docker's default network mode; without a --net parameter a container uses bridge mode. When docker run -p is used, Docker actually installs DNAT rules in iptables to implement port forwarding; view them with iptables -t nat -vnL.
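As an added example that is not part of the original post, the following shell script parses the DOCKER chain of the nat table (the output format of iptables -t nat -vnL DOCKER) and lists which host ports are DNAT-forwarded to which container, flagging the ones bound on all interfaces. The chain text below is constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit the DNAT rules that
# "docker run -p" installs in the DOCKER chain of the nat table.
# SAMPLE_DOCKER_CHAIN is constructed sample output of `iptables -t nat -vnL DOCKER`.

SAMPLE_DOCKER_CHAIN='Chain DOCKER (2 references)
 pkts bytes target     prot opt in      out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    3   180 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.17.0.4:53'

# Print one line per DNAT rule: "<proto> <host-destination>:<host-port> -> <container-ip>:<port>"
# With -v the columns are: pkts bytes target prot opt in out source destination [extras]
list_published_ports() {
  printf '%s\n' "$1" | awk '
    $3 == "DNAT" {
      hport = ""; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dpt:/) hport = substr($i, 5)
        if ($i ~ /^to:/)  target = substr($i, 4)
      }
      if (hport != "" && target != "")
        printf "%s %s:%s -> %s\n", $4, $9, hport, target
    }'
}

# Keep only rules whose destination is 0.0.0.0/0, i.e. reachable on every host
# interface rather than only loopback; these are the mappings worth reviewing.
list_wide_open_ports() {
  list_published_ports "$1" | awk '$2 ~ /^0\.0\.0\.0\/0:/'
}

# On a real host: list_published_ports "$(sudo iptables -t nat -vnL DOCKER)"
```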

Three. Network mode veth explanation

Four. Custom network configuration

  • Bridge mode is used by default when creating a container, but the bridge network does not support specifying an IP for the container:
[root@localhost ~]# docker run -itd --name test1 --network bridge --ip 172.17.0.10 centos:7 /bin/bash

20dc45293929f81013a60391bef2626f581a8d3d4f29b8a87ac8b1f9b585ab2a

docker: Error response from daemon: user specified IP address is supported on user defined networks only.    # the error says a fixed IP can only be assigned on a user-defined network
  • Configure a custom fixed IP:
[root@localhost ~]# docker network create --subnet=172.31.0.0/24 test

# create the custom network named test

[root@localhost ~]# docker run -itd --name web1 --net test --ip 172.31.0.10 centos:7 /bin/bash
  • Create a container, attach it to the test network, and give it the IP address 172.31.0.10
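The two commands above, wrapped in an added example that is not from the original post: a POSIX shell script that checks the requested fixed IP actually lies inside the user-defined subnet before creating the network and the container. DOCKER_CMD is an assumed variable; set it to echo to dry-run without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original post): create a user-defined network
# and start a container with a fixed IP, refusing addresses outside the subnet
# (bridge ignores --ip, and a custom network rejects a wrong --ip only at run time).
# DOCKER_CMD is an assumed variable: set it to "echo" for a dry run.

DOCKER_CMD="${DOCKER_CMD:-docker}"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_subnet IP CIDR -> exit status 0 if IP is inside CIDR, 1 otherwise
ip_in_subnet() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits="${2#*/}"
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# run_with_fixed_ip NAME NETWORK SUBNET IP IMAGE
run_with_fixed_ip() {
  name=$1; netname=$2; subnet=$3; addr=$4; image=$5
  if ! ip_in_subnet "$addr" "$subnet"; then
    echo "refusing: $addr is not inside $subnet" >&2
    return 1
  fi
  # Create the user-defined network only if it does not exist yet.
  if ! $DOCKER_CMD network inspect "$netname" >/dev/null 2>&1; then
    $DOCKER_CMD network create --subnet="$subnet" "$netname"
  fi
  $DOCKER_CMD run -itd --name "$name" --net "$netname" --ip "$addr" "$image" /bin/bash
}

# Example from the post: run_with_fixed_ip web1 test 172.31.0.0/24 172.31.0.10 centos:7
```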

Origin: blog.csdn.net/weixin_45647891/article/details/114876189