Analysis of Docker's four network modes
Detailed network resources-Docker0 network card and four network modes
After installing Docker, you will find that the system automatically created a docker0 network card and other Docker network modes:
Docker0 network card and four network modes
After the Docker installation is complete, a Linux bridge will be used to virtualize a Docker container bridge (docker0) on the host. When the container is started, an IP address will be assigned to the container from this network segment, which is called container-ip. At the same time, the Docker bridge is The default gateway of each container. Because the containers in the same host are all connected to the same bridge, the containers can communicate directly through the container-ip of the container.
However, because the Docker0 network card is virtualized, the external network cannot communicate directly, and can only access the container through port mapping, that is, when docker run creates the container, it is enabled through the -p or -P parameter, and when the container is accessed, it is宿主机IP:容器端口accessed container
| docker network mode | Configuration | Description |
|---|---|---|
| host mode | –net=host | The container and the host share the Network namespace. |
| container mode | –net=container:name or id | A container and another container share a Network namespace, and a pod in kubernetes means that multiple containers share a Network namespace. |
| none mode | –net=none | The container has an independent Network namespace, but does not perform any network settings on it, such as assigning veth pair and network bridge connection, configuring IP, etc. |
| bridge mode | –net=bridge | (The default is this mode) |
host mode
- The container and the host share the network namespace
- The container will use the host's IP address and port, but other aspects of the container, such as the file system, are still isolated from the host
- The advantage is that the network performance is good, without nat conversion
- The disadvantage is that the isolation of the network is not good, and the used ports can no longer be used.
container mode
- The container mode is to share a network namespace with an existing container. The newly created container will not create its own network card and IP. The two containers can communicate through the lo network card device.
- But like the host mode, the file system, process list, etc. are still isolated
none mode
- The none mode turns off the network function of the container,
- The container will have its own network namespace, but the container will not have other network configuration, such as network card, IP, routing and other information, need to be added manually
- The advantage is that the network is closed and the container has high security
bridge mode
- The bridge mode assigns and sets an IP address for each container, and connects the container to a Docker0 virtual bridge through the veth pair, and communicates with the host through the docker0 bridge and the iptables nat table configuration
- The bridge mode is Docker
默认模式, generally Docker will use the network segment 172.17.0.0/16
How to use the network mode-designated mode and designated ip
**The bridge mode is the default and does not need to be specified. If you want to specify the mode, you need to add –net=none, –net=host, –net=container:name or id **
For example:
docker run -it centos:7 /bin/bash #这个默认就是桥接模式
The bridge mode cannot directly specify the ip. If you want to specify the ip, you need to create a network by yourself. The created network is at the same level as the Docker0 network.
docker network create --subnet=172.18.0.0/24 network01
docker run -itd --name test --net network01 --ip 172.18.0.10 centos:7 /bin/bash
docker ps -a