PS: Welcome everyone to pay attention to my public account: aCloudDeveloper, focus on technology sharing, and strive to build a dry goods sharing platform. The QR code can be scanned at the end of the article. Thank you.
When containers gradually evolve into container clusters and container cloud technology, one of the problems that has to be faced is the management of each container. Some containers need to interact, and some containers need to be isolated. How to ensure that these operations can be carried out smoothly? At this time, Many container management and orchestration platforms have emerged. First of all, of course, the cluster management suite of Swarm+Machine+Compose developed by the Docker community, and then there is Mesos, which is mainly promoted by Apache, and the most famous one should be Kubernetes, which is open sourced by Google.
These platforms integrate the problems of container cluster resource management, service discovery, expansion and shrinkage, and are an integrated solution, but in fact, these problems are essentially inseparable from the network. The scheduling of resources between containers requires the network, and service discovery requires the network. Therefore, it can be said that the network is the most basic part of the container cluster environment.
The Docker container network can be divided into a single-host network (host) and a multi-host network (multi-host) according to the deployment location of the container. This article first looks at the Docker host network.
Docker host network is divided into none, host, joined container and bridge network.
In none network mode, the Docker container has its own network namespace, but does not perform any network configuration for the container, that is to say, the container has nothing but the localback network card that comes with the network namespace itself, including network card, IP, routing and other information . How to use the none network, you need to add a specific network card and configure IP, routing and other information, but generally do not do this, the none network is well isolated, and is generally used to run those with extreme security requirements. Applications that are high and do not require an internet connection.
For example, the only purpose of a container is to generate random passwords, which can be placed in the none network to avoid password theft.
To make Docker use the none network, just add --network=none when creating the container.
The host network, as the name implies, is that the Docker container uses the host's network, which is equivalent to sharing the same network namespace with the host. The Docker container uses the host's network card, IP, and routing functions to communicate externally.
Although Docker does not create an independent network namespace in this mode, other namespaces are still isolated, such as the file system, process list, etc. The biggest advantage of the host network is that it makes the external communication of the Docker container simple. You can directly use the host's IP for communication, but the disadvantage is also obvious, that is, the isolation is reduced, and there will also be competition with other containers for network resources. conflict issues.
Also to use the host network, just create the container with --network=host.
The difference between the joined container network and the host network is that it shares a network namespace with other containers, and a network namespace can be shared by one or more Docker containers. In this mode, two containers can communicate through the localback loopback network card, which increases the convenience of communication between containers.
You can also use the parameter --network=container:another_container_name to share the network with another container when creating a container.
The bridge network is the most commonly used network mode. It takes into account both the security and the completeness of functions. However, its communication with the outside world needs to be converted through NAT, which will cause many inconveniences in complex network scenarios.
The bridge network is specified by --network = bridge when it is created, and the Docker daemon will automatically create a Docker bridge -- docker0 for the created container (you can also specify the name --driver bridge my_net), this docker0 is used to connect Docker A bridge between containers and hosts.
Then, the Docker daemon will create a pair of virtual network card veth pair, one network card is left in the host's root network namespace and bound to docker0, and the other is placed in the newly created network namespace, named eth0, and assigned to it Configure IP and routing, set its gateway to docker0, as follows, so that the bridge network communication environment of the entire container is established, and other containers are established in the same way. Finally, the containers are interconnected through the bridge of docker0.
More complex multi-host networks are discussed below.
PS: Friends who are interested in cloud computing can follow my WeChat public account: aCloudDeveloper, focus on the field of cloud computing, and insist on sharing dry goods.
