Networking in Docker

Docker container networking can be divided into four types: Closed, Bridged, Joined and Open.

[Figure: structure diagram of the four network types (source: "Docker in Action")]

1. Closed

  No network access is allowed. Processes in the container can only reach the loopback interface, so all network traffic stays inside the container and nothing outside the container can be reached. This mode is selected with the --net none parameter when the container is created.


[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net none alpine  ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever


  • Processes inside the container can connect to, or listen on, this interface
  • Other containers cannot connect to this interface
  • Nothing outside the container can reach it over the network

  Scenario: a high degree of network isolation is required, or the application needs no network access at all. For example, a terminal text editor does not need the network, nor does a program that generates a password inside the container.


2. Bridged

  This is the default mode when a container is created. The container has a private loopback interface and a private interface attached to the host's network bridge. Use this mode when the process in the container needs to reach network resources; the --net option can be omitted when creating the container, or set explicitly to bridge.


[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net bridge  alpine  ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
157: eth0@if158: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.4/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:4/64 scope link tentative
       valid_lft forever preferred_lft forever


  • Custom hostname

   Bridge mode lets you give the container a custom hostname, specified with the --hostname parameter

[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --hostname barker alpine nslookup barker
nslookup: can't resolve '(null)': Name does not resolve

Name:      barker
Address 1: 172.18.0.4 barker
  • Add a DNS server with the --dns option
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --dns 8.8.8.8  alpine nslookup docker.com
nslookup: can't resolve '(null)': Name does not resolve

Name:      docker.com
Address 1: 52.205.177.26 ec2-52-205-177-26.compute-1.amazonaws.com
Address 2: 52.54.245.124 ec2-52-54-245-124.compute-1.amazonaws.com
Address 3: 52.73.59.133 ec2-52-73-59-133.compute-1.amazonaws.com

  The value must be an IP address; the option can be given several times to list more than one DNS server, and it also works for containers started in daemon mode (-d)

  • Add a DNS search domain, --dns-search=[]

    It can be given several times. The search domain is appended to a short name when it is looked up, so registry.hub resolves as registry.hub.docker.com

[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --dns-search docker.com busybox nslookup registry.hub
Server:    100.100.2.138
Address 1: 100.100.2.138

Name:      registry.hub
Address 1: 52.86.136.227 ec2-52-86-136-227.compute-1.amazonaws.com
Address 2: 34.200.149.55 ec2-34-200-149-55.compute-1.amazonaws.com
Address 3: 52.45.79.109 ec2-52-45-79-109.compute-1.amazonaws.com
  • Add a local hostname-to-IP mapping with --add-host; the option can be specified multiple times
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --hostname mycontainer --add-host docker.com:127.0.0.1 --add-host test:172.0.2.2 alpine cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
127.0.0.1	docker.com
172.0.2.2	test
172.18.0.4	mycontainer
  • Publish ports: -p=[], --publish=[]

  cp: map a random host port to container port cp

  hp:cp: specify both the host port and the container port

  ip::cp: bind the container port to a random port on the given host IP

  ip:hp:cp: bind the container port to the given host IP and port

  --expose: mark a container port as exposed

  -P, --publish-all: map every exposed container port to a random host port

  After -P the PORTS column of docker ps shows mappings such as:

0.0.0.0:32775->5000/tcp, 0.0.0.0:32774->6000/tcp, 0.0.0.0:32773->7000/tcp
  • Change the bridge interface

   The daemon flags below are shown with the old docker -d form used by the post; on current Docker versions the same flags are passed to dockerd or set in daemon.json.

   --bip sets the address of docker0 and the range of addresses it may hand out

--bip "192.168.0.128/25" gives the upper 128 addresses (32-25=7, 2^7=128)

   --fixed-cidr restricts the addresses that can be assigned to new containers

Address range for new containers:
docker -d --fixed-cidr "192.168.0.192/26" (the upper 64 addresses, 192-255: 32-26=6, 2^6=64)

   --mtu sets the packet size of the Ethernet interface, 1500 bytes by default

docker -d --mtu 1200 sets it to 1200 bytes

  -b / --bridge sets the bridge used by the Docker daemon, docker0 by default

docker -d -b mybridge
docker -d --bridge mybridge
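As an added example (not code from the original post), a few bash helpers for the port-publishing and address-range settings above: cidr_size and cidr_range reproduce the 2^(32-prefix) arithmetic used for --bip and --fixed-cidr, and parse_port_map reads the PORTS field format shown above so that mappings bound to 0.0.0.0 (reachable on every host interface) can be counted. The SAMPLE_PORTS value is constructed; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. SAMPLE_PORTS is a constructed
# docker ps PORTS field; the function names are this example's own.
set -eu

# Number of addresses in a CIDR block: 2^(32 - prefix). For the post's
# --bip "192.168.0.128/25" this is 128, for --fixed-cidr /26 it is 64.
cidr_size() {
    local prefix="${1#*/}"
    echo $(( 1 << (32 - prefix) ))
}

# Dotted-quad <-> 32-bit integer, used to compute a block's first/last address.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# First and last address of a CIDR block, e.g. "192.168.0.192/26"
# -> "192.168.0.192 192.168.0.255" (the 192-255 range quoted in the post).
cidr_range() {
    local ip="${1%/*}" prefix="${1#*/}"
    local mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    local start=$(( $(ip2int "$ip") & mask ))
    local end=$(( start + (1 << (32 - prefix)) - 1 ))
    echo "$(int2ip "$start") $(int2ip "$end")"
}

# Parse a PORTS field such as "0.0.0.0:32775->5000/tcp, ..." into one
# "host_ip host_port container_port proto" record per mapping (IPv4 form).
parse_port_map() {
    local field="$1" entry host cont
    local IFS=','
    for entry in $field; do
        entry="${entry# }"              # drop the space that follows each comma
        host="${entry%%->*}"            # "0.0.0.0:32775"
        cont="${entry#*->}"             # "5000/tcp"
        printf '%s %s %s %s\n' "${host%:*}" "${host##*:}" "${cont%/*}" "${cont#*/}"
    done
}

# Count mappings bound to 0.0.0.0, i.e. published on every host interface.
count_wildcard_bindings() {
    parse_port_map "$1" | awk '$1 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# Constructed sample: two wildcard bindings and one bound to loopback only.
SAMPLE_PORTS='0.0.0.0:32775->5000/tcp, 0.0.0.0:32774->6000/tcp, 127.0.0.1:8080->7000/tcp'

echo "addresses in 192.168.0.128/25: $(cidr_size 192.168.0.128/25)"
echo "range of 192.168.0.192/26: $(cidr_range 192.168.0.192/26)"
parse_port_map "$SAMPLE_PORTS"
echo "mappings reachable on every host interface: $(count_wildcard_bindings "$SAMPLE_PORTS")"
```

The ip:hp:cp form with 127.0.0.1 keeps a published service local to the host. A 0.0.0.0 binding is reachable from outside, and on a Linux host Docker's own iptables rules forward that traffic before host-level INPUT rules see it, so a host firewall alone does not restrict it.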

3. Joined

   Containers share a single network stack, which means less control and less isolation. In a joined container, a designated container provides the network interface that the new container uses.

 Create a closed container:

docker run -d --name brady --net none alpine nc -l 127.0.0.1:3333

 Create a joined container that shares its network:

docker run -it --net container:brady alpine netstat -al

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 0.0.0.0:36328           0.0.0.0:*               LISTEN      
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
 Use case:

  When different containers need to communicate over the same loopback interface, this can be achieved by creating a joined container.

4. Open

  In this mode the container has no network namespace of its own: it uses the host's network directly, which carries hidden network security risks. It is not recommended unless you have to use it. Pass --net host when creating the container.


[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net host alpine ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    ……
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    ……
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    ……
30: br-662aeb7954f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN    ……
102: vethc3eb910@if101: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 42:7f:7b:ee:f1:a0 brd ff:ff:ff:ff:ff:ff
154: veth69e1658@if153: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether a6:78:6e:81:7a:24 brd ff:ff:ff:ff:ff:ff
[root@iz2ze7sp5njgaf81ekoudez ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    ……
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    ……
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    ……
30: br-662aeb7954f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN ……
102: vethc3eb910@if101: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
  ……
154: veth69e1658@if153: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
   ……
 The output matches the host's own interface list.
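As an added example that is not part of the original post, and which covers both the Joined and the Open sections: a bash helper that maps the NetworkMode value docker inspect reports for a container onto the four types above, so the two weakly isolated modes (Joined shares another container's stack, Open shares the host's) can be spotted in an audit. The SAMPLE_CONTAINERS list is constructed; the live audit uses docker ps and docker inspect and is skipped when no daemon is reachable.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. SAMPLE_CONTAINERS is a
# constructed list standing in for docker inspect output.
set -eu

# HostConfig.NetworkMode as reported by "docker inspect": "none", "bridge"
# (or "default"), "host", "container:<id-or-name>", or the name of a
# user-defined network. A user-defined network is treated as Bridged here,
# which is the default driver for "docker network create".
classify_network_mode() {
    case "$1" in
        none)        echo "Closed" ;;
        host)        echo "Open" ;;
        container:*) echo "Joined" ;;
        *)           echo "Bridged" ;;
    esac
}

# "yes" for the modes that share a namespace: Joined shares another
# container's stack (including its loopback), Open shares the host's.
weak_isolation() {
    case "$(classify_network_mode "$1")" in
        Joined|Open) echo "yes" ;;
        *)           echo "no" ;;
    esac
}

# Constructed sample, one "name mode" pair per line.
SAMPLE_CONTAINERS='brady none
web bridge
sidecar container:brady
monitor host
app mynet'

# Report "<name> <mode> <type> <weak>" for each line of a sample list.
report() {
    printf '%s\n' "$1" | while read -r name mode; do
        printf '%s %s %s %s\n' "$name" "$mode" \
            "$(classify_network_mode "$mode")" "$(weak_isolation "$mode")"
    done
}

# Number of containers in a sample list that run Joined or Open.
count_weak_isolation() {
    report "$1" | awk '$4 == "yes" { n++ } END { print n + 0 }'
}

# Same report over the running containers of a reachable Docker daemon;
# skipped (exit 0) when the CLI is absent or the daemon cannot be reached.
audit_running_containers() {
    command -v docker >/dev/null 2>&1 && docker info >/dev/null 2>&1 || {
        echo "docker daemon not reachable; skipping live audit" >&2
        return 0
    }
    local id name mode
    for id in $(docker ps -q); do
        name=$(docker inspect --format '{{.Name}}' "$id")   # reported as "/name"
        mode=$(docker inspect --format '{{.HostConfig.NetworkMode}}' "$id")
        printf '%s %s %s %s\n' "${name#/}" "$mode" \
            "$(classify_network_mode "$mode")" "$(weak_isolation "$mode")"
    done
}

report "$SAMPLE_CONTAINERS"
echo "containers with weak network isolation: $(count_weak_isolation "$SAMPLE_CONTAINERS")"
audit_running_containers
```

A container found in Open mode sees every host interface, as the ip addr output above shows, and one in Joined mode can listen on and connect to the loopback of the container it is joined to; both deserve a second look in any review of a host's running containers.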


Origin http://43.154.161.224:23101/article/api/json?id=326295467&siteId=291194637