Docker container networking can be divided into four types: Closed, Bridged, Joined and Open.
The structure diagram is as follows (source: "Docker in Action"):
1、Closed
No network access is allowed. A process in the container can only reach the loopback interface, so network communication happens only inside the container and nothing outside the container is reachable. Use the --net none parameter when creating the container.
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net none alpine ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
- Processes inside the container can connect to, or listen on, this interface
- Other containers are not allowed to connect to this interface
- Nothing outside the container can reach the container
Scenario: a high degree of network isolation is required, or the application does not need network access. For example, a terminal text editor does not need network access, nor does a program that generates a password inside the container.
2、Bridged
This mode is the default when a container is created. The container has a private loopback interface and a private interface that connects to the host's network bridge. Use this mode when the process in the container needs to access network resources; the --net option can be omitted when creating the container, or explicitly set to bridge.
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net bridge alpine ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
157: eth0@if158: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.4/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe12:4/64 scope link tentative
       valid_lft forever preferred_lft forever
- Custom host name
Bridge mode supports setting a custom host name for the container, specified with the --hostname parameter
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --hostname barker alpine nslookup barker
nslookup: can't resolve '(null)': Name does not resolve

Name:      barker
Address 1: 172.18.0.4 barker
- Add a DNS server, --dns option
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --dns 8.8.8.8 alpine nslookup docker.com
nslookup: can't resolve '(null)': Name does not resolve

Name:      docker.com
Address 1: 52.205.177.26 ec2-52-205-177-26.compute-1.amazonaws.com
Address 2: 52.54.245.124 ec2-52-54-245-124.compute-1.amazonaws.com
Address 3: 52.73.59.133 ec2-52-73-59-133.compute-1.amazonaws.com
The parameter value must be an IP address; the option can be given multiple times, so several DNS servers can be specified; it also works for containers run in daemon mode (-d)
- Add a DNS search domain, --dns-search=[]
Multiple search domains can be specified. It works like completing the name being looked up with the search domain: a lookup of registry.hub resolves registry.hub.docker.com
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --dns-search docker.com busybox nslookup registry.hub
Server:    100.100.2.138
Address 1: 100.100.2.138

Name:      registry.hub
Address 1: 52.86.136.227 ec2-52-86-136-227.compute-1.amazonaws.com
Address 2: 34.200.149.55 ec2-34-200-149-55.compute-1.amazonaws.com
Address 3: 52.45.79.109 ec2-52-45-79-109.compute-1.amazonaws.com
- Add a local name-to-IP mapping, --add-host, can be specified multiple times
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --hostname mycontainer --add-host docker.com:127.0.0.1 --add-host test:172.0.2.2 alpine cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
127.0.0.1	docker.com
172.0.2.2	test
172.18.0.4	mycontainer
- Publishing ports, -p=[], --publish=[]
cp: map a random host port to the container port
hp:cp: specify both the host port and the container port
ip:cp: bind the container port to a random port on the specified host IP
ip:hp:cp: bind the container port to the specified host IP and port
--expose: open (expose) a container port
-P, --publish-all: map all of the container's exposed ports to random host ports
0.0.0.0:32775->5000/tcp, 0.0.0.0:32774->6000/tcp, 0.0.0.0:32773->7000/tcp
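As an added example (not from the original post), the following POSIX shell function parses the four -p forms listed above into bind IP, host port and container port, and a second function flags the publishes that bind every host interface, which is the 0.0.0.0 form shown in the -P output. The function names are my own; bracketed IPv6 bind addresses are not handled.

```shell
#!/bin/sh
# Added example, not from the original post: normalise a -p/--publish value
# into the fields the four forms describe:
#   cp         container port only, random host port on all interfaces
#   hp:cp      host port and container port
#   ip:cp      random host port bound to a specific host IP
#   ip:hp:cp   specific host IP and host port
# Output: "<bind-ip> <host-port> <container-port>/<proto>"; an unspecified
# bind IP prints as 0.0.0.0 and an unspecified host port prints as "random".
parse_publish() {
    spec=$1
    proto=tcp
    case $spec in
        */udp) proto=udp; spec=${spec%/udp} ;;
        */tcp) spec=${spec%/tcp} ;;
    esac
    # Count the colons to tell the four forms apart.
    rest=$spec
    n=0
    while [ "$rest" != "${rest#*:}" ]; do
        rest=${rest#*:}
        n=$((n + 1))
    done
    case $n in
        0) ip=0.0.0.0; hp=random; cp=$spec ;;
        1) first=${spec%%:*}; cp=${spec#*:}
           case $first in
               *.*) ip=$first; hp=random ;;   # ip:cp (the first field is dotted)
               *)   ip=0.0.0.0; hp=$first ;;  # hp:cp
           esac ;;
        2) ip=${spec%%:*}; rest=${spec#*:}; hp=${rest%%:*}; cp=${rest#*:} ;;
        *) echo "bad publish spec: $1" >&2; return 1 ;;
    esac
    echo "$ip $hp $cp/$proto"
}

# A publish without a bind IP lands on 0.0.0.0, i.e. every host interface,
# so it is reachable from outside the host; report those separately.
publish_warn() {
    parsed=$(parse_publish "$1") || return 1
    case $parsed in
        "0.0.0.0 "*) echo "WARN: $1 binds all host interfaces" ;;
        *)           echo "ok: $1" ;;
    esac
}

# Constructed sample specs, one of each form.
for spec in 5000 8080:80 127.0.0.1:80 127.0.0.1:8053:53/udp; do
    publish_warn "$spec"
done
```

Binding to a loopback or internal address (ip:hp:cp) keeps a published port off the public interface, which is the usual fix when the warning fires.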
- Modifying the bridge interface
--bip specifies the IP range: it sets the IP address of docker0 and the range of addresses allowed on it
--bip "192.168.0.128/25": the last 128 IPs of the /24 (32-25=7, 2^7=128)
--fixed-cidr specifies the IP addresses that may be assigned to new containers
IP range that new containers receive: docker -d --fixed-cidr "192.168.0.192/26" (the last 64 IPs, 192-255; 32-26=6, 2^6=64)
--mtu specifies the packet size of the Ethernet interface, default 1500 bytes
docker -d --mtu 1200 sets it to 1200 bytes
-b/--bridge specifies the bridge used by the Docker daemon, default docker0
docker -d -b mybridge or docker -d --bridge mybridge
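An added example, not from the original post, that carries the --bip / --fixed-cidr arithmetic above through in POSIX shell: cidr_range prints the first address, last address and size of a block (for /26: 32-26=6 host bits, 2^6=64 addresses, .192 through .255), and check_bridge_config verifies that the --fixed-cidr pool lies inside the --bip subnet, a check worth running before changing the daemon options. The function names are my own; the sample values are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: CIDR arithmetic for the
# --bip and --fixed-cidr daemon options, in POSIX shell.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "<first> <last> <count>" for a block such as 192.168.0.192/26.
# The prefix length gives 32-prefix host bits, hence 2^(32-prefix) addresses.
cidr_range() {
    addr=${1%/*}; prefix=${1#*/}
    count=$(( 1 << (32 - prefix) ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    base=$(( $(ip_to_int "$addr") & mask ))
    echo "$(int_to_ip "$base") $(int_to_ip $(( base + count - 1 ))) $count"
}

# Succeed when the second block is fully contained in the first.
cidr_contains() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    # $1/$2 = outer first/last, $4/$5 = inner first/last
    outer_first=$(ip_to_int "$1"); outer_last=$(ip_to_int "$2")
    inner_first=$(ip_to_int "$4"); inner_last=$(ip_to_int "$5")
    [ "$inner_first" -ge "$outer_first" ] && [ "$inner_last" -le "$outer_last" ]
}

# Validate a daemon configuration: the --fixed-cidr pool handed to new
# containers must sit inside the --bip subnet of docker0.
check_bridge_config() {
    bip=$1; fixed=$2
    if cidr_contains "$bip" "$fixed"; then
        echo "ok: $fixed lies inside $bip"
    else
        echo "ERROR: $fixed is not inside $bip"
        return 1
    fi
}

# Values from the text: --bip "192.168.0.128/25", --fixed-cidr "192.168.0.192/26".
cidr_range 192.168.0.128/25
cidr_range 192.168.0.192/26
check_bridge_config 192.168.0.128/25 192.168.0.192/26
```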
3、Joined
Containers share the same network stack, which means less control and less security. In a joined container, a special container provides the network interface that new containers attach to.
Create a closed container:
docker run -d --name brady --net none alpine nc -l 127.0.0.1:3333
Create a joined container:
docker run -it --net container:brady alpine netstat -al
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:36328           0.0.0.0:*               LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
Scenario:
When different containers need to communicate over the same loopback interface, this can be achieved by creating a joined container
4、Open
In this mode the container has no network isolation at all: it uses the host's network directly, which carries hidden network security risks. It is not recommended unless you have to. Use --net host when creating the container.
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net host alpine ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
……
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
……
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
……
30: br-662aeb7954f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
……
102: vethc3eb910@if101: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 42:7f:7b:ee:f1:a0 brd ff:ff:ff:ff:ff:ff
154: veth69e1658@if153: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether a6:78:6e:81:7a:24 brd ff:ff:ff:ff:ff:ff
[root@iz2ze7sp5njgaf81ekoudez ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
……
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
……
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
……
30: br-662aeb7954f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
……
102: vethc3eb910@if101: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
……
154: veth69e1658@if153: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
……
The output is consistent with the host's network information.
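As an added example that is not from the original post, here is a small audit over the four types: it classifies each running container's network mode and reports the ones that give up isolation (Open shares the host's namespace, Joined shares another container's). On a live host the input lines would come from docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q); a constructed sample stands in for that output so the script runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: map Docker's NetworkMode values
# onto the four types (Closed, Bridged, Joined, Open) and flag the risky ones.

# One NetworkMode value -> type name.
classify_mode() {
    case $1 in
        none)            echo closed ;;
        bridge|default)  echo bridged ;;
        container:*)     echo "joined(${1#container:})" ;;
        host)            echo open ;;
        *)               echo "user-defined($1)" ;;   # a named user bridge/overlay network
    esac
}

# Read "name mode" lines on stdin (the docker inspect format shown in the
# lead-in) and print one verdict line per container.
audit_network_modes() {
    while read -r name mode; do
        [ -n "$name" ] || continue
        kind=$(classify_mode "$mode")
        case $kind in
            open)    echo "RISK  $name open: shares the host network namespace ($mode)" ;;
            joined*) echo "CHECK $name $kind: shares another container's interfaces" ;;
            *)       echo "ok    $name $kind" ;;
        esac
    done
}

# Constructed sample in the shape of the docker inspect output above
# (container names carry the leading slash that docker inspect prints).
SAMPLE='/web bridge
/editor none
/sidecar container:abc123
/monitor host'

printf '%s\n' "$SAMPLE" | audit_network_modes
```

On a real host, replace the printf with the docker inspect pipeline; a non-empty RISK line is the case the Open section above warns about.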