Using network namespaces
A network namespace (netns) is one of the six Linux namespaces. It isolates network devices and services: only devices in the same network namespace can see each other. Building a network namespace only requires the ip netns and ip link subcommands; here are some simple usages.
ip netns add n1 # add a network namespace
ip netns add n2
ip netns list # list the current network namespaces
ip link add name veth1.1 type veth peer name veth1.2 # create a pair of virtual NICs
ip link show # show the current network interfaces
ip link set dev veth1.1 netns n1 # move veth1.1 into the n1 namespace; veth1.2 is moved into n2 the same way
ip link set dev veth1.2 netns n2
ip netns exec n1 ip link set dev veth1.1 name eth0 # rename veth1.1 in the n1 namespace to eth0
ip netns exec n2 ip link set dev veth1.2 name eth0
ip netns exec n1 ifconfig eth0 10.0.0.1/24 up # assign an address in the n1 namespace and bring the interface up
ip netns exec n2 ifconfig eth0 10.0.0.2/24 up
ip netns exec n2 ping 10.0.0.1 # test connectivity between the two namespaces
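As an added example, not from the original post: the namespace and veth commands above generalized into a small script that wires N namespaces to a bridge in the host namespace, which is the same layout Docker's bridge mode builds around docker0. It assumes root, iproute2 and ping, and the names br0 and 10.0.0.0/24 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): wire several namespaces to one
# bridge in the host namespace, the layout Docker's bridge mode builds around
# docker0. Needs root and iproute2; br0 and 10.0.0.0/24 are constructed names.
# Usage: lab_up 2; lab_check 2; lab_down
set -e
BR=br0
NET=10.0.0      # the bridge takes .1, namespace nI takes .(I+1)

lab_up() {      # $1 = number of namespaces to create
    ip link add name "$BR" type bridge
    ip addr add "$NET.1/24" dev "$BR"
    ip link set dev "$BR" up
    i=1
    while [ "$i" -le "$1" ]; do
        ip netns add "n$i"
        ip link add name "veth$i.1" type veth peer name "veth$i.2"
        ip link set dev "veth$i.1" netns "n$i"              # one end inside the namespace
        ip netns exec "n$i" ip link set dev "veth$i.1" name eth0
        ip netns exec "n$i" ip addr add "$NET.$((i+1))/24" dev eth0
        ip netns exec "n$i" ip link set dev eth0 up
        ip netns exec "n$i" ip link set dev lo up
        ip netns exec "n$i" ip route add default via "$NET.1"
        ip link set dev "veth$i.2" master "$BR" up          # other end on the bridge
        i=$((i+1))
    done
}

lab_check() {   # every namespace must reach the bridge address and every peer
    i=1
    while [ "$i" -le "$1" ]; do
        j=0
        while [ "$j" -le "$1" ]; do
            ip netns exec "n$i" ping -c 1 -W 1 "$NET.$((j+1))" >/dev/null || return 1
            j=$((j+1))
        done
        i=$((i+1))
    done
}

lab_down() {    # remove only the namespaces this lab created, then the bridge
    for ns in $(ip netns list | awk '{print $1}'); do
        case "$ns" in n[0-9]*) ip netns del "$ns" ;; esac
    done
    ip link del "$BR" 2>/dev/null || true
}
```

After lab_up, ip netns exec n1 ip route shows the default route via the bridge address, which is exactly what a container on docker0 sees as its gateway.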
Docker's four network models
- none mode, specified with --network none
- bridge mode, specified with --network bridge
- container mode, specified with --network container:CNAME_CID
- host mode, specified with --network host
none mode
In this mode the docker container has its own network namespace, but no network device is created in it apart from lo; it is a closed container.
docker run -it --network none busybox:latest
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
bridge mode (default)
After installation, Docker enables the 172.17.0.1/16 network by default and creates the docker0 bridge as its gateway. Every container created on this network gets a pair of virtual interfaces whose names begin with veth: one end sits in the container, the other is attached to the docker0 bridge, which lets the container and the host communicate. docker0 is a NAT bridge, so the container receives a private address and can be thought of as a host behind a NAT service. If a service running in the container must be reachable from an external network, DNAT rules have to be defined on the host.
Map all traffic to one IP address of the host to a container
-A PREROUTING -d HOST_IP -j DNAT --to-destination CONTAINER_IP
Map one port of one IP address of the host to one port of a container
-A PREROUTING -d HOST_IP -p [tcp|udp] --dport HOST_PORT -j DNAT --to-destination CONTAINER_IP:CONTAINER_PORT
[root@node01 ~]# docker run -it -d -p 80:80 nginx:1.14-alpine
9e0c8389537082bc2dd2b03e4386d57e12a3f084ff4f464ae8234f4e313a1c29
[root@node01 ~]# docker exec -it 9e0c /bin/sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656 (656.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Chain POSTROUTING (policy ACCEPT 6 packets, 360 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
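As an added example, not from the original post: a small POSIX sh helper that builds the port-mapping DNAT rule from the template above for a running container, validates the inputs, and applies it only when run as root. The container_ip lookup through docker inspect and the host address and ports passed in are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): render and optionally apply the
# page's DNAT port-mapping rule for a container. Runs with POSIX sh.

# Validate a TCP/UDP port number (1-65535); returns 1 on bad input.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_port_rule HOST_IP HOST_PORT PROTO CONTAINER_IP CONTAINER_PORT
# Prints the iptables command built from the page's template (nat table).
dnat_port_rule() {
    host_ip=$1; host_port=$2; proto=$3; c_ip=$4; c_port=$5
    case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 1 ;; esac
    valid_port "$host_port" && valid_port "$c_port" || { echo "bad port" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$host_ip" "$proto" "$host_port" "$c_ip" "$c_port"
}

# container_ip NAME_OR_ID: look up the container's bridge address (assumed lookup).
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# apply_port_map HOST_IP HOST_PORT PROTO CONTAINER CONTAINER_PORT
# Applies the rule as root and lists the resulting PREROUTING entries.
# docker run -p adds the matching forwarding rules as well; a hand-written DNAT
# rule may additionally need forwarding to the container permitted.
apply_port_map() {
    c_ip=$(container_ip "$4") || return 1
    rule=$(dnat_port_rule "$1" "$2" "$3" "$c_ip" "$5") || return 1
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply: $rule" >&2; return 1; }
    $rule && iptables -t nat -S PREROUTING
}
```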
container mode
Also known as a joined container. In this mode the newly created container shares the net, ipc and uts namespaces of the specified container and the two can communicate over lo, while the mount, user and pid namespaces remain isolated.
docker run -it --network container:c8dddac96e38 busybox:latest # create a container joined to the previous container's network
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:698 (698.0 B) TX bytes:334 (334.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # wget -O - -q localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
host mode
The container shares the host's network namespace: it has no virtual network device or IP address of its own and uses the host's IP addresses directly to communicate with the outside, so no NAT translation is needed.
[root@node01 ~]# docker run -it -d --network host nginx:1.14-alpine
9fd88c8dc7ed7c3489e5202f4809f29f0266e369ec82b030da5099eb38514374
[root@node01 ~]# docker exec -it 9fd88 /bin/sh
/ # ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:08:64:66:20
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:8ff:fe64:6620/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:42 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6302 (6.1 KiB) TX bytes:4053 (3.9 KiB)
enp0s8 Link encap:Ethernet HWaddr 08:00:27:56:C7:9D
inet addr:172.28.128.6 Bcast:172.28.128.255 Mask:255.255.255.0
inet6 addr: fe80::4b03:37d0:c28d:ccd5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8669 errors:0 dropped:0 overruns:0 frame:0
TX packets:35690 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:958944 (936.4 KiB) TX bytes:2761926 (2.6 MiB)
eth0 Link encap:Ethernet HWaddr 08:00:27:29:73:07
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe29:7307/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3458 errors:0 dropped:0 overruns:0 frame:0
TX packets:3076 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1333104 (1.2 MiB) TX bytes:268337 (262.0 KiB)
Other uses of the docker bridge
Modifying the default IP of the docker0 bridge
- Add the bip key to the /etc/docker/daemon.json configuration file:
{ "bip": "10.0.0.1/16" }
- Restart the docker service:
systemctl restart docker
- Use ifconfig to view the new docker0 address:
ifconfig
Adding a new docker bridge
docker network create -d bridge --subnet "192.168.0.0/24" --gateway "192.168.0.1" mybr # add a bridge named mybr with subnet 192.168.0.0/24
docker network ls # list the current networks
NETWORK ID NAME DRIVER SCOPE
ea08a5af48d4 bridge bridge local
206de06c064a host host local
df506bd1407b mybr bridge local
c25bc3fc6dde none null local
docker run -it --network mybr busybox # create a container and attach it to this bridge
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:00:02
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1102 (1.0 KiB) TX bytes:0 (0.0 B)