Docker network model

Using network namespaces

The network namespace is one of the six Linux namespaces; it isolates network devices and services so that only devices in the same network namespace can see each other. Creating a network namespace only takes the ip netns sub-commands together with the related ip link commands. Some simple usage:

ip netns add n1   # add a network namespace
ip netns add n2
ip netns list     # list the current network namespaces
ip link add name veth1.1 type veth peer name veth1.2   # create a pair of virtual NICs
ip link show      # show the current network interfaces
ip link set dev veth1.1 netns n1   # move veth1.1 into the n1 namespace; veth1.2 is moved into n2 the same way
ip link set dev veth1.2 netns n2
ip netns exec n1 ip link set dev veth1.1 name eth0   # rename veth1.1 inside the n1 namespace to eth0
ip netns exec n2 ip link set dev veth1.2 name eth0
ip netns exec n1 ifconfig eth0 10.0.0.1/24 up   # configure the address inside the n1 namespace and bring it up
ip netns exec n2 ifconfig eth0 10.0.0.2/24 up
ip netns exec n2 ping 10.0.0.1   # test connectivity between the two namespaces

Docker's four network models

  • none mode, specified with --network none
  • bridge mode, specified with --network bridge
  • container mode, specified with --network container:<container name or ID>
  • host mode, specified with --network host

none mode

In this mode the docker container has its own network namespace but no network device is created in it apart from lo, so the container is closed off from the network.

docker run -it --network none busybox:latest
/ # ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

bridge mode (default)

After installation docker enables the 172.17.0.1/16 network by default and creates the docker0 bridge as its gateway. Each container created on this network gets a pair of virtual interfaces whose names begin with veth: one end sits inside the container, the other is attached to the docker0 bridge, which is what lets the container and the host communicate. docker0 is a NAT bridge, so the container gets a private address and can be thought of as a host sitting behind a NAT service; if a service running in the container must be reachable from the external network, DNAT rules have to be defined on the host.

  • Map all traffic to one host IP address to a container

    -A PREROUTING -d HOST_IP -j DNAT --to-destination CONTAINER_IP
  • Map traffic to one port of a host IP address to one port of a container

    -A PREROUTING -d HOST_IP -p [tcp|udp] --dport HOST_PORT -j DNAT --to-destination CONTAINER_IP:CONTAINER_PORT

[root@node01 ~]# docker run -it -d -p 80:80 nginx:1.14-alpine
9e0c8389537082bc2dd2b03e4386d57e12a3f084ff4f464ae8234f4e313a1c29
[root@node01 ~]# docker exec -it 9e0c /bin/sh
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:656 (656.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Chain POSTROUTING (policy ACCEPT 6 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination             
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80
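To see what the DNAT rules described above actually expose on a host, here is an added example (not from the original post) that parses the DOCKER chain of the nat table as printed by iptables -t nat -L DOCKER -n -v and flags published ports whose destination is 0.0.0.0/0, i.e. bound on every host interface rather than on one address. The chain text is a constructed sample, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables -t nat -L DOCKER -n -v` on a host with two
# published containers: port 80 bound on all interfaces (docker run -p 80:80)
# and port 5432 bound only on 127.0.0.1 (docker run -p 127.0.0.1:5432:5432).
SAMPLE_NAT_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    3   180 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
"""

# Columns: pkts bytes target prot opt in out source destination [match text]
DNAT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+DNAT\s+(?P<prot>\S+)\s+\S+\s+(?P<iface>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+dpt:(?P<hport>\d+)\s+to:(?P<to>\S+)"
)


def parse_dnat_rules(chain_text: str) -> List[Dict[str, object]]:
    """Return one dict per DNAT rule: host side (proto, dst, port) -> container side."""
    rules = []
    for line in chain_text.splitlines():
        m = DNAT_RE.match(line)
        if not m:  # header lines and the RETURN/MASQUERADE rules are skipped
            continue
        container_ip, container_port = m.group("to").rsplit(":", 1)
        rules.append({
            "proto": m.group("prot"),
            "host_dst": m.group("dst"),
            "host_port": int(m.group("hport")),
            "container_ip": container_ip,
            "container_port": int(container_port),
        })
    return rules


def exposed_on_all_interfaces(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rules whose host destination is unrestricted, so the port is reachable on every host address."""
    return [r for r in rules if r["host_dst"] in ("0.0.0.0/0", "0.0.0.0", "anywhere")]


if __name__ == "__main__":
    for r in exposed_on_all_interfaces(parse_dnat_rules(SAMPLE_NAT_DOCKER_CHAIN)):
        print(f"{r['proto']}/{r['host_port']} on all interfaces -> "
              f"{r['container_ip']}:{r['container_port']}")
```

Run it against real output by piping the chain into the parser; publishing with -p 127.0.0.1:PORT:PORT is what produces the restricted destination seen in the second rule.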

container mode

Also known as joined containers: in this mode the newly created container uses the specified container's net, ipc and uts namespaces, so the two communicate with each other over lo, while the mount, user and pid namespaces remain isolated.

docker run -it --network container:c8dddac96e38 busybox:latest  # create a container joined to the previous container's network
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:698 (698.0 B)  TX bytes:334 (334.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # wget -O - -q localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>

host mode

The container shares the host's network namespace: it has no virtual network device or IP address of its own, communicates with the outside directly using the host's IP address, and needs no NAT translation.

[root@node01 ~]# docker run -it -d --network host nginx:1.14-alpine 
9fd88c8dc7ed7c3489e5202f4809f29f0266e369ec82b030da5099eb38514374
[root@node01 ~]# docker exec -it 9fd88 /bin/sh
/ # ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:08:64:66:20  
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:8ff:fe64:6620/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6302 (6.1 KiB)  TX bytes:4053 (3.9 KiB)

enp0s8    Link encap:Ethernet  HWaddr 08:00:27:56:C7:9D  
          inet addr:172.28.128.6  Bcast:172.28.128.255  Mask:255.255.255.0
          inet6 addr: fe80::4b03:37d0:c28d:ccd5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8669 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35690 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:958944 (936.4 KiB)  TX bytes:2761926 (2.6 MiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:29:73:07  
          inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe29:7307/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3458 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3076 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1333104 (1.2 MiB)  TX bytes:268337 (262.0 KiB)

Other uses of the docker bridge

Modify the default IP of the docker0 bridge

  1. Add the /etc/docker/daemon.json configuration file with:
     {"bip": "10.0.0.1/16"}
  2. Restart the docker service: systemctl restart docker
  3. Use ifconfig to view the docker0 address

Add a new docker Bridge

docker network create -d bridge --subnet "192.168.0.0/24" --gateway "192.168.0.1" mybr  # add a bridge named mybr with subnet 192.168.0.0/24
docker network ls  # list the current networks
NETWORK ID          NAME                DRIVER              SCOPE
ea08a5af48d4        bridge              bridge              local
206de06c064a        host                host                local
df506bd1407b        mybr                bridge              local
c25bc3fc6dde        none                null                local
docker run -it --network mybr busybox  # create a container and attach it to this bridge
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:00:02  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1102 (1.0 KiB)  TX bytes:0 (0.0 B)

Source: www.cnblogs.com/dyb0204/p/11367464.html