Container virtual network overview

Six kinds of namespace:

UTS: host and domain name

User: user and group IDs

Mount: file system mount points

IPC: inter-process communication

PID: process IDs

Net: network

The network namespace mainly isolates the network stack and the network devices. A device can be associated with only one namespace at a time, and the other namespaces cannot see it; this lets each namespace be configured with its own IP address and communicate with the outside world on its own.

But if there are not enough physical network devices to hand one to every namespace, the kernel can simulate a switch and simulate a pair of interfaces: one end of the pair is connected to a namespace, the other end to the switch.

docker network

Docker automatically provides three networks after installation:

[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
1d7c5fcc9190        bridge              bridge              local
b3ec0cad3ccc        host                host                local
2c634f206126        none                null                local

bridge represents a bridged network (a network bridge). It creates a pure software switch on the machine, called docker0, which can act both as a switching device and as a network interface of the host.

host means the container uses the host's network namespace.

none means null: the container has no network card, only the closed loopback interface lo.

[root@localhost ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:72:1c:ca brd ff:ff:ff:ff:ff:ff
    inet 10.192.45.116/21 brd 10.192.47.255 scope global dynamic enp0s3
       valid_lft 2875sec preferred_lft 2875sec
    inet6 fe80::a00:27ff:fe72:1cca/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:58:26:e8:42 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:58ff:fe26:e842/64 scope link 
       valid_lft forever preferred_lft forever
13: vethcc71d75@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 86:ad:5a:89:e7:46 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::84ad:5aff:fe89:e746/64 scope link 
       valid_lft forever preferred_lft forever
15: vethe5b386c@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP 
    link/ether 3a:43:31:9c:5b:0f brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::3843:31ff:fe9c:5b0f/64 scope link 
       valid_lft forever preferred_lft forever

Two containers are running. Half of each veth pair is inside its container; vethcc71d75@if12 and vethe5b386c@if14 on the host are the other halves of the two pairs that were created for them.

[root@localhost ~]# docker container ls
CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS              PORTS               NAMES
bd141921d661        haoran/httpd:v0.2     "/bin/httpd -f -h /d…"   3 hours ago         Up 3 hours                              t2
e0f415751ebb        haoran/httpd:v0.1-1   "sh"                     3 hours ago         Up 3 hours                              t1

With the brctl command you can see this clearly:

[root@localhost ~]# yum -y install bridge-utils
[root@localhost ~]# brctl show
bridge name bridge id       STP enabled interfaces
docker0     8000.02425826e842   no      vethcc71d75
                            vethe5b386c

We can see that docker0 is associated with the two devices vethcc71d75 and vethe5b386c.

After each container is created, started and assigned an IP, an iptables rule is generated on the host:

[root@iZ2zefbrqggvke1qw0kd0hZ ~]# iptables -t nat -vnL
Chain POSTROUTING (policy ACCEPT 8020 packets, 581K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  274 17427 MASQUERADE  all  --  *      !docker0  172.18.0.0/16        0.0.0.0/0       

* (in): coming in from any interface

!docker0 (out): not going out via docker0

source: addresses in the 172.18.0.0/16 segment

destination: any host, 0.0.0.0/0

MASQUERADE replaces the source IP of the packet with the IP of the network card it is transmitted on. It is therefore meant for cases where the outbound IP is not fixed, such as a dial-up connection or an address assigned by DHCP; in those cases you have to use MASQUERADE.
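The following script is an added example, not code from the original post or from Docker. It rebuilds by hand the wiring described above for one container (the namespace and veth pair from the overview, the software switch that plays docker0, and the MASQUERADE rule from the iptables output); every name, subnet and address in it is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild by hand what Docker's bridge
# driver does for one container, namely a network namespace, a veth pair with one
# half in the namespace and the other half on a software bridge, an address on each
# side, and the MASQUERADE rule for traffic leaving the host.
# All names and addresses are assumptions. Applying it needs root; DRY_RUN=1 prints
# the commands instead of running them.
BRIDGE=${BRIDGE:-br-demo}          # plays the role of docker0
NS=${NS:-ns-demo}                  # the container's network namespace
PREFIX=${PREFIX:-16}
GW=${GW:-172.20.0.1}               # address of the bridge itself
CONTAINER_IP=${CONTAINER_IP:-172.20.0.2}
SUBNET=${SUBNET:-172.20.0.0/$PREFIX}
VETH_HOST=${VETH_HOST:-veth-demo}  # host half of the pair
VETH_PEER=${VETH_PEER:-veth-demo-ns}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_bridge_network() {
    # 1. the software switch on the host, with its own address
    run ip link add "$BRIDGE" type bridge
    run ip addr add "$GW/$PREFIX" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    # 2. an isolated network stack for the "container"
    run ip netns add "$NS"
    # 3. one veth pair; the host half is plugged into the switch
    run ip link add "$VETH_HOST" type veth peer name "$VETH_PEER"
    run ip link set "$VETH_HOST" master "$BRIDGE"
    run ip link set "$VETH_HOST" up
    # 4. the other half moves into the namespace and is renamed eth0 there
    run ip link set "$VETH_PEER" netns "$NS"
    run ip netns exec "$NS" ip link set "$VETH_PEER" name eth0
    run ip netns exec "$NS" ip addr add "$CONTAINER_IP/$PREFIX" dev eth0
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip link set eth0 up
    run ip netns exec "$NS" ip route add default via "$GW"
    # 5. source NAT for packets from the subnet that leave via anything but the bridge,
    #    the same shape as the post's rule for 172.18.0.0/16 and !docker0
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE
}

# Usage: DRY_RUN=1 sh bridge-demo.sh apply   (print the commands)
#        sudo sh bridge-demo.sh apply        (create the wiring for real)
case "${1:-}" in apply) setup_bridge_network ;; esac
```

After applying it for real, `brctl show` lists veth-demo under br-demo and `ip netns exec ns-demo ip a` shows eth0 with 172.20.0.2, matching the picture in the outputs above.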


Origin www.cnblogs.com/hao-ran/p/11493893.html