Docker containers acquaintance network mode

1. Docker containers four kinds of network model
   based upon docker run to create a docker container, the container can be used --net option to specify the network mode, Docker network model has:
   1), None mode,
   the container is not any network configuration. --network none

   # docker run -it --network none busybox:latest
   Unable to find image 'busybox:latest' locally
   latest: Pulling from library/busybox
   ee153a04d683: Pull complete 
   Digest: sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70
   Status: Downloaded newer image for busybox:latest
   / # 
   / # ifconfig
   lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         UP LOOPBACK RUNNING  MTU:65536  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1 
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
   / # 

   No IP address within the container, can not connect to external networks, host unassigned IP.
   2), Container mode
   and running another vessel sharing Network Namespace. --network = container: containerID
   newly created containers do not have their own IP, network card information, shared network environment with the specified container. In addition to container networks, others are isolated, such as file systems, processes and so on.
   3), Host mode
   and host shared Network Namespace. --network = host

   # docker run -it --network host centos:latest

   After entering the above command found nothing changes, in fact, has entered the container, due to the public network and the host, the host name and also as the host. The container does not have network cards and other information, use the host IP and port, if open within what host port, open container accordingly, in relation to network security is not enough.
   4), Bridge bridge mode
   NAT network model Docker is the docker default mode network, the host will automatically assign Network Namespace to docker container, separate virtual IP, docker containers will be connected to the docker0 virtual bridge, so that it can connect to the network .
   FIG prototype Docker Bridge bridge network
   
   host two network cards: eth0, docker0. docker service starts automatically creates a bridge card docker0 (172.17.0.1), while the emergence of a bridge docker0 (# brctl show) View:

   [root@docker-qa ~]# brctl show
   bridge name     bridge id       STP enabled     interfaces
   docker0     8000.024267a34c5d       no          veth008914e9
                                               veth04d070a5
                                               veth109e9cae
                                               veth126cdf5

   Connect all virtual NICs to the docker docker0 bridge, docker container starts assigns IP in order.
   Docker Bridge bridge creation process:
   1) creates a host of the virtual NIC device veth pair, Veth pairs are used to connect two network devices, for data transmission.
   2) veth pair at one end of the container device, named eth0, the other end of the bridge docker0, brctl show command.
   3) docker0 IP assigned to a container, and the container is provided docker0 an IP default gateway.
   4) and the container may communicate with a host. The Bridge mode, the container under the same bridge can communicate, and the container can access the Internet.
   docker container and can be connected to external networks, mainly key role Linux kernel, the Linux kernel forwards container bridge card signal to eth0, eth0 then connected to the outer network, wherein the configuration items required to net.ipv4.ip_forward Linux system with a = to configure forwarding

2. Outer container access network
   application container is to be connected to external networks, can be specified by -P or -p port mapping parameters.

   -P   docker随机映射： docker run -d -P --name nginxTest nginx
   -p   docker指定映射：-p hostPort：containerPort
                    -p ip:hostPort：containerPort
                    -p ip::containerPort    #宿主机任意Port映射容器指定的Port
                    -p hostPort：containerPort：udp

   If the host is turned on iptables rules, port mapping is completed, the port will join the corresponding opening of the firewall rules iptables rules later.

3. -Link interconnection container
   vessel interconnected, in addition to port mapping, but also by the docker run --link parameters specified for secure interaction between the containers. For example:
   Creating a DB container:

   #docker run -d --name dbserver test/mysql

   Creating a Web container, and connect it to the container dbserver

   #docker run -p 8080:8090 --name myweb --link dbserver:db  mywebtest:latest

   At this point, docker built on two interconnected vessels a secure tunnel, and need to be mapped to the host port, did not specify the -P or -p port in the docker run dbserver container to avoid dbserver database container port exposed, to enhance security.
   --link format: - link name: alias, name is a name to connect the container, alias alias connection. But subsequent versions docker, the option will be canceled --link docker run in.
   Database web container and container dbserver Internet. Now enter through the docker exec to web container, see the hosts file can be found in the host name and IP information database container dbserver resolution. Ping the link and alias.