The four Docker container network modes
When a container is created with docker run, the --net (or --network) option selects the network mode it uses. Docker offers four network modes:
1) None mode (--network none)
The container receives no network configuration at all.

    # docker run -it --network none busybox:latest
    Unable to find image 'busybox:latest' locally
    latest: Pulling from library/busybox
    ee153a04d683: Pull complete
    Digest: sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70
    Status: Downloaded newer image for busybox:latest
    / #
    / # ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    / #

The container has no IP address (only the loopback interface) and cannot connect to external networks; the host assigns it no address.
2) Container mode (--network container:containerID)
The new container shares the Network Namespace of another running container. It gets no IP address or network interface of its own and uses the network environment of the specified container. Everything other than the network, such as the file system and processes, remains isolated.
3) Host mode (--network host)
The container shares the host's Network Namespace.

    # docker run -it --network host centos:latest

After running this command nothing appears to change, but you are in fact inside the container: because it shares the host's network, its hostname is the host's as well. The container has no network interfaces of its own and uses the host's IP and ports; whatever port a process opens inside the container is opened on the host. From a network-security standpoint this isolation is insufficient.
4) Bridge mode
This NAT model is Docker's default network mode. The host automatically assigns the container its own Network Namespace and a separate virtual IP, and connects the container to the docker0 virtual bridge so that it can reach the network.
Figure: Docker bridge network topology
The host has two network interfaces: eth0 and docker0. When the docker service starts it automatically creates the bridge interface docker0 (172.17.0.1); brctl show lists the bridge and its attached interfaces:

    [root@docker-qa ~]# brctl show
    bridge name     bridge id               STP enabled     interfaces
    docker0         8000.024267a34c5d       no              veth008914e9
                                                            veth04d070a5
                                                            veth109e9cae
                                                            veth126cdf5

All container-side virtual NICs are attached to the docker0 bridge, and containers are assigned IPs in the order in which they start.
How the Docker bridge network is set up:
1) A pair of virtual NIC devices (a veth pair) is created on the host. A veth pair connects two network devices and carries data between them.
2) One end of the veth pair is placed in the container and named eth0; the other end is attached to the docker0 bridge, where it shows up in brctl show.
3) docker0 assigns the container an IP, and docker0's own IP is set as the container's default gateway.
4) The container and the host can now communicate. In bridge mode, containers on the same bridge can talk to each other, and containers can reach the Internet.
Containers can reach external networks mainly thanks to the Linux kernel: it forwards traffic from the bridge interface to eth0, which connects to the outside. This requires IP forwarding to be enabled on the host, i.e. the sysctl net.ipv4.ip_forward = 1.
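The setup steps above can be verified from the host. The script below is an added example, not code from the original post: it parses brctl show output for the bridge's members, checks the ip_forward sysctl, and (assuming a Linux host with docker, nsenter and iproute2, run as root) maps a container's eth0 to the host-side end of its veth pair.

```shell
#!/bin/sh
# Added example, not code from the original post: check the three pieces of
# the bridge model described above. The brctl parser and the ip_forward check
# run anywhere; container_host_veth assumes a Linux host with docker, nsenter
# and iproute2 and needs root.

# List the interfaces attached to bridge $1, reading `brctl show` output on
# stdin. brctl prints the bridge on its first interface's row and leaves the
# bridge columns blank on the following rows.
bridge_ports() {
    awk -v br="$1" '
        NR == 1 { next }                                  # header row
        $1 == br { found = 1; if (NF == 4) print $4; next }
        found && NF == 1 { print $1; next }               # continuation row
        NF > 1 { found = 0 }                              # another bridge starts
    '
}

# Succeed when the kernel forwards IPv4 (net.ipv4.ip_forward = 1), the
# setting the post names as required for containers to reach eth0. The path
# is a parameter so the check can also be run against a saved copy.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Print the host-side veth that pairs with eth0 of container $1. Inside the
# container, `ip link` shows eth0@ifN, where N is the ifindex of the peer
# device in the host namespace.
container_host_veth() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    idx=$(nsenter -t "$pid" -n ip -o link show eth0 |
          sed -n 's/^[0-9]*: eth0@if\([0-9]*\):.*/\1/p')
    [ -n "$idx" ] || return 1
    ip -o link show | awk -v i="$idx" -F': ' '$1 == i { sub(/@.*/, "", $2); print $2 }'
}

# Usage: sh bridge_audit.sh <container>
# Prints the peer veth, the docker0 members and the forwarding state.
if [ "$#" -eq 1 ]; then
    container_host_veth "$1"
    brctl show | bridge_ports docker0
    if ip_forward_enabled; then echo "ip_forward=1"; else echo "ip_forward=0"; fi
fi
```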
Reaching a container from outside
For an application container to be reachable from external networks, a port mapping is specified with the -P or -p parameter:

    -P  Docker chooses a random host port:
        docker run -d -P --name nginxTest nginx
    -p  explicit mapping:
        -p hostPort:containerPort
        -p ip:hostPort:containerPort
        -p ip::containerPort          # map any host port to the container's specified port
        -p hostPort:containerPort/udp

If iptables is enabled on the host, completing a port mapping also adds the corresponding iptables rules that open that port in the firewall.
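Because Docker adds its own firewall rules for every published port, the host IP part of a -p spec decides who can reach the service. The script below is an added example, not code from the original post: it normalises the -p forms listed above and reports the ones that bind every host interface, so they can be reviewed before a docker run command is executed.

```shell
#!/bin/sh
# Added example, not code from the original post: normalise the -p forms
# listed above into "host_ip host_port container_port proto" and flag the
# ones bound to every host interface. Docker inserts its own DOCKER chain into
# the nat and filter tables, so a published port with no host IP is reachable
# from outside even when the host's INPUT chain looks closed.

# Print "host_ip host_port container_port proto" for one -p spec. No host IP
# means 0.0.0.0 (all interfaces); an empty host port means Docker picks an
# ephemeral port, as with -P. Handles the IPv4 forms from the post only.
parse_publish() {
    orig=$1; spec=$1; proto=tcp
    case $spec in
        */udp) proto=udp; spec=${spec%/udp} ;;
        */tcp) spec=${spec%/tcp} ;;
        */*)   echo "unknown protocol in '$orig'" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs   # split on ':'
    case $# in
        1) host_ip=;   host_port=;   cport=$1 ;;   # containerPort
        2) host_ip=;   host_port=$1; cport=$2 ;;   # hostPort:containerPort
        3) host_ip=$1; host_port=$2; cport=$3 ;;   # ip:hostPort:containerPort
        *) echo "bad -p spec '$orig'" >&2; return 1 ;;
    esac
    printf '%s %s %s %s\n' "${host_ip:-0.0.0.0}" "${host_port:-ephemeral}" \
        "$cport" "$proto"
}

# Succeed when the spec listens on every host interface, the case that needs
# a deliberate decision rather than trust in the host firewall.
publish_is_world_reachable() {
    ip=$(parse_publish "$1" | cut -d' ' -f1)
    [ "$ip" = "0.0.0.0" ] || [ "$ip" = "::" ]
}

# Walk a `docker run` argument list and print every -p spec that is world
# reachable, for review before the command is run.
audit_publish_args() {
    while [ $# -gt 0 ]; do
        case $1 in
            -p)  shift; [ $# -gt 0 ] || break
                 publish_is_world_reachable "$1" && echo "$1" ;;
            -p*) spec=${1#-p}; publish_is_world_reachable "$spec" && echo "$spec" ;;
        esac
        shift
    done
}

# Usage: sh publish_audit.sh <docker run arguments...>
if [ $# -gt 0 ]; then audit_publish_args "$@"; fi
```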
--link container interconnection
Besides port mapping, containers can also be interconnected with the --link parameter of docker run, which provides secure interaction between containers. For example:
Create a DB container:

    # docker run -d --name dbserver test/mysql

Create a web container and link it to the dbserver container:

    # docker run -p 8080:8090 --name myweb --link dbserver:db mywebtest:latest

Docker now builds a secure tunnel between the two linked containers, and the dbserver container's port does not need to be mapped to the host: no -P or -p was given in its docker run, so the database port is not exposed, which improves security.
--link format: --link name:alias, where name is the name of the container to connect to and alias is the alias used for the connection. Note that the --link option of docker run is slated for removal in later Docker versions.
The web container and the dbserver database container are now interconnected. Enter the web container with docker exec and look at its hosts file: it contains the hostname and IP of the dbserver database container. Both the link name and the alias can be pinged.
Source: blog.51cto.com/10874766/2437867