Description of the environment (shown in Figure 1)
Figure 1
node01 and node02 are Alibaba Cloud (Aliyun) ECS or AWS EC2 hosts in the same VPC, 172.28.0.0/16.
The docker0 subnet on node01 is 172.17.0.0/24;
the docker0 subnet on node02 is 172.18.0.0/24.
Goal: Docker containers on node01 and node02 can reach each other across the two hosts.
Implementation steps:
(1) Add Alibaba Cloud or AWS security group rules that allow the docker0 subnets 172.17.0.0/24 and 172.18.0.0/24 to access the host network segment (VPC: 172.28.0.0/16).
(2) Manually add routes in the Alibaba Cloud or AWS VPC route table.
On Alibaba Cloud, in the console go to Operations -> Route Table and add a route for 172.17.0.0/16 with next hop the instance amdha01 (ens3), and a route for 172.18.0.0/16 with next hop the instance amdha02 (ens3), as shown in Figure 2. Add the docker0 route for node01 first, then the one for node02.
figure 2
On AWS, in the console go to Services -> VPC -> Route Tables, select the route table of the corresponding VPC, and under the "Routes" tab choose "Edit routes". In the same way, route 172.17.0.0/16 to the instance amdha01 (ens3) and 172.18.0.0/16 to the instance amdha02 (ens3), as shown in Figure 3.
Figure 3
Note that on AWS, besides adding the routes, you must also select each instance and, under "Actions" -> "Networking" -> "Change source/destination check", click "Disable" (Figures 4 and 5). Otherwise EC2 discards forwarded packets whose source or destination address is not the instance's own, which is exactly what container traffic looks like.
Figure 4
Figure 5
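The routing in steps (1) and (2) only works if each host's docker0 subnet is unique and sits inside the VPC route that points at that host; Docker gives every host the same default bridge subnet, so node02 has to be moved to 172.18.0.0/24 before the routes make sense. The following pre-flight check is an added example, not code from the original post: it encodes the page's plan (VPC 172.28.0.0/16, node01 docker0 172.17.0.0/24 routed to amdha01, node02 docker0 172.18.0.0/24 routed to amdha02) and a constructed counter-example with both hosts on the default bridge, and it also derives the "bip" value for /etc/docker/daemon.json, a step the post does not show (the assumption that the bridge takes the first address of its subnet is Docker's default behaviour).

```python
"""Pre-flight check for the container addressing plan behind steps (1) and (2).

Added example, not from the original post. Checks that each host's docker0
subnet is unique, lies inside the VPC route pointing at that host, and does
not collide with the VPC's own range.
"""
import ipaddress

# Plan as described on the page; the instance names are the page's.
PAGE_PLAN = {
    "vpc": "172.28.0.0/16",
    "hosts": {
        "node01": {"docker0": "172.17.0.0/24", "route": "172.17.0.0/16", "instance": "amdha01"},
        "node02": {"docker0": "172.18.0.0/24", "route": "172.18.0.0/16", "instance": "amdha02"},
    },
}

# Constructed counter-example: both hosts left on Docker's default bridge
# subnet, so the VPC route table cannot tell their containers apart.
DEFAULT_BRIDGE_PLAN = {
    "vpc": "172.28.0.0/16",
    "hosts": {
        "node01": {"docker0": "172.17.0.0/16", "route": "172.17.0.0/16", "instance": "amdha01"},
        "node02": {"docker0": "172.17.0.0/16", "route": "172.17.0.0/16", "instance": "amdha02"},
    },
}


def validate_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc"])
    nets = {}
    for name, host in plan["hosts"].items():
        bridge = ipaddress.ip_network(host["docker0"])
        route = ipaddress.ip_network(host["route"])
        nets[name] = (bridge, route)
        if bridge.overlaps(vpc):
            problems.append(f"{name}: docker0 {bridge} overlaps the VPC range {vpc}")
        if not bridge.subnet_of(route):
            problems.append(f"{name}: docker0 {bridge} is not inside route {route} -> {host['instance']}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a][0].overlaps(nets[b][0]):
                problems.append(f"{a}/{b}: docker0 subnets {nets[a][0]} and {nets[b][0]} overlap")
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"{a}/{b}: VPC routes {nets[a][1]} and {nets[b][1]} overlap")
    return problems


def docker_bip(plan, name):
    """Value for the "bip" key in /etc/docker/daemon.json that gives a host the
    docker0 subnet from the plan. Assumption: the bridge takes the first usable
    address of its subnet, which is Docker's default."""
    bridge = ipaddress.ip_network(plan["hosts"][name]["docker0"])
    return f"{bridge[1]}/{bridge.prefixlen}"


if __name__ == "__main__":
    for label, plan in (("page plan", PAGE_PLAN), ("default bridges", DEFAULT_BRIDGE_PLAN)):
        print(label, "->", validate_plan(plan) or "ok")
    print("node02 daemon.json bip:", docker_bip(PAGE_PLAN, "node02"))
```

Run it before touching the cloud console: the page's plan passes, while the default-bridge plan reports overlapping docker0 subnets and overlapping routes, which is the case where both instances would claim the same destination in the route table.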
(3) Modify the iptables configuration on node01 and node02. After the settings above, an ECS/EC2 instance in the same VPC can only ping the docker0 address of the host (the containers' gateway), not an individual container.
On Ubuntu 16.04, use the iptables-save command to save the current iptables configuration to /etc/network/iptables.up.rules, then modify the configuration as follows:
# iptables-save > /etc/network/iptables.up.rules
# cat /etc/network/iptables.up.rules
# Generated by iptables-save v1.6.0 on Sat Mar 16 16:47:22 2019
*nat
:PREROUTING ACCEPT [287:18748]
:INPUT ACCEPT [224:13456]
:OUTPUT ACCEPT [362:23448]
:POSTROUTING ACCEPT [362:23448]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Sat Mar 16 16:47:22 2019
# Generated by iptables-save v1.6.0 on Sat Mar 16 16:47:22 2019
*filter
:INPUT ACCEPT [7991:829858]
:FORWARD ACCEPT [63:5292]
:OUTPUT ACCEPT [7823:884204]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Mar 16 16:47:22 2019
Finally, apply the saved configuration with iptables-apply so that it takes effect:
# iptables-apply
or
# iptables-restore /etc/network/iptables.up.rules
On CentOS 7.x, the service command is normally used to save the current iptables configuration before modifying it (the initscripts package must be installed first); note that the save path and file name differ from those on Ubuntu.
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
After modifying the configuration, restart iptables with service or systemctl for the configuration to take effect:
# service iptables restart
or
# systemctl restart iptables
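What step (3) actually changes is visible in the dump above when it is compared with Docker's stock rules: the FORWARD policy is ACCEPT rather than DROP, DOCKER-ISOLATION-STAGE-2 ends in ACCEPT rather than DROP, and DOCKER-USER (the chain Docker reserves for administrator rules) only RETURNs, so every source that the security group and the VPC routes let through can reach every container. The following audit is an added example, not code from the original post: it parses iptables-save output, reports those openings over the node01 dump shown on the page (embedded with its comment lines removed), and generates a DOCKER-USER chain that limits container access to named source ranges. The generated restriction, the assumed host interface name ens3, and the sample allowed ranges are assumptions for the example, not something the post does.

```python
"""Audit an iptables-save dump for the cross-host Docker settings of step (3).

Added example, not from the original post. PAGE_DUMP is the node01
configuration shown on the page (comment lines removed); docker_user_rules
is an assumed restriction, not something the post applies.
"""
import shlex

PAGE_DUMP = """\
*nat
:PREROUTING ACCEPT [287:18748]
:INPUT ACCEPT [224:13456]
:OUTPUT ACCEPT [362:23448]
:POSTROUTING ACCEPT [362:23448]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [7991:829858]
:FORWARD ACCEPT [63:5292]
:OUTPUT ACCEPT [7823:884204]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
"""


def parse_iptables_save(text):
    """Parse into {table: {"policy": {chain: policy}, "rules": {chain: [argv, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy  # "-" marks a user-defined chain
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            table["rules"].setdefault(argv[1], []).append(argv[2:])
    return tables


def audit(tables):
    """Return findings as (id, message) tuples, in evaluation order."""
    empty = {"policy": {}, "rules": {}}
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    found = []
    if filt["policy"].get("FORWARD") == "ACCEPT":
        found.append(("forward-policy-accept", "FORWARD policy is ACCEPT (Docker's default is DROP): "
                      "forwarded packets matched by no rule are allowed"))
    if ["-o", "docker0", "-j", "ACCEPT"] in filt["rules"].get("DOCKER-ISOLATION-STAGE-2", []):
        found.append(("isolation-accept", "DOCKER-ISOLATION-STAGE-2 ends in ACCEPT instead of DROP: "
                      "bridge-to-bridge isolation is off"))
    if all(argv == ["-j", "RETURN"] for argv in filt["rules"].get("DOCKER-USER", [])):
        found.append(("docker-user-open", "DOCKER-USER only RETURNs: nothing limits which sources reach the containers"))
    for argv in nat["rules"].get("POSTROUTING", []):
        if "MASQUERADE" in argv and "-s" in argv:
            src = argv[argv.index("-s") + 1]
            found.append(("masquerade", f"traffic from {src} leaving the host is SNATed to the host address, "
                          "so peer containers see the host IP rather than the container IP"))
    return found


def docker_user_rules(allowed_sources, host_iface="ens3"):
    """iptables-restore lines for a DOCKER-USER chain that lets only the listed
    sources open connections to containers via the host NIC (assumed restriction)."""
    rules = [f"-A DOCKER-USER -i {host_iface} -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"]
    rules += [f"-A DOCKER-USER -i {host_iface} -s {src} -j RETURN" for src in allowed_sources]
    return rules + [f"-A DOCKER-USER -i {host_iface} -j DROP", "-A DOCKER-USER -j RETURN"]


def hardened_dump(dump, allowed_sources, host_iface="ens3"):
    """Return the dump with its empty DOCKER-USER chain replaced by restricting rules."""
    return dump.replace("-A DOCKER-USER -j RETURN", "\n".join(docker_user_rules(allowed_sources, host_iface)))


if __name__ == "__main__":
    for fid, msg in audit(parse_iptables_save(PAGE_DUMP)):
        print(f"[{fid}] {msg}")
    print(hardened_dump(PAGE_DUMP, ["172.18.0.0/24", "172.28.0.0/16"]))  # node01: allow peer containers and VPC hosts
```

The RELATED,ESTABLISHED rule has to come first so that replies to connections the local containers opened are not dropped; because the DROP applies to everything else arriving on the host NIC, ports published by containers on this host are also closed to sources outside the allowed list, so widen the list if the host publishes services. Feeding the audit the output of iptables-save on each node after the change is a quick way to confirm that DOCKER-USER now carries the restriction and the other findings are the ones intended.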
After completing the above configuration, Docker containers on different Alibaba Cloud or AWS hosts can communicate with each other. On ESXi, it is only necessary to set "Promiscuous mode" to "Accept" in the properties of vSwitch0, as shown in Figures 6 and 7.
Figure 6
Figure 7