Docker network settings overview

By default Docker provides three kinds of networks.

Running the command docker network ls gives the following:

NETWORK ID          NAME                DRIVER              SCOPE
82e8822065c7        bridge              bridge              local
a36f938bc6c6        host                host                local
55ee9a442ee8        none                null                local

1. bridge: a NAT bridge. Docker creates a software switch (a bridge) on the host.

With ifconfig you can see one extra interface, docker0.

docker0 is both a switch and a network interface. A plain switch needs no address of its own, but once the kernel assigns docker0 an address (by default 172.17.0.1, the gateway of the container subnet) it also acts as a network card of the host.

The Linux kernel can create a pair of virtual network interfaces (a veth pair) for a process; think of the pair as a single network cable with two ends.

One end sits in the process's own network namespace; the other end can be plugged in anywhere.

The Linux kernel can also create a software switch (a bridge), using the brctl command (or ip link add ... type bridge).

To build a virtual network in which processes C1 and C2 can communicate:

  • Step 1: Create a network cable m.
  • Step 2: Create a network cable n.
  • Step 3: Create a virtual switch S1.
  • Step 4: Plug one end of cable m into the network namespace that process C1 belongs to, and the other end into virtual switch S1.
  • Step 5: Plug one end of cable n into the network namespace that process C2 belongs to, and the other end into virtual switch S1.
  • Processes C1 and C2 can now communicate.

To build a virtual network in which processes C1 and C3 can communicate:

  • Step 1: Create a cable k.
  • Step 2: Create a virtual switch S2, and plug cable k between the network namespace of process C3 and S2.
  • Step 3: Put a small router in the middle, letting the kernel forward between S1 and S2. Alternatively, with no router, create one more cable and connect S1 and S2 directly; then step 4 is not needed.
  • Step 4: Create two cables so that S1 and S2 are each connected to the kernel router.
  • Processes C1 and C3 can now communicate.
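The two procedures above, carried out with Linux network namespaces (the "processes"), veth pairs (the "cables") and bridges (the "switches"). This is an added example, not code from the original post: the namespace names c1, c2, c3, the cable names m, n, k, the switch names s1, s2 and the 10.0.1.0/24 and 10.0.2.0/24 addresses are assumptions. It implements the router variant of step 3, in which the host kernel forwards between the two bridges.

```shell
#!/bin/sh
# Added example: build the topology from the two procedures above with Linux
# network namespaces (C1, C2, C3), veth pairs (cables m, n, k) and bridges
# (switches s1, s2). Needs root and iproute2. With DRY_RUN=1 it only prints
# the commands it would run.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# switch NAME ADDR: a software switch. Giving the bridge an address makes it
# also a host interface, the same double role docker0 plays with 172.17.0.1.
switch() {
    run ip link add "$1" type bridge
    run ip addr add "$2" dev "$1"
    run ip link set "$1" up
}

# cable NAME NS BRIDGE ADDR: a veth pair. One end (NAME) moves into namespace NS
# and gets ADDR; the other end (NAME-br) stays on the host, plugged into BRIDGE.
cable() {
    name=$1 ns=$2 br=$3 addr=$4
    run ip link add "$name" type veth peer name "${name}-br"
    run ip link set "$name" netns "$ns"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" addr add "$addr" dev "$name"
    run ip -n "$ns" link set "$name" up
    run ip link set "${name}-br" master "$br"
    run ip link set "${name}-br" up
}

build() {
    for ns in c1 c2 c3; do run ip netns add "$ns"; done
    # Procedure 1: cables m and n from C1 and C2 into switch S1.
    switch s1 10.0.1.1/24
    cable m c1 s1 10.0.1.11/24
    cable n c2 s1 10.0.1.12/24
    # Procedure 2: cable k from C3 into switch S2 ...
    switch s2 10.0.2.1/24
    cable k c3 s2 10.0.2.13/24
    # ... and the router variant of step 3. The host kernel owns both bridge
    # addresses (those play the role of the step-4 cables into the router) and
    # forwards between 10.0.1.0/24 and 10.0.2.0/24. The no-router variant would
    # instead join s1 and s2 with one more veth pair and use a single subnet.
    run sysctl -w net.ipv4.ip_forward=1
    run ip -n c1 route add default via 10.0.1.1
    run ip -n c2 route add default via 10.0.1.1
    run ip -n c3 route add default via 10.0.2.1
}

case "${1:-}" in build) build ;; esac
```

Run as root with sh topo.sh build; DRY_RUN=1 sh topo.sh build prints the plan without touching the system. Afterwards ip netns exec c1 ping 10.0.2.13 exercises the C1 to C3 path through the kernel router, and brctl show (or bridge link) lists m-br and n-br on s1 just as it lists the veth interfaces on docker0 below. Tear down with ip netns del for each namespace (which removes the cable ends inside) and ip link del for the two bridges.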

A well-known open-source software switch is OVS (Open vSwitch).

Overlay network

Containers C1 (192.168.1.3) and C5 (192.168.1.4) are on the same network segment, while their physical hosts h1 (10.1.1.3) and h2 (10.1.1.4) are connected to the same physical switch. Because C1 and C5 share a segment, they can see each other. When C1 sends data to C5, the IP packet is [C1:C5]; it passes through the virtual bridge (docker0) to physical host h1, which wraps the [C1:C5] packet in an outer [h1:h2] header. Physical host h2 receives it, strips the outer [h1:h2] header, finds [C1:C5] inside, and forwards it through its own virtual bridge (docker0) to C5.
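The wrapping described above, built by hand with VXLAN, which is also the encapsulation Docker's overlay driver uses. This is an added example, not code from the original post: the underlay device eth0, the VXLAN network identifier 42 and the interface names vx42 and br42 are assumptions; the host addresses 10.1.1.3 and 10.1.1.4 are the ones in the text.

```shell
#!/bin/sh
# Added example: the [h1:h2] wrapper around [C1:C5] packets, implemented as a
# VXLAN tunnel between the two hosts. Each host creates a tunnel endpoint toward
# its peer and a bridge that its containers attach to (the role docker0 plays in
# the text). Needs root; DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# overlay_host LOCAL REMOTE DEV: one side of the tunnel. The inner packet keeps
# the container addresses C1:C5; LOCAL:REMOTE becomes the outer IP header and
# the frame travels in a UDP datagram to port 4789 (the IANA VXLAN port).
overlay_host() {
    local_ip=$1 remote_ip=$2 dev=$3
    run ip link add vx42 type vxlan id 42 local "$local_ip" remote "$remote_ip" dstport 4789 dev "$dev"
    run ip link add br42 type bridge
    run ip link set vx42 master br42
    run ip link set vx42 up
    run ip link set br42 up
}

# The two hosts from the text: each one's REMOTE is the other's LOCAL.
h1() { overlay_host 10.1.1.3 10.1.1.4 eth0; }
h2() { overlay_host 10.1.1.4 10.1.1.3 eth0; }

# outer_header HOSTFUNC: extract "LOCAL:REMOTE" from a host's plan, i.e. the
# [h1:h2] header that anyone on the 10.1.1.0 switch can see on the wire.
outer_header() {
    DRY_RUN=1 "$1" | sed -n 's/.* local \([0-9.]*\) remote \([0-9.]*\) .*/\1:\2/p'
}
```

Run h1 on the first host and h2 on the second (DRY_RUN=1 sh -c '. ./overlay.sh; h1' prints the plan); containers then attach to br42 with veth pairs exactly as they attach to docker0, and 192.168.1.3 can reach 192.168.1.4 across the two hosts. The outer header is the only part the underlay sees, but the inner frame travels in the clear: anyone who can sniff or inject on the 10.1.1.0 switch can read or forge container traffic. Restrict UDP 4789 to the cluster hosts, and for Docker's own overlay networks create them with docker network create -d overlay --opt encrypted, which carries the VXLAN traffic inside IPsec.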

The docker0 referred to here is the interface that ifconfig shows on the machine running the docker daemon; it is a NAT bridge. Each time a container starts, a cable (veth pair) is created: one end is plugged into docker0, the other end into the container's own network namespace.

So how do you see how many cables are plugged into docker0?

Install bridge-utils (yum install bridge-utils) and run brctl show, which lists the interfaces plugged into each bridge.

[root@localhost ys]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242af11c649       no              veth93593bc
                                                        vethc7cb2ca

The output shows two cables plugged into docker0, veth93593bc and vethc7cb2ca. ifconfig also shows the host ends of both cables:

[root@localhost ys]# ifconfig
veth93593bc: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 .....  prefixlen 64  scopeid 0x20<link>
        ether .....  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
vethc7cb2ca: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 ..  prefixlen 64  scopeid 0x20<link>
        ether .....  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ip link show also lists veth93593bc and vethc7cb2ca (with master docker0), and the @ifNN suffix gives the interface index of the peer end inside the container: the other end of veth93593bc is if14, and the other end of vethc7cb2ca is if12. The link-netnsid value identifies which network namespace that peer lives in.

[root@localhost ys]# ip link show
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:af:11:c6:49 brd ff:ff:ff:ff:ff:ff
13: vethc7cb2ca@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether a2:a3:b8:3c:8c:88 brd ff:ff:ff:ff:ff:ff link-netnsid 0
15: veth93593bc@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether b2:24:a8:13:4d:56 brd ff:ff:ff:ff:ff:ff link-netnsid 1

iptables -t nat -vnL shows the following rule, which is what makes docker0 a NAT bridge.

Two iptables concepts are involved, DNAT and SNAT; the rule below is the SNAT side.

Chain POSTROUTING (policy ACCEPT 47 packets, 3073 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

in: *, meaning the packet may arrive on any interface.

out: !docker0, meaning the packet leaves on any interface except docker0 (so it is not going to another container on the bridge).

source: 172.17.0.0/16, meaning the source address is any host in 172.17.0.0/16, the container subnet.

destination: 0.0.0.0/0, meaning any destination address.

target: MASQUERADE, meaning source address translation (SNAT) in which the new source address is picked automatically from the outgoing interface.

Read together: a packet arriving from any interface, with a source address in 172.17.0.0/16, going to any destination and leaving through any interface other than docker0, gets its source address rewritten to the host's address on that outgoing interface. This is how containers reach the outside world; the reply arrives at the host, which reverses the translation using its connection-tracking table.

How do Docker containers communicate with each other?

  • Assume the containers were started in bridge mode.

    • Two containers plugged into docker0 are both on the 172.17 network and can talk to each other without any problem. Note that on the default bridge every container can reach every other container; if that is not wanted, start the daemon with --icc=false or put containers on separate user-defined networks.

    • Containers and the host can communicate with each other without any problem.

    • A client CL1 wants to reach the nginx container WEB1 on port 80, but CL1 and WEB1 are on different networks. How can they communicate? Only by DNAT on the host where WEB1 runs: CL1 connects to the host's address, and the host rewrites the destination to WEB1's container address and forwards the connection.

      This raises a problem: if web2 and web3 are also nginx containers listening on port 80, the host does not know which container to forward to. The host can only tell them apart by the host-side port, so each container is published on a different host port (for example 80, 8080 and 8081), and each DNAT rule maps one host port to one container address.
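A hand-written equivalent of the NAT rules behind both points above: the POSTROUTING MASQUERADE rule explained earlier, and the DNAT rules that publish containers on distinct host ports, with a check for the ambiguous case of two containers on the same host port. This is an added example, not code from the original post and not what Docker itself programs (Docker uses its own DOCKER and DOCKER-USER chains, and the exact rules differ); the container addresses 172.17.0.2 to 172.17.0.4 are assumptions.

```shell
#!/bin/sh
# Added example: the NAT mechanism behind bridge-mode networking. snat_out is
# the outbound rule shown above; publish is the inbound DNAT that makes a
# container reachable on a host port. Needs root to apply; DRY_RUN=1 prints
# the iptables commands instead.

BRIDGE=docker0
SUBNET=172.17.0.0/16

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Outbound: masquerade (SNAT) traffic from the container subnet that leaves
# through anything other than the bridge itself, i.e. the POSTROUTING rule above.
snat_out() {
    run iptables -t nat -A POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE
}

# Inbound: publish container CIP:CPORT on HOST_PORT for TCP connections that do
# not come from the bridge. The HOST port is what tells the kernel which
# container a connection is for, so it must be unique per rule.
publish() {
    host_port=$1 cip=$2 cport=$3
    run iptables -t nat -A PREROUTING ! -i "$BRIDGE" -p tcp --dport "$host_port" \
        -j DNAT --to-destination "${cip}:${cport}"
}

# Three nginx containers all listen on 80 inside; they are told apart by the
# host port.
plan() {
    snat_out
    publish 80   172.17.0.2 80   # web1 -> host:80
    publish 8080 172.17.0.3 80   # web2 -> host:8080
    publish 8081 172.17.0.4 80   # web3 -> host:8081
}

# The ambiguous case raised above: two containers published on one host port.
# iptables evaluates rules in order, so only the first DNAT would ever match.
bad_plan() {
    snat_out
    publish 80 172.17.0.2 80   # web1
    publish 80 172.17.0.3 80   # web2, same host port
}

# check_plan PLANFUNC: dry-run a plan and reject duplicate host ports.
check_plan() {
    dups=$(DRY_RUN=1 "$1" | sed -n 's/.*--dport \([0-9]*\) .*/\1/p' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate host port(s): %s\n' "$dups" >&2
        return 1
    fi
    return 0
}
```

With Docker the same mapping is docker run -p 8080:80 for web2 and -p 8081:80 for web3, and docker port web2 shows the resulting host port. Two caveats a practitioner should keep in mind: -p 8080:80 binds on all host addresses, so services that only need local access should be published as -p 127.0.0.1:8080:80; and because Docker inserts these rules itself, ports published this way are reachable even when a host firewall front end such as ufw appears to block them, so check iptables -t nat -vnL rather than trusting the front end's view.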

Another way: a container normally has its own set of six namespaces. If two containers are to communicate over lo (127.0.0.1), they are given only three separate namespaces (user, mount, pid) and share the other three (uts, net, ipc); in Docker this is --network container:<name>. Because lo is then shared, anything one container binds on localhost is reachable by the other.

2. host:

Containers can share the three namespaces (uts, net, ipc) among themselves; can a container share them with the host (the machine running the docker daemon)? Yes. Let container A share the host's uts, net and ipc namespaces while the other containers use the bridge; A then uses the host's network stack directly, sees every host interface and can bind any host port, which amounts to administrative privilege over the host's network. This is Docker's host networking (--network host). Because it bypasses the bridge, port publishing and the NAT rules above, treat it as a privileged setting and grant it only to containers that need it.

3. none: the container has no network interface other than lo and cannot communicate over the network.

Inspecting Docker networks:

To view the details of a network (inspect works on any Docker object):

# docker network inspect bridge    (likewise host and none)

To view a container's network details:

# docker container inspect ng1

C/C++ learning mutual-help QQ group: 877684253

My WeChat: xiaoshitou5854


Source: www.cnblogs.com/xiaoshiwang/p/11979052.html