001-docker-net: network mode classification, bridge mode in detail, Docker on Mac

I. Overview

Reference: https://docs.docker.com/engine/reference/commandline/network_create/

Docker ships four network modes of its own, plus user-defined (custom) networks.

When Docker is installed it automatically creates three networks: bridge (the network a newly created container joins by default), none and host.

host: the container gets no virtual NIC and no IP of its own; it uses the host's IP addresses and ports directly.

container: the new container does not create its own NIC or configure its own IP; it shares the IP address and port range of a specified, already existing container.

none: networking is turned off for the container (it keeps a network namespace of its own, but only the loopback interface is in it).

bridge: each container gets its own network namespace and IP settings and is attached to the docker0 virtual bridge; traffic between containers and the host passes over docker0, and the iptables nat table (DNAT for published ports, MASQUERADE for outbound traffic) connects the containers to the outside.

The built-in modes need no configuration; real deployments usually end up defining a custom network.

II. Network modes

2.1, network settings

  When Docker is installed it automatically creates three networks. You can list them with docker network ls:

$ docker network ls
NETWORK ID          NAME                DRIVER
7fca4eb8c647        bridge              bridge
9f904ee27bf5        none                null
cf03ee007fb4        host                host

These three networks are built in; when you run a container you choose the one it joins with the --network flag.

The bridge network is the docker0 bridge that exists on every Docker installation. Unless you pass docker run --network=<NETWORK>, the daemon attaches the container to this default bridge.

When creating a container with docker run, the network mode is selected with --net (an alias of --network). The built-in network drivers are bridge, host, ipvlan, macvlan, null and overlay; the four modes that a plain docker run can select directly are:

host mode: --net=host.

none mode: --net=none.

bridge mode: --net=bridge, the default.

container mode: --net=container:NAME_or_ID.

2.2, host network

  This corresponds to VMware's bridged mode: the container sits on the same network as the host, but without a unique IP address of its own. As is well known, Docker uses Linux namespaces to isolate resources: the PID namespace isolates processes, the mount namespace the file system, and the network namespace the network. A network namespace is an independent network environment, with its own interfaces, routing table and iptables rules, isolated from every other network namespace. A Docker container is normally given its own network namespace. A container started in host mode, however, does not get a separate network namespace; it shares the host's. No virtual NIC is created for it and it configures no IP of its own; it uses the host's IP addresses and ports.

For example, start an nginx container in host mode on a machine with the address 10.10.0.186/24; nginx listens on TCP port 80.

# run the container
$ docker run --name=nginx_host --net=host -p 80:80 -d nginx
74c911272942841875f4faf2aca02e3814035c900840d11e3f141fbaa884ae5c

# list the container
$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
74c911272942        nginx               "nginx -g 'daemon ..."   25 seconds ago      Up 25 seconds                           nginx_host

Running ifconfig or a similar command inside the container shows the host's network configuration. Note that the PORTS column above is empty: port publishing has no meaning in host mode, and Docker discards the -p 80:80 flag (newer daemons print a warning saying so). Clients outside reach the application directly at 10.10.0.186:80 with no NAT translation, exactly as if nginx were running on the host itself. The other aspects of the container, such as the file system and the process list, remain isolated from the host.

# on the host, the container's nginx shows up as an ordinary listener on all interfaces
$ netstat -nplt | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      27340/nginx: master

Summary:

  Uses the host's IP address directly. It is the simplest mode, but the container shares the host's network stack and is exposed to the outside with nothing in between (no NAT, no separate iptables rules), so isolation is the weakest: a process in the container can bind any host port and sniff host interfaces if it has the capability to do so.

  Host mode for swarm services requires Docker 17.06 or later.

  Linux only; Docker Desktop for Mac and Docker Desktop for Windows do not support it.

2.3, Container

  Once host mode is understood, this mode is easy to follow. A newly created container shares a network namespace with an existing container, rather than with the host. The new container does not create its own NIC or configure its own IP; it shares the IP address and port range of the specified container. As with host mode, everything other than the network (file system, process list, and so on) stays isolated between the two containers. Processes in the two containers can talk to each other over the lo interface.
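Host mode and container mode are the two settings that hand a container someone else's network namespace, so they are the first thing to look for when reviewing a Docker host. The script below is an added example (not code from the original post): a POSIX shell audit that classifies the `name mode` lines produced by `docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}'` and prints only the containers that share a namespace. HostConfig.NetworkMode is what Docker records for the --net/--network flag: `default` when no flag was given (the docker0 bridge; older daemons wrote `bridge`), otherwise `host`, `none`, `container:<id>` or the name of a user-defined network. The sample lines at the bottom are constructed so the script runs without a Docker daemon; the container names and ID are assumptions.

```shell
#!/bin/sh
# Added example: audit containers for shared network namespaces.
# Uses only POSIX sh + awk/printf; no Docker daemon is needed for the sample.
#
# Live use on a real host (the --format string is a genuine docker option):
#   docker ps -q | xargs docker inspect \
#       --format '{{.Name}} {{.HostConfig.NetworkMode}}' | audit_network_modes

# classify_mode MODE -> prints a label for one HostConfig.NetworkMode value.
classify_mode() {
    case "$1" in
        host)           echo "SHARED-HOST-NETNS" ;;      # host NICs, host ports, -p ignored
        container:*)    echo "SHARED-CONTAINER-NETNS" ;; # shares netns with another container
        none)           echo "NO-NETWORK" ;;             # own netns, only lo
        default|bridge) echo "BRIDGE-NAT" ;;             # own netns behind docker0 + iptables NAT
        *)              echo "USER-NETWORK" ;;           # custom bridge/overlay/macvlan, by name
    esac
}

# audit_network_modes: reads "name mode" lines on stdin and prints one line
# per container that shares a namespace: name<TAB>label<TAB>peer
# (peer is "host" or the ID of the container whose namespace is shared).
audit_network_modes() {
    while read -r name mode; do
        [ -n "$name" ] || continue
        label=$(classify_mode "$mode")
        case "$label" in
            SHARED-HOST-NETNS)
                printf '%s\t%s\t%s\n' "${name#/}" "$label" "host" ;;
            SHARED-CONTAINER-NETNS)
                printf '%s\t%s\t%s\n' "${name#/}" "$label" "${mode#container:}" ;;
        esac
    done
}

# Constructed sample in the shape `docker inspect --format` emits
# (Docker reports names with a leading "/"). Names and ID are made up.
SAMPLE_PS='/nginx_host host
/web default
/sidecar container:74c911272942
/batch none
/app mynet'

# audit_sample: runs the audit over the constructed sample.
audit_sample() { printf '%s\n' "$SAMPLE_PS" | audit_network_modes; }

audit_sample
```

On the sample this flags nginx_host (host namespace) and sidecar (namespace of container 74c911272942) and stays quiet about the bridge, none and user-network containers; on a live host, pipe the docker inspect output into audit_network_modes instead.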

2.4, None

The container is given a network stack of its own, but nothing is configured in it. In effect this switches networking off for the container. It is useful in two situations: the container needs no network at all (for example a batch job that only writes to a disk volume); or network configuration is deliberately left to a third-party plugin that sets it up afterwards.

2.5, Overlay

In Docker 1.7 the networking code was refactored and split out as an independent component, and Docker 1.8 added the overlay network driver on top of it. Docker's network access control has been improved step by step since then.

Overlay is Docker's own cross-host network model: containers on different hosts join one virtual network.

2.6, Bridge

Equivalent to VMware's NAT mode: the container has its own network namespace and is attached to the docker0 virtual NIC (this is the default mode). docker0 and the iptables nat table connect the containers to the host and the outside. Bridge is Docker's default network setting: each container is given its own network namespace and IP settings, and every Docker container on the host is attached to the same virtual bridge.

2.7, macvlan

  macvlan is a NIC virtualization technique: several MAC addresses are configured on one physical network adapter, each backing a separate sub-interface with its own IP. Its advantage is performance: no Linux bridge is needed, because the sub-interfaces attach directly to the physical interface.

  With the macvlan driver Docker assigns each container its own MAC address and frames are forwarded directly by MAC address, so the container appears on the physical network as a host of its own.

  It is the choice when network performance matters or when the application must be reachable directly on the physical network. Two practical caveats: by default the host cannot reach its own macvlan containers through the parent interface (frames from the parent are not delivered to its macvlan children), and the extra MAC addresses are often blocked by switch port security or by cloud providers' virtual NICs.

III. Bridge mode in detail

  Docker's default network setting.

3.1, Linux and Mac networks

  Linux:

    • The Docker host creates a docker0 bridge and gives it an unused local private subnet (by default 172.17.0.0/16, with docker0 at 172.17.0.1).
    • Each Docker container gets an eth0 interface with an address from that same subnet, e.g. one IP in 172.17.0.0/16.
    • When Docker creates a container it also creates a veth pair, two interfaces joined back to back: a packet sent into one end comes out of the other. One end is placed inside the container's network namespace as eth0; the other end stays on the host, named with a veth prefix (e.g. vethAQI2QT), and is attached to the docker0 bridge. This is how the host talks to containers and containers talk to each other: docker0 is a virtual network shared between the host and all containers.

# on the host: the docker0 bridge
ifconfig | grep docker -A 8
# inside a container: its end of the veth pair
ifconfig | grep eth0 -A 7
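The bullets above describe the bridge-mode plumbing; the script below is an added example (not code from the original post) that shows where it can be observed. It recovers the published-port table from the iptables nat rules dockerd installs (the DOCKER chain holds one DNAT rule per published port; POSTROUTING holds the MASQUERADE rule that rewrites container source addresses on the way out), and it finds the host end of a container's veth pair by matching interface indexes, which is more reliable than grepping ifconfig. The iptables output embedded in the script is constructed (the addresses, ports and the second MASQUERADE hairpin rule are assumptions in the shape dockerd produces) so the parsing runs offline; veth_peer_of needs a real Linux host with root, docker, nsenter and iproute2 and is not run by the sample.

```shell
#!/bin/sh
# Added example: inspect bridge-mode NAT rules and the veth pair of a container.
# Live inputs on a Linux Docker host (root required):
#   iptables -t nat -S DOCKER        # one DNAT rule per published port
#   iptables -t nat -S POSTROUTING   # MASQUERADE for the docker0 subnet

# dnat_table: reads `iptables -t nat -S DOCKER` on stdin and prints
# "proto hostport -> containerip:port" for every DNAT rule.
dnat_table() {
    awk '
        /-j DNAT/ {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")               proto = $(i + 1)
                if ($i == "--dport")          dport = $(i + 1)
                if ($i == "--to-destination") dest  = $(i + 1)
            }
            if (dport != "" && dest != "") printf "%s %s -> %s\n", proto, dport, dest
        }'
}

# masq_subnets: reads `iptables -t nat -S POSTROUTING` on stdin and prints the
# source addresses that are MASQUERADEd, i.e. the container -> outside path.
masq_subnets() {
    awk '/-j MASQUERADE/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }'
}

# veth_peer_of CONTAINER: prints the host-side veth name that pairs with the
# container's eth0. Live only (root, docker, nsenter, iproute2); not run here.
# Inside the container `ip -o link show eth0` reports "N: eth0@ifM", where M is
# the ifindex of the host-side peer; `ip -o link` on the host lists that
# interface as "M: vethXXXX@ifN".
veth_peer_of() {
    pid=$(docker inspect -f '{{.State.Pid}}' "$1") || return 1
    peer_idx=$(nsenter -t "$pid" -n ip -o link show eth0 \
        | sed -n 's/^[0-9]*: eth0@if\([0-9]*\):.*/\1/p')
    [ -n "$peer_idx" ] || return 1
    ip -o link show | awk -v idx="$peer_idx" -F': ' '$1 == idx { sub(/@.*/, "", $2); print $2 }'
}

# Constructed sample: two published ports (8080/tcp -> 172.17.0.2:80,
# 5353/udp -> 172.17.0.3:53) and the usual MASQUERADE rules.
SAMPLE_DOCKER_CHAIN='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -p udp -m udp --dport 5353 -j DNAT --to-destination 172.17.0.3:53'

SAMPLE_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE'

sample_dnat() { printf '%s\n' "$SAMPLE_DOCKER_CHAIN" | dnat_table; }
sample_masq() { printf '%s\n' "$SAMPLE_POSTROUTING" | masq_subnets; }

echo "published ports (DNAT):"; sample_dnat
echo "masqueraded sources:";    sample_masq
```

The "! -i docker0" match on the DNAT rules is the reason published ports are reachable from outside but not via the bridge itself, and the /32 hairpin MASQUERADE rule is what lets a container reach its own published port through the host address. Comparing dnat_table output against `docker ps` PORTS is a cheap way to spot rules left behind by a crashed daemon or added by something other than Docker.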


  Mac:

    Docker on Mac is implemented differently (see below), so there is no docker0 interface on the host.

3.1.1, The difference between the Linux and Mac networks

1. Network structure on Linux [Figure 1]

  Docker on Linux is built on features of the Linux kernel itself, so installing Docker on Linux creates the docker0 virtual NIC, and the Linux host and the containers communicate through it.

2. Network structure on Mac [Figure 2]

  Docker on Mac creates a lightweight virtual machine with a hypervisor and runs Docker inside that VM. macOS talks to the Docker daemon in the VM only through the socket file /var/run/docker.sock; the container network exists inside the VM, not on the Mac, so container IPs cannot be pinged from macOS, and from inside a container the host's IP cannot be pinged either.

IV. The two Docker implementations on Mac

  Docker on Mac has two implementations: one based on HyperKit (Docker Desktop for Mac) and one based on VirtualBox (Docker Toolbox).

  The difference affects how the host and the containers reach each other: Docker Desktop for Mac exposes the daemon through the /var/run/docker.sock file, while Docker Toolbox uses a virtual network adapter. Container management differs as well: Docker Desktop for Mac runs the daemon in a lightweight virtual machine under the HyperKit hypervisor, while Docker Toolbox creates a VirtualBox virtual machine to run the containers in.

4.1, Docker Desktop for Mac

4.1.1, Port mapping between the host and the container

docker run -p HOST_PORT:CONTAINER_PORT IMAGE
e.g.: docker run -p 80:80 -d nginx

4.1.2, Restrictions on macOS

  There is no docker0 bridge interface.

  The host cannot ping a container's IP.

  The Linux bridge inside the VM cannot be reached from the Mac host.

4.1.3, Ways for the Mac host and the containers to reach each other

  1. Container to host: since Docker 18.03 the recommended way is the special DNS name host.docker.internal, which resolves to the host (earlier Docker for Mac releases used docker.for.mac.localhost for the same purpose). Note that it only works in Docker Desktop for Mac and is meant for development, not for production. The gateway also has a DNS name: gateway.docker.internal. Source: the Docker for Mac documentation.

  2. Host to container: use port mapping to localhost with --publish / -p (a single port) or -P (all ports exposed by the image), which maps container ports to ports on the Mac.

  3. Host to container: port mapping with -p, as above. Container to host on older versions: the host address could be read out of the Docker daemon's command line with a command like the following:

# extract the value of the --host-ip argument from the running daemon's command line
ps -ef | grep -i '[d]ocker' | grep -- '--host-ip' | sed -n 's/.*--host-ip[ =]*\([0-9.]*\).*/\1/p'

    Looking at the Docker daemon process on the Mac host shows the parameter it was started with:

ps -ef | grep -i docker

  --host-ip

  The host's IP address can be extracted from that process argument; the same address is the Docker subnet configured in Docker for Mac under Preferences -> Advanced.

   The old versions were a hassle; in the new versions the network is configured out of the box and host and containers can reach each other directly.

  Alternatively, rinetd can be installed inside the container to forward socket requests on to the local host.

4.2, Docker Toolbox

Its purpose is to support older versions of macOS and Windows; the implementation differs from Docker Desktop for Mac.

 


Source: www.cnblogs.com/bjlhx/p/12111509.html