Docker in depth: analysis of the four network modes (host mode, container mode, none mode, bridge mode)

Docker is built on the underlying Linux virtualization technologies LXC + Cgroups + AUFS (Overlay). Cgroups, as we already know, is a Linux kernel mechanism that limits, accounts for and isolates the physical resources used by a group of processes (a process group).
The virtualization product of Docker is the container. When the Docker Engine starts a container, it assigns the container by default to the various subsystems: the CPU subsystem, the Memory subsystem, the IO subsystem and the NET subsystem.
When a container starts, it is assigned a Network Namespace (subsystem) that provides an independent network environment, including network interfaces, routes and iptables rules; the Network Namespace of one container is isolated from those of other containers.

When you create a container with docker run, you can use the --net option to specify the container's network mode. Docker has four default network modes:
- Host mode, specified with --net=host;
- Container mode, specified with --net=container:NAME_or_ID;
- None mode, specified with --net=none;
- Bridge mode, specified with --net=bridge; this is the default setting.
2. Host mode analysis
Generally speaking, a newly started Docker container is assigned its own isolated Network Namespace subsystem. If the container is run in host mode, it does not receive a separate Network Namespace but shares the host's Network Namespace subsystem instead.
The newly created container does not create its own virtual network interface, IP address, gateway or routing information; it shares the host's IP addresses and ports, while everything else stays independent. Apart from the shared network, the other subsystems, such as the file system and the process list, remain isolated from the host.
3. Container mode analysis
In Container mode, a newly created container shares the Network Namespace subsystem of an existing, specified container, rather than sharing the host's Namespace subsystem.
The newly created container does not create its own virtual network interface, IP address, gateway or routing information; it shares the IP addresses and ports of the specified container, while everything else stays independent. Apart from the shared network, the other subsystems of the two containers, such as the file system and the process list, remain isolated from each other. If the container whose network is being shared is stopped, the new container loses its network.
4. None mode analysis
None mode differs from the other modes: a container in None mode has its own Network Namespace subsystem, but the Docker engine does not configure any network information for the newly started container.
That is, the newly created container has no virtual network interface, IP address, gateway or routing information of its own; the network interface, IP address and routes have to be added to the container manually. In real production environments, tools such as Pipework are often used to assign an IP address and other network settings to the container.
5. Bridge mode analysis
Bridge mode is the default network mode of Docker containers. It allocates a Network Namespace subsystem to each container and automatically gives each container its own virtual network interface, IP address, gateway and routing information, so nothing has to be added manually.
By default, every container is connected through a pair of veth virtual network interfaces to a virtual bridge (switch) named docker0. Since all containers join the same virtual switch, all containers on the same host can reach each other.
6. Analysis of the bridge mode principle
By default, the Docker engine generates a virtual network interface named docker0 on the local host when it starts. docker0 is a standard Linux virtual bridge device, and it plays a crucial role in Docker's default bridged networking mode. A bridge is a standard physical-layer network device: a standard bridge has only two physical ports and connects two physical networks together.
However, compared with a physical-layer device such as a hub, a bridge also isolates collision domains. A bridge achieves relatively efficient communication through flooding and MAC address learning. As technology developed, the standard bridge device was essentially phased out and replaced by the switch; a switch can be regarded as a multi-port bridge.
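The flooding-and-learning behaviour just described is what docker0 does for every frame a container sends. The following is an added example (not code from the original post or from Docker) that simulates a multi-port learning bridge: the port names and MAC addresses are constructed sample values, and the forwarding table is a plain dictionary standing in for the kernel's bridge FDB.

```python
# Added example: simulation of a learning bridge (multi-port switch) such as
# docker0. Port names and MAC addresses below are constructed sample values.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Bridge that learns which port each source MAC was seen on and forwards
    known unicast frames to that port only; unknown or broadcast destinations
    are flooded to every port except the one the frame arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}          # forwarding database: MAC address -> port name
        self.flood_count = 0   # how many frames had to be flooded

    def receive(self, in_port, src, dst):
        """Process one frame arriving on in_port; return the egress port list."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        # Learning step: the sender is reachable through the ingress port.
        self.fdb[src] = in_port
        out_port = self.fdb.get(dst)
        if dst == BROADCAST or out_port is None:
            # Unknown destination (or broadcast): flood, excluding the ingress port.
            self.flood_count += 1
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination sits behind the same port the frame came from: drop.
            return []
        return [out_port]


def simulate(ports, frames):
    """Run a sequence of (in_port, src_mac, dst_mac) frames through one bridge.
    Returns (list of egress lists, final forwarding table, flood count)."""
    bridge = LearningBridge(ports)
    results = [bridge.receive(*frame) for frame in frames]
    return results, dict(bridge.fdb), bridge.flood_count


if __name__ == "__main__":
    # Constructed scenario: three containers on veth1..veth3, host side on docker0.
    ports = ["veth1", "veth2", "veth3"]
    frames = [
        ("veth1", "02:42:ac:11:00:02", "02:42:ac:11:00:03"),  # A -> B, B unknown: flood
        ("veth2", "02:42:ac:11:00:03", "02:42:ac:11:00:02"),  # B -> A, A learned: unicast
        ("veth1", "02:42:ac:11:00:02", "02:42:ac:11:00:03"),  # A -> B, now unicast
        ("veth3", "02:42:ac:11:00:04", BROADCAST),            # C broadcast: flood
    ]
    for frame, egress in zip(frames, simulate(ports, frames)[0]):
        print(f"{frame[0]}: {frame[1]} -> {frame[2]} forwarded to {egress}")
```

The first unicast frame is flooded because the destination MAC has not been learned yet; once the reply arrives, both directions are forwarded on a single port, which is the efficiency gain the section describes over a hub.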
The block diagram of a Docker container using Bridge mode is shown below:
[Figure: block diagram of a Docker container in Bridge mode]
Creation of the Docker bridge network in Bridge mode:
1) When a container is started with its network mode set to bridge, the Docker engine creates a pair of virtual network interfaces, a veth pair device. veth devices always come in pairs and form a data channel: data that enters one device comes out of the other, so a veth pair can connect two network devices, like a virtual network cable with an interface at each end. One end of this virtual cable is plugged into the bridge named docker0, the other end into the container. By binding each veth interface to the docker0 bridge, Docker creates a virtual subnet that is shared by the host and all Docker containers.
2) Docker places one end of the veth pair into the newly created container as a device named eth0, and the other end on the host as a device with a name like vethxxx, which is attached to the docker0 bridge.
3) The Docker engine dynamically allocates an IP address from the docker0 subnet to the new container and sets the container's default gateway to the IP address of docker0.
4) At this point the newly created container can communicate with the host, and the host can also reach the container's IP address. In Bridge mode, containers attached to the same bridge (switch) can communicate with each other, and containers can also reach the Internet (via iptables SNAT). However, other physical hosts cannot reach the container's IP address directly; for that, the container's port has to be NAT-mapped to an IP address and port of the host.
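The practical consequence of the four modes listed at the start of the page and of the NAT port mapping in step 4 is that a container's network exposure can be read off its configuration. The following added example (not code from the original post or from Docker) audits the JSON that docker inspect produces: it classifies each container by HostConfig.NetworkMode, reads its bridge address from NetworkSettings.Networks, and lists the published host-port mappings from NetworkSettings.Ports. The inspect document below is a constructed sample containing only the fields the audit uses; the container names and addresses are invented.

```python
# Added example: classify containers by network mode and list their published
# ports from `docker inspect` JSON. SAMPLE_INSPECT is a constructed sample
# shaped like the real output but trimmed to the fields used here.
import json

SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"NetworkMode": "bridge"},
        "NetworkSettings": {
            "Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
                      "9000/tcp": None},                     # exposed, not published
            "Networks": {"bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1"}},
        },
    },
    {
        "Name": "/agent",
        "HostConfig": {"NetworkMode": "host"},
        "NetworkSettings": {"Ports": {}, "Networks": {"host": {"IPAddress": "", "Gateway": ""}}},
    },
    {
        "Name": "/sidecar",
        "HostConfig": {"NetworkMode": "container:web"},
        "NetworkSettings": {"Ports": {}, "Networks": {}},
    },
    {
        "Name": "/batch",
        "HostConfig": {"NetworkMode": "none"},
        "NetworkSettings": {"Ports": {}, "Networks": {"none": {"IPAddress": "", "Gateway": ""}}},
    },
])


def classify_mode(network_mode):
    """Map the HostConfig.NetworkMode string onto the four modes of the page."""
    if network_mode == "host":
        return "host"
    if network_mode.startswith("container:"):
        return "container"
    if network_mode == "none":
        return "none"
    # "bridge", "default" and user-defined networks all behave like bridge mode.
    return "bridge"


def audit(inspect_json):
    """Return one report entry per container with mode, address, published ports
    and the findings a reviewer would want to see for that mode."""
    report = []
    for c in json.loads(inspect_json):
        raw_mode = c["HostConfig"]["NetworkMode"]
        mode = classify_mode(raw_mode)
        findings = []
        if mode == "host":
            findings.append("shares the host network namespace: no network isolation")
        elif mode == "container":
            peer = raw_mode.split(":", 1)[1]
            findings.append(f"shares the network namespace of {peer}; loses its network if {peer} stops")
        elif mode == "none":
            findings.append("no interface configured by Docker; network must be added manually")

        # The bridge address comes from the first entry in NetworkSettings.Networks.
        nets = c["NetworkSettings"].get("Networks") or {}
        first = next(iter(nets.values()), {})
        ip, gateway = first.get("IPAddress", ""), first.get("Gateway", "")

        # Published ports are the NAT mappings that make a bridge container
        # reachable from outside the host (step 4 of the bridge walkthrough).
        published = []
        for cport, bindings in (c["NetworkSettings"].get("Ports") or {}).items():
            for b in bindings or []:
                published.append(f"{b['HostIp']}:{b['HostPort']}->{cport}")
                if b["HostIp"] in ("0.0.0.0", "::"):
                    findings.append(f"port {cport} published on all host interfaces")

        report.append({"name": c["Name"].lstrip("/"), "mode": mode, "network_mode": raw_mode,
                       "ip": ip, "gateway": gateway, "published": published,
                       "findings": findings})
    return report


if __name__ == "__main__":
    # To run against a live host: docker inspect $(docker ps -q) > inspect.json
    for entry in audit(SAMPLE_INSPECT):
        print(f"{entry['name']:<8} {entry['mode']:<10} ip={entry['ip'] or '-':<12} "
              f"published={entry['published'] or '-'}")
        for f in entry["findings"]:
            print(f"         - {f}")
```

Only the bridge-mode container has an address on the docker0 subnet and a host-port mapping; the host-mode container shows an empty address because it simply uses the host's interfaces, and the container-mode entry has no network of its own at all, which is exactly the dependency on the peer container that the Container mode section describes.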



Source: blog.csdn.net/HCY_2315/article/details/103927400