docker
1 docker container network
After installation, Docker automatically provides three networks; use the docker network ls command to view them:
```
[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
cd97bb997b84        bridge              bridge              local
0a04824fc9b6        host                host                local
4dcb8fbdb599        none                null                local
```
Docker uses a Linux bridge: a virtual bridge (docker0) on the host. When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the Container-IP, and the bridge acts as the default gateway for every container. Because all containers on the same host are connected to the same bridge, they can communicate with each other directly via Container-IP.
2 docker four types of network mode
| Network mode | Configuration | Explanation |
|---|---|---|
| host | --network host | The container shares the host's Network namespace |
| container | --network container:NAME_OR_ID | The container shares the Network namespace of another container |
| none | --network none | The container has its own Network namespace, but no network setup is done: no veth pair is allocated, no bridge connection is made, no IP is configured |
| bridge | --network bridge | The default mode |
2.1 bridge mode
When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and Docker containers started on this host are connected to this virtual bridge. A virtual bridge works like a physical switch, so all containers on the host are attached to a Layer 2 network through that switch.
Docker assigns each container an IP from the docker0 subnet and sets the IP address of docker0 as the container's default gateway. A pair of virtual network interfaces (a veth pair) is created on the host: Docker places one end of the veth pair inside the newly created container and names it eth0 (the container's NIC); the other end stays on the host with a name like vethxxx and is attached to the docker0 bridge. This can be viewed with the brctl show command.
Bridge mode is Docker's default network mode; if the --network parameter is omitted, bridge mode is used. When docker run -p is used, Docker actually adds DNAT rules to iptables to implement port forwarding. They can be viewed with iptables -t nat -vnL.
Bridge mode is shown in the figure below:
Assume docker2 in the figure runs an nginx. We would like to ask several questions:
- Can two containers on the same host communicate directly? For example, can docker1 directly access the nginx site on docker2?
- Can the nginx site on docker2 be accessed directly from the host?
- How can the nginx site on node1 be accessed from another host? By publishing it with DNAT?
The Docker host's virtual bridge is not a real network device and is not addressable from the external network, which also means the external network cannot access a container directly by its Container-IP. If a container should be reachable from outside, its port can be mapped to a host port (port mapping), i.e. the container is created with the -p or -P parameter of docker run, and the container is then accessed through [host IP]:[container port].
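As an added example (not code from the original article), the following Python script reads the JSON that docker inspect prints and reports, for each container, the network mode from the table above, its Container-IP, and the ports published to the host via DNAT, so an operator can see which containers are reachable from outside and which share the host's namespace. The field names (HostConfig.NetworkMode, NetworkSettings.Ports, NetworkSettings.Networks) are the real docker inspect fields; the sample values are constructed.

```python
import json

# Constructed sample (not real output): a trimmed `docker inspect` result for
# four containers, keeping only the fields this audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/docker1", "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"Ports": {"80/tcp": None},
                         "Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/docker2", "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
                         "Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Name": "/batch", "HostConfig": {"NetworkMode": "none"},
     "NetworkSettings": {"Ports": {}, "Networks": {"none": {"IPAddress": ""}}}},
    {"Name": "/agent", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Ports": {}, "Networks": {"host": {"IPAddress": ""}}}},
])

def audit(inspect_json):
    """Return one record per container: network mode, Container-IP,
    ports published to the host via DNAT, and a one-line exposure finding."""
    records = []
    for c in json.loads(inspect_json):
        mode = c["HostConfig"]["NetworkMode"]
        nets = c["NetworkSettings"]["Networks"].values()
        # Container-IP is empty in host/none mode (no veth pair, no address)
        ip = next((n["IPAddress"] for n in nets if n["IPAddress"]), None)
        # A port with a binding list was mapped by `docker run -p` (DNAT);
        # a port mapped to None is merely EXPOSEd, not published.
        published = sorted(
            f'{b["HostIp"]}:{b["HostPort"]}->{port}'
            for port, binds in c["NetworkSettings"]["Ports"].items()
            for b in (binds or []))
        if mode == "host":
            finding = "shares the host Network namespace: no network isolation"
        elif mode.startswith("container:"):
            finding = "shares the Network namespace of " + mode.split(":", 1)[1]
        elif mode == "none":
            finding = "no network, only lo"
        elif published:
            finding = "reachable from outside via DNAT: " + ", ".join(published)
        else:
            finding = "reachable only via Container-IP from the host and docker0 peers"
        records.append({"name": c["Name"].lstrip("/"), "mode": mode, "ip": ip,
                        "published": published, "finding": finding})
    return records

if __name__ == "__main__":
    for r in audit(SAMPLE_INSPECT):
        print(f'{r["name"]:<8} {r["mode"]:<7} {r["ip"] or "-":<12} {r["finding"]}')
```

On a real host, feed it the output of docker inspect $(docker ps -q) instead of the constructed sample.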
2.2 container mode
In this mode, a newly created container shares a Network Namespace with an existing container rather than with the host. The newly created container does not create its own network card or configure its own IP; instead it shares the IP and port range of the specified container. Apart from the network, the two containers remain isolated in other respects, such as file systems and process lists. Processes in the two containers can communicate through the lo device.
Container mode is shown in the figure below:
2.3 host mode
If a container is started in host mode, it does not get a separate Network Namespace but shares one with the host. The container does not virtualize its own network card or configure its own IP; it uses the host's IP and ports. However, other aspects of the container, such as the file system and process list, remain isolated from the host.
A container in host mode can communicate with the outside using the host's IP address, and a service inside the container can use the host's ports directly without NAT. The biggest advantage of host mode is better network performance, but a port already in use on the Docker host cannot be used again, and network isolation is poor.
Host mode is shown in the figure below:
2.4 none mode
In none mode, the Docker container has its own Network Namespace, but Docker performs no network configuration for it. In other words, the container has no network card, IP, routing or other network information. We must add the network card, IP configuration and so on to the container ourselves.
In this mode the container has only the lo loopback interface and no other network card. None mode can be specified with --network none when the container is created. A container with this network type has no way to reach the network; such a closed network is a good guarantee of the container's safety.
Scenarios:
- Starting a container to process data, such as data format conversion
- Some background processing and computation tasks
None mode is shown in the figure below:
```
docker network inspect bridge   # view the detailed configuration of the bridge network
```