Linux namespaces and Docker network modes

1. Linux Namespace

 1. Concept

  A namespace isolates Linux kernel resources. Processes placed in a namespace see only the subset of resources that belongs to it, processes in another namespace see only theirs, and the two groups are unaware of each other's existence. Concretely, the resources of one or more processes are placed in the same namespace.
  Linux namespaces wrap global system resources in an isolation layer, so that processes in different namespaces each have their own independent instance of a global resource. Changing a resource inside one namespace affects only the processes in that namespace and has no effect on processes in other namespaces.

 

2. Uses

  The main purpose of namespaces in the Linux kernel is to support lightweight virtualization (containers). Processes in the same namespace can perceive each other's changes but know nothing about processes outside it. This gives the processes the illusion of being inside a container, as if they were running on a stand-alone system, which is exactly the isolation we want. The namespace technology provided by the Linux kernel is the basic condition for the emergence and development of container technologies such as Docker.
  Consider how a container achieves resource isolation from the perspective of a Docker implementer. First, the file system is isolated by switching the root mount point (as the chroot command does). To communicate and be addressable in a distributed environment, a container must have its own IP address, ports and routes, which requires network isolation. The container also needs its own hostname to identify itself on the network. Next, inter-process communication and user privileges must be isolated. Finally, an application running in a container needs a process ID (PID), which naturally must be isolated from the host's PIDs. These six isolation capabilities are the foundation of a container; Linux provides them as follows:

 

 The table above lists the six namespaces that implement the isolation a container must have.
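An added example (not from the original post) that makes the namespace concept concrete: on Linux, /proc/<pid>/ns/<kind> is a symlink to `kind:[inode]`, and two processes share a namespace exactly when that inode is the same. The pure helpers below group processes by namespace inode and compare a process with PID 1 (the host's view); `scan_proc` assumes a Linux host with /proc and only reads it.

```python
import os
import re
from collections import defaultdict

# The six namespace kinds the article refers to, as exposed under /proc/<pid>/ns/.
NS_KINDS = ("mnt", "uts", "ipc", "pid", "net", "user")
_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")  # link target looks like "net:[4026531992]"

def parse_ns_link(link: str) -> int:
    """Return the namespace inode from a /proc/<pid>/ns/* link target."""
    m = _NS_LINK.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return int(m.group(2))

def read_process_namespaces(pid: int) -> dict:
    """Map each namespace kind to its inode for one process (Linux /proc only)."""
    result = {}
    for kind in NS_KINDS:
        try:
            result[kind] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except (FileNotFoundError, PermissionError):
            pass  # process already exited, or we lack ptrace access to it
    return result

def group_by_namespace(procs: dict, kind: str) -> dict:
    """procs is {pid: {kind: inode}}; returns {inode: sorted [pids]} for one kind."""
    groups = defaultdict(list)
    for pid, ns in procs.items():
        if kind in ns:
            groups[ns[kind]].append(pid)
    return {ino: sorted(pids) for ino, pids in groups.items()}

def isolated_from_host(procs: dict, pid: int, kind: str) -> bool:
    """True when `pid` lives in a different `kind` namespace than PID 1 does."""
    return procs[pid][kind] != procs[1][kind]

def scan_proc() -> dict:
    """Collect namespace inodes for every process visible in /proc."""
    procs = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            ns = read_process_namespaces(int(entry))
            if ns:
                procs[int(entry)] = ns
    return procs

if __name__ == "__main__":
    procs = scan_proc()
    for kind in NS_KINDS:
        groups = group_by_namespace(procs, kind)
        print(f"{kind}: {len(groups)} namespace(s)")
        for ino, pids in groups.items():
            if ino != procs.get(1, {}).get(kind):
                print(f"  {kind}:[{ino}] pids {pids[:8]} -- separate from the host's")
```

Run it on a host with running containers and every container shows up as its own mnt/uts/ipc/pid/net group, while a container started with --net=host shares the host's net inode.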

 

2. Docker network modes

1. Principle

  Docker uses a Linux bridge: it creates a virtual bridge (docker0) on the host. When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the Container-IP, and the bridge acts as the container's default gateway. Because all containers on the same host are attached to the same bridge, containers can communicate with each other directly via their Container-IPs.

  The Docker bridge on the host is virtual, not a real network device, and is not routable from the external network. This also means the outside world cannot reach a container directly by its Container-IP. To make a container reachable from outside, map container ports to host ports (port mapping) with the -p or -P option when the container is created by docker run; the container is then reached at [host IP]:[mapped port].

 

2. The four network modes

1. bridge mode: --net=bridge (default)

  When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and containers started on this host are attached to it. The virtual bridge works like a physical switch, so all containers on the host hang off one Layer 2 network through that switch and can communicate with each other directly by IP (verifiable with ping).

  Docker assigns each container an IP from the docker0 subnet and sets docker0's IP address as the container's default gateway. It creates a veth pair (a pair of virtual network interfaces) on the host, places one end inside the newly created container and names it eth0 (the container's NIC), and leaves the other end on the host under a name like vethxxx, attached to the docker0 bridge. You can see this with the brctl show command.

  bridge is Docker's default network mode; omitting the --net parameter gives bridge mode. When you use docker run -p, Docker actually adds DNAT rules to iptables to implement the port forwarding. You can view them with iptables -t nat -vnL.

As shown below:

For example:

(1) Start nginx

docker run -p 80:80 nginx

(2) Inspect the container

docker inspect a5

The network information is as follows:

 

2. host mode: --net=host

  If a container is started in host mode, it does not get its own Network Namespace but shares one with the host. The container gets no virtual NIC and configures no IP of its own; it uses the host's IP address and ports. Other aspects of the container, such as the file system and the process list, are still isolated from the host.

  A container in host mode can use the host's IP address to communicate with the outside, and a service inside the container can bind the host's ports directly, with no NAT. The biggest advantage of host mode is better network performance, but ports already in use on the Docker host cannot be used again, and the network isolation is poor.

 Host mode is shown below:

 

For example (started directly, without -p; the container uses the same ports and IP as the host):

docker@default:~$ docker run -d --net=host nginx
fe607548d6f1faca06b0d9e02f1305f2d0d5c4691202c18f82000b42fa4a6732

Inspect the container's information:

 

3. none mode: --net=none

  In none mode the Docker container has its own Network Namespace, but Docker performs no network configuration for it. In other words, the container has no network interface, IP address or routes; we have to add a network interface and configure an IP for the container ourselves.

  In this mode the container has only the lo loopback interface and no other NIC. none mode is selected at container creation time with --network=none. A container of this type has no way to reach the network; the closed network guarantees the container's security well.

The diagram is as follows:

 For example:

docker@default:~$ docker run -d --net=none nginx
371686158b33958ec3c71b6fb3db2c5309f8515e07b0d76aac0bc8b0745d293a
docker@default:~$ docker inspect 37

 

The network information is as follows:

 

4. container mode: --net=container:<container ID or name>

  This mode makes the newly created container share a Network Namespace with an existing container rather than with the host. The new container does not create its own NIC or configure its own IP; instead it shares the IP address, port range and so on of the specified container. As before, apart from networking, the two containers remain isolated in other respects such as the file system and the process list. Processes in the two containers can communicate with each other through the lo device.

The diagram is as follows:

 For example:

docker run -d --net=container:371686158b33 nginx
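As an added example (not part of the original post), a small audit over `docker inspect` output that sorts each container into the four modes above and flags the ones that share the host's network namespace. It reads the real `HostConfig.NetworkMode`, `NetworkSettings.IPAddress`, `Gateway` and `Ports` fields; the sample JSON is constructed, not captured from the containers in the post, and a user-defined network name is reported as bridge-like.

```python
import json

# Constructed sample in the shape of `docker inspect <id>` output, trimmed to the
# fields this audit reads. The Ids and addresses are made up for the example.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a5" + "0" * 62, "Name": "/web",
     "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1",
                         "Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}]}}},
    {"Id": "fe60" + "0" * 60, "Name": "/hostnet",
     "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"IPAddress": "", "Gateway": "", "Ports": {}}},
    {"Id": "3716" + "0" * 60, "Name": "/dark",
     "HostConfig": {"NetworkMode": "none"},
     "NetworkSettings": {"IPAddress": "", "Gateway": "", "Ports": {}}},
    {"Id": "c0de" + "0" * 60, "Name": "/sidecar",
     "HostConfig": {"NetworkMode": "container:3716" + "0" * 60},
     "NetworkSettings": {"IPAddress": "", "Gateway": "", "Ports": {}}},
])

FINDINGS = {
    "bridge": "own netns behind docker0; reachable from outside only via published (DNAT) ports",
    "host": "shares the host's netns: no network isolation, binds host ports directly",
    "none": "own netns with only lo; no connectivity at all",
    "container": "shares another container's netns; the two talk over lo",
}

def classify(container: dict) -> dict:
    """Summarise one container's network mode, addresses and published ports."""
    mode = container["HostConfig"]["NetworkMode"]
    ns = container["NetworkSettings"]
    kind = "container" if mode.startswith("container:") else mode
    # Ports maps "80/tcp" -> [{"HostIp":..., "HostPort":...}] or null when unpublished.
    published = [f"{m['HostIp']}:{m['HostPort']}->{cport}"
                 for cport, maps in (ns.get("Ports") or {}).items() for m in (maps or [])]
    finding = FINDINGS.get(kind, "user-defined network: own netns, bridge-like behaviour")
    if kind == "container":
        finding += f" (peer {mode.split(':', 1)[1][:12]})"
    return {"name": container["Name"].lstrip("/"), "mode": kind,
            "ip": ns.get("IPAddress") or None, "gateway": ns.get("Gateway") or None,
            "published": published, "finding": finding}

def audit(inspect_json: str) -> list:
    return [classify(c) for c in json.loads(inspect_json)]

def host_networked(inspect_json: str) -> list:
    """Names of containers that share the host network namespace, worth flagging."""
    return [r["name"] for r in audit(inspect_json) if r["mode"] == "host"]

if __name__ == "__main__":
    for r in audit(SAMPLE_INSPECT):
        print(f"{r['name']:<8} {r['mode']:<10} ip={r['ip']} ports={r['published']}  {r['finding']}")
```

To run it against a live host, feed it the output of `docker inspect $(docker ps -q)` instead of SAMPLE_INSPECT.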

 


Origin www.cnblogs.com/qlqwjy/p/12365333.html