Docker Networking

1. Understanding docker0

First clear out all images, then:

~ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:fc:57:e2 brd ff:ff:ff:ff:ff:ff
    inet 172.31.202.45/24 brd 172.31.202.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fefc:57e2/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:98:04:68:a9 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:98ff:fe04:68a9/64 scope link 
       valid_lft forever preferred_lft forever

docker0 is Docker's default network interface.

  • Principle
    1. Every time we start a Docker container, Docker assigns it an IP address. As long as Docker is installed, there is a docker0 in bridge mode; the technology used is the veth pair!
docker run -d -P --name tomcat01 tomcat
83b4703873b5213054e7e506e721a5d68f1ca40521ac68b363616a7f333fa981
# check the IP inside the container
[root@Latteitcjz /]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@Latteitcjz /]# docker run -d -P --name tomcat02 tomcat
56bb3fef856fa86b39bd862c5227893fad81b2cc64daaabd67f54680e6708782
[root@Latteitcjz /]# docker exec -it tomcat02 ip addr        
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
# the Linux host can ping inside the container
[root@Latteitcjz /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.207 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.065 ms

1. Every time a Docker container is started, Docker assigns it an IP; as long as Docker is installed, a docker0 interface is created.

2. After starting a container, we find that another pair of network interfaces has appeared.

[root@Latteitcjz /]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:fc:57:e2 brd ff:ff:ff:ff:ff:ff
    inet 172.31.202.45/24 brd 172.31.202.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fefc:57e2/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:98:04:68:a9 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:98ff:fe04:68a9/64 scope link 
       valid_lft forever preferred_lft forever
15: veth77b0c46@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 22:b3:44:bf:da:48 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::20b3:44ff:febf:da48/64 scope link 
       valid_lft forever preferred_lft forever
17: veth6dbc1f1@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether be:44:4f:0f:dd:ea brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::bc44:4fff:fe0f:ddea/64 scope link 
       valid_lft forever preferred_lft forever
# we find that each container brings along a pair of network interfaces
A veth pair is a pair of virtual device interfaces; they always appear in pairs, one end attached to the protocol stack and the other end attached to its peer.
Because of this property, a veth pair acts as a bridge connecting all kinds of virtual network devices.
OpenStack, connections between Docker containers, and OVS connections all use veth-pair technology.

Let's test whether tomcat01 and tomcat02 can ping each other.

$ docker-tomcat docker exec -it tomcat01 ip addr  # get tomcat01's IP: 172.17.0.2
550: eth0@if551: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
		link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
		inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
		    valid_lft forever preferred_lft forever
$ docker-tomcat docker exec -it tomcat02 ping 172.17.0.2  # have tomcat02 ping tomcat01
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.071 ms
# ping succeeds


[Figure: the Linux bridge used by Docker]

Conclusion: tomcat01 and tomcat02 share one router, docker0.
As soon as a container is deleted, its corresponding pair of interfaces disappears.
All containers that do not specify a network are routed through docker0; Docker assigns our container a usable default IP.

Summary: Docker uses a Linux bridge; on the host, docker0 is the bridge for Docker containers.
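To make the veth-pair relationship concrete, here is an added example in Python (not code from the original post) that joins the host's and the containers' `ip addr` listings on the `@if` indices, so you can tell which host-side veth, and which bridge, each container interface hangs off; this is the check to run when you need to know which container a given veth on the host belongs to. The sample listings are constructed from the output shown above.

```python
import re
# Constructed sample, modelled on the `ip addr` listings in this post: the host
# side with docker0 and its two veth interfaces, and each container's own view.
HOST_IP_ADDR = """\
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:98:04:68:a9 brd ff:ff:ff:ff:ff:ff
15: veth77b0c46@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 22:b3:44:bf:da:48 brd ff:ff:ff:ff:ff:ff link-netnsid 0
17: veth6dbc1f1@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether be:44:4f:0f:dd:ea brd ff:ff:ff:ff:ff:ff link-netnsid 1
"""
CONTAINER_IP_ADDR = {
    "tomcat01": "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
                "14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n"
                "    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0\n",
    "tomcat02": "16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n"
                "    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0\n",
}
HEADER_RE = re.compile(r"^(\d+): ([^@:]+)(?:@if(\d+))?: (.*)$")
INET_RE = re.compile(r"^\s+inet (\S+)")

def parse_interfaces(text):
    """Return {ifindex: {name, peer, master, inet}} parsed from `ip addr` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            idx, name, peer, rest = m.groups()
            master = re.search(r"\bmaster (\S+)", rest)  # bridge this port is enslaved to
            current = {"name": name, "peer": int(peer) if peer else None,
                       "master": master.group(1) if master else None, "inet": None}
            ifaces[int(idx)] = current
        elif current is not None and INET_RE.match(line):
            current["inet"] = INET_RE.match(line).group(1)
    return ifaces

def map_veth_pairs(host_text, containers):
    """Join container and host listings on the veth ifindex numbers: `N: eth0@ifM`
    inside the container pairs with `M: vethX@ifN` on the host. Only ends that
    point back at each other are accepted. Returns {container: [(iface, ip, veth, bridge)]}."""
    host = parse_interfaces(host_text)
    result = {}
    for name, text in containers.items():
        pairs = []
        for idx, iface in parse_interfaces(text).items():
            peer = host.get(iface["peer"])  # None for lo and other non-veth interfaces
            if peer and peer["peer"] == idx:
                pairs.append((iface["name"], iface["inet"], peer["name"], peer["master"]))
        result[name] = pairs
    return result
```

Interface indices are per network namespace, so the host index is what makes a veth unique; the back-reference check guards against a container index colliding with an unrelated host interface.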

2. --link

# Sometimes we face the situation where a service's IP gets replaced. How can we reach the container by its service name instead?

$ docker exec -it tomcat02 ping tomca01   # ping fails
ping: tomca01: Name or service not known
# run a tomcat03 with --link tomcat02
$ docker run -d -P --name tomcat03 --link tomcat02 tomcat
5f9331566980a9e92bc54681caaac14e9fc993f14ad13d98534026c08c0a9aef
# tomcat03 pinging tomcat02 succeeds
$ docker exec -it tomcat03 ping tomcat02
PING tomcat02 (172.17.0.3) 56(84) bytes of data.
64 bytes from tomcat02 (172.17.0.3): icmp_seq=1 ttl=64 time=0.115 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=2 ttl=64 time=0.080 ms

# tomcat02 pinging tomcat03 fails


# inspect the container's network configuration with docker inspect
# in fact tomcat03 has a local entry for tomcat02, while tomcat02 has no entry for tomcat03
[root@Latteitcjz ~]# docker exec -it tomcat03 cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.18.0.3	tomcat02 29ef94c31a6e
172.18.0.4	b23fb6cb9f41
[root@Latteitcjz ~]# docker exec -it tomcat02 cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.18.0.3	29ef94c31a6e

--link simply adds a name mapping for 172.17.0.3 to the container's hosts file; docker0 itself does not support access by container name.

3. Custom networks

View all networks

[root@Latteitcjz /]# docker network --help
Usage:  docker network COMMAND
Manage networks
Commands:
  connect     Connect a container to a network
  create      Create a network
  disconnect  Disconnect a container from a network
  inspect     Display detailed information on one or more networks
  ls          List networks
  prune       Remove all unused networks
  rm          Remove one or more networks
Run 'docker network COMMAND --help' for more information on a command.
[root@Latteitcjz /]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
fd194d6c2403   bridge    bridge    local
5c545079dbb6   host      host      local
2a10cbcdd91c   none      null      local

Network modes

  • bridge: bridge mode (the default; user-created networks are also bridge mode)
  • none: do not configure networking
  • host: share the host's network stack
  • container: share another container's network (rarely used)
# starting a container directly is equivalent to passing --net bridge
docker run -d -P --name tomcat01 tomcat
docker run -d -P --name tomcat01 --net bridge tomcat
# docker0 characteristics: it is the default, but container names cannot be resolved; --link can open up a connection
# we can define a network of our own
[root@Latteitcjz/]# docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
0f87b54b4ddb7fb5176cf6374eba394137bc779e371cbcf1ff48725cf63b7e3c
[root@Latteitcjz /]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
22afa40fd7c0   bridge    bridge    local
459c2f2fb892   host      host      local
0f87b54b4ddb   mynet     bridge    local
a2db766f6b7d   none      null      local
# the mynet network we added is now listed
# inspect our own network
[root@Latteitcjz /]# docker network inspect mynet
[
    {
        "Name": "mynet",
        "Id": "0f87b54b4ddb7fb5176cf6374eba394137bc779e371cbcf1ff48725cf63b7e3c",
        "Created": "2021-03-06T20:02:43.62232566918Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.0.0/16",
                    "Gateway": "192.168.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

On a custom network, services can ping each other without using --link.
Our custom Docker network maintains the corresponding name-to-container relationship, so we recommend using networks this way as the normal practice!

Benefits:

redis: different clusters use different networks, keeping each cluster secure and healthy

mysql: different clusters use different networks, keeping each cluster secure and healthy

4. Network connectivity

Use docker network connect to attach a container to another network, because at this point tomcat01 is actually only connected to docker0.

[root@Latteitcjz /]# docker network connect mynet tomcat01
[root@Latteitcjz /]# docker exec -it tomcat02 ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.121 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.059 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.080 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=0.106 ms
^C
--- 192.168.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 0.059/0.091/0.121/0.025 ms
[root@Latteitcjz /]# docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
# at this point tomcat01 effectively has two IPs, one public and one private
[root@Latteitcjz /]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
25: eth1@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:c0:a8:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.4/16 brd 192.168.255.255 scope global eth1
       valid_lft forever preferred_lft forever

[root@Latteitcjz /]# docker exec -it tomcat01 ping tomcat-net-01
PING tomcat-net-01 (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.136 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.070 ms
^C
--- tomcat-net-01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1ms
rtt min/avg/max/mdev = 0.070/0.103/0.136/0.033 ms
[root@Latteitcjz /]# docker exec -it tomcat02 ping tomcat-net-01 
ping: tomcat-net-01: Name or service not known
# tomcat02 has not been connected to the mynet network, so it cannot reach it!


Conclusion: if you want to operate across the whole network, you must use docker network connect to connect the container.
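The following added example (not part of the original post) expresses the reachability rule above as code: it reads `docker network inspect` output in the JSON shape shown earlier, constructed here to match the final state of the post, and reports which containers share a network and which are attached to more than one network and so bridge two isolation domains. The container IDs in the sample are placeholders.

```python
import json

# Constructed sample in the format `docker network inspect bridge mynet` prints,
# reflecting the post's final state: tomcat01 is attached to both networks,
# tomcat02 only to bridge, tomcat-net-01 only to mynet. IDs are placeholders.
INSPECT_OUTPUT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Containers": {
         "id-tomcat01": {"Name": "tomcat01", "IPv4Address": "172.17.0.2/16"},
         "id-tomcat02": {"Name": "tomcat02", "IPv4Address": "172.17.0.3/16"}}},
    {"Name": "mynet", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "192.168.0.0/16", "Gateway": "192.168.0.1"}]},
     "Containers": {
         "id-tomcat-net-01": {"Name": "tomcat-net-01", "IPv4Address": "192.168.0.2/16"},
         "id-tomcat01": {"Name": "tomcat01", "IPv4Address": "192.168.0.4/16"}}},
])

def container_networks(inspect_json):
    """Map each container name to the set of networks it is attached to."""
    attached = {}
    for net in json.loads(inspect_json):
        for endpoint in net["Containers"].values():
            attached.setdefault(endpoint["Name"], set()).add(net["Name"])
    return attached

def can_reach(attached, a, b):
    """Containers talk directly only if they share a network; that is exactly
    what `docker network connect` changes by adding a network to one of them."""
    return bool(attached.get(a, set()) & attached.get(b, set()))

def multi_homed(attached):
    """Containers on more than one network. They span two isolation domains, so
    the 'one cluster per network' guarantee from the post stops at them."""
    return sorted(name for name, nets in attached.items() if len(nets) > 1)

def isolation_report(inspect_json):
    """Reachability for every unordered pair plus the boundary-spanning containers."""
    attached = container_networks(inspect_json)
    names = sorted(attached)
    reachable = {(a, b): can_reach(attached, a, b)
                 for i, a in enumerate(names) for b in names[i + 1:]}
    return {"reachable": reachable, "multi_homed": multi_homed(attached)}

if __name__ == "__main__":
    for pair, ok in isolation_report(INSPECT_OUTPUT)["reachable"].items():
        print(f"{pair[0]} <-> {pair[1]}: {'reachable' if ok else 'isolated'}")
```

On a real host, feed it the output of `docker network inspect $(docker network ls -q)` to audit whether any container unexpectedly joins two networks that were meant to be isolated.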



Origin blog.csdn.net/qq_43803285/article/details/114459831