I. Network drivers
Docker can create a virtual network interface for a container and forward its traffic through the host's network interface to communicate with the outside world. Alternatively, a container can forgo its own virtual interface and share the host's interface directly, using the host's IP address and ports. Docker's network drivers are pluggable; the following network modes exist by default:
1. Bridge mode (bridge): this is Docker's default network driver. If no driver type is specified when a network is created, bridge mode is used.
Bridge networking is recommended when your application runs as standalone containers on a single host. Containers attached to the same bridge network can communicate with each other; containers on different bridge networks cannot communicate directly.
2. Overlay mode (overlay): an overlay network connects several Docker daemons together. It supports communication between swarm service containers, between a swarm service and a standalone container, and between standalone containers on different Docker daemons. This mode has a wide range of uses and is the usual choice for cluster deployments.
3. Host mode (host): if a container needs to access a service on the host, host mode is configured; the container then uses the host's network interface and ports directly. In other words, the container's network is not isolated at all but shared with the host, as if the application were running directly on the host, while other aspects (such as storage, the PID namespace and the user namespace) remain isolated from the host.
This mode is only available for swarm services on Docker 17.06 and later.
4. Macvlan mode (macvlan): a macvlan network lets you assign a MAC address to a container so that it appears as a physical device on the network; the Docker daemon routes traffic to the container by its MAC address.
Macvlan is sometimes the best choice when containers should be connected directly to the physical network instead of being routed through the Docker host's network stack.
5. Disabled networking (none): disables all networking for the container. Usually used together with a custom network driver. none is not available for swarm services.
6. Other modes (network plugins): third-party network plugins can be installed and used with Docker.
[root@localhost7C ~]# docker network create -d
bridge macvlan overlay
[root@localhost7C ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
796c38ad861b bridge bridge local
00e08763c06a host host local
0bf2813ea139 none null local
Use cases
Below is a summary of the recommended network mode for each scenario:
1. When several containers on the same Docker host need to communicate, a user-defined bridge network (bridge) is the best choice.
2. When the container's network stack should not be isolated from the Docker host, but you still want to isolate the container's other aspects (cgroups, the Unix file system), host mode (host) is the best choice.
3. When containers running on different Docker daemons need to communicate, or when several applications cooperate as swarm services, overlay mode (overlay) is the best choice.
4. When migrating from a VM setup, or when containers must look like physical hosts on the network, each with its own unique MAC address, macvlan is the best choice.
5. If none of the modes above meets your needs, look for a third-party network plugin to integrate.
Example: create a user-defined network based on the bridge driver with the following command:
[root@localhost7C ~]# docker network create -d bridge --subnet 172.27.0.0/16 --gateway 172.27.0.1 zzhz
b3a5712a5391eff8db290b25893e88a496432d54c63df050efb05c44ccbf938f
[root@localhost7C ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
796c38ad861b bridge bridge local
00e08763c06a host host local
0bf2813ea139 none null local
b3a5712a5391 zzhz bridge local
[root@localhost7C ~]# ip a
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:cd:40:f8:77 brd ff:ff:ff:ff:ff:ff
inet 10.100.0.1/24 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:cdff:fe40:f877/64 scope link
valid_lft forever preferred_lft forever
21: br-b3a5712a5391: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ac:d8:d7:4a brd ff:ff:ff:ff:ff:ff
inet 172.27.0.1/16 scope global br-b3a5712a5391
valid_lft forever preferred_lft forever
[root@localhost7C ~]# brctl show
bridge name bridge id STP enabled interfaces
br-b3a5712a5391 8000.0242acd8d74a no
docker0 8000.0242cd40f877 no
virbr0 8000.525400fbc09b yes virbr0-nic
[root@localhost7C ~]# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.100.0.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
172.27.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-b3a5712a5391
[root@localhost7C ~]# docker run -it -d --name centosA --network zzhz centos-base:v1
[root@localhost7C ~]# docker exec -it centosA bash
[root@833c8730e36d /]# ip a
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:1b:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.27.0.2/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe1b:2/64 scope link
valid_lft forever preferred_lft forever
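The br-b3a5712a5391 interface, its 172.27.0.1 address and the 172.27.0.0/16 route shown above are all derived from the network that was just created: Docker names the bridge of a user-defined network "br-" followed by the first 12 characters of the network id (the default network keeps docker0) and assigns it the --gateway address. The Python script below is an added example and not part of this tutorial: it correlates docker network ls, ip a and route -n output (the samples are constructed from the localhost7C output above, trimmed to the relevant lines) so that a bridge network whose interface, address or route is missing stands out during a review.

```python
"""Correlate `docker network ls`, `ip a` and `route -n` output.

Added example, not from the tutorial. Every bridge-driver network should
show up as a Linux bridge named br-<12-char network id> (docker0 for the
default network) carrying the gateway address and a connected route.
"""
import re

# Constructed samples, trimmed from the localhost7C output in the tutorial.
NETWORK_LS = """\
NETWORK ID NAME DRIVER SCOPE
796c38ad861b bridge bridge local
00e08763c06a host host local
0bf2813ea139 none null local
b3a5712a5391 zzhz bridge local
"""

IP_A = """\
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 10.100.0.1/24 scope global docker0
21: br-b3a5712a5391: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    inet 172.27.0.1/16 scope global br-b3a5712a5391
"""

ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.100.0.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
172.27.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-b3a5712a5391
"""


def bridge_ifname(network_id: str, name: str) -> str:
    """Default network -> docker0; any other bridge network -> br-<12 hex chars>.
    (A network created with the com.docker.network.bridge.name option would
    use that name instead; that case is not modelled here.)"""
    return "docker0" if name == "bridge" else "br-" + network_id[:12]


def parse_network_ls(text: str) -> dict:
    """{name: (id, driver)} for every network, skipping the header line."""
    nets = {}
    for line in text.splitlines()[1:]:
        net_id, name, driver, _scope = line.split()
        nets[name] = (net_id, driver)
    return nets


def parse_ip_a(text: str) -> dict:
    """{ifname: 'addr/prefix'} for the IPv4 addresses in `ip a` output."""
    addrs = {}
    for m in re.finditer(r"^\s+inet (\S+) .* (\S+)$", text, re.M):
        addrs[m.group(2)] = m.group(1)
    return addrs


def parse_route_n(text: str) -> set:
    """Interfaces that have a directly connected route (gateway 0.0.0.0)."""
    ifaces = set()
    for line in text.splitlines()[1:]:
        _dest, gw, _mask, _flags, _metric, _ref, _use, iface = line.split()
        if gw == "0.0.0.0":
            ifaces.add(iface)
    return ifaces


def audit(network_ls: str, ip_a: str, route_n: str) -> dict:
    """For each bridge-driver network report the expected interface, the
    address found on it (None if absent) and whether a connected route exists."""
    addrs = parse_ip_a(ip_a)
    routed = parse_route_n(route_n)
    report = {}
    for name, (net_id, driver) in parse_network_ls(network_ls).items():
        if driver != "bridge":
            continue
        ifname = bridge_ifname(net_id, name)
        report[name] = {"iface": ifname, "addr": addrs.get(ifname), "routed": ifname in routed}
    return report


if __name__ == "__main__":
    for net, state in audit(NETWORK_LS, IP_A, ROUTE_N).items():
        print(net, state)
```

On a real host the three inputs come from the commands of the same name; the network id column of docker network ls is already the 12-character form, so it can be passed straight in.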
II. Network communication
1. Communication and linking between containers
Containers on the same host can reach each other by a user-defined container name. For example, a service's static front-end pages are served by nginx and its dynamic pages by tomcat; because a container's internal IP address is assigned dynamically (DHCP-style) when it starts, a user-defined name, which stays fixed, is the better way to address a container internally, and this is the scenario where it fits.
Problem solved: container IPs are not fixed.
[root@localhost7B ~]# docker run -it -d --name centosA centos-base:v1 bash
f98aa064f560972755d2024104395d94648936e877164fa1a37b96fe77671914
[root@localhost7B ~]# docker exec -it centosA bash
[root@f98aa064f560 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 8 bytes 656 (656.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@f98aa064f560 /]# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 f98aa064f560
[root@localhost7B ~]# docker run -it -d --name centosC --link centosA centos-base:v1 bash
7583cf048ef8030dc697e3b1e1eac0e13e3757cce381acaf7561588c8172fd7f
[root@localhost7B ~]# docker exec -it centosC bash
[root@7583cf048ef8 /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.214 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.045 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.045/0.129/0.214/0.085 ms
[root@7583cf048ef8 /]# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 centosA f98aa064f560
172.17.0.3 7583cf048ef8
[root@7583cf048ef8 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.3 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:03 txqueuelen 0 (Ethernet)
RX packets 12 bytes 936 (936.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 280 (280.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@7583cf048ef8 /]# ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (101.91.42.232) 56(84) bytes of data.
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=1 ttl=127 time=11.8 ms
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=2 ttl=127 time=11.6 ms
2. Network communication on the same host
2.1 Containers of the same network type on the same host
Containers in bridge mode can reach the host's network.
# Install a service on another physical host
[root@localhost7A ~]# yum install nginx
[root@localhost7A ~]# echo 192.168.80.100 > /usr/share/nginx/html/index.html
[root@localhost7A ~]# systemctl start nginx.service
# Run a container on the bridge network on the Docker host
[root@localhost7B ~]# docker run -it -d --name centosA --network bridge centos-base:v1
92dc6a928cb96c6dfe25e105415e85ce52db0ba976613c3d7400f6777ba72578
[root@localhost7B ~]#
[root@localhost7B ~]# docker exec -it centosA bash
[root@92dc6a928cb9 /]#
[root@92dc6a928cb9 /]# ip a
204: eth0@if205: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@92dc6a928cb9 /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.138 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.049 ms
# Run a second container on the bridge network on the Docker host
[root@localhost7B ~]# docker run -it -d --name centosB --network bridge centos-base:v1
9fc9f973b8c11f08d6fe8d3ac3bae47080be67a722ebd01fb5cb36e39b7db5b2
[root@localhost7B ~]# docker exec -it centosB bash
[root@9fc9f973b8c1 /]# ip a
206: eth0@if207: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
# Test
[root@9fc9f973b8c1 /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.174 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.064 ms
[root@9fc9f973b8c1 /]# curl 192.168.80.100
192.168.80.100
--------------------------------------------------------------
2.2 Containers on different named networks on the same host
# Create the networks and their subnets
[root@localhost7B ~]# docker network create -d bridge --subnet 10.100.0.0/16 --gateway 10.100.0.1 AAAA
d940641ff2e2cdddb92d99e0376116a92d729b1fedb10d48acc189fca0f2f9ca
[root@localhost7B ~]# docker network create -d bridge --subnet 172.27.0.0/16 --gateway 172.27.0.1 BBBB
efd6f5041a54161390745cfa0fca1dd5292125cc774fc0583d5819a7e187ca8c
[root@localhost7B ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
d940641ff2e2 AAAA bridge local
efd6f5041a54 BBBB bridge local
dadcee624d9f bridge bridge local
c3a3c664c940 host host local
7dd7ae01904e none null local
# Inspect the network information
[root@localhost7B ~]# ifconfig
br-d940641ff2e2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.100.0.1 netmask 255.255.0.0 broadcast 10.100.255.255
inet6 fe80::42:47ff:fe51:d929 prefixlen 64 scopeid 0x20<link>
ether 02:42:47:51:d9:29 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-efd6f5041a54: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.27.0.1 netmask 255.255.0.0 broadcast 172.27.255.255
inet6 fe80::42:7bff:fee0:add5 prefixlen 64 scopeid 0x20<link>
ether 02:42:7b:e0:ad:d5 txqueuelen 0 (Ethernet)
RX packets 1109 bytes 106616 (104.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 78 bytes 6228 (6.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# Inspect the bridges
[root@localhost7B ~]# brctl show
bridge name bridge id STP enabled interfaces
br-d940641ff2e2 8000.02424751d929 no vethaee927d
br-efd6f5041a54 8000.02427be0add5 no veth4f5b3e9
veth5e8cbf8
docker0 8000.0242f1d70496 no
virbr0 8000.525400ecdab8 yes virbr0-nic
# Create a container on network AAAA
[root@localhost7B ~]# docker run -it -d --name centosA --network AAAA centos-base:v1 bash
89b91f8ae4310fac0ffa797e47cba153369bff122c76bb1d6ac7df54bd0137c9
[root@localhost7B ~]# docker exec -it centosA bash
[root@89b91f8ae431 /]# ip a
211: eth0@if212: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:0a:64:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.100.0.2/16 brd 10.100.255.255 scope global eth0
valid_lft forever preferred_lft forever
# Create a container on network BBBB
[root@localhost7B ~]# docker run -it -d --name centosB --network BBBB centos-base:v1 bash
1592786ecfc7272e86d6c37a3bb3f9b8d618654bc0ac8b5a505dc019a5f43785
[root@localhost7B ~]# docker exec -it centosB bash
[root@1592786ecfc7 /]# ip a
213: eth0@if214: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:1b:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.27.0.2/16 brd 172.27.255.255 scope global eth0
valid_lft forever preferred_lft forever
# Create a second container on network BBBB
[root@localhost7B ~]# docker run -it -d --name centosC --network BBBB centos-base:v1 bash
[root@574a608904fa /]# ip a
215: eth0@if216: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:1b:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.27.0.3/16 brd 172.27.255.255 scope global eth0
valid_lft forever preferred_lft forever
# Test: containers on the same subnet can reach each other, containers on different subnets cannot (same network type).
[root@574a608904fa /]# ping 172.27.0.2
PING 172.27.0.2 (172.27.0.2) 56(84) bytes of data.
64 bytes from 172.27.0.2: icmp_seq=1 ttl=64 time=24.4 ms
64 bytes from 172.27.0.2: icmp_seq=2 ttl=64 time=0.050 ms
64 bytes from 172.27.0.2: icmp_seq=3 ttl=64 time=0.050 ms
[root@574a608904fa /]# curl 192.168.80.100
[root@574a608904fa /]# ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (101.91.42.232) 56(84) bytes of data.
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=1 ttl=127 time=11.6 ms
64 bytes from 101.91.42.232 (101.91.42.232): icmp_seq=2 ttl=127 time=11.5 ms
# Unreachable.
[root@574a608904fa /]# ping 10.100.0.2
PING 10.100.0.2 (10.100.0.2) 56(84) bytes of data.
^C
Solution: communication between containers on different named networks on the same host
[root@localhost7B ~]# iptables -vnL
.....
.....
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
5 420 DOCKER-ISOLATION-STAGE-2 all -- br-efd6f5041a54 !br-efd6f5041a54 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- br-d940641ff2e2 !br-d940641ff2e2 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Edit the iptables configuration
[root@localhost7B ~]# iptables-save
[root@localhost7B ~]# iptables-save > iptables.rule
[root@localhost7B ~]# vim iptables.rule
......
......
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
#-A DOCKER-ISOLATION-STAGE-1 -i br-efd6f5041a54 ! -o br-efd6f5041a54 -j DOCKER-ISOLATION-STAGE-2   # note: this rule is commented out
#-A DOCKER-ISOLATION-STAGE-1 -i br-d940641ff2e2 ! -o br-d940641ff2e2 -j DOCKER-ISOLATION-STAGE-2   # note: this rule is commented out
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
[root@localhost7B ~]# iptables-restore < iptables.rule
# Test from inside the container: now reachable.
[root@localhost7B ~]# docker exec -it centosB bash
[root@574a608904fa /]# ping 10.100.0.2
PING 10.100.0.2 (10.100.0.2) 56(84) bytes of data.
64 bytes from 10.100.0.2: icmp_seq=1 ttl=63 time=0.055 ms
64 bytes from 10.100.0.2: icmp_seq=2 ttl=63 time=0.056 ms
64 bytes from 10.100.0.2: icmp_seq=3 ttl=63 time=0.057 ms
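The two commented-out rules are what keep containers on different Docker bridges apart. Removing them for br-efd6f5041a54 and br-d940641ff2e2 lets traffic leave those two bridges into any other Docker bridge (docker0 included), not just into each other, and dockerd rebuilds the DOCKER-ISOLATION chains when it restarts, so the edit is also temporary. The Python script below is an added example and not part of this tutorial: it parses an iptables-save dump (the sample is constructed from the rules shown above plus the DOCKER-ISOLATION-STAGE-2 chain that Docker generates alongside them), reports which bridges have lost their stage-1 rule, and simulates the two chains for a given source and destination bridge so the effect of an edit can be checked before it is restored.

```python
"""Audit an iptables-save dump for Docker's per-bridge isolation rules.

Added example, not part of the tutorial. Docker installs, for every bridge
it manages, one DOCKER-ISOLATION-STAGE-1 rule (packet entering on the
bridge and leaving elsewhere -> stage 2) and one DOCKER-ISOLATION-STAGE-2
rule (packet leaving on the bridge -> DROP). Traffic between two different
Docker bridges is dropped only if both rules are present.
"""
import re

# Constructed sample: the relevant part of the dump after the edit above;
# the STAGE-2 chain is the one Docker generates for the same three bridges.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
#-A DOCKER-ISOLATION-STAGE-1 -i br-efd6f5041a54 ! -o br-efd6f5041a54 -j DOCKER-ISOLATION-STAGE-2
#-A DOCKER-ISOLATION-STAGE-1 -i br-d940641ff2e2 ! -o br-d940641ff2e2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-efd6f5041a54 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-d940641ff2e2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
"""

STAGE1_RE = re.compile(
    r"^-A DOCKER-ISOLATION-STAGE-1 -i (?P<br>\S+) ! -o (?P=br) -j DOCKER-ISOLATION-STAGE-2$"
)
STAGE2_RE = re.compile(r"^-A DOCKER-ISOLATION-STAGE-2 -o (?P<br>\S+) -j DROP$")
_EMPTY = {"stage1": False, "stage2": False}


def parse_isolation(dump: str) -> dict:
    """{bridge: {"stage1": bool, "stage2": bool}} for every bridge named in
    either isolation chain. Lines starting with '#' are skipped, exactly as
    iptables-restore skips them."""
    bridges = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STAGE1_RE.match(line)
        if m:
            bridges.setdefault(m["br"], dict(_EMPTY))["stage1"] = True
            continue
        m = STAGE2_RE.match(line)
        if m:
            bridges.setdefault(m["br"], dict(_EMPTY))["stage2"] = True
    return bridges


def unisolated_bridges(dump: str) -> list:
    """Bridges whose stage-1 jump is missing: packets leaving them are never
    handed to stage 2, so their containers can reach every other bridge."""
    return sorted(br for br, s in parse_isolation(dump).items() if not s["stage1"])


def isolation_allows(dump: str, src_br: str, dst_br: str) -> bool:
    """Simulate the two chains for a packet entering on src_br and leaving on
    dst_br. Same-bridge traffic never enters stage 2; cross-bridge traffic is
    dropped only when the source has its stage-1 rule and the destination has
    its stage-2 DROP."""
    if src_br == dst_br:
        return True
    state = parse_isolation(dump)
    src = state.get(src_br, _EMPTY)
    dst = state.get(dst_br, _EMPTY)
    return not (src["stage1"] and dst["stage2"])


if __name__ == "__main__":
    print("bridges without stage-1 isolation:", unisolated_bridges(SAMPLE_RULES))
    for a, b in [("br-efd6f5041a54", "br-d940641ff2e2"), ("docker0", "br-efd6f5041a54")]:
        print(a, "->", b, "allowed" if isolation_allows(SAMPLE_RULES, a, b) else "dropped")
```

If the goal is only for centosB to reach centosA, attaching the container to the second network with docker network connect AAAA centosB achieves that without touching the isolation rules, and the audit above then still reports every bridge as isolated.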
3. Network communication between different hosts
Containers on different hosts are given the same (overlapping) IP addresses and cannot communicate with each other. One host can run several network modes (bridge, host, and so on); with several hosts, the container subnet on each host must be changed before their containers can communicate.
localhost7B 192.168.80.110 container subnet: 172.17.0.0/16
localhost7C 192.168.80.120 container subnet: 10.100.0.0/24
# Change the bridge network configuration and restart the docker service
[root@localhost7C ~]# cat /etc/docker/daemon.json
{
  "bip": "10.100.0.1/24"
}
# Host IP and routing information
[root@localhost7B ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:f1ff:fed7:496 prefixlen 64 scopeid 0x20<link>
ether 02:42:f1:d7:04:96 txqueuelen 0 (Ethernet)
RX packets 256630 bytes 10327647 (9.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 390337 bytes 303390504 (289.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.80.110 netmask 255.255.255.0 broadcast 192.168.80.255
inet6 fe80::de87:2dd4:969e:491e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:81:5d:42 txqueuelen 1000 (Ethernet)
RX packets 1662403 bytes 1356328786 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1132122 bytes 1638302559 (1.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost7B ~]# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@localhost7B ~]# docker run -it -d --name centosBB --network bridge centos-base:v1
62e5459ec0893322a9a66aee91beb2550f14c7c9757a28fb3082c14c14913304
[root@localhost7B ~]# docker exec -it centosBB bash
[root@62e5459ec089 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 8 bytes 656 (656.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@62e5459ec089 /]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
# Host network and routing information after the bridge network was changed
[root@localhost7C ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.100.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:cdff:fe40:f877 prefixlen 64 scopeid 0x20<link>
ether 02:42:cd:40:f8:77 txqueuelen 0 (Ethernet)
RX packets 10709 bytes 446373 (435.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15230 bytes 26260116 (25.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.80.120 netmask 255.255.255.0 broadcast 192.168.80.255
inet6 fe80::7cd:a65c:16d4:ff57 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:a2:14:02 txqueuelen 1000 (Ethernet)
RX packets 1095894 bytes 1029481316 (981.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 128831 bytes 10661668 (10.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost7C ~]# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.100.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@localhost7C ~]# docker run -it -d --name centosCC --network bridge centos-base:v1
ddf282697c2a905311a639dc0b63f41fb6106cb7763c640f412fe817ed1b7846
[root@localhost7C ~]# docker exec -it centosCC bash
[root@ddf282697c2a /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.100.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:aff:fe64:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:0a:64:00:02 txqueuelen 0 (Ethernet)
RX packets 8 bytes 656 (656.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 656 (656.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@ddf282697c2a /]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.100.0.1 0.0.0.0 UG 0 0 0 eth0
10.100.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
# Test: unreachable
[root@ddf282697c2a /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
# Add a static route and an iptables rule on each host; the route's gateway points at the other host's IP
[root@localhost7B ~]# route add -net 10.100.0.0/24 gw 192.168.80.120
[root@localhost7B ~]# iptables -A FORWARD -s 192.168.80.0/24 -j ACCEPT
# Same on the other host: static route with the peer host's IP as gateway, plus the iptables rule
[root@localhost7C ~]# route add -net 172.17.0.0/16 gw 192.168.80.110
[root@localhost7C ~]# iptables -A FORWARD -s 192.168.80.0/24 -j ACCEPT
# Test: reachable
[root@localhost7C ~]# docker exec -it centosCC bash
[root@ddf282697c2a /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=62 time=0.370 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=62 time=0.381 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=62 time=0.401 ms
64 bytes from 172.17.0.2: icmp_seq=4 ttl=62 time=0.413 ms
64 bytes from 172.17.0.2: icmp_seq=5 ttl=62 time=1.15 ms
# Capture packets with tcpdump on host B to observe the traffic
[root@localhost7B ~]# tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:33:16.862295 IP 192.168.80.120 > 172.17.0.2: ICMP echo request, id 39, seq 1, length 64
15:33:16.862401 IP 172.17.0.2 > 192.168.80.120: ICMP echo reply, id 39, seq 1, length 64
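Two details in the output above are worth reading carefully. The request reaches host B with source 192.168.80.120 rather than 10.100.0.2: the MASQUERADE rule that Docker installs on host C for its container subnet rewrites the container's source address as the packet leaves eth0. And the ping replies carry a ttl of 62 (two routing hops, the local docker0 gateway and the peer host) where the same-host case in section 2.2 showed 63. On the hardening side, iptables -A FORWARD -s 192.168.80.0/24 -j ACCEPT accepts forwarded traffic from every machine on the LAN, not only from the peer host; restricting -s to the peer's address, and placing the rule in the DOCKER-USER chain that Docker evaluates first and never rewrites, narrows that. The Python script below is an added example and not part of this tutorial: the host table is the one used above, while the subnet-overlap check, the command planning and the capture parsing are my own way of automating the procedure of this section.

```python
"""Plan per-host container subnets and routes for cross-host Docker traffic,
and label the addresses seen in a tcpdump capture.

Added example, not part of the tutorial. Section 3's procedure: give each
host a distinct container subnet (daemon.json "bip"), add a static route
per peer with the peer host as gateway, and accept forwarded LAN traffic.
"""
import ipaddress
import re

# Constructed from the tutorial: host -> (host IP, container subnet)
HOSTS = {
    "localhost7B": ("192.168.80.110", "172.17.0.0/16"),
    "localhost7C": ("192.168.80.120", "10.100.0.0/24"),
}


def overlapping(hosts: dict) -> list:
    """Pairs of hosts whose container subnets overlap. Their containers cannot
    reach each other across hosts, which is where this section starts (both
    hosts on the default 172.17.0.0/16)."""
    names = sorted(hosts)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(hosts[a][1]).overlaps(ipaddress.ip_network(hosts[b][1])):
                bad.append((a, b))
    return bad


def daemon_json(subnet: str) -> str:
    """daemon.json content for a host: "bip" is the bridge's own address, the
    first usable address of the subnet with its prefix length."""
    net = ipaddress.ip_network(subnet)
    return '{\n  "bip": "%s/%d"\n}' % (next(net.hosts()), net.prefixlen)


def routes_for(host: str, hosts: dict, lan: str = "192.168.80.0/24") -> list:
    """Commands for `host`: one static route per peer (gateway = peer host IP)
    and the FORWARD rule the tutorial adds. Refuses overlapping subnets,
    because such a route would shadow the host's own containers."""
    clash = overlapping(hosts)
    if clash:
        raise ValueError("container subnets overlap: %r" % clash)
    cmds = []
    for peer, (peer_ip, peer_net) in sorted(hosts.items()):
        if peer != host:
            cmds.append("route add -net %s gw %s" % (peer_net, peer_ip))
    cmds.append("iptables -A FORWARD -s %s -j ACCEPT" % lan)
    return cmds


TCPDUMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<kind>echo request|echo reply)"
)


def classify_capture(line: str, hosts: dict) -> dict:
    """Label the src/dst of one tcpdump ICMP line as 'host:<name>' or
    'container@<name>'. A request whose source is a host address rather than a
    container address has been masqueraded by the sending host."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("not an ICMP line: %r" % line)

    def label(addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        for name, (host_ip, net) in hosts.items():
            if ip == ipaddress.ip_address(host_ip):
                return "host:" + name
            if ip in ipaddress.ip_network(net):
                return "container@" + name
        return "unknown"

    return {"kind": m["kind"], "src": label(m["src"]), "dst": label(m["dst"])}


if __name__ == "__main__":
    for host in HOSTS:
        print(host, daemon_json(HOSTS[host][1]).replace("\n", " "), routes_for(host, HOSTS))
    # Constructed from the capture shown in the tutorial
    line = "15:33:16.862295 IP 192.168.80.120 > 172.17.0.2: ICMP echo request, id 39, seq 1, length 64"
    print(classify_capture(line, HOSTS))
```

Running it with both hosts left on 172.17.0.0/16 makes routes_for raise instead of emitting a route, which is the failure the section opens with.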