Can a Docker container's IP be the same as the host's IP? Is the Docker IP the same as the host IP?


Docker uses Linux bridging: it creates a virtual bridge for Docker containers on the host (docker0). When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the Container-IP, and the Docker bridge is each container's default gateway. Because all containers on the same host attach to the same bridge, containers can talk to each other directly via their Container-IPs.

The Docker bridge is virtualized by the host; it is not a real network device and cannot be addressed from the external network, which means the outside world cannot reach a container directly through its Container-IP. If a container needs to be reachable from outside, map a container port to the host (port mapping), enabled with the -p or -P option of docker run when the container is created; the container is then accessed as [host IP]:[container port].




host mode

If a container is started in host mode, it does not get its own Network Namespace; it shares the host's Network Namespace. The container does not get a virtual NIC or configure its own IP; it uses the host's IP and ports. Other aspects of the container, such as the filesystem and the process list, remain isolated from the host.

A container in host mode communicates with the outside directly using the host's IP address, and service ports inside the container are the host's ports, so no NAT is needed. The biggest advantage of host mode is network performance, but ports already in use on the Docker host cannot be reused, and network isolation is poor.




[root@localhost ~]# docker run -d --name wot_web --network host nginx:1.19.2
6bf06c09d140d950c7b8969dcb33e917bbe6890645c638f0a4cd7b6594d53897
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
6bf06c09d140        nginx:1.19.2        "/docker-entrypoin..."   5 seconds ago       Up 5 seconds                            wot_web
[root@localhost ~]# curl 127.0.0.1:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@localhost ~]#


container mode

This mode makes a newly created container share a Network Namespace with an existing container rather than with the host. The new container does not create its own NIC or configure its own IP; it shares the IP, port range and so on with the specified container. As before, apart from networking, the two containers remain isolated in other respects such as the filesystem and the process list. Processes in the two containers can communicate over the lo loopback device.




[root@localhost ~]# docker run -d --name wot_web --network host nginx:1.19.2
6bf06c09d140d950c7b8969dcb33e917bbe6890645c638f0a4cd7b6594d53897

[root@localhost ~]# docker run -itd --name wot01 nginx:1.19.5
3abb0f62a84b6f074701cc36dc9bd15ed399074b785fde3fcdfcfa688a445904
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
3abb0f62a84b        nginx:1.19.5        "/docker-entrypoin..."   8 seconds ago       Up 7 seconds        80/tcp              wot01
6bf06c09d140        nginx:1.19.2        "/docker-entrypoin..."   47 minutes ago      Up 47 minutes                           wot_web
[root@localhost ~]# docker exec -it wot01 sh  -- enter container wot01 to check its IP info; the command has to be installed first
# apt update
# apt install net-tools
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:acff:fe11:2  prefixlen 64  scopeid 0x20<link>
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 3345  bytes 8842598 (8.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3047  bytes 166356 (162.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#  exit
[root@localhost ~]# docker exec -it wot_web sh  -- enter container wot_web to check its IP info
# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:2fff:fe97:8a0  prefixlen 64  scopeid 0x20<link>
        ether 02:42:2f:97:08:a0  txqueuelen 0  (Ethernet)
        RX packets 3047  bytes 123698 (120.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3337  bytes 8841942 (8.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.50.100  netmask 255.255.255.0  broadcast 192.168.50.255
        inet6 fe80::1b26:701f:1a7:941e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ff:ae:23  txqueuelen 1000  (Ethernet)
        RX packets 71484  bytes 79783004 (76.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17581  bytes 1567015 (1.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.100  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::5d6c:ff46:56b0:2dec  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ff:ae:2d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 1292 (1.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 77  bytes 7407 (7.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 77  bytes 7407 (7.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.112  netmask 255.255.240.0  broadcast 0.0.0.0
        inet6 fe80::143f:9ff:fe71:977d  prefixlen 64  scopeid 0x20<link>
        ether 16:3f:09:71:97:7d  txqueuelen 1000  (Ethernet)
        RX packets 22  bytes 1804 (1.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 31  bytes 2182 (2.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth4621885: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::70c3:4ff:fea3:7a86  prefixlen 64  scopeid 0x20<link>
        ether 72:c3:04:a3:7a:86  txqueuelen 0  (Ethernet)
        RX packets 3047  bytes 166356 (162.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3345  bytes 8842598 (8.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


none mode

In none mode the Docker container has its own Network Namespace, but Docker performs no network configuration for it at all. In other words, the container has no NIC, IP, routes or similar; we have to add a NIC, configure an IP and so on for the container ourselves.

In this network mode the container has only the lo loopback interface and no other NIC. none mode is selected at container creation with --network=none. A container of this type has no way to reach a network; such a closed network gives good assurance of the container's security.




[root@localhost ~]# docker run -dit --name wot07 --network none busybox
ad14e5a13663ab52ee3c905bc9f83a4a0abdad5fd24e676517d28de032308166
[root@localhost ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
ad14e5a13663        busybox             "sh"                4 seconds ago       Up 3 seconds                            wot07
[root@localhost ~]# docker exec -it wot07 sh
/ # ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #
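The three listings above (host, container/bridge, none) can be told apart by what the container sees. As an added example that is not part of the original post, the following Python classifies an ifconfig listing taken inside a container; the sample listings are constructed from the outputs on this page, and the docker0 subnet 172.17.0.0/16 is assumed to be the default bridge subnet shown here.

```python
import ipaddress
import re
# Constructed samples: trimmed 'ifconfig' listings as seen inside the containers on
# this page (net-tools format in wot_web / wot01, busybox format in wot07).
HOST_MODE_IFCONFIG = """\
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.50.100  netmask 255.255.255.0  broadcast 192.168.50.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""
BRIDGE_MODE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""
NONE_MODE_IFCONFIG = """\
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
DOCKER0_SUBNET = ipaddress.ip_network("172.17.0.0/16")  # assumed: docker0's subnet on this page

def parse_interfaces(text):
    """Map interface name -> IPv4 addresses. Accepts both header styles above:
    'eth0: flags=...' (net-tools) and 'lo        Link encap:...' (busybox)."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():            # interface header line
            current = re.split(r"[:\s]", line, maxsplit=1)[0]
            ifaces[current] = []
        elif current is not None:
            m = re.search(r"inet (?:addr:)?(\d+\.\d+\.\d+\.\d+)", line)
            if m:
                ifaces[current].append(ipaddress.ip_address(m.group(1)))
    return ifaces

def infer_network_mode(text):
    """Classify the isolation the listing implies for the container it was taken in."""
    ifaces = parse_interfaces(text)
    names = set(ifaces)
    if names == {"lo"}:
        return "none"    # own namespace with only loopback: no way to reach any network
    if "docker0" in names or any(n.startswith("veth") for n in names):
        return "host"    # the host's bridge / veth ends are visible: no namespace of its own
    if any(a in DOCKER0_SUBNET for a in ifaces.get("eth0", [])):
        return "bridge"  # own veth end on docker0; container: mode looks identical from inside
    return "unknown"
```

A container started with --network container:NAME shows exactly the same eth0 as the container it shares, so from inside it is indistinguishable from bridge mode; docker inspect on the host is the authoritative check.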


bridge mode

When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and every Docker container started on this host connects to that bridge. The virtual bridge works like a physical switch, so all containers on the host are joined into one layer-2 network through it.

An IP from the docker0 subnet is assigned to the container, and docker0's IP address is set as the container's default gateway. A pair of virtual NICs (a veth pair) is created on the host; Docker places one end inside the new container and names it eth0 (the container's NIC), while the other end stays on the host under a name like vethxxx and is attached to the docker0 bridge. This can be seen with brctl show.

bridge mode is Docker's default network mode: if the --net option is not given, bridge mode is used. When docker run -p is used, Docker actually installs DNAT rules in iptables to implement the port forwarding; they can be viewed with iptables -t nat -vnL.




[root@localhost ~]# docker run -dit --name wot01 busybox
9bc70d8d82b2af52f702e9ab8b28e01d5df668cdbd53497c4c4dbcb0f34aef18
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:ff:ae:23 brd ff:ff:ff:ff:ff:ff
    inet 192.168.50.100/24 brd 192.168.50.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1b26:701f:1a7:941e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:ff:ae:2d brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.100/16 brd 172.16.255.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::5d6c:ff46:56b0:2dec/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:2f:97:08:a0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:2fff:fe97:8a0/64 scope link 
       valid_lft forever preferred_lft forever
6: veth@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 16:3f:09:71:97:7d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.16.0.112/20 scope global veth
       valid_lft forever preferred_lft forever
    inet6 fe80::143f:9ff:fe71:977d/64 scope link 
       valid_lft forever preferred_lft forever
12: vethebffb4f@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 02:cc:47:17:af:2e brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::cc:47ff:fe17:af2e/64 scope link 
       valid_lft forever preferred_lft forever
[root@localhost ~]# docker exec -it wot01 sh
/ # ping 192.168.50.100
PING 192.168.50.100 (192.168.50.100): 56 data bytes
64 bytes from 192.168.50.100: seq=0 ttl=64 time=0.156 ms
64 bytes from 192.168.50.100: seq=1 ttl=64 time=0.130 ms
64 bytes from 192.168.50.100: seq=2 ttl=64 time=0.082 ms
^C
--- 192.168.50.100 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.082/0.122/0.156 ms
/ #
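The bridge-mode paragraph above says docker run -p works by DNAT rules in iptables. As an added example that is not part of the original post, the following Python parses the DOCKER chain from iptables -t nat -vnL and reports which mapped ports are reachable on every host address versus loopback only; the chain output is constructed to mirror what an assumed "docker run -p 8080:80" and "docker run -p 127.0.0.1:3306:3306" would produce.

```python
import re

# Constructed sample of 'iptables -t nat -vnL' output for the DOCKER chain, where
# Docker installs the DNAT rules behind 'docker run -p'.
# Rule 1 models '-p 8080:80'; rule 2 models '-p 127.0.0.1:3306:3306' (assumed commands).
DOCKER_NAT_CHAIN = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    3   180 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0            127.0.0.1            tcp dpt:3306 to:172.17.0.3:3306
"""

# Columns of -vnL: pkts bytes target prot opt in out source destination [extra]
DNAT_RULE = re.compile(
    r"^\s*\d+\s+\d+\s+DNAT\s+(?P<proto>\w+)\s+\S+\s+(?P<in>\S+)\s+\S+\s+\S+\s+(?P<dst>\S+)"
    r".*?dpt:(?P<hport>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)"
)

def parse_port_mappings(text):
    """Return one dict per DNAT rule: host destination/port -> container ip:port."""
    mappings = []
    for line in text.splitlines():
        m = DNAT_RULE.match(line)
        if not m:
            continue                      # chain header, column header, RETURN rule
        d = m.groupdict()
        mappings.append({
            "proto": d["proto"],
            "host_dst": d["dst"],         # 0.0.0.0/0 = any host address, 127.0.0.1 = loopback only
            "host_port": int(d["hport"]),
            "container": f"{d['cip']}:{d['cport']}",
            "in_iface": d["in"],          # '!docker0': packets arriving from outside the bridge
            "externally_reachable": d["dst"] == "0.0.0.0/0",
        })
    return mappings

def externally_reachable_ports(text):
    """Host ports the DNAT rules expose on every interface, not just loopback."""
    return sorted(m["host_port"] for m in parse_port_mappings(text) if m["externally_reachable"])
```

Feeding the real output of iptables -t nat -vnL DOCKER into parse_port_mappings gives the same inventory for a live host.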