Docker Networking
Docker automatically creates three networks:
- bridge (the default mode when a container is created)
- None
- Host
❯ docker network ls
NETWORK ID NAME DRIVER SCOPE
ee2d3a2b6478 bridge bridge local
1885cd38302f host host local
f122b0c57335 none null local
Network modes
1. Host
In this mode the container sits in the same network as the host but has no IP address of its own. The container does not get a virtual NIC or its own IP configuration; it uses the host's IP and ports directly. When a container is started with the Host network mode, no new network namespace is created: the container shares the host's network namespace.
docker run -dit --network=host --name host-net-test ubuntu:16.04
docker exec -it a30b74bea69c bash
root@k8s-worker:/# ls -al /proc/$$/ns
total 0
dr-x--x--x 2 root root 0 Mar 22 10:06 .
dr-xr-xr-x 9 root root 0 Mar 22 10:06 ..
lrwxrwxrwx 1 root root 0 Mar 22 10:06 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 ipc -> ipc:[4026532451]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 mnt -> mnt:[4026532449]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 net -> net:[4026531993]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 pid -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 pid_for_children -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 uts -> uts:[4026532450]
exit
root@k8s-worker ~ 7m 40s
❯ ls -al /proc/$$/ns
总用量 0
dr-x--x--x 2 root root 0 Mar 22 15:01 .
dr-xr-xr-x 9 root root 0 Mar 22 15:00 ..
lrwxrwxrwx 1 root root 0 Mar 22 15:14 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 net -> net:[4026531993]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 pid_for_children -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar 22 15:01 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 uts -> uts:[4026531838]
The container's network namespace is the same as the host's (net:[4026531993] appears in both listings), while the filesystem, processes and so on (mnt, pid, ipc, uts) are still isolated from the host.
2. Container
In this mode a newly created container shares the network namespace of an existing container rather than the host's. Apart from networking, the two containers remain isolated from each other in their filesystems, processes and so on.
root@k8s-worker ~
❯ docker run -dit --name net-test ubuntu:16.04
93c185d986087d5b38fe3e09c955de20975038f59df1beb7daf61c43eb18ad8e
root@k8s-worker ~
❯ docker run -dit --network=container:93c --name container-net-test ubuntu:16.04
08c8280fe0a603babb21c9bb327e471b44e58c3ba47aa29bc1fe80fe4c2420f0
root@k8s-worker ~
❯ docker exec -it 93c bash 2 ↵
root@93c185d98608:/# ls -al /proc/$$/ns
total 0
dr-x--x--x 2 root root 0 Mar 22 10:33 .
dr-xr-xr-x 9 root root 0 Mar 22 10:33 ..
lrwxrwxrwx 1 root root 0 Mar 22 10:33 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 ipc -> ipc:[4026532389]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 mnt -> mnt:[4026532387]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 net -> net:[4026532392]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 pid -> pid:[4026532390]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 pid_for_children -> pid:[4026532390]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 uts -> uts:[4026532388]
root@93c185d98608:/# exit
exit
root@k8s-worker ~
❯ docker exec -it 08c bash 1 ↵
root@93c185d98608:/# ls -al /proc/$$/ns
total 0
dr-x--x--x 2 root root 0 Mar 22 10:34 .
dr-xr-xr-x 9 root root 0 Mar 22 10:34 ..
lrwxrwxrwx 1 root root 0 Mar 22 10:34 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 ipc -> ipc:[4026532451]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 mnt -> mnt:[4026532449]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 net -> net:[4026532392]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 pid -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 pid_for_children -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 uts -> uts:[4026532450]
root@93c185d98608:/# exit
exit
root@k8s-worker ~ 18s
❯ ls -al /proc/$$/ns
总用量 0
dr-x--x--x 2 root root 0 Mar 22 15:01 .
dr-xr-xr-x 9 root root 0 Mar 22 15:00 ..
lrwxrwxrwx 1 root root 0 Mar 22 15:14 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 net -> net:[4026531993]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 pid_for_children -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar 22 15:01 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 uts -> uts:[4026531838]
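The Host and Container sections above compare namespace inode numbers by eye. The script below, added here as an example and not part of the original post, does the same comparison programmatically: it parses `ls -al /proc/$$/ns` listings and reports which namespaces two processes share. The embedded listings are copied from the host, host-net-test, net-test and container-net-test output above; the function names are my own. It accepts both the plain `net -> net:[...]` form and the quoted `'net:[...]'` form that newer coreutils prints (as in the None section further down).

```python
"""Compare namespace inodes from `ls -al /proc/$$/ns` listings.

Added example, not part of the original post. The listings below are copied
from the post's output (host shell, host-net-test, net-test,
container-net-test); the function names are my own.
"""
import re

# Host shell on k8s-worker (only the symlink lines are needed)
HOST_SHELL = """\
lrwxrwxrwx 1 root root 0 Mar 22 15:14 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 net -> net:[4026531993]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 pid_for_children -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar 22 15:01 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 15:14 uts -> uts:[4026531838]
"""

# Container started with --network=host
HOST_NET_TEST = """\
lrwxrwxrwx 1 root root 0 Mar 22 10:06 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 ipc -> ipc:[4026532451]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 mnt -> mnt:[4026532449]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 net -> net:[4026531993]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 pid -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 pid_for_children -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 10:06 uts -> uts:[4026532450]
"""

# Container started on the default bridge network
NET_TEST = """\
lrwxrwxrwx 1 root root 0 Mar 22 10:33 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 ipc -> ipc:[4026532389]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 mnt -> mnt:[4026532387]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 net -> net:[4026532392]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 pid -> pid:[4026532390]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 pid_for_children -> pid:[4026532390]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 10:33 uts -> uts:[4026532388]
"""

# Container started with --network=container:<net-test>
CONTAINER_NET_TEST = """\
lrwxrwxrwx 1 root root 0 Mar 22 10:34 cgroup -> cgroup:[4026531835]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 ipc -> ipc:[4026532451]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 mnt -> mnt:[4026532449]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 net -> net:[4026532392]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 pid -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 pid_for_children -> pid:[4026532452]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar 22 10:34 uts -> uts:[4026532450]
"""

# Matches "<name> -> <kind>:[<inode>]" with or without the quotes newer coreutils adds.
_NS_LINE = re.compile(r"\s(\S+) -> '?(\S+?):\[(\d+)\]'?\s*$")


def parse_ns_listing(text):
    """Map each namespace entry (net, pid, mnt, ...) to the inode of the kernel object it points to."""
    inodes = {}
    for line in text.splitlines():
        m = _NS_LINE.search(line)
        if m:
            name, _kind, inode = m.groups()
            inodes[name] = int(inode)
    return inodes


def shared_namespaces(a, b):
    """Entries whose inode is identical in both listings: both processes are in the same namespace."""
    return sorted(name for name in a.keys() & b.keys() if a[name] == b[name])


def isolated_namespaces(a, b):
    """Entries present in both listings but pointing at different kernel objects."""
    return sorted(name for name in a.keys() & b.keys() if a[name] != b[name])


def shares_host_network(container, host):
    """True when the container's net namespace is the host's own (as with --network=host)."""
    return "net" in container and container["net"] == host.get("net")


if __name__ == "__main__":
    host = parse_ns_listing(HOST_SHELL)
    for name, listing in [("host-net-test", HOST_NET_TEST), ("net-test", NET_TEST),
                          ("container-net-test", CONTAINER_NET_TEST)]:
        ns = parse_ns_listing(listing)
        print(f"{name}: shares {shared_namespaces(ns, host)} with host, "
              f"isolated {isolated_namespaces(ns, host)}, "
              f"host net namespace: {shares_host_network(ns, host)}")
```

For a live check, feed it the output of `ls -al /proc/1/ns` from inside the container (via `docker exec`) and from the host: a container whose net inode equals the host's was started with the Host network mode, which is exactly what an audit of container isolation wants to flag. Note that cgroup and user are shared in every listing above, because Docker does not create user or cgroup namespaces by default.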
3. Bridge
A container started in this mode gets a new network namespace that is attached to the docker0 virtual bridge; the container is assigned an IP address from docker0's subnet and uses docker0's IP as its default gateway. For every container on the bridge network the host creates a veth pair (a pair of virtual interfaces). Docker places one end of the pair inside the new container and names it eth0, which is the container's NIC; the other end stays on the host under a name like veth*** and is attached to the docker0 bridge. As shown below:
Start two containers in bridge mode and inspect the docker0 bridge:
ubuntu ➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7587f2733fc2 c0ny1/upload-labs:latest "apache2-foreground" 21 months ago Up 4 minutes 0.0.0.0:10002->80/tcp upload
85a0999f5b06 acgpiano/sqli-labs:latest "/run.sh" 21 months ago Up 4 minutes 3306/tcp, 0.0.0.0:10001->80/tcp sqli-lab
ubuntu ➜ ~ brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024251773690 no veth512022f
veth8185f1f
4. None
When a container is started in None mode, a new network namespace is created, but no IP address, NIC, routes or other network configuration are assigned to it; these have to be configured by hand afterwards.
ubuntu ➜ ~ docker run -dit --network=none --name=none-net-test ubuntu:18.04
123b311427e1ed0d9d3388af3b3d2a7334726f0207ea52431e14b79dc581ce1f
radish ➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
123b311427e1 ubuntu:18.04 "/bin/bash" 2 seconds ago Up 1 second none-net-test
7587f2733fc2 c0ny1/upload-labs:latest "apache2-foreground" 21 months ago Up 30 minutes 0.0.0.0:10002->80/tcp upload
85a0999f5b06 acgpiano/sqli-labs:latest "/run.sh" 21 months ago Up 30 minutes 3306/tcp, 0.0.0.0:10001->80/tcp sqli-lab
ubuntu ➜ ~ brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024251773690 no veth512022f
veth8185f1f
radish ➜ ~ echo /proc/$$/ns
/proc/3772/ns
radish ➜ ~ ls -al /proc/$$/ns
总用量 0
dr-x--x--x 2 root root 0 Mar 23 10:17 .
dr-xr-xr-x 9 root root 0 Mar 23 10:17 ..
lrwxrwxrwx 1 root root 0 Mar 23 10:17 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 ipc -> 'ipc:[4026531839]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 mnt -> 'mnt:[4026531840]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 net -> 'net:[4026531992]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 pid -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 pid_for_children -> 'pid:[4026531836]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Mar 23 10:17 uts -> 'uts:[4026531838]'
ubuntu ➜ ~ docker exec -it 123 bash
root@123b311427e1:/# ls -al /proc/$$/ns
total 0
dr-x--x--x 2 root root 0 Mar 23 02:17 .
dr-xr-xr-x 9 root root 0 Mar 23 02:17 ..
lrwxrwxrwx 1 root root 0 Mar 23 02:17 cgroup -> 'cgroup:[4026531835]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 ipc -> 'ipc:[4026532495]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 mnt -> 'mnt:[4026532493]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 net -> 'net:[4026532498]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 pid -> 'pid:[4026532496]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 pid_for_children -> 'pid:[4026532496]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 user -> 'user:[4026531837]'
lrwxrwxrwx 1 root root 0 Mar 23 02:17 uts -> 'uts:[4026532494]'
root@123b311427e1:/#
5. Port mapping
When a container is started with a port mapping, the docker0 bridge is connected to the host's NIC through iptables rules: the DOCKER chain in the nat table DNATs the published host port to the container's IP and port, as shown below.
ubuntu ➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
123b311427e1 ubuntu:18.04 "/bin/bash" 31 minutes ago Up 31 minutes none-net-test
7587f2733fc2 c0ny1/upload-labs:latest "apache2-foreground" 21 months ago Up About an hour 0.0.0.0:10002->80/tcp upload
85a0999f5b06 acgpiano/sqli-labs:latest "/run.sh" 21 months ago Up About an hour 3306/tcp, 0.0.0.0:10001->80/tcp sqli-lab
ubuntu ➜ ~ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:http
MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:http
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:10002 to:172.17.0.2:80
DNAT tcp -- anywhere anywhere tcp dpt:10001 to:172.17.0.3:80
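As an added example (not part of the original post, and not a Docker tool), the script below parses the `iptables -t nat -L` and `docker ps` output shown above, copied from the post, extracts the DNAT rules in the DOCKER chain, and reconciles them against the ports `docker ps` reports as published. The function names are my own.

```python
"""Reconcile Docker's DNAT rules with the ports `docker ps` reports as published.

Added example, not part of the original post. Both sample outputs below are
copied from the post; the function names are my own.
"""
import re
import socket

IPTABLES_NAT = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.17.0.2 172.17.0.2 tcp dpt:http
MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:http
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere anywhere tcp dpt:10002 to:172.17.0.2:80
DNAT tcp -- anywhere anywhere tcp dpt:10001 to:172.17.0.3:80
"""

DOCKER_PS = """\
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
123b311427e1 ubuntu:18.04 "/bin/bash" 31 minutes ago Up 31 minutes none-net-test
7587f2733fc2 c0ny1/upload-labs:latest "apache2-foreground" 21 months ago Up About an hour 0.0.0.0:10002->80/tcp upload
85a0999f5b06 acgpiano/sqli-labs:latest "/run.sh" 21 months ago Up About an hour 3306/tcp, 0.0.0.0:10001->80/tcp sqli-lab
"""

_CHAIN = re.compile(r"^Chain (\S+) ")
# DNAT tcp -- anywhere anywhere tcp dpt:10002 to:172.17.0.2:80
_DNAT = re.compile(r"^DNAT\s+(\w+)\s+--\s+(\S+)\s+(\S+)\s+.*\bdpt:(\S+)\s+to:([\d.]+):(\d+)")
# 0.0.0.0:10002->80/tcp ; a bare "3306/tcp" has no host port and is not published
_PUBLISHED = re.compile(r"(\S+?):(\d+)->(\d+)/(\w+)")


def port_number(token):
    """`iptables -L` without -n prints service names (dpt:http); normalise to an int."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        return None


def dnat_mappings(iptables_text):
    """Return {(proto, host_port): (container_ip, container_port)} from the DOCKER chain."""
    chain, mappings = None, {}
    for line in iptables_text.splitlines():
        m = _CHAIN.match(line)
        if m:
            chain = m.group(1)
            continue
        m = _DNAT.match(line)
        if m and chain == "DOCKER":
            proto, _src, _dst, dport, to_ip, to_port = m.groups()
            mappings[(proto, port_number(dport))] = (to_ip, int(to_port))
    return mappings


def published_ports(docker_ps_text):
    """Return {(proto, host_port): (container_name, container_port)} from `docker ps`."""
    published = {}
    for line in docker_ps_text.splitlines()[1:]:  # skip the header row
        name = line.split()[-1]
        for _bind, host_port, cport, proto in _PUBLISHED.findall(line):
            published[(proto, int(host_port))] = (name, int(cport))
    return published


def reconcile(iptables_text, docker_ps_text):
    """Mappings present on one side only: drift between the nat table and running containers."""
    dnat = dnat_mappings(iptables_text)
    ps = published_ports(docker_ps_text)
    return {
        "dnat_without_container": sorted(set(dnat) - set(ps)),
        "container_without_dnat": sorted(set(ps) - set(dnat)),
    }


if __name__ == "__main__":
    for key, (ip, port) in dnat_mappings(IPTABLES_NAT).items():
        print(f"{key[0]}/{key[1]} -> {ip}:{port}")
    print(reconcile(IPTABLES_NAT, DOCKER_PS))
```

A DNAT rule that belongs to no running container, or a published port with no DNAT rule, is drift worth investigating. Two caveats when reading this table: `iptables -L` without `-n` resolves service names (hence `dpt:http` and `!localhost/8`), so the parser normalises names through /etc/services; and because published ports are DNATed in PREROUTING and then traverse the FORWARD chain rather than INPUT, host firewall rules written only for INPUT do not restrict them.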
References
https://www.jianshu.com/p/22a7032bb7bd