Docker基础Part6——Docker网络

[TOC]

Docker0

veth-pair

https://www.cnblogs.com/bakari/p/10613710.html

  • 只要安装了docker,就会有docker0桥接模式,使用的是veth-pair技术。
  • veth-pair 就是一对的虚拟设备接口,他们都是成对出现的,一端连着协议,一端彼此相连。
  • OpenStac、Docker容器之间的连接、OVS的连接,都是使用evth-pair技术。

主机与容器的网络

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# 1.查看主机网络地址
[root@VM-1-14-centos ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo  # lo 本机回环地址
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 52:54:00:23:6f:89 brd ff:ff:ff:ff:ff:ff
    inet 172.17.1.14/20 brd 172.17.15.255 scope global eth0	 # eth0 阿里云内网地址
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe23:6f89/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:76:5e:c5:42 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global docker0  # docker0 docker地址
       valid_lft forever preferred_lft forever
    inet6 fe80::42:76ff:fe5e:c542/64 scope link 
       valid_lft forever preferred_lft forever
       
# 2.运行Tomcat
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat01 tomcat
......

# 3.查看容器内网络地址
[root@VM-1-14-centos ~]# docker exec -it tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
582: eth0@if583: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
       
# 4.在Linux主机可以ping通容器
[root@VM-1-14-centos ~]# ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2) 56(84) bytes of data.
64 bytes from 172.18.0.2: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from 172.18.0.2: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 172.18.0.2: icmp_seq=3 ttl=64 time=0.049 ms

# 5.每次启动一个容器就会多一对网卡,给docker容器分配一个ip
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat02 tomcat
bb207d673d6b6a3b0898494d23850d87d852263b8c612b9788533fd3978bcdff
[root@VM-1-14-centos ~]# docker exec -it tomcat02 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
584: eth0@if585: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:12:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@VM-1-14-centos ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
......
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
......
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
......
583: veth10795dd@if582: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether e6:83:7d:be:d2:57 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::e483:7dff:febe:d257/64 scope link 
       valid_lft forever preferred_lft forever
585: veth3c80d43@if584: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 92:75:28:4c:a7:02 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::9075:28ff:fe4c:a702/64 scope link 
       valid_lft forever preferred_lft forever

容器之间的网络互通

1
2
3
4
5
6
7
8
9
10
11
12
# 1.获取tomcat01的ip 172.17.0.2   
[root@VM-1-14-centos ~]# docker exec -it tomcat01 ip addr  
550: eth0@if551: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

# 2.	用tomcat02 ping通 tomcat01
[root@VM-1-14-centos ~]# docker exec -it tomcat02 ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2) 56(84) bytes of data.
64 bytes from 172.18.0.2: icmp_seq=1 ttl=64 time=0.074 ms
64 bytes from 172.18.0.2: icmp_seq=2 ttl=64 time=0.051 ms

docker内网结构

  • 所有的 docker 容器在不指定网络的情况下,都是由 docker0 使用Linux虚拟化技术、充当虚拟内网的路由/桥接,由 docker0 给容器分配一个可用ip,并由veth-pair连接,直到容器删除。
  • Docker中所有网络接口都是虚拟的,虚拟的转发效率高(内网传递文件)。
  • 路由上发送信息可以通过两种方法:1.对每一个设备都进行注册;2.进行广播,看谁进行了回应。

image-20210427082646681

容器互联

为了保证数据ip更换时,项目不需要重启,并且通过名字来访问容器。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# 1.在未使用 --link 时,不能使用名字ping通
[root@VM-1-14-centos ~]# docker exec -it tomcat02 ping tomcat01
ping: tomcat01: Name or service not known

# 2.使用--link连接tomcat02、tomcat03
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat03 --link tomcat02 tomcat
16d977fe6d16ffd3e7e813e2487a55c9d52319a2c94c967fe3eed85f26078fd8

# 3.可以单向ping通
[root@VM-1-14-centos ~]# docker exec -it tomcat03 ping tomcat02
PING tomcat02 (172.18.0.3) 56(84) bytes of data.
64 bytes from tomcat02 (172.18.0.3): icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from tomcat02 (172.18.0.3): icmp_seq=2 ttl=64 time=0.050 ms
64 bytes from tomcat02 (172.18.0.3): icmp_seq=3 ttl=64 time=0.053 ms

# 4.对于没有进行配置的容器,不能与其他容器直接ping通
[root@VM-1-14-centos ~]# docker exec -it tomcat02 ping tomcat03
ping: tomcat03: Name or service not known
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# 查看总体网络
[root@VM-1-14-centos ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
c49bd3c9074e   bridge    bridge    local
7137f78f9152   host      host      local
830f9dcb1238   none      null      local
[root@VM-1-14-centos ~]# docker network inspect c49bd3c9074e
[
    {
        "Name": "bridge",
        "Id": "c49bd3c9074eccb131f580ae87a0f639459d8fbfb6106ff16d95de982f955cb6",
        "Created": "2021-04-20T21:44:51.886039709+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",  # 局域网
                    "Gateway": "172.18.0.1"  # docker0地址
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {  # 三个tomcat地址
            "16d977fe6d16ffd3e7e813e2487a55c9d52319a2c94c967fe3eed85f26078fd8": {
                "Name": "tomcat03",
                "EndpointID": "5a5630f2d5c897c1d9c36c9fef6df14885c381bdd5bd3bb38c1936335b65ccef",
                "MacAddress": "02:42:ac:12:00:04",
                "IPv4Address": "172.18.0.4/16",
                "IPv6Address": ""
            },
            "35806ff980cd8d16855934bceaacc02a6b99d50efeb9c9ff078ae43027c1ffbc": {
                "Name": "tomcat01",
                "EndpointID": "fda00eb71c90561f15bdfd6c535411e7d38830c82315c747ac806b6369dcd623",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "bb207d673d6b6a3b0898494d23850d87d852263b8c612b9788533fd3978bcdff": {
                "Name": "tomcat02",
                "EndpointID": "33d04884bfec102e7b8d1ac0985a60636c2766c4e4aebcc68bc8d766ec13c037",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

# 查看容器网络
[root@VM-1-14-centos ~]# docker ps
CONTAINER ID   IMAGE     COMMAND             CREATED          STATUS          PORTS                                         NAMES
16d977fe6d16   tomcat    "catalina.sh run"   11 minutes ago   Up 11 minutes   0.0.0.0:49158->8080/tcp, :::49158->8080/tcp   tomcat03
bb207d673d6b   tomcat    "catalina.sh run"   16 hours ago     Up 16 hours     0.0.0.0:49156->8080/tcp, :::49156->8080/tcp   tomcat02
35806ff980cd   tomcat    "catalina.sh run"   17 hours ago     Up 17 hours     0.0.0.0:49155->8080/tcp, :::49155->8080/tcp   tomcat01
[root@VM-1-14-centos ~]# docker inspect 16d977fe6d16
......
        "HostConfig": {
            ......
            "Links": [  # 绑定的容器连接信息
                "/tomcat02:/tomcat03/tomcat02"
            ],
            ......
         }
......

[root@VM-1-14-centos ~]# docker exec -it tomcat03 cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.18.0.3	tomcat02 bb207d673d6b  # 添加了对tomcat02的解析映射
172.18.0.4	16d977fe6d16

现在Docker不建议使用–link,以及官方提供的docker0,因为不支持容器名连接访问,较为局限,而是使用自定义网络。

自定义网络

查看网络信息

1
2
3
4
5
6
7
8
9
10
docker network [ command ]

Commands:
  connect     Connect a container to a network
  create      Create a network
  disconnect  Disconnect a container from a network
  inspect     Display detailed information on one or more networks
  ls          List networks
  prune       Remove all unused networks
  rm          Remove one or more networks

网络信息解释

1
2
3
4
5
[root@VM-1-14-centos ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
c49bd3c9074e   bridge    bridge    local
7137f78f9152   host      host      local
830f9dcb1238   none      null      local
  • bridge :桥接 docker(默认,自定义也使用bridge)
  • none :不配置网络,一般不用
  • host :和主机共享网络
  • container :容器网络连通(局限大,用得少)

创建自定义网络

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# 1.默认--net bridge,bridge就是docker0。因此以下两者等效
docker run -d -P --name tomcat01 tomcat
docker run -d -P --name tomcat01 --net bridge tomcat

# 2.自定义一个网络
[root@VM-1-14-centos ~]# docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
1144482c2ac35e85b348c18a0038fe93c9fd871bcb83612beea9c1a272589596
[root@VM-1-14-centos ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
c49bd3c9074e   bridge    bridge    local
7137f78f9152   host      host      local
1144482c2ac3   mynet     bridge    local
830f9dcb1238   none      null      local
[root@VM-1-14-centos ~]# docker network inspect mynet
[
    {
        "Name": "mynet",
        "Id": "1144482c2ac35e85b348c18a0038fe93c9fd871bcb83612beea9c1a272589596",
        "Created": "2021-04-27T10:25:16.077076141+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.0.0/16",
                    "Gateway": "192.168.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

# 3.在自定义网络下启动Tomcat
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat-net-01 --net mynet tomcat
8efc7a929482e82d74f723d2af17f77560b53561752fc1aab50d0189e06d7237
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat-net-02 --net mynet tomcat
6ccb4239abcfda10aa1b463d2f44d4a9ca4bc312735b56d08cad55266545ce2a

# 4.测试可以使用容器名直接ping通
[root@VM-1-14-centos ~]# docker exec -it tomcat-net-01 ping tomcat-net-02
PING tomcat-net-02 (192.168.0.3) 56(84) bytes of data.
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=1 ttl=64 time=0.069 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=3 ttl=64 time=0.056 ms

好处:

  • 不同的集群使用不同的网络,保证集群是互相隔离并且安全的。

网络连通

connect

1
2
3
4
5
6
7
8
9
docker network connect --help

Options:
      --alias strings           Add network-scoped alias for the container
      --driver-opt strings      driver options for the network
      --ip string               IPv4 address (e.g., 172.30.100.104)
      --ip6 string              IPv6 address (e.g., 2001:db8::33)
      --link list               Add link to another container
      --link-local-ip strings   Add a link-local address for the container

容器与不同网段的连通

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# 1.测试两个不同的网络连通 :再启动两个 tomcat 并使用默认网络 docker0
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat01 tomcat
0ad36e6d140040e1c6324695f6fe7102f8857b28b6251a6a21f8e4f8eb88839d
[root@VM-1-14-centos ~]# docker run -d -P --name tomcat02 tomcat
aa8836b5fe93c9437490deb86796cc9d2d12d051df7ffc74b5b618b89c094a95

# 2.此时tomcat01与tomcat-net-01不能ping通
[root@VM-1-14-centos ~]# docker exec tomcat01 ping tomcat-net-01
ping: tomcat-net-01: Name or service not known

# 3.连通容器与不同网段
[root@VM-1-14-centos ~]# docker network connect mynet tomcat01
[root@VM-1-14-centos ~]# docker network inspect mynet 
......
        "Containers": {
            "0ad36e6d140040e1c6324695f6fe7102f8857b28b6251a6a21f8e4f8eb88839d": {
                "Name": "tomcat01",  # 连通子网与不在此子网的容器,就是把容器加入到此子网的配置中
                "EndpointID": "a2f785c266adf679b186367e95cdcc48cc6c976b02b693de43100a625a6ca251",
                "MacAddress": "02:42:c0:a8:00:04",
                "IPv4Address": "192.168.0.4/16",
                "IPv6Address": ""
            },
            "6ccb4239abcfda10aa1b463d2f44d4a9ca4bc312735b56d08cad55266545ce2a": {
                "Name": "tomcat-net-02",
                "EndpointID": "4e03b4f4fd3e11254ad5a5b3b1d1a6e4e8d5d9088eeb7be5e371875bb9885fa6",
                "MacAddress": "02:42:c0:a8:00:03",
                "IPv4Address": "192.168.0.3/16",
                "IPv6Address": ""
            },
            "8efc7a929482e82d74f723d2af17f77560b53561752fc1aab50d0189e06d7237": {
                "Name": "tomcat-net-01",
                "EndpointID": "07427902cf0a5d5c1f72971ccf0615b0155eae830da1811b5e74e55226256d59",
                "MacAddress": "02:42:c0:a8:00:02",
                "IPv4Address": "192.168.0.2/16",
                "IPv6Address": ""
            }
        },
......

# 4.测试连接成功
[root@VM-1-14-centos ~]# docker exec tomcat01 ping tomcat-net-01
PING tomcat-net-01 (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=3 ttl=64 time=0.054 ms
  • 子网跟子网不能连通,但是容器和所在以外的子网能够连通。
  • 一个容器具备多个ip,以访问不同网段。

实战

Redis集群部署

springboot以服务打包镜像