2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
I. The concept of MacVlan
There are many ways to implement Docker cross-host network communication. For example, as described in the previous blog post, Docker containers can communicate across hosts by deploying a consul service; this post writes up Macvlan.
How Macvlan works:
Macvlan is a network interface type supported by the Linux kernel; the required kernel versions are v3.9-3.19 and 4.0. By creating MacVlan sub-interfaces on a physical NIC, one physical NIC is allowed to have multiple independent MAC and IP addresses. The virtual sub-interfaces are exposed directly to the adjacent physical network; from the outside it looks as if the network cable had been split into several strands, each plugged into a different host. After the physical NIC receives a packet, it decides which virtual NIC the packet should be handed to according to the packet's destination MAC address.
Macvlan can be used when containers need to be connected directly to the physical network. Macvlan itself does not create a network; in essence it makes the host's physical NIC work in "promiscuous mode", so that the MAC address of the physical NIC becomes invalid and the NIC can receive all traffic on the layer 2 network. The next step is to create virtual NICs on top of this physical NIC and assign each virtual NIC its own MAC address, so that one card serves multiple purposes. From the point of view of the physical network, each virtual NIC is a separate interface.
There are a few things to note when using Macvlan:
The container is connected directly to the physical network, and the physical network is responsible for allocating IP addresses. One possible result is that the physical network's IP addresses are exhausted. Another consequence is a network performance problem, caused by more hosts being connected to the physical network and a rapid increase in the proportion of broadcast packets. A NIC on the host needs to work in promiscuous mode. As mentioned earlier, the MAC address of a physical NIC working in promiscuous mode becomes invalid, so a container running in this mode cannot communicate with the public network, although this does not affect communication between the host and the public network. In the long run, bridge networks and overlay networks are better choices, because the virtual network should be isolated from the physical network rather than share it.
The working schematic diagram is as follows:
II. Configuration example 1 (macvlan-based communication across hosts between containers in a single IP network segment):
Expected result:
Two CentOS 7.5 hosts are running the docker service; both docker servers create the same MacVlan network so that containers on the two docker servers can communicate across hosts.
Start the configuration:
(1) the first docker server is configured as follows:
[root@docker ~]# ip link set ens33 promisc on    # enable promiscuous mode on the ens33 NIC, i.e. allow multiple virtual interfaces on it
[root@docker ~]# ip link show ens33              # check the NIC; make sure the output contains the PROMISC flag (shown in red in the original)
2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:2f:89:cb brd ff:ff:ff:ff:ff:ff
[root@docker ~]# docker network create -d macvlan --subnet 172.22.16.0/24 --gateway 172.22.16.1 -o parent=ens33 mac_net1
# create the macvlan network: specify the subnet, gateway and so on; "-o parent=" specifies which NIC it binds to
[root@docker ~]# docker run -tid --name box1 --ip 172.22.16.10 --network mac_net1 busybox
# run a container on the newly created macvlan network and specify its IP
Confirm the IP address of the running container:
(2) The configuration of the second docker server is as follows (similar to that of the first docker server):
[root@docker02 ~]# ip link set ens33 promisc on   # enable promiscuous mode on the ens33 NIC
[root@docker02 ~]# ip link show ens33             # make sure the output contains the PROMISC flag (shown in red in the original)
2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:c6:57:bc brd ff:ff:ff:ff:ff:ff
[root@docker02 ~]# docker network create -d macvlan --subnet 172.22.16.0/24 --gateway=172.22.16.1 -o parent=ens33 mac_net1
# create a macvlan network with the same subnet and gateway as on the first docker server, and bind it to the physical NIC.
# To make it obvious that this macvlan and the one on the other docker server are in the same segment,
# it is recommended to use the same network name.
[root@docker02 ~]# docker run -tid --name box2 --ip 172.22.16.11 --network mac_net1 busybox
# run a container on the macvlan network. Note: its IP must not conflict with the container IP on the other docker server
Confirm the IP address of the running container:
Use the container box2 on the second docker server to ping the container box1 on the first docker server:
OK, container communication across hosts has been achieved through macvlan. Because promiscuous mode invalidates the MAC address of the physical NIC, containers cannot communicate with the external network in this mode.
III. Example 2 (macvlan-based solution for multiple network segments across hosts)
The expected results are as follows:
Two CentOS 7.5 hosts are running the docker service; each host creates two MacVlan network segments for containers (172.10.16.0 and 172.20.16.0); the first docker server runs containers bbox1 and bbox2, and the second docker server runs containers bbox3 and bbox4. In the end, containers in the same network segment can communicate with each other across hosts.
Start the configuration:
(1) the first docker server is configured as follows:
[root@docker ~]# ip link set ens33 promisc on    # enable promiscuous mode on the ens33 NIC, i.e. allow multiple virtual interfaces on it
[root@docker ~]# ip link show ens33              # check the NIC; make sure the output contains the PROMISC flag (shown in red in the original)
2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:2f:89:cb brd ff:ff:ff:ff:ff:ff
[root@docker ~]# modinfo 8021q                   # check whether the 8021q module is loaded; if information is returned, the module is loaded
The modinfo 8021q command returns the following information:
[root@docker ~]# modprobe 8021q                  # if the 8021q module is not loaded, execute this command
[root@docker ~]# cd /etc/sysconfig/network-scripts/
[root@docker network-scripts]# vim ifcfg-ens33   # edit the physical NIC configuration
# ... part of the content omitted
BOOTPROTO=manual       # set this configuration item to "manual"
# ... part of the content omitted
# save and exit after the change is complete
[root@docker network-scripts]# cp -p ifcfg-ens33 ifcfg-ens33.10   # copy the NIC configuration file; "-p" keeps the original file attributes
[root@docker network-scripts]# vim ifcfg-ens33.10                 # edit the copied configuration file as follows
BOOTPROTO=none
NAME=ens33.10          # note: change the name
DEVICE=ens33.10        # note: change the name
ONBOOT=yes
IPADDR=192.168.10.10   # assign an IP to the virtual NIC
PREFIX=24
GATEWAY=192.168.10.2
VLAN=yes
# save and exit. Note that the IP above and the IPs the containers will use are not in the same network segment
[root@docker network-scripts]# cp ifcfg-ens33.10 ifcfg-ens33.20
[root@docker network-scripts]# vim ifcfg-ens33.20                 # edit as follows
BOOTPROTO=none
NAME=ens33.20          # note: change the name
DEVICE=ens33.20        # note: change the name
ONBOOT=yes
IPADDR=192.168.30.10   # note: this IP and the one on ens33.10 are not in the same network segment
PREFIX=24
GATEWAY=192.168.30.2
VLAN=yes
# save and exit after the change is complete
[root@docker network-scripts]# ifdown ens33; ifup ens33   # restart the NIC so that the changes take effect
[root@docker network-scripts]# ifup ens33.10              # bring up ens33.10
[root@docker network-scripts]# ifup ens33.20              # bring up ens33.20
[root@docker ~]# docker network create -d macvlan --subnet 172.10.16.0/24 --gateway 172.10.16.1 -o parent=ens33.10 mac_net10
# create a macvlan network: define its subnet and gateway, and bind it to ens33.10
[root@docker ~]# docker network create -d macvlan --subnet 172.20.16.0/24 --gateway 172.20.16.1 -o parent=ens33.20 mac_net20
# create a macvlan network: define its subnet and gateway, and bind it to ens33.20
# then run containers on the macvlan networks just created
[root@docker ~]# docker run -itd --name bbox1 --network mac_net10 --ip 172.10.16.10 busybox   # run a container on network mac_net10 and specify its IP
[root@docker ~]# docker run -itd --name bbox2 --network mac_net20 --ip 172.20.16.20 busybox   # run a container on network mac_net20 and specify its IP
(2) The configuration of the second docker server is as follows (basically the same as on the first server, except that the IPs must not conflict):
[root@docker02 ~]# ip link set ens33 promisc on   # enable promiscuous mode on the ens33 NIC, i.e. allow multiple virtual interfaces on it
[root@docker02 ~]# ip link show ens33             # check the NIC; make sure the output contains the PROMISC flag (shown in red in the original)
2: ens33: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:2f:89:cb brd ff:ff:ff:ff:ff:ff
[root@docker02 ~]# modinfo 8021q                  # check whether the 8021q module is loaded; if information is returned, the module is loaded
The modinfo 8021q command returns the following information:
[root@docker02 ~]# modprobe 8021q                 # if the 8021q module is not loaded, execute this command
[root@docker02 ~]# cd /etc/sysconfig/network-scripts/
[root@docker02 network-scripts]# vim ifcfg-ens33  # edit the physical NIC configuration
# ... part of the content omitted
BOOTPROTO=manual       # set this configuration item to "manual"
# ... part of the content omitted
# save and exit after the change is complete
[root@docker02 network-scripts]# scp root@192.168.20.7:/etc/sysconfig/network-scripts/ifcfg-ens33.* .
# copy the virtual NIC configuration files from the first docker server
root@192.168.20.7's password:          # enter the password of the first docker server's user
ifcfg-ens33.10                100%  117     0.1KB/s   00:00
ifcfg-ens33.20                100%  117     0.1KB/s   00:00
[root@docker02 network-scripts]# vim ifcfg-ens33.10   # only its IP needs to be changed
BOOTPROTO=none
NAME=ens33.10
DEVICE=ens33.10
ONBOOT=yes
IPADDR=192.168.10.11   # change the IP so that it does not conflict with the virtual interface IP on the first docker server
PREFIX=24
GATEWAY=192.168.10.2
VLAN=yes
[root@docker02 network-scripts]# vim ifcfg-ens33.20   # ditto
BOOTPROTO=none
NAME=ens33.20
DEVICE=ens33.20
ONBOOT=yes
IPADDR=192.168.30.11   # change its IP address
PREFIX=24
GATEWAY=192.168.30.2
VLAN=yes
[root@docker02 network-scripts]# ifdown ens33; ifup ens33   # restart the NIC so that the changes take effect
[root@docker02 network-scripts]# ifup ens33.10              # bring up ens33.10
[root@docker02 network-scripts]# ifup ens33.20              # bring up ens33.20
# then create the macvlan networks, the same as those created on the first docker server
[root@docker02 ~]# docker network create -d macvlan --subnet 172.10.16.0/24 --gateway 172.10.16.1 -o parent=ens33.10 mac_net10
[root@docker02 ~]# docker network create -d macvlan --subnet 172.20.16.0/24 --gateway 172.20.16.1 -o parent=ens33.20 mac_net20
# then run two containers on the networks just created
[root@docker02 ~]# docker run -tid --name bbox3 --network mac_net10 --ip 172.10.16.11 busybox   # run container bbox3 on mac_net10
[root@docker02 ~]# docker run -itd --name bbox4 --network mac_net20 --ip 172.20.16.21 busybox   # run container bbox4 on mac_net20
At this point the configuration is done and ping tests can be carried out. If the configuration is correct, bbox3 should be able to reach bbox1 (because both are on the mac_net10 network), and bbox4 should be able to reach bbox2 (for the same reason).
However, bbox3 and bbox1 cannot communicate with bbox4 and bbox2 (because they are not on the same virtual LAN).
Container bbox3 pinging container bbox1 (note: if you test with VMware virtual machines, you need to change the VM's network adapter to "bridged mode" instead of NAT mode because of how VMware works; otherwise they cannot communicate):
Container bbox4 ping Container bbox2 Test:
At this point, multiple network segments across hosts have been implemented; as before, the containers cannot communicate with the external network.
Docker networking is a complicated topic. If you have the patience, it is recommended to read the official docker documentation.
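Both examples above rely on the operator keeping the hand-assigned `--ip` values unique across hosts and keeping the host's own VLAN sub-interface address out of the container subnet, and the page warns that getting this wrong causes conflicts. The following audit script is an added example, not part of the original post: it parses `docker network inspect` output collected from each host (the sample JSON below is constructed to mirror that format, with bbox3 deliberately given bbox1's address) together with the host VLAN addresses from the ifcfg files, and reports duplicate container IPs on a shared macvlan network, container IPs outside the network's subnet, and host addresses that overlap the container subnet.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample: the relevant fields of `docker network inspect mac_net10`
# as run on each of the two hosts from the post (not real captured output).
HOST_INSPECT = {
    "docker": json.dumps([{
        "Name": "mac_net10", "Driver": "macvlan",
        "IPAM": {"Config": [{"Subnet": "172.10.16.0/24", "Gateway": "172.10.16.1"}]},
        "Options": {"parent": "ens33.10"},
        "Containers": {"c1": {"Name": "bbox1", "IPv4Address": "172.10.16.10/24"}},
    }]),
    "docker02": json.dumps([{
        "Name": "mac_net10", "Driver": "macvlan",
        "IPAM": {"Config": [{"Subnet": "172.10.16.0/24", "Gateway": "172.10.16.1"}]},
        "Options": {"parent": "ens33.10"},
        "Containers": {"c3": {"Name": "bbox3", "IPv4Address": "172.10.16.10/24"},   # collides with bbox1
                       "c9": {"Name": "stray", "IPv4Address": "172.20.16.5/24"}},  # outside the subnet
    }]),
}
# Host-side addresses of the VLAN sub-interfaces (the IPADDR values from the ifcfg files);
# assumed to be collected by hand, as the post does not script this.
HOST_VLAN_IPS = {"docker": {"ens33.10": "192.168.10.10/24"},
                 "docker02": {"ens33.10": "192.168.10.11/24"}}

def audit_macvlan(inspect_by_host, vlan_ips_by_host):
    """Return a list of findings for macvlan networks shared across hosts."""
    findings = []
    seen = defaultdict(list)  # (network name, container IP) -> [(host, container)]
    for host, raw in inspect_by_host.items():
        for net in json.loads(raw):
            if net["Driver"] != "macvlan":
                continue
            subnet = ipaddress.ip_network(net["IPAM"]["Config"][0]["Subnet"])
            parent = net["Options"].get("parent", "")
            # The host's own address on the parent VLAN interface must stay out of the container subnet
            host_ip = vlan_ips_by_host.get(host, {}).get(parent)
            if host_ip and ipaddress.ip_interface(host_ip).ip in subnet:
                findings.append(f"{host}: {parent} address {host_ip} overlaps container subnet {subnet}")
            for c in net["Containers"].values():
                ip = ipaddress.ip_interface(c["IPv4Address"]).ip
                if ip not in subnet:
                    findings.append(f"{host}: {c['Name']} has {ip} outside {subnet} on {net['Name']}")
                seen[(net["Name"], ip)].append((host, c["Name"]))
    # Static --ip values are chosen by hand on every host, so the same address can be reused by accident
    for (name, ip), owners in seen.items():
        if len(owners) > 1:
            findings.append(f"duplicate IP {ip} on {name}: " + ", ".join(f"{h}/{c}" for h, c in owners))
    return findings
```

Run it with `docker network inspect <name>` output gathered from each host to catch the conflicts before the ping tests do.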