Shulou(Shulou.com)06/01 Report--

Introduction of Network function in Docker

By default, the container can establish a connection to the external network, but the external network cannot connect to the container.

Docker allows network services to be provided through external access to containers or interconnection of containers.

External access container:

Some network applications can be run in the container, and to make them accessible externally, you can specify the port mapping with the-P or-p parameter.

Experimental environment:

Centos7 runs a container that provides web services and ssh services

Host enables routing forwarding (net.ipv4.ip_forward=1)

The steps of the experiment:

The mirror image has been created before.

Execute docker p_w_picpaths to view the newly generated image

When using the-P (uppercase) flag, Docker randomly maps a random port to a network port open in the internal container.

Note:-P needs to be specified when using-- expose option or the port to be exposed by the expose instruction container in dockerfile, specify the port that needs to provide services to the outside world.

Using docker ps, you can see that 32770 of the local host is mapped to port 22 of the container, 32769 of the local host is mapped to port 80 of the container, and 32768 of the local host is mapped to port 443 of the container.

At this point, you can access the ssh application in the container by accessing port 32770 of this machine.

View the httpd process that the container is running

Note: 192.168.190.128 is the host directory

At this point, you can access the web application in the container by accessing port 32769 of this machine.

-p (lowercase) can specify the port to be mapped, and only one container can be bound on a specified port

Note:

The container has its own internal network and ip address (all variables can be obtained using docker inspect. )

The-p flag can be used multiple times to bind multiple ports

Map all interface addresses:

Using hostPort:containerPort format, the local port 10111 is mapped to the container's port 22, and the local port 801 to the container's port 80 can be executed.

Test access:

1) ssh test:

Use the xshell tool:

Test web access

Map to the specified port of the specified address

You can use the ip:hostPort:containerPort format to specify that the mapping uses a specific address

Map to any port at the specified address

Use ip::containerPort to bind any port of 192.168.190.128 to port 80 of the container, and the local owner automatically assigns a port. -- name specifies a container name for the launched container

Use docker port to view the port configuration of the current mapping, and you can also see the bound address

Docker NAT iptables implementation

By default, the container can actively access the connection to the external network, but the external network cannot access the container

Container access external implementation

For all connections to the external network, the source address of the container will be the IP address (that is, the docker0 address) of the NAT system. This is achieved by using iptables's source address masquerade operation

View the NAT rules of the host

External access container implementation

The container allows external access, which can be enabled with the-p or-P parameter during docker run. If it doesn't work that way, it actually adds the corresponding rules to the nat table of the local iptable.

When using-P

Iptables-t nat-nvL

At 80:80 using-p

Iptables-t nat-nvL

Docker0 bridge

By default, the Docker service creates a docker0 bridge (with an docker0 internal interface on it), which connects other physical or virtual network cards in the kernel layer, which places all containers and local hosts on the same physical network.

Docker specifies the IP address and subnet mask of the docker0 interface by default, so that hosts and containers can communicate with each other through the bridge.

Since the Docker bridge is currently a Linux bridge, users can use brctl show to view bridge and port connection information

Note: the brctl command can be installed using yum install bridge-utils in centos

Each time a new container is created, Docker selects a free IP address from the available address field to assign to the container's eth0 port. Use the IP of the docker0 interface on the local host as the default gateway for all containers

Docker network configuration

Four Network modes of Docker

When docker run creates a Docker container, you can use the-- net option to specify the network mode of the container. Docker has the following four network modes:

Host mode, specified using-- net=host.

Container mode, specified using-- net=container:NAMEorID.

None mode, specified using-- net=none.

Bridge mode, specified using-- net=bridge, default setting

Host mode

If you start the container in host mode, the container will not get a separate NetworkNamespace, but will share a NetworkNamespace with the host. The container will not virtualize its own network card or configure its own IP, but will use the IP and port of the host.

For example, we started a Docker container containing web applications in host mode on the machine of 192.168.190.128 Compact 24, listening on tcp port 80. When we execute any similar ifconfig command in the container to view the network environment, all we see is the information on the host. On the other hand, to access the application in the container, you can directly use 192.168.190.128 NAT 80 without any conversion, just like running directly in the host. However, other aspects of the container, such as file systems, process lists, and so on, are isolated from the host.

Before starting the container, execute pgrep http to view the host httpd process

The result shown above indicates that there is no httpd process running on the host.

Start a Docker container with web applications in host mode

Access port 80 of the host address with a browser

Pay attention to the firewall

Container mode

This mode specifies that the newly created container and an existing container share a Network Namespace rather than with the host. Instead of creating its own Nic and configuring its own IP, the newly created container shares IP, port range, and so on with a specified container. Similarly, apart from the network, the two containers are isolated, such as file systems, process lists, and so on. The processes of the two containers can communicate through the lo network card device.

Run a container: view the IP of the container

Switch the container to the background: ctrl+p ctrl+q

Use container mode when running a container: view the address of the new container

Add this network device to the docker0 bridge and view it with the brctl show command; assign an IP from the docker0 subnet to the container and set the IP address of docker0 as the default gateway of the container.

The internal access to the public network of the container and the port mapping between the container and the host are all realized through Iptables. You can view the Iptables table analysis.

View the current docker0 address

While the container is running, each container is assigned a specific virtual machine port and bridged to the docker0. Each container is configured with a private ip address for the same network segment as docker0 ip, and the IP address of docker0 is used for the default gateway of all containers.

Run a container

And check

View through the brctl show command

Execute docker network inspect bridge to view the details of the bridged network

Custom Brid

In addition to the default docker0 bridge, you can also specify a bridge to connect individual containers. When starting the Docker service, use-b BRIDGE or-- bridge=BRIDGE to specify the bridge to use.

Docker allows you to manage docker0 bridging or customize the bridging network card through the-b option. You need to install the bridge-utils package.

The basic steps are as follows:

1. Make sure the docker process is stopped

two。 Create a custom bridge

3. Assign a specific ip to the bridge

4. Specify the bridge in the form-b

Specific operation steps:

If the service is already running, stop the service first and delete the old bridge

Then create a bridge bridge0 and assign a specific ip to the bridge

Check to confirm that the bridge is created and started

(two methods)

Modify / etc/sysconfig/docker file

Add-b=bridge0

Start the Docker service

Create a new container and you can see that it has been bridged to the bridge0

Enter the container and check the container's IP

The docker service starts successfully and binds the container to a new bridge, create a new container, you will see that its ip is the new ip segment of our settings, and docker will automatically detect it. Using brctl show, you can see the configuration changes of the bridge after the container starts or stops. Use ip an and ip r in the container to view ip address configuration and routing information.

The following is to configure a container started with-- net=none so that he has the same access to the network as usual. To describe how docker is connected to the container.

Start a container running / bin/bash and specify-- net=none

Open a new terminal, find the container's process id, and then create its namespace, which will be used in the following ip netns

Check the ip and subnet mask of the bridged network card

Create a pair of "peer" interfaces An and B, bind A to the bridge, and enable it

Put B into the network namespace of the container, name it eth0, and configure a free ip

You can use the network.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.