How to bind a Docker container to a specified host network card

2025-01-22 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to bind a Docker container to a specified host network card. It has some reference value; interested readers can follow along, and I hope you learn something from it.

If your host has multiple network cards, you may need to bind a Docker container to a specified network card so that all network requests from the container reach the outside world through that card.

Unfortunately, Docker does not provide a direct way to implement this requirement. However, it can be easily done through iptables.

One size fits all

Suppose you have two network cards on your host: the IP address of one network card is 192.168.0.100, and the IP address of the other is 10.0.0.100. You want all the services in the Docker container on this host to enter and leave the external network through the second network card.

The answer first, then the explanation:

iptables -t nat -I POSTROUTING -p all -s 172.17.0.0/16 -j SNAT --to-source 10.0.0.100

The iptables command above creates a source network address translation (SNAT) rule that rewrites the source IP address of every packet coming from the 172.17.0.0/16 segment that is about to leave the host to 10.0.0.100. Two details matter here. First, -I inserts the rule at the head of the POSTROUTING chain, ahead of the MASQUERADE rule Docker itself adds for 172.17.0.0/16; SNAT is a terminating target, so Docker's rule no longer sees those packets. Second, POSTROUTING runs after the routing decision, so SNAT changes the source address but not the interface the packet leaves through: that is still chosen by the host's route to the destination, normally the default route. If the default route points out of the 192.168.0.100 card, the packets will leave that card carrying 10.0.0.100 as their source and the replies may never come back, so make sure the route for that traffic really goes through the 10.0.0.100 card (or add -o <interface> to the rule so it only matches packets already leaving through it).

10.0.0.100 is, as we know, the IP address of the host's second network card. But where does 172.17.0.0/16 come from?

In short, when Docker runs on a host it creates a bridge called docker0 with the IP address 172.17.0.1 on the segment 172.17.0.0/16. By default Docker assigns every container an address from this segment.

For more detailed instructions, you can refer to this article, "default Network configuration of Docker under single Host".

Every Docker container therefore has an address in 172.17.0.0/16. The rule created by the iptables command above rewrites the source IP address of all packets from Docker containers that are about to leave the host to the address of the second network card, 10.0.0.100.

That takes care of the "out" half of the requirement.

The "in" half of the requirement is just as simple: bind the published port to the host IP with the -p parameter of docker run, for example:

docker run -p 10.0.0.100:80:80 ...

Divide and rule

Requirements change quickly. Perhaps there is a third network card with IP address 10.0.0.101, and for whatever reason we want some containers to go out through the second card while others go out through the new third card.

Docker does not let you assign an IP address to a container on the default bridge (if you try, it prints the error below), so we cannot know in advance which address a container will end up with, and therefore cannot write an iptables rule for its egress network card ahead of time.

Docker: Error response from daemon: user specified IP address is supported on user defined networks only.

The error message itself points to the solution: a user-defined network.

Create a custom network with the following command:

docker network create --subnet=172.18.0.0/16 --opt "com.docker.network.bridge.name"="docker1" docker1

Here 172.18.0.0/16 is the segment of the new bridge. The default Docker bridge already occupies 172.17.0.0/16, so the new bridge has to use a segment that is not yet in use.

The first docker1 is the bridge name shown by ifconfig -a. If you do not set it with --opt, the bridge appears under a name like br-110eb56a0b22, which is not very readable.

The second docker1 is the network name shown by docker network list.

With a custom network, we can specify a fixed IP address for the container.

docker run --network=docker1 --ip=172.18.0.100 ...
docker run --network=docker1 --ip=172.18.0.101 ...

Knowing the fixed IP address of the container, we can do the same and bind the container to the specified host network card:

iptables -t nat -I POSTROUTING -p all -s 172.18.0.100 -j SNAT --to-source 10.0.0.100
iptables -t nat -I POSTROUTING -p all -s 172.18.0.101 -j SNAT --to-source 10.0.0.101

Note that the -s option here takes a single IP address, not a network segment (iptables lists it as 172.18.0.100/32 in its output). The same caveat as before applies: the SNAT rule picks the address, but the host's routing table must actually send the traffic out of the matching network card.
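The following script is an added example and is not code from the original article. It pulls the whole procedure together for both cases above (one rule for a whole bridge segment, or one rule per container on a user-defined network): it prints the docker and iptables commands in an idempotent form (iptables -C to test for the rule before iptables -I adds it, so re-running does not pile up duplicates), and it audits the output of iptables -t nat -S POSTROUTING to confirm that each SNAT rule exists and sits above Docker's own MASQUERADE rule for the bridge. The bridge name docker1, the subnet 172.18.0.0/16, the host addresses 10.0.0.100 and 10.0.0.101, the container names web-a and web-b, the nginx:alpine image and both rule listings are assumed or constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article. It prints (or, with APPLY=1,
# runs) the docker and iptables commands for per-container NIC binding in an
# idempotent form, and audits the output of `iptables -t nat -S POSTROUTING` to
# confirm each SNAT rule exists and sits above Docker's own MASQUERADE rule.
# Assumed values: bridge docker1 on 172.18.0.0/16, host NICs 10.0.0.100 and
# 10.0.0.101, container names web-a/web-b and the nginx:alpine image.

# snat_cmd SRC HOST_IP: one-liner that inserts the SNAT rule at the head of
# POSTROUTING only when an identical rule is not already there (-C exits 0 if it is).
# SRC may be a single address (one container) or a CIDR (a whole bridge).
snat_cmd() {
    rule="POSTROUTING -s $1 -j SNAT --to-source $2"
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' "$rule" "$rule"
}

# run_cmd NAME NET IP IMAGE: docker run with a fixed address on a user-defined network.
run_cmd() {
    printf 'docker run -d --name %s --network=%s --ip=%s %s\n' "$1" "$2" "$3" "$4"
}

# plan NET SUBNET reads "name:container_ip:host_ip" lines on stdin and prints the
# whole procedure: create the bridge, start each container, bind its traffic.
plan() {
    printf 'docker network create --subnet=%s --opt com.docker.network.bridge.name=%s %s\n' \
        "$2" "$1" "$1"
    while IFS=: read -r name cip hip; do
        [ -n "$name" ] || continue
        run_cmd "$name" "$1" "$cip" nginx:alpine
        snat_cmd "$cip" "$hip"
    done
}

# check_binding CONTAINER_IP HOST_IP reads `iptables -t nat -S POSTROUTING` output on
# stdin. Exit 0 if the SNAT rule for CONTAINER_IP -> HOST_IP is present and comes
# before every MASQUERADE rule; both are terminating targets, so if a MASQUERADE rule
# matching the container's subnet is hit first the SNAT rule is dead.
check_binding() {
    awk -v cip="$1" -v hip="$2" '
        /-j MASQUERADE/ && !masq { masq = NR }
        index($0, "-s " cip "/32 ") && /-j SNAT --to-source/ && $NF == hip { snat = NR }
        END {
            if (!snat) { print "MISSING: no SNAT rule for " cip " -> " hip; exit 1 }
            if (masq && masq < snat) {
                print "SHADOWED: SNAT for " cip " is below a MASQUERADE rule (line " masq "); insert with -I, not -A"
                exit 1
            }
            print "ok: " cip " -> " hip
        }'
}

# Constructed sample of `iptables -t nat -S POSTROUTING` after the rules were inserted
# with -I while Docker had already appended its MASQUERADE rules for both bridges.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.18.0.101/32 -j SNAT --to-source 10.0.0.101
-A POSTROUTING -s 172.18.0.100/32 -j SNAT --to-source 10.0.0.100
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker1 -j MASQUERADE'

# Constructed sample of the mistake the audit catches: the rule was appended (-A)
# below Docker's MASQUERADE rule, so MASQUERADE wins and the binding silently fails.
SAMPLE_WRONG='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.18.0.0/16 ! -o docker1 -j MASQUERADE
-A POSTROUTING -s 172.18.0.100/32 -j SNAT --to-source 10.0.0.100'

MAPPINGS='web-a:172.18.0.100:10.0.0.100
web-b:172.18.0.101:10.0.0.101'

# Dry run by default; APPLY=1 pipes the plan into sh (needs root, Docker and iptables).
main() {
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$MAPPINGS" | plan docker1 172.18.0.0/16 | sh -e
        iptables -t nat -S POSTROUTING | check_binding 172.18.0.100 10.0.0.100
    else
        printf '%s\n' "$MAPPINGS" | plan docker1 172.18.0.0/16
        printf '%s\n' "$SAMPLE_RULES" | check_binding 172.18.0.100 10.0.0.100
        printf '%s\n' "$SAMPLE_WRONG" | check_binding 172.18.0.100 10.0.0.100 || true
    fi
}

main "$@"
```

Run it without arguments to see the planned commands and the audit result on the constructed listings; run it as root with APPLY=1 on a host that has Docker and iptables to execute the plan and audit the live POSTROUTING chain. The audit is the check worth keeping: a rule added with -A instead of -I lands below Docker's MASQUERADE rule and does nothing, and nothing else warns you.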

Other related commands

View iptables rules

iptables -t nat -L -n --line-numbers

Delete an iptables rule

iptables -t nat -D POSTROUTING 11

Here the trailing 11 is the rule number (num) shown by the listing command above.

Delete Docker Custom Network

docker network rm docker1

Thank you for reading this article carefully. I hope "How to bind a Docker container to a specified host network card" has been helpful to you.


© 2024 shulou.com SLNews company. All rights reserved.
