
Docker container networking: must-read learning notes for beginners

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--


1. About Docker

Docker is an open source application container engine written in Go and released under the Apache 2.0 license.

Docker allows developers to package an application together with its dependencies into a lightweight, portable container and publish it to any popular Linux machine. Containers are completely sandboxed and have no interfaces to each other (similar to apps on an iPhone). More importantly, the performance overhead of a container is extremely low.

Because, compared with traditional virtual machines, it has the clear advantages of fast startup, better performance and lower operation and maintenance costs, it is increasingly favored by development and operations folks.

2. Classification of Docker network modes

1. Bridge mode, --net=bridge (default)

2. Host mode, --net=host

3. Container mode, --net=container:<container name>

4. None mode, --net=none

5. User-defined mode

3. Detailed explanation of Docker network modes

3.1 Bridge mode

Bridge mode is the default Docker network mode: it is used when docker run starts a container without the --net parameter. After docker is installed, the system automatically adds a bridge named docker0 for docker. The container obtains an IP address in the same network segment as docker0 through DHCP, is attached to the docker0 bridge by default, and uses the IP address of docker0 as its gateway, which gives the container network connectivity with the host. In addition, containers in bridge mode on the same host can communicate with each other directly.

Experimental part

Environment: a CentOS 7 virtual machine in VMware.

First install Docker in the CentOS virtual machine:

yum -y install docker-io # install docker

Start the Docker service and check its status: systemctl start docker

After starting the docker service, you will find that the host has an extra docker0 network card.

(PS: this machine currently reaches the Internet directly through the address 192.168.32.129.)

We launch a CentOS container and enter bash. Since there is no local centos image, it is downloaded from Docker's official image repository by default.

[root@cesrc ~]# docker run -itd centos /bin/bash

View the launched container

[root@cesrc ~]# docker ps -a

Enter the container and view the IP configuration.

[root@cesrc ~]# docker attach b670

There is no ifconfig command by default; install net-tools with yum.

yum install net-tools

Check the container's IP and routing configuration. The container is assigned an address in the same segment as docker0 and its default route points at docker0.

This container can access the Internet directly.

iptables -t nat -vnL shows the rules generated by docker: docker0 effectively performs SNAT for the container's traffic.

Start another container.

docker run -itd --name centos2 centos /bin/bash

Containers on the same host can communicate with each other directly.

The network operation mode of this mode is shown in the following figure

3.2 Host mode

The container does not virtualize its own network card or configure its own IP; it uses the host's IP and ports directly, while its file system remains isolated from the host.

docker run -itd --net=host --name host-rq centos /bin/bash

Enter the container

The container's processes, shown below, are independent of the host's.

3.3 Container mode

In this mode the newly created container shares a network namespace with an existing container, while remaining independent of that container in everything other than the network.

Create the original container s-centos

[root@cesrc ~]# docker run -itd --name s-centos centos /bin/bash
be7425c3fac6845c9d8d150f9b8c710f9268611fa3a6d86d59444ea1e4bfe415

Create a new container d-centos and use the network of the old container

[root@cesrc ~]# docker run -itd --net=container:s-centos --name d-centos centos /bin/bash
d576e3009391111688004f57c1549572fd534d33d0e7ee7cc1e02a785f6c8c14

Go inside the container and check whether the IP configuration and file system are independent.

s-centos

d-centos

3.4 None mode

A container created in this mode gets no network configured, so only lo appears in the container's interface list. Users can build their own container network on this basis; if you want to use pipework to configure the IP address of a docker container manually, the container must be in none mode.

docker run -itd --net=none --name n-centos centos /bin/bash

A container created in none mode must be configured manually before it can reach the Internet.
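As an added example (not code from the original article), the following audit maps the HostConfig.NetworkMode field of `docker inspect` output onto the five modes described above and flags the two that share a network namespace, host mode and container mode. The sample inspect records are constructed and trimmed to the fields used; the container ids in them are made up.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields used here; names follow the article, ids are made up.
SAMPLE = json.dumps([
    {"Id": "b670aaaa", "Name": "/centos1", "HostConfig": {"NetworkMode": "default"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Id": "hhhh1111", "Name": "/host-rq", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Id": "be7425c3", "Name": "/s-centos", "HostConfig": {"NetworkMode": "default"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Id": "d576e300", "Name": "/d-centos",
     "HostConfig": {"NetworkMode": "container:be7425c3"},
     "NetworkSettings": {"Networks": {}}},
    {"Id": "nnnn2222", "Name": "/n-centos", "HostConfig": {"NetworkMode": "none"},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
])

def network_mode(c):
    """Map HostConfig.NetworkMode onto the five modes described in section 2."""
    mode = c["HostConfig"]["NetworkMode"]
    if mode in ("default", "bridge"):
        return "bridge"
    if mode in ("host", "none") or mode.startswith("container:"):
        return mode
    return "user-defined:" + mode          # a network made with docker network create

def audit(inspect_json):
    """Return {container name: (mode, note)}, flagging shared namespaces."""
    containers = json.loads(inspect_json)
    by_id = {c["Id"]: c["Name"].lstrip("/") for c in containers}
    report = {}
    for c in containers:
        name, mode = c["Name"].lstrip("/"), network_mode(c)
        if mode == "host":
            note = "shares the host's network namespace: no NAT, no network isolation"
        elif mode.startswith("container:"):
            peer = mode.split(":", 1)[1]
            note = "shares its network namespace with " + by_id.get(peer, peer)
        elif mode == "none":
            note = "only lo; unreachable until configured by hand"
        elif mode == "bridge":
            ip = c["NetworkSettings"]["Networks"]["bridge"]["IPAddress"]
            note = "own namespace behind docker0 (SNAT), ip " + ip
        else:
            note = "user-defined network"
        report[name] = (mode, note)
    return report
```

Feed it the real output of `docker inspect $(docker ps -q)` to see which containers on a host bypass the docker0 SNAT boundary.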

3.5 User-defined mode

Three network drivers can be selected in user-defined mode: bridge, overlay and macvlan. The bridge driver creates a bridge network similar to the one described earlier; the overlay and macvlan drivers create networks that span hosts. Here we use Flannel and etcd to implement cross-physical-machine docker communication with overlay technology.

The cross-host communication of the container implemented by Flannel is achieved by the following process:

1. Plan the docker0 subnet range for all hosts and write it to etcd.

2. The flanneld on each host allocates a subnet to that host's docker0 according to the configuration in etcd, ensures that the docker0 segments of all hosts do not overlap, and stores the result (the mapping between the host's docker0 subnet and the host IP) in etcd, so that etcd holds the subnet-to-host-IP mapping for every host.

3. When a container needs to communicate with a container on another host, etcd is consulted to find the outip (the IP of the destination host) that corresponds to the destination container's subnet; the original packet is encapsulated in a VXLAN or UDP packet whose outer IP header carries outip as the destination. Because the destination is a host IP, the route is reachable.

4. The VXLAN or UDP packet arrives at the destination host, is decapsulated to recover the original packet, and the original packet is finally delivered to the destination container.
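The subnet pool and the outip lookup from the steps above, written out as an added example (not part of the original article). It uses the /network/config values set in the etcd step below; SubnetLen is not set there, so Flannel's default of 24 is assumed, and the lease table and the Node2/Node3 host addresses are constructed.

```python
import ipaddress

# Network config as written to etcd under /network/config in the steps below.
# SubnetLen is not set in the article, so Flannel's default of 24 is assumed.
NETWORK_CONFIG = {"Network": "172.18.0.0/16", "SubnetMin": "172.18.1.0",
                  "SubnetMax": "172.18.254.0", "SubnetLen": 24}

# Constructed leases, simplified from what flanneld stores under /network/subnets:
# the host's docker0 subnet -> that host's own IP (the "outip" of the article).
LEASES = {"172.18.31.0/24": "192.168.32.130",   # Node2 (constructed address)
          "172.18.77.0/24": "192.168.32.131"}   # Node3 (constructed address)

def subnet_pool(cfg):
    """All /SubnetLen blocks of Network whose first address lies between
    SubnetMin and SubnetMax inclusive: the ranges flanneld may hand out."""
    net = ipaddress.ip_network(cfg["Network"])
    lo = ipaddress.ip_address(cfg["SubnetMin"])
    hi = ipaddress.ip_address(cfg["SubnetMax"])
    return [s for s in net.subnets(new_prefix=cfg["SubnetLen"])
            if lo <= s.network_address <= hi]

def check_leases(cfg, leases):
    """Reject a lease outside the pool or overlapping another one; this is the
    no-duplicate-docker0-segment property the article says etcd guarantees."""
    pool = set(subnet_pool(cfg))
    subnets = [ipaddress.ip_network(s) for s in leases]
    for i, s in enumerate(subnets):
        if s not in pool:
            raise ValueError(f"{s} is outside the configured pool")
        for t in subnets[i + 1:]:
            if s.overlaps(t):
                raise ValueError(f"{s} overlaps {t}")
    return True

def outip_for(dst_ip, leases):
    """The lookup a sending host performs: find the lease covering the destination
    container IP and return the host IP to put in the outer VXLAN/UDP header.
    Returns None when no lease matches (not a Flannel destination)."""
    dst = ipaddress.ip_address(dst_ip)
    for subnet, public_ip in leases.items():
        if dst in ipaddress.ip_network(subnet):
            return public_ip
    return None
```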

(the picture is taken from the Internet)

Experimental planning

The steps for installing etcd on the Node1 node are as follows

1. Install the etcd program

yum install -y etcd

2. Modify the etcd configuration file /etc/etcd/etcd.conf. In this experiment etcd runs on a single machine, so the cluster settings were left unchanged. The configuration is as follows:

#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/host129.etcd" # etcd data storage directory
#ETCD_WAL_DIR=""
#ETCD_LISTEN_PEER_URLS="http://192.168.32.129:2380" # URL for intra-cluster communication
ETCD_LISTEN_CLIENT_URLS="http://127.0.0.1:2379,http://192.168.32.129:2379" # URL for external clients
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="host129" # etcd instance name

3. Set the network segment to be assigned to the docker container later.

etcdctl mk /network/config '{"Network": "172.18.0.0/16", "SubnetMin": "172.18.1.0", "SubnetMax": "172.18.254.0"}'

4. Enable the etcd service at boot and start it

systemctl enable etcd
systemctl start etcd

The steps on the Node2 node are as follows

1. Install the Docker and Flannel services

yum install -y docker flannel

2. Modify the Flannel configuration file as follows

# Flanneld configuration options
# etcd url location. Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="http://192.168.32.129:2379" ## etcd address and port
# etcd config key. This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/network"
# Any additional options that you want to pass
FLANNEL_OPTIONS="--iface=ens33" ## network card Flannel uses for communication with etcd

3. Set startup parameters

cd /usr/libexec/flannel/ && ./mk-docker-opts.sh -i

4. Start Docker and Flannel services

systemctl enable docker flanneld
systemctl start docker flanneld

5. Enable forwarding on the host (be sure to do this; many online tutorials omit it, and the result is that containers cannot connect). Note that this changes the default policy of the whole FORWARD chain, so it also permits any other traffic the host forwards; on a host that does more than run Flannel, explicit rules for the docker and Flannel traffic are the tighter option.

iptables -P FORWARD ACCEPT

6. Create a container and enter the container to view the IP

docker run -itd centos /bin/bash
docker ps -a
docker attach 6c

The operations on Node2 are repeated on Node3; the IP obtained by Node3 is shown in the figure:

Test container

Containers on Node2 and Node3 can reach each other

Route entries to each node are generated on the host

The method above achieves cross-host docker communication, but there are two other ways:

Static routes on each host pointing at the container subnets of the other hosts

Bridging mode

Both are easy to understand; refer to the two pictures excerpted from the network.

Original link: https://www.cnblogs.com/yy-cxd/p/6553624.html

Static routing method:

Bridging method:

4. Summary of common Docker concepts and commands

4.1 Docker image

As we all know, an operating system is divided into kernel and user space. On Linux, after the kernel starts, the root file system is mounted to provide user space support. A Docker image (Image) is the equivalent of a root file system. For example, the official image ubuntu:16.04 contains a complete root file system for a minimal Ubuntu 16.04 system.

4.2 Docker Container

The relationship between Image and Container is like that between classes and instances in object-oriented programming. Images are static definitions; containers are the running instances of images. Containers can be created, started, stopped, deleted, paused, and so on.

4.3 Docker Registry

Once an image is built it can easily be run on the current host. To use the image on other servers, however, we need a centralized service to store and distribute images: a Docker Registry.

Registries can be public or private.

Image management commands

1) obtain the image

The command to obtain an image from the Docker image repository is docker pull. The command format is:

docker pull [options] [Docker Registry address[:port]/]repository name[:tag]

Example: docker pull ubuntu:16.04

If no tag is specified, latest is downloaded by default.

docker pull mirrors.aliyun.com:ubuntu pulls ubuntu from the Aliyun registry

2) list mirrors

docker image ls

The list contains the repository name, label, image ID, creation time, and space occupied.

3) Delete the image

docker rmi <image ID> deletes the image

docker rmi -f <image ID> forcibly deletes the image

4) Container management

docker create creates a container without starting it

docker start <container> starts a container

docker stop <container name> stops a container

docker restart <container name> restarts a container

docker rm <id> deletes a container

docker run -it centos /bin/sh creates and starts a container, but the container exits as soon as you exit the shell. To keep it running as a daemon, use docker run -itd centos /bin/sh instead.

docker ps lists running containers

docker ps -a lists all containers, including stopped ones.

5) enter the container

docker attach <name> enters the container

docker exec -it <container id> <command>, for example docker exec -it 7813e41ec005 /bin/sh

6) Export a container to a file

docker export -o test_for_run_tar <container ID>

or docker export <container ID> > test_for_stop_tar

7) Import a file as an image

docker import test_for_run_tar test/ubuntu:v1.0

8) data management

A) A data volume is a special directory that can be used by the container; it maps a host directory into the container.

docker run -d -P --name web -v /src/webapp:/opt/webapp centos /bin/sh

Mounts /src/webapp on the host to /opt/webapp in the container; the mount is read-write by default.

docker run -d -P --name web -v /src/webapp:/opt/webapp:ro centos /bin/sh mounts it read-only

B) Data volume containers: containers whose volumes can be shared by other containers

First create a data volume container

[root@localhost /]# docker run -it -v /cunchu --name chuchurongqi centos
[root@90bd63b06074 /]# ls
bin  cunchu  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@90bd63b06074 /]# cd cunchu/
[root@90bd63b06074 cunchu]# vi qiang.txt

Create a new container and use --volumes-from <data volume container name> to mount the data volume into it.

[root@localhost /]# docker run -it --volumes-from chuchurongqi --name db2 centos

Author: Network Security - Wang Zhiqiang

The original text was first published at: Yixin Security Emergency Response Center

Source: Yixin Institute of Technology
