Shulou(Shulou.com)06/01 Report--

How to understand the connectivity between Docker containers? in view of this problem, this article introduces the corresponding analysis and solutions in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way.

Today we will discuss the connectivity between these containers.

Both busybox containers are hung on my_net2 and should be able to communicate with each other. Let's verify it.

It can be seen that containers and gateways in the same network can communicate with each other.

Can my_net2 communicate with the default bridge network?

From the topology diagram, we can see that the two networks belong to different bridges and should not be able to communicate. Let's verify it through experiments and let the busybox container ping httpd the container.

It is true that the ping does not work, as expected.

"wait! if routing is added to different networks, they should be able to communicate, right?" I've already heard suggestions from readers.

This is a very good idea.

Indeed, if there is a route to each network on host and ip forwarding,host is turned on on the operating system, it becomes a router, and networks attached to different bridges can communicate with each other. Let's see if docker host meets these conditions.

Ip r looks at the routing table on host:

# ip r

.

172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

172.22.16.0/24 dev br-5d863e9f78b6 proto kernel scope link src 172.22.16.1

.

Routes are defined for both 172.17.0.0Compact 16 and 172.22.16.0Universe 24 networks. Take a look at ip forwarding:

# sysctl net.ipv4.ip_forward

Net.ipv4.ip_forward = 1

Ip forwarding has also been enabled.

If all the conditions are met, why can't we pass through?

We also need to take a look at iptables:

# iptables-save

.

-A DOCKER-ISOLATION-I br-5d863e9f78b6-o docker0-j DROP

-A DOCKER-ISOLATION-I docker0-o br-5d863e9f78b6-j DROP

.

This is the reason: iptables DROP lost the two-way traffic between the bridge docker0 and br-5d863e9f78b6.

From the naming DOCKER-ISOLATION of the rule, we can see that docker is designed to isolate different netwrok.

So the next question is: how do you get busybox to communicate with httpd?

The answer is: add a net_my2 network card to the httpd container. This can be done through the docker network connect command.

Let's look at the network configuration in the httpd container

A network card eth2 is added to the container, and my_net2 's IP 172.22.16.3 is assigned. Now that busybox should be able to access httpd, verify it.

Busybox can ping to httpd and can access httpd's web service.

This is the end of the answer to the question on how to understand the connectivity between Docker containers. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.