
How to realize network management and network isolation by Docker container

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

This article explains how Docker containers handle network management and network isolation. It covers a lot of ground, so readers interested in the topic should find something useful in it.

I. Management of Docker network

1. How a Docker container communicates

1) Docker container accessing the public network

The container is attached to the host's docker0 bridge and reaches the public network through it; by default every new container is attached to docker0 automatically.

2) Communication between containers

The administrator creates a bridge and attaches the containers to it; containers on the same bridge can reach each other.

3) External network accessing a container

This is achieved either through port mapping or by having the container use the Docker host's own network configuration (host mode).

2. Network communication modes of a Docker container

1) bridge

The default mode: the container reaches the public network through the docker0 bridge, on which it depends.

2) none

The container is placed in its own separate network namespace with no TCP/IP configuration at all; any networking has to be set up separately by the administrator.

3) container

Used for container-to-container communication: the new container shares the network namespace of an existing container, and the two communicate through that shared namespace.

4) host

The container uses the host's network stack directly, so its network configuration is identical to the host's.
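As an added example (not code from the article), the following POSIX shell audit classifies running containers by the four modes just described, from a defender's point of view: host mode removes network isolation entirely, container mode shares a namespace with another container, and every container left on the default docker0 bridge can reach every other one. It assumes the input is the output of `docker inspect -f '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q)`; the sample embedded here is constructed (the article's container names plus a hypothetical centos6.704 in container mode) so the script runs without a Docker daemon.

```shell
#!/bin/sh
# Added example: audit container network modes. Not part of the article.
# Real input:  docker inspect -f '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q)
# Constructed sample (article's names; centos6.704 is hypothetical):
SAMPLE_MODES='/centos7.201 bridge
/centos7.202 none
/centos7.203 host
/centos6.701 liyanxin
/centos6.702 gongsunli
/centos6.704 container:b308fb5c097f'

# audit_network_modes <list> : prints "<SEVERITY> <container> <reason>" per line
audit_network_modes() {
    printf '%s\n' "$1" | while read -r name mode; do
        name=${name#/}                      # docker inspect prefixes names with "/"
        case "$mode" in
            host)
                echo "HIGH $name shares the host network namespace (no isolation; can bind any host port)" ;;
            container:*)
                echo "MEDIUM $name shares the network namespace of container ${mode#container:}" ;;
            default|bridge)                 # "default" is what docker records when --net is omitted
                echo "LOW $name is on the default docker0 bridge (reachable by every other default-bridge container)" ;;
            none)
                echo "INFO $name has no network (loopback only)" ;;
            *)
                echo "INFO $name is on user-defined network '$mode' (not reachable from other networks by default)" ;;
        esac
    done
}

# count_severity <list> <SEVERITY> : number of findings at that severity (0 is not an error)
count_severity() {
    audit_network_modes "$1" | grep -c "^$2 " || true
}

# Stand-alone run: print the report and exit non-zero if any HIGH finding exists
if [ "${0##*/}" = "audit_modes.sh" ]; then
    audit_network_modes "$SAMPLE_MODES"
    [ "$(count_severity "$SAMPLE_MODES" HIGH)" -eq 0 ]
fi
```

Used on a real host, replace `SAMPLE_MODES` with the `docker inspect` output; the `HIGH` count makes a simple gate for a cron job or CI check, since a host-mode container is the one case where Docker's namespace isolation is absent altogether.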

3. Configure bridge network communication mode

```
[root@centos01 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@centos01 ~]# yum -y install docker
[root@centos01 ~]# systemctl start docker
[root@centos01 ~]# systemctl enable docker
[root@centos01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@centos01 ~]# sysctl -p
net.ipv4.ip_forward = 1
[root@centos01 ~]# docker pull hub.c.163.com/public/centos:7.2-tools
[root@centos01 ~]# docker images
REPOSITORY                    TAG         IMAGE ID       CREATED       SIZE
hub.c.163.com/public/centos   7.2-tools   4a4618db62b9   3 years ago   515 MB
[root@centos01 ~]# docker run -d --net=bridge --name centos7.201 hub.c.163.com/public/centos:7.2-tools
b308fb5c097fd455073f2f4a280d2660e6943fe1a62d6409e8ebcd3b86469438
[root@centos01 ~]# docker ps
CONTAINER ID   IMAGE                                   COMMAND                  CREATED          STATUS          PORTS    NAMES
b308fb5c097f   hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   20 seconds ago   Up 19 seconds   22/tcp   centos7.201
[root@centos01 ~]# ifconfig
docker0: flags=4163  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
[root@centos01 ~]# docker exec -it centos7.201 /bin/bash
[root@b308fb5c097f /]# ifconfig
eth0: flags=4163  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 0.0.0.0
[root@b308fb5c097f /]# ping www.baidu.com
PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18: icmp_seq=1 ttl=50 time=18.4 ms
64 bytes from 39.156.66.18: icmp_seq=2 ttl=50 time=18.3 ms
64 bytes from 39.156.66.18: icmp_seq=3 ttl=50 time=16.9 ms
[root@b308fb5c097f /]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.086 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.150 ms
```

4. Configure none network communication mode

```
[root@centos01 ~]# docker run -d --net=none --name centos7.202 hub.c.163.com/public/centos:7.2-tools
e2c4837d67818e7ef4d7cedf964db21d98cabb594d12091d7f69da4e8fb3f30f
[root@centos01 ~]# docker ps
CONTAINER ID   IMAGE                                   COMMAND                  CREATED          STATUS          PORTS    NAMES
e2c4837d6781   hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   57 seconds ago   Up 56 seconds            centos7.202
b308fb5c097f   hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   7 minutes ago    Up 7 minutes    22/tcp   centos7.201
[root@centos01 ~]# docker exec -it centos7.202 /bin/bash
[root@e2c4837d6781 /]# ifconfig
lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
[root@e2c4837d6781 /]# ping www.baidu.com
ping: unknown host www.baidu.com
[root@e2c4837d6781 /]# ping 192.168.100.10
connect: Network is unreachable
```

5. Configure host network communication mode

```
[root@centos01 ~]# docker run -d --net=host --name centos7.203 -v /data1 hub.c.163.com/public/centos:7.2-tools
2911358be486720c4ee93c8de22cd77301236f48c5baf22ea63bb3c54450032e
[root@centos01 ~]# ls /var/lib/docker/volumes/
dc755f3b6036f167471435629918d06264e1c2c6a8b175426fa80da36143a87e  metadata.db
[root@centos01 ~]# docker ps
CONTAINER ID   IMAGE                                   COMMAND                  CREATED              STATUS              PORTS    NAMES
2911358be486   hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   About a minute ago   Up About a minute            centos7.203
e2c4837d6781   hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   15 minutes ago       Up 15 minutes                centos7.202
b308fb5c097f   hub.c.163.com/public/centos:7.2-tools   "/usr/bin/supervisord"   21 minutes ago       Up 21 minutes       22/tcp   centos7.201
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash
[root@centos01 /]# ifconfig
docker0: flags=4163  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
ens32: flags=4163  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255
ens34: flags=4163  mtu 1500
        inet 192.168.0.126  netmask 255.255.255.0  broadcast 192.168.0.255
lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
vethc39178a: flags=4163  mtu 1500
        inet6 fe80::7c4b:a6ff:fe1c:a37f  prefixlen 64  scopeid 0x20
virbr0: flags=4099  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash
[root@centos01 /]# ping www.baidu.com
PING www.a.shifen.com (39.156.66.14) 56(84) bytes of data.
64 bytes from 39.156.66.14: icmp_seq=1 ttl=51 time=20.0 ms
64 bytes from 39.156.66.14: icmp_seq=3 ttl=51 time=15.9 ms
[root@centos01 /]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.030 ms
[root@centos01 ~]# cp /mnt/nginx-1.6.0.tar.gz ./
[root@centos01 ~]# ls
anaconda-ks.cfg  initial-setup-ks.cfg  nginx-1.6.0.tar.gz
[root@centos01 ~]# cp nginx-1.6.0.tar.gz /var/lib/docker/volumes/dc755f3b6036f167471435629918d06264e1c2c6a8b175426fa80da36143a87e/_data/
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash
[root@centos01 /]# ls
anaconda-post.log  bin  data1  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@centos01 /]# cd data1/
[root@centos01 data1]# ls
nginx-1.6.0.tar.gz
[root@centos01 /]# yum -y install pcre-devel zlib-devel
[root@centos01 /]# useradd -M -s /sbin/nologin nginx
[root@centos01 /]# tar zxvf /data1/nginx-1.6.0.tar.gz -C /usr/src/
[root@centos01 /]# yum -y install gcc pcre-devel zlib-devel make
[root@centos01 /]# cd /usr/src/nginx-1.6.0/
[root@centos01 nginx-1.6.0]# ./configure --prefix=/usr/local/nginx --user=nginx --with-http_stub_status_module && make && make install
[root@centos01 nginx-1.6.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@centos01 nginx-1.6.0]# echo "www.docker.nginx.com" > /usr/local/nginx/html/index.html
[root@centos01 nginx-1.6.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@centos01 nginx-1.6.0]# netstat -anptu | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6268/nginx: master
[root@centos01 ~]# curl http://192.168.100.10
www.docker.nginx.com
[root@centos01 nginx-1.6.0]# cat /usr/local/nginx/logs/access.log
192.168.100.10 - - [12/May/2020:21:42:47 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.29.0"
```

6. Configure the parameters of the docker0 bridge

```
[root@centos01 ~]# ifconfig
docker0: flags=4163  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
[root@centos01 ~]# systemctl stop docker
[root@centos01 ~]# ip link set dev docker0 down
[root@centos01 ~]# brctl delbr docker0
[root@centos01 ~]# brctl addbr docker0
[root@centos01 ~]# ip addr add 192.168.20.1/24 dev docker0
[root@centos01 ~]# ip link set dev docker0 up
[root@centos01 ~]# vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://6kx4zyno.mirror.aliyuncs.com"],
  "bip": "192.168.20.1/24"
}
[root@centos01 ~]# systemctl start docker
[root@centos01 ~]# ifconfig
docker0: flags=4163  mtu 1500
        inet 192.168.20.1  netmask 255.255.255.0  broadcast 0.0.0.0
[root@centos01 ~]# docker run -it -d --name centos7.2v1 hub.c.163.com/public/centos:7.2-tools
d0b5392e60cef37f3c44d79a9fb73916720cfc44faa7b73862bee05fb2d6ce7b
[root@centos01 ~]# docker exec -it centos7.2v1 /bin/bash
[root@d0b5392e60ce /]# ifconfig
eth0: flags=4163  mtu 1500
        inet 192.168.20.2  netmask 255.255.255.0  broadcast 0.0.0.0
```

Note that daemon.json must be a single JSON object: the "bip" key goes into the same object as "registry-mirrors", otherwise the daemon cannot parse the file.
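Re-addressing docker0 is where an operator most often locks themselves out: a "bip" that overlaps a subnet the host already uses (the management LAN, a second NIC, the libvirt virbr0 network) silently breaks routing to that network. As an added example, not from the article, the POSIX shell script below checks a candidate bip against the host's existing subnets before daemon.json is touched, and renders daemon.json as the single JSON object the daemon expects. The host subnets are constructed from the ifconfig output shown earlier; on a real host they would come from `ip -4 -o addr show`.

```shell
#!/bin/sh
# Added example: verify a docker0 "bip" does not overlap host subnets. Not from the article.
# Constructed from the article's ifconfig output (ens32, ens34, virbr0);
# real input:  ip -4 -o addr show | awk '{print $4}'
HOST_SUBNETS='192.168.100.10/24
192.168.0.126/24
192.168.122.1/24'

# ip2int a.b.c.d : dotted quad -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_net a.b.c.d/len : network address of the prefix, as an integer
cidr_net() {
    addr=${1%/*}
    len=${1#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    echo $(( $(ip2int "$addr") & mask ))
}

# cidr_overlap A B : true if the two prefixes share any address, which is the
# case exactly when both agree on the network address of the shorter prefix
cidr_overlap() {
    l1=${1#*/}; l2=${2#*/}
    if [ "$l1" -lt "$l2" ]; then short=$l1; else short=$l2; fi
    n1=$(cidr_net "${1%/*}/$short")
    n2=$(cidr_net "${2%/*}/$short")
    [ "$n1" -eq "$n2" ]
}

# check_bip <bip> <subnet list> : returns 0 if safe, 1 (and a CLASH line) if not
check_bip() {
    bip=$1; subnets=$2
    printf '%s\n' "$subnets" | while read -r s; do
        [ -n "$s" ] || continue
        if cidr_overlap "$bip" "$s"; then
            echo "CLASH $bip overlaps host subnet $s"
            exit 1          # leaves the pipeline subshell; becomes the function's status
        fi
    done
}

# render_daemon_json <mirror-url> <bip> : one JSON object, as dockerd requires
render_daemon_json() {
    printf '{\n  "registry-mirrors": ["%s"],\n  "bip": "%s"\n}\n' "$1" "$2"
}

# Stand-alone use: ./check_bip.sh 192.168.20.1/24
if [ $# -eq 1 ]; then
    check_bip "$1" "$HOST_SUBNETS" && render_daemon_json "https://6kx4zyno.mirror.aliyuncs.com" "$1"
fi
```

With the article's addresses, 192.168.20.1/24 passes, while 192.168.100.1/24 (the management LAN) and a broad 192.168.0.0/16 are rejected; the same function can be reused for the "--subnet" of a user-defined network.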

II. Docker network isolation

1. Principle of Docker network isolation

The administrator creates network namespaces and places different containers in different namespaces to isolate them from each other; when no isolation is configured, containers are assigned to the default docker0 network namespace.

2. Built-in network namespace types of a Docker container

bridge: the container is bridged to the docker0 bridge; host: the container uses the network configuration of the Docker host; none: no network is created, and the container is not configured with TCP/IP information.

3. Configure Docker network namespace isolation

```
[root@centos01 ~]# docker network ls
NETWORK ID     NAME     DRIVER   SCOPE
8bb953004416   bridge   bridge   local
2c18234cad82   host     host     local
67860e823c36   none     null     local
[root@centos01 ~]# docker network create -d bridge liyanxin
0c69de4672ec173dc4c60b19e0bf93b361f45a804859f7bc2105d85ca83b1169
[root@centos01 ~]# docker network create -d bridge gongsunli
35687468c9034262173a96e9c23e045cbb8b7ffa6648fc84e015504740815001
[root@centos01 ~]# ifconfig
br-0c69de4672ec: flags=4099  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
br-35687468c903: flags=4099  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
[root@centos01 ~]# docker run -it -d --name centos6.701 --network=liyanxin hub.c.163.com/public/centos:6.7-tools
b85a2d8419a98756369ddc3b78247d3d42c178e8e563a936fe973f2f6611f951
[root@centos01 ~]# docker exec -it centos6.701 /bin/bash
[root@b85a2d8419a9 /]# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:12:00:02
          inet addr:172.18.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
[root@centos01 ~]# docker run -it -d --name centos6.702 --network=gongsunli hub.c.163.com/public/centos:6.7-tools
9af0fb7b85af3270f3c7c44b62438f436b22289ac0a7604d6ed522604b7b185f
[root@centos01 ~]# docker exec -it centos6.702 /bin/bash
[root@9af0fb7b85af /]# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:02
          inet addr:172.19.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
```

III. Configure a bridge to achieve network isolation

1. Purpose of configuring a bridge for network isolation

To let containers on one Docker host communicate with containers on another Docker host (cross-host container communication).

2. Principle of configuring a bridge for network isolation

Bridge the physical network card to a newly created bridge interface; assign the IP address to the bridge interface instead of the physical card; create containers and attach them to the bridge; containers on one Docker host can then communicate with containers on another Docker host; the administrator manages the Docker host remotely through the bridge interface.

3. Configure docker bridge to achieve network isolation.

```
[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
BRIDGE=br0
[root@centos01 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-br0
[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=br0
DEVICE=br0
ONBOOT=yes
IPADDR=192.168.100.10
NETMASK=255.255.255.0
[root@centos01 ~]# systemctl restart network
[root@centos01 ~]# ifconfig
br0: flags=4163  mtu 1500
        inet 192.168.100.10  netmask 255.255.255.0  broadcast 192.168.100.255
br-0c69de4672ec: flags=4163  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
br-35687468c903: flags=4163  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
docker0: flags=4099  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
ens32: flags=4163  mtu 1500
        ether 00:0c:29:18:d3:26  txqueuelen 1000  (Ethernet)
ens34: flags=4163  mtu 1500
        inet6 fe80::4ad2:dd37:4341:5d8e  prefixlen 64  scopeid 0x20
lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
veth7b0bb5f: flags=4163  mtu 1500
        inet6 fe80::ccd3:86ff:fee6:5725  prefixlen 64  scopeid 0x20
veth7e0f471: flags=4163  mtu 1500
        inet6 fe80::684c:fdff:fe13:b436  prefixlen 64  scopeid 0x20
virbr0: flags=4099  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
[root@centos01 ~]# yum -y install git
[root@centos01 ~]# git clone https://github.com/jpetazzo/pipework
[root@centos01 ~]# cp pipework/pipework /usr/local/bin/
[root@centos01 ~]# chmod +x /usr/local/bin/pipework
[root@centos01 ~]# docker run -d --name centos6.703 --network=none hub.c.163.com/public/centos:6.7-tools
adea0ad48bdde947ec595382d96cba06eb6522ec046e9b3c7bfcb1edb5c84545
[root@centos01 ~]# pipework br0 centos6.703 192.168.100.101/24
[root@centos01 ~]# docker exec -it centos6.703 /bin/bash
[root@adea0ad48bdd /]# ifconfig
eth2      Link encap:Ethernet  HWaddr FA:3A:9D:ED:C0:FF
          inet addr:192.168.100.101  Bcast:192.168.100.255  Mask:255.255.255.0
[root@adea0ad48bdd /]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.100 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.097 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.039 ms
```
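Because ifcfg-br0 is produced by copying ifcfg-ens32 and then editing it, the step above is easy to get subtly wrong, and the result is a host that is unreachable (or has a duplicate address) after `systemctl restart network`, which is a problem when the bridge is also the remote-management path. As an added example, not from the article, the POSIX shell script below writes the two files into a directory you choose and checks the invariants the procedure relies on: the physical NIC carries `BRIDGE=<bridge>` and no address of its own, the bridge file has `TYPE=Bridge`, its own `DEVICE`, the address, and no leftover `BRIDGE=` line. Interface names, addresses and the output directory are parameters; the values used for the demonstration are the article's (ens32, br0, 192.168.100.10/255.255.255.0).

```shell
#!/bin/sh
# Added example: generate and validate the ifcfg pair for bridging a NIC. Not from the article.

# write_bridge_ifcfg <dir> <nic> <bridge> <ipaddr> <netmask>
# Writes <dir>/ifcfg-<nic> (slave, no address) and <dir>/ifcfg-<bridge> (holds the address).
write_bridge_ifcfg() {
    dir=$1 nic=$2 br=$3 ip=$4 mask=$5
    cat > "$dir/ifcfg-$nic" <<EOF
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=$nic
DEVICE=$nic
ONBOOT=yes
BRIDGE=$br
EOF
    cat > "$dir/ifcfg-$br" <<EOF
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=$br
DEVICE=$br
ONBOOT=yes
IPADDR=$ip
NETMASK=$mask
EOF
}

# cfg_get <file> <KEY> : value of the last KEY=value line, empty if absent
cfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_bridge_ifcfg <dir> <nic> <bridge> : prints each problem, returns 1 if any
check_bridge_ifcfg() {
    dir=$1 nic=$2 br=$3 rc=0
    nicf="$dir/ifcfg-$nic" brf="$dir/ifcfg-$br"
    [ "$(cfg_get "$nicf" BRIDGE)" = "$br" ]   || { echo "$nicf: BRIDGE must be $br"; rc=1; }
    [ -z "$(cfg_get "$nicf" IPADDR)" ]        || { echo "$nicf: IPADDR must move to $brf"; rc=1; }
    [ "$(cfg_get "$brf" TYPE)" = "Bridge" ]   || { echo "$brf: TYPE must be Bridge"; rc=1; }
    [ "$(cfg_get "$brf" DEVICE)" = "$br" ]    || { echo "$brf: DEVICE must be $br"; rc=1; }
    [ -n "$(cfg_get "$brf" IPADDR)" ]         || { echo "$brf: IPADDR missing"; rc=1; }
    [ -z "$(cfg_get "$brf" BRIDGE)" ]         || { echo "$brf: stray BRIDGE= line copied from $nicf"; rc=1; }
    return $rc
}

# Stand-alone use: ./bridge_ifcfg.sh /tmp/ifcfg-test  (never point it at
# /etc/sysconfig/network-scripts without reviewing the output first)
if [ $# -eq 1 ]; then
    mkdir -p "$1"
    write_bridge_ifcfg "$1" ens32 br0 192.168.100.10 255.255.255.0
    check_bridge_ifcfg "$1" ens32 br0 && echo "ifcfg pair in $1 is consistent"
fi
```

Run the check on a scratch directory first; only after it passes copy the two files into /etc/sysconfig/network-scripts and restart the network, ideally from a console rather than over SSH through the interface being bridged.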

4. Configure communication between containers on different Docker hosts

```
[root@centos02 ~]# ping www.baidu.com
PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=19.5 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=17.3 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=18.1 ms
[root@centos02 ~]# cd /etc/yum.repos.d/
[root@centos02 yum.repos.d]# ls
local.repo
[root@centos02 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
[root@centos02 ~]# yum install docker -y
[root@centos02 ~]# systemctl start docker
[root@centos02 ~]# systemctl enable docker
[root@centos02 ~]# docker pull hub.c.163.com/public/centos:6.7-tools
[root@centos02 ~]# docker images
REPOSITORY                    TAG         IMAGE ID       CREATED       SIZE
hub.c.163.com/public/centos   6.7-tools   b2ab0ed558bb   3 years ago   602 MB
[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=ens32
DEVICE=ens32
ONBOOT=yes
BRIDGE=br0
[root@centos02 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-br0
[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0
TYPE=Bridge
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
NAME=br0
DEVICE=br0
ONBOOT=yes
IPADDR=192.168.100.20
NETMASK=255.255.255.0
[root@centos02 ~]# systemctl restart network
[root@centos02 ~]# ifconfig
br0: flags=4163  mtu 1500
        inet 192.168.100.20  netmask 255.255.255.0  broadcast 192.168.100.255
docker0: flags=4099  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
ens32: flags=4163  mtu 1500
        ether 00:0c:29:97:5c:9f  txqueuelen 1000  (Ethernet)
ens34: flags=4163  mtu 1500
        inet 192.168.0.104  netmask 255.255.255.0  broadcast 192.168.0.255
lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
virbr0: flags=4099  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
[root@centos02 ~]# yum -y install git
[root@centos02 ~]# git clone https://github.com/jpetazzo/pipework
[root@centos02 ~]# cp pipework/pipework /usr/local/bin/
[root@centos02 ~]# chmod +x /usr/local/bin/pipework
[root@centos02 ~]# docker run -d --name centos6.7 --network=none hub.c.163.com/public/centos:6.7-tools
abec0a6bd3822a2fd702dc44d1cf3043648aadd1a661e577c23701e30ee9df7a
[root@centos02 ~]# pipework br0 centos6.7 192.168.100.102/24
[root@centos02 ~]# docker exec -it centos6.7 /bin/bash
[root@abec0a6bd382 /]# ifconfig
eth2      Link encap:Ethernet  HWaddr EE:01:B7:99:90:1C
          inet addr:192.168.100.102  Bcast:192.168.100.255  Mask:255.255.255.0
[root@abec0a6bd382 /]# ping 192.168.100.101
PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.
64 bytes from 192.168.100.101: icmp_seq=1 ttl=64 time=0.660 ms
64 bytes from 192.168.100.101: icmp_seq=2 ttl=64 time=0.865 ms
64 bytes from 192.168.100.101: icmp_seq=3 ttl=64 time=0.382 ms
[root@abec0a6bd382 /]# ping 192.168.100.10
PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.
64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.632 ms
64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.732 ms
64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.796 ms
[root@abec0a6bd382 /]# ping 192.168.100.20
PING 192.168.100.20 (192.168.100.20) 56(84) bytes of data.
64 bytes from 192.168.100.20: icmp_seq=1 ttl=64 time=0.144 ms
64 bytes from 192.168.100.20: icmp_seq=2 ttl=64 time=0.094 ms
64 bytes from 192.168.100.20: icmp_seq=3 ttl=64 time=0.043 ms
```

That concludes this article on how the Docker container implements network management and network isolation. If you found the content useful, you can share it with more people.
