Initial knowledge of Docker Container Network Model

2025-03-28 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/03 Report--

Four Network modes of Docker Container

When creating a container with docker run, the --net option selects the container's network mode. Docker's network modes are:

1) None mode

No network is configured for the container: --network none

# docker run -it --network none busybox:latest
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
ee153a04d683: Pull complete
Digest: sha256:9f1003c480699be56815db0f8146ad2e22efea85129b5b5983d0e0fb52d9ab70
Status: Downloaded newer image for busybox:latest
/ #
/ # ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ #

The container has only the loopback interface and no IP address, so it cannot reach the outside network; the host assigns it no IP at all.

2) Container mode

Share the network namespace of another running container: --network=container:containerID

The new container gets no IP address or NIC of its own; it shares the network environment of the specified container. Everything other than the network (file system, processes, and so on) remains isolated between the two containers.

3) Host mode

Share the network namespace of the host: --network=host

# docker run -it --network host centos:latest

After running the command above, the prompt looks unchanged; in fact you are already inside the container, which shares the host's network namespace and therefore shows the same hostname as the host. The container gets no network card of its own and uses the host's IP addresses and ports directly. Any port the host opens is open in the container as well, so network isolation is weak in this mode.

4) Bridge mode

Bridge mode, Docker's NAT network model, is the default. The host creates a separate network namespace for each container and gives it its own virtual IP; the container is attached to the docker0 virtual bridge, through which it reaches the network.

Diagram: prototype of the Docker bridge network (image not reproduced here)

The host has two network interfaces, eth0 and docker0. When the Docker service starts, it automatically creates the bridge interface docker0 (172.17.0.1); the bridge and its attached interfaces can be viewed with brctl show:

[root@docker-qa ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.024267a34c5d       no              veth008914e9
                                                        veth04d070a5
                                                        veth209e9cae
                                                        veth226cdf5

All Docker virtual interfaces are attached to the docker0 bridge, and containers are assigned IP addresses sequentially as they start.

Docker Bridge bridge creation process:

1) The host creates a veth pair, a pair of virtual network interfaces. veth devices always come in pairs and act as a pipe that connects two network devices for data transfer.

2) One end of the veth pair is placed in the container and named eth0; the other end is attached to the docker0 bridge, where it can be seen with the brctl show command.

3) docker0 assigns an IP address to the container, and the IP of docker0 is set as the container's default gateway.

4) The container can now communicate with the host. In bridge mode, containers attached to the same bridge can communicate with each other, and containers can reach the public network.

Connectivity between the container and the public network depends mainly on the Linux kernel: it forwards traffic from the container's bridge interface to eth0, which is connected to the outside. This requires IP forwarding to be enabled through the kernel setting net.ipv4.ip_forward=1.
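The script below is an added example, not from the article or from Docker itself: it rebuilds the four bridge-mode steps above by hand with iproute2, so each step is visible. The bridge name br-demo, the 172.30.0.0/24 range, the namespace names and WAN_IF=eth0 are assumptions chosen so as not to disturb the real docker0.

```shell
#!/bin/sh
# Added example: hand-built equivalent of Docker bridge mode (names/addresses are assumptions).
# Needs root unless DRY_RUN=1, in which case the commands are only printed.
set -eu

BRIDGE=br-demo
BR_IP=172.30.0.1/24              # plays the role of docker0's 172.17.0.1
WAN_IF=${WAN_IF:-eth0}           # host uplink that forwarded traffic leaves through

run() {                          # execute, or print when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_bridge() {
    run ip link add "$BRIDGE" type bridge
    run ip addr add "$BR_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    # the kernel must forward between the bridge and eth0 (net.ipv4.ip_forward=1)
    run sysctl -w net.ipv4.ip_forward=1
    # source NAT so container traffic leaves with the host's own address
    run iptables -t nat -A POSTROUTING -s "${BR_IP%.*}.0/24" -o "$WAN_IF" -j MASQUERADE
}

# attach_container NAME ADDR: one network namespace stands in for one container
attach_container() {
    ns=$1; addr=$2
    run ip netns add "$ns"
    # 1) a veth pair: the two ends of one pipe
    run ip link add "veth-$ns" type veth peer name "eth0-$ns"
    # 2) host end joins the bridge, the other end becomes eth0 inside the namespace
    run ip link set "veth-$ns" master "$BRIDGE"
    run ip link set "veth-$ns" up
    run ip link set "eth0-$ns" netns "$ns" name eth0
    # 3) assign the container IP and use the bridge address as default gateway
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set eth0 up
    run ip -n "$ns" addr add "$addr/24" dev eth0
    run ip -n "$ns" route add default via "${BR_IP%/*}"
}

if [ "${1:-}" = "demo" ]; then
    create_bridge
    attach_container c1 172.30.0.2
    attach_container c2 172.30.0.3
    # 4) containers on the same bridge reach each other, the host and (via NAT) outside
    run ip netns exec c1 ping -c 1 172.30.0.3
fi
```

Run it as `DRY_RUN=1 sh bridge-demo.sh demo` first to read the exact commands before executing them as root.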

Container accesses the public network

For an application in the container to be reachable from the public network, specify a port mapping with the -P or -p option.

-P, random mapping chosen by Docker:
# docker run -d -P --name nginxTest nginx

-p, mapping specified by the user:
-p hostPort:containerPort
-p ip:hostPort:containerPort
-p ip::containerPort            # map containerPort to any free port on the given host IP
-p hostPort:containerPort/udp   # map a UDP port instead of TCP

If iptables is enabled on the host, completing a port mapping adds a rule opening the corresponding port to the host's iptables firewall rules.
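As an added example (not from the article or from Docker), the functions below parse the -p forms listed above and print both the host address that becomes reachable and an approximation of the DNAT rule Docker adds to its DOCKER chain; the container IP 172.17.0.2, the chain name and the rule layout are assumptions, since the exact rules vary by Docker version.

```shell
#!/bin/sh
# Added example: inspect what a "-p" mapping exposes on the host (not Docker's own code).
# parse_spec SPEC sets proto, hip (host IP or empty), hport, cport.
parse_spec() {
    spec=$1; proto=tcp
    case $spec in
        */udp) proto=udp; spec=${spec%/udp} ;;
        */tcp) spec=${spec%/tcp} ;;
    esac
    case $spec in
        *:*:*) hip=${spec%%:*}; rest=${spec#*:}; hport=${rest%%:*}; cport=${rest#*:} ;;
        *:*)   hip=""; hport=${spec%%:*}; cport=${spec#*:} ;;
        *)     echo "unsupported -p spec '$spec'" >&2; return 1 ;;
    esac
    # ip::containerPort form: Docker picks a free host port at run time
    [ -n "$hport" ] || hport="<random>"
}

# exposed_on_host SPEC -> "bindaddr:port/proto"; no host IP means all interfaces
exposed_on_host() {
    parse_spec "$1" || return 1
    echo "${hip:-0.0.0.0}:$hport/$proto"
}

# dnat_rule SPEC CONTAINER_IP -> approximate rule Docker installs (assumed layout)
dnat_rule() {
    parse_spec "$1" || return 1
    echo "iptables -t nat -A DOCKER ! -i docker0 -p $proto -d ${hip:-0.0.0.0/0} --dport $hport -j DNAT --to-destination $2:$cport"
}

# Verify against the live host with: iptables -t nat -S DOCKER
if [ "$#" -gt 0 ]; then
    for s in "$@"; do
        exposed_on_host "$s"
        dnat_rule "$s" 172.17.0.2   # constructed container IP
    done
fi
```

A mapping without a host IP binds to 0.0.0.0, so the port is reachable from every interface; binding to 127.0.0.1 is how you keep a mapped port local.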

Container interconnection: --link

Besides port mapping, containers can interact with each other by passing the --link option to docker run. For example:

Create a DB container: # docker run -d --name dbserver test/mysql

Create a Web container and connect it to the dbserver container

# docker run -p 8080:8090 --name myweb --link dbserver:db mywebtest:latest

Docker then sets up a secure tunnel between the two linked containers, so the dbserver container's port need not be mapped to the host: no -P or -p was given when dbserver was started, so the database port is never exposed on the host, which improves security.

The --link format is --link name:alias, where name is the name of the container to connect to and alias is the alias used for the link. Note that later Docker versions will remove the --link option from docker run.

The database container dbserver is now linked to the web container. Enter the web container with docker exec and look at the hosts file: it contains the IP address and hostname of the database container dbserver, and the link alias can be pinged.
