2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Options when creating a container
--network xx: specifies the type of network used by the container
--hostname xx: specifies the hostname used by the container
--dns x.x.x.x: specifies the DNS address used by the container
--dns-search xxx: specifies the search domain. The default search domain is the host's.
--add-host hostname:IP: adds a hostname-to-address record to the container's hosts file
Second, create a closed network container
When creating a container, none network is used by default
When creating the container, use the --network option to specify the network type none
Create a container
[root@host1 ~]# docker run --name T1 -it --rm \
> --network none --hostname T1 --dns 114.114.114.114 \
> --dns-search linux.io \
> --add-host www.baidu.com:1.2.3.4 \
> busybox
At this time, the container has no address.
Expose the container address to the network
The purpose of running a container is to let users access the service it provides.
A container usually works in NAT mode, that is, it is hidden behind the docker0 bridge and users cannot reach it directly.
Therefore, you need to expose the container to the network.
1. Expose a container port on a dynamic port of the host
Case: start an apache and expose its port 80
[root@host1 ~]# docker run --name httpd1 -it -p 80 --rm busybox
WARNING: IPv4 forwarding is disabled. Networking will not work.
/ #
/ # mkdir /html
/ # echo "test page" >> /html/index.html
/ #
/ # httpd -h /html/
/ #
/ # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 :::80                   :::*                    LISTEN
At this point, it can be accessed from the host.
[root@host1 ~]# curl 172.17.0.2
test page
To access this nginx page on other hosts, you need a dynamic port on the host
Exposing a container port to the outside world relies on iptables rules. The rules in the nat table look like this:
[root@host1 ~]# iptables -L -n -t nat
...
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32770 to:172.17.0.2:80
The docker command can view the port mapping relationship
[root@host1 ~]# docker port httpd1
80/tcp -> 0.0.0.0:32770
Access the container on this host from other hosts
When the container is deleted, the port mapping rule is automatically deleted
2. Expose a container port on a designated port of the host
Case: create an apache container that maps port 80 to port 8081 of the host
[root@host1 ~]# docker run --name httpd1 -it -p 8081:80 --rm busybox
/ #
[root@host1 ~]# docker port httpd1
80/tcp -> 0.0.0.0:8081
3. Expose a container port on a dynamic port of a specified host IP
Method 1 maps the container port to a random port of the host, and that port is bound to all IP addresses of the host.
-p <host IP>::<container port>
4. Expose a container port on a designated port of a specified host IP
Method 2 maps the container port to a designated port of the host, and that port is bound to all IP addresses of the host.
-p <host IP>:<host port>:<container port>
[If you need to expose multiple ports, you can use the -p option multiple times]
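The four -p forms above, as an added example (not from the original article): a POSIX shell parser that reports the host address, host port and container port a spec resolves to, and lists the specs that end up bound to every host address. The function names and sample specs are constructed for illustration; bracketed IPv6 host addresses and port ranges are not handled.

```shell
#!/bin/sh
# Added example: classify `docker run -p` publish specs by what they expose.
# Assumption: only the four IPv4 forms described in the text are handled.

# parse_publish SPEC -> prints "host_ip host_port container_port scope"
# The body runs in a subshell "( ... )" so its variables do not leak.
parse_publish() (
    spec=${1%/*}                 # drop an optional /tcp or /udp suffix
    ip=0.0.0.0                   # no host IP given: bound to every host address
    hport=dynamic                # no host port given: Docker picks one
    case $spec in
        *:*:*)                   # ip:hostport:cport  or  ip::cport
            ip=${spec%%:*}
            rest=${spec#*:}
            hport=${rest%%:*}
            cport=${rest#*:} ;;
        *:*)                     # hostport:cport
            hport=${spec%%:*}
            cport=${spec#*:} ;;
        *)                       # cport only
            cport=$spec ;;
    esac
    [ -n "$hport" ] || hport=dynamic
    [ -n "$ip" ] || ip=0.0.0.0
    case $ip in
        0.0.0.0) scope=all-interfaces ;;
        127.*)   scope=loopback-only ;;
        *)       scope=single-address ;;
    esac
    echo "$ip $hport $cport $scope"
)

# audit_publish SPEC... -> prints only the specs reachable on every interface
audit_publish() {
    for s in "$@"; do
        case $(parse_publish "$s") in
            *all-interfaces) echo "$s" ;;
        esac
    done
}

# Constructed sample specs: methods 1-4 from the text, plus a loopback binding.
audit_publish 80 8081:80 192.168.114.132::80 192.168.114.132:8081:80 127.0.0.1:8081:80
```

Only the first two specs are reported: a bare container port and a host-port:container-port pair both listen on all host addresses, while the forms that name a host IP do not.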
Fourth, create federated network containers
Federated containers let multiple containers share three namespaces, including the network namespace.
1. Join the namespaces of another container
Create a container first
[root@host1 ~]# docker run --name httpd1 -it --rm busybox
/ #
/ # ip addr
1: lo: mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if14: mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ #
/ # hostname
2ce8cf2a2f28
/ #
/ # mkdir /html
/ # echo "test page" > /html/index.html
/ # httpd -h /html/
/ #
/ # wget -O - -q 127.0.0.1
test page
/ #
Create another container and add it to the namespace of the previous container
[root@host1 ~]# docker run --name httpd2 --network container:httpd1 --rm -it busybox
/ #
/ # ip addr
1: lo: mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if14: mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ #
/ # hostname
2ce8cf2a2f28
/ #
/ # wget -O - -q 127.0.0.1
test page
/ #
The hostname, address and IPC of both containers are the same.
A process started in one container can be reached at 127.0.0.1 from the other.
The file systems of the two containers are not shared, however: files or directories created in one container cannot be accessed from the other.
2. Add the container to the namespace of the host
[root@host1 ~]# docker run --name httpd1 -it --rm --network host busybox
/ # ip addr
1: lo: mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 scope host
       valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:3f:bf:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.114.132/24 brd 192.168.114.255 scope global dynamic ens33
       valid_lft 1653sec preferred_lft 1653sec
    inet6 fe80::b487:3618:3453:eabe/64 scope link
       valid_lft forever preferred_lft forever
3: ens37: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:3f:bf:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.130/24 brd 192.168.64.255 scope global dynamic ens37
       valid_lft 1648sec preferred_lft 1648sec
    inet 172.16.100.5/24 brd 172.16.100.255 scope global ens37
       valid_lft forever preferred_lft forever
    inet6 fe80::e81:e5e0:505:f39b/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: mtu 1500 qdisc noqueue
    link/ether 02:42:37:b9:09:55 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:37ff:feb9:955/64 scope link
       valid_lft forever preferred_lft forever
/ # hostname
host1
/ #
Fifth, modify the default network and bridge
1. Modify docker0
The default address of the docker0 bridge is 172.17
Changing it requires editing the configuration file /etc/docker/daemon.json
The bip key specifies the IP address of docker0.
2. Create a custom bridge
Create a bridge named mybr0
[root@host1 ~]# docker network create \
> --subnet "30.0.0.0/8" --gateway "30.0.0.1" \
> mybr0
[root@host1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
5e905c47ac51        bridge              bridge              local
386d8dc4beb8        host                host                local
256a8b6832cb        mybr0               bridge              local
eb7b7cf29f29        none                null                local
mybr0 is the network name, not the network interface name
[root@host1 ~]# ip addr
...
15: br-256a8b6832cb: mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:c9:f6:5d:cd brd ff:ff:ff:ff:ff:ff
    inet 30.0.0.1/8 brd 30.255.255.255 scope global br-256a8b6832cb
       valid_lft forever preferred_lft forever
Create a container to use this bridge device
[root@host1 ~]# docker run --name httpd1 -it --rm --network mybr0 busybox
/ # ip addr
1: lo: mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
16: eth0@if17: mtu 1500 qdisc noqueue
    link/ether 02:42:1e:00:00:02 brd ff:ff:ff:ff:ff:ff
    inet 30.0.0.2/8 brd 30.255.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ #
Extension: create two bridges on one host (in effect, two virtual switches), and attach to each one a container on a different network segment.
For the two containers to communicate, you only need to enable routing and forwarding on the host, for two reasons:
The gateway of each container points to the address of its virtual switch.
The virtual switch itself is on the host.
Note that Docker adds firewall rules by default that block communication between containers in this setup, so to allow it you need to modify the iptables rules.