
Network introduction of Docker

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Docker Network Foundation

When Docker starts, it automatically creates a virtual bridge named docker0 on the host. This is an ordinary Linux bridge, which can be understood as a software switch: the network ports mounted on it forward traffic between each other. When a Docker container is created, Docker also creates a veth pair (two interfaces joined so that a packet sent into one comes out of the other). One end of the pair sits inside the container as eth0; the other end stays on the host, is attached to the docker0 bridge, and has a name starting with veth.

DNS and hostname of Docker container

In fact, three files under /etc in the container are overwritten by virtual files after the container starts: /etc/hostname, /etc/hosts, and /etc/resolv.conf. You can see these mounts by running the mount command inside the container.

Docker Container 5 Network Modes

When creating a container with docker run, you can choose its network mode with the --net option. Docker has the following five network modes:

1. bridge model

Bridge mode is Docker's default network setting (equivalent to docker run --net=bridge). It assigns each container its own network namespace, configures an IP address and so on, and connects all containers on the host to the docker0 virtual bridge. Containers in this mode reach the outside world through NAT, which adds some complexity to communication, but it is the mode used in most scenarios.

The limitations of this mode can be inspected with:

route -n    // view the IP routing table
iptables -t nat -L -n    // view the NAT rules in iptables

2. host mode

Specified with docker run --net=host. In this mode the Docker daemon does not create a separate network stack for the container, that is, it does not create an independent network namespace. The processes in the container run directly in the host's network environment: the container and the host share the same network namespace, and the container uses the host's network card, IP address, ports and so on. This mode provides no network isolation, so containers compete for, and conflict over, the host's network resources.

3. container mode

Specified with docker run --net=container:othercontainer_name. This mode is similar to host mode, except that the newly created container shares its network namespace with an existing container rather than with the host. Because the two containers share one network namespace, their processes can communicate over the lo loopback device, which makes communication between them convenient and efficient. Container mode is used when the components of an application are placed in different containers and organized into one container-mode network so that they provide the service as a whole. The price is that it also reduces the isolation between those containers.

docker run -it --name helloworld busybox sh
docker run -it --name helloworld-con --net=container:helloworld busybox sh

4. none mode

Specified with docker run --net=none. In this mode the container has its own network namespace, but Docker performs no network configuration for it at all. In other words, the container has no network card, no IP address and no routes. We have to add network cards and configure IP addresses for the container ourselves. The mode is unusable without this extra configuration, but it also gives users maximum freedom to customize the container's network environment.

5. overlay mode

Overlay network features:

cross-host communication

no port mapping required

no need to worry about IP conflicts

service discovery via a key/value store such as etcd or consul
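The five modes above show up in docker inspect output as the HostConfig.NetworkMode field, which is the quickest way to audit which containers have given up network isolation. The following script is an added example, not code from the original article: it classifies a constructed sample (in the shape of docker inspect output, with made-up IDs and names) into host, container, none and bridge modes and attaches the isolation caveat described above.

```python
import json

# Constructed sample mimicking the fields of `docker inspect` that matter here
# (Name, HostConfig.NetworkMode, NetworkSettings.Networks); IDs/values are made up.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "HostConfig": {"NetworkMode": "default"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Id": "bbb222", "Name": "/monitor", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Id": "ccc333", "Name": "/helloworld", "HostConfig": {"NetworkMode": "my_net"},
     "NetworkSettings": {"Networks": {"my_net": {"IPAddress": "172.18.0.8"}}}},
    {"Id": "ddd444", "Name": "/helloworld-con",
     "HostConfig": {"NetworkMode": "container:ccc333"},
     "NetworkSettings": {"Networks": {}}},
    {"Id": "eee555", "Name": "/captcha", "HostConfig": {"NetworkMode": "none"},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
])


def classify(container, by_id):
    """Map one container to (name, mode, isolation note)."""
    mode = container["HostConfig"]["NetworkMode"]
    name = container["Name"].lstrip("/")
    if mode == "host":
        return name, "host", "shares the host network namespace: no isolation, port conflicts possible"
    if mode.startswith("container:"):
        # container:<id> points at the container whose namespace is shared
        target = by_id.get(mode.split(":", 1)[1])
        tname = target["Name"].lstrip("/") if target else "<unknown>"
        return name, "container", f"shares network namespace with '{tname}': reduced isolation"
    if mode == "none":
        return name, "none", "own namespace, no NIC/IP: isolated until configured manually"
    # "default", "bridge" or a user-defined network name all mean a bridge + NAT
    nets = container["NetworkSettings"]["Networks"]
    ips = ", ".join(f"{n}={v['IPAddress']}" for n, v in nets.items())
    return name, "bridge", f"NAT via bridge ({ips})"


def audit(inspect_json):
    """Classify every container in a `docker inspect` JSON array."""
    containers = json.loads(inspect_json)
    by_id = {c["Id"]: c for c in containers}
    return [classify(c, by_id) for c in containers]


if __name__ == "__main__":
    for name, mode, note in audit(SAMPLE_INSPECT):
        print(f"{name:15} {mode:10} {note}")
```

On a real host, feed it the output of docker inspect $(docker ps -q).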

Native networks

[root@localhost ~]# docker pull busybox    // download a busybox image
[root@localhost ~]# docker network ls    // view the native networks

1. None: no network at all

[root@localhost ~]# docker run -itd --name none --network none busybox:latest    // create a busybox container whose network is none
[root@localhost ~]# docker exec -it none /bin/sh    // enter the container just created
/ # ip a    // check the IP

A container on the none network has only a loopback address: no MAC address, no IP address and so on. That means it cannot communicate with the outside world; it is an isolated network. We have to add network cards and configure IP addresses for the container ourselves. The mode is unusable without this extra configuration, but it also gives users maximum freedom to customize the container's network environment.

Usage scenario:

Isolation means security, so this network is suitable for security-related services such as captcha and verification-code generation.

2. Host: host-based network

[root@localhost ~]# docker run -itd --name host --network host busybox:latest    // create a busybox container whose network is host
[root@localhost ~]# docker exec -it host /bin/sh    // enter the container just created
/ # ip a    // check the IP

A container on the host network has exactly the same network as the host, because its network stack was not isolated when it was created; it uses the host's network stack directly.

Usage scenario:

The network configuration is identical to that of the Docker host and performance is good, but flexibility is low. This mode has no network isolation, and port conflicts occur between containers and the host.

3. Bridge: bridged network

[root@localhost ~]# brctl show    // view the bridged networks

docker0: when Docker is installed, a docker0 network card is created by default. Its default IP is generally 172.17.0.1/16.

[root@localhost ~]# docker run -itd --name test1 busybox:latest    // create a container from busybox
[root@localhost ~]# docker exec -it test1 /bin/sh    // enter the container just created
/ # ip a    // check the IP

/ # exit    // leave the container
[root@localhost ~]# ip a    // check the IPs; you will find an extra NIC: the veth end of the pair whose other end is the container's eth0, attached to docker0

[root@localhost ~]# brctl show    // view the bridged networks; the extra NIC appears here too

A container uses the docker0 network by default. docker0 then acts as a router, and containers on this network are in the same network segment as docker0.

Custom networks

A custom network comes with a built-in container DNS server (name resolution by container name).

1. bridge

[root@localhost ~]# docker network create -d bridge my_net    // create a bridge network named my_net; -d sets the driver (network mode)
[root@localhost ~]# ip a    // check the IPs; you will find an extra network card

[root@localhost ~]# brctl show    // view the bridged networks; the extra NIC appears here too

[root@localhost ~]# docker run -itd --name test3 --network my_net busybox:latest    // start a container on the my_net network
[root@localhost ~]# docker exec -it test3 /bin/sh    // enter the container just created
/ # ip a    // check the IP

[root@localhost ~]# ip a    // check the IPs; you will find another extra network card

[root@localhost ~]# brctl show    // view the bridged networks; the extra NIC appears here too

[root@localhost ~]# docker run -itd --name test4 --network my_net busybox:latest    // start another container on the my_net network
[root@localhost ~]# docker exec -it test3 /bin/sh
/ # ping test4    // ping the container just created by name

The advantage of a custom network: containers can reach each other by container name.

2. Specify container IP

[root@localhost ~]# docker run -itd --name t1 --network my_net --ip 172.18.0.8 busybox:latest    // start a container with a fixed IP (fails here: my_net was created without a subnet)

[root@localhost ~]# docker network create -d bridge --subnet 172.30.16.0/24 --gateway 172.30.16.1 my_net3    // create a custom network and specify its gateway and subnet
[root@localhost ~]# docker network ls    // view the networks

[root@localhost ~]# ip a

If you want to assign IP addresses to containers yourself, you must specify the --subnet and --gateway options when creating the custom network.

Open two containers and test it.

[root@localhost ~]# docker run -itd --name test5 --network my_net3 --ip 172.30.16.5 busybox:latest    // start container test5 with a fixed IP
[root@localhost ~]# docker exec -it test5 /bin/sh
/ # ip a

[root@localhost ~]# docker run -itd --name test6 --network my_net3 --ip 172.30.16.6 busybox:latest    // start container test6 with a fixed IP
[root@localhost ~]# docker exec -it test6 /bin/sh
/ # ip a

/ # ping test5
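Before handing a fixed --ip to docker run, it is worth checking it against the network's IPAM configuration, since a wrong address fails only at container start. The script below is an added example, not from the original article: it reads a constructed sample in the shape of docker network inspect output (the IPAM.Config and Containers fields are real; the values are made up) and rejects addresses outside the subnet, the gateway, the network/broadcast addresses, and addresses already allocated to a container.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker network inspect my_net3`;
# container ID and addresses are invented for the example.
SAMPLE_NETWORK = json.dumps([{
    "Name": "my_net3",
    "Driver": "bridge",
    "IPAM": {"Config": [{"Subnet": "172.30.16.0/24", "Gateway": "172.30.16.1"}]},
    "Containers": {"abc123": {"Name": "test5", "IPv4Address": "172.30.16.5/24"}},
}])


def check_static_ip(network_json, requested_ip):
    """Return (ok, reason) for assigning requested_ip on the inspected network."""
    net = json.loads(network_json)[0]
    configs = net["IPAM"]["Config"]
    if not configs:
        # No user-defined subnet: recreate the network with --subnet/--gateway
        return False, "network has no IPAM config; recreate it with --subnet and --gateway"
    ip = ipaddress.ip_address(requested_ip)
    for cfg in configs:
        subnet = ipaddress.ip_network(cfg["Subnet"])
        if ip not in subnet:
            continue
        if ip == ipaddress.ip_address(cfg["Gateway"]):
            return False, "requested ip is the gateway"
        if ip in (subnet.network_address, subnet.broadcast_address):
            return False, "requested ip is the network or broadcast address"
        for c in net["Containers"].values():
            # Containers entries carry "addr/prefix"; compare the address part
            if ipaddress.ip_interface(c["IPv4Address"]).ip == ip:
                return False, f"already allocated to container {c['Name']}"
        return True, f"{ip} is free in {subnet}"
    return False, "requested ip lies outside every configured subnet"


if __name__ == "__main__":
    for candidate in ("172.30.16.6", "172.30.16.5", "172.30.16.1", "172.18.0.8"):
        print(candidate, check_static_ip(SAMPLE_NETWORK, candidate))
```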

3. Connecting containers across networks

[root@localhost ~]# iptables-save
// view the firewall rules that govern the NICs: you can see that packets arriving from a different bridge NIC are dropped directly, which is why containers on different custom networks cannot reach each other by default

[root@localhost ~]# docker network connect my_net3 test4    // attach container test4 to the my_net3 network as well
[root@localhost ~]# docker exec -it test5 /bin/sh
/ # ping test4

The rest follows by analogy: once a container is connected to a network, it can communicate with the other containers on that network.
