2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how a Docker container accesses the outside world: which iptables rule is involved and how the packet's address is translated on the way out.
Container access to the outside world
In our current lab environment, the Docker host can access the external network.
A container can access the external network by default.
Please note: "external network" here means any network outside the container network, not specifically the Internet.
The behaviour is simple to observe; what matters more is understanding why it works.
In the above example, busybox sits on the private bridge network docker0 (172.17.0.0/16). When bing.com is pinged from inside the container, how does the packet reach bing.com?
The key here is NAT. Let's look at the iptables rules on the Docker host.
In the NAT table, there is this rule:
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
The rule means: when the bridge docker0 receives a packet from the 172.17.0.0/16 network that is bound for the outside (it leaves through an interface other than docker0), the packet is handed to MASQUERADE. MASQUERADE replaces the packet's source address with the host's address, that is, it performs network address translation (NAT).
Let's use tcpdump to watch the address being translated. First look at the routing table of the Docker host:
The default route goes out through enp0s3, so we need to capture ICMP (ping) packets on both enp0s3 and docker0.
When busybox pings bing.com, the tcpdump output is as follows:
docker0 receives the ping packet from busybox, and its source address is the container IP 172.17.0.2. Nothing unusual so far; the packet is handed to MASQUERADE. At this point, we see a change on enp0s3:
The source address of the ping packet has become 10.0.2.15, the IP of enp0s3.
This is the result of the iptables NAT rule, and it ensures that the packet can reach the external network.
1. busybox sends the ping packet: 172.17.0.2 > www.bing.com.
2. docker0 receives the packet, sees that it is bound for the external network, and hands it to NAT.
3. NAT changes the source address to the IP of enp0s3: 10.0.2.15 > www.bing.com.
4. The ping packet is sent from enp0s3 to www.bing.com.
Through NAT, Docker gives the container access to the external network.
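The translation described above, modelled as a small added Python example (not code from the original article or from Docker). It also shows why container-to-container traffic on docker0 is left alone and how the tracked connection maps the reply, which the outside world addressed to 10.0.2.15, back to the container. The address 203.0.113.10 standing in for www.bing.com is a constructed placeholder, and keying the tracking table on the ICMP echo identifier is a simplification of real connection tracking.

```python
import ipaddress
from dataclasses import dataclass, replace

# Values from the article: bridge subnet, bridge name, and the IP of enp0s3.
BRIDGE_NET = ipaddress.ip_network("172.17.0.0/16")
BRIDGE_IF = "docker0"
UPLINK_IP = "10.0.2.15"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_id: int  # echo identifier, used here as the connection-tracking key

class Masquerade:
    """Toy model of: -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE"""

    def __init__(self):
        self.conntrack = {}  # (remote ip, icmp id) -> original container ip

    def postrouting(self, pkt, out_if):
        # Rule match: source in the bridge subnet AND leaving via a non-bridge interface.
        if ipaddress.ip_address(pkt.src) not in BRIDGE_NET or out_if == BRIDGE_IF:
            return pkt  # e.g. container-to-container traffic stays untranslated
        self.conntrack[(pkt.dst, pkt.icmp_id)] = pkt.src
        return replace(pkt, src=UPLINK_IP)  # source becomes the host's address

    def reply(self, pkt):
        # Reverse translation for a reply arriving on the host's uplink.
        original = self.conntrack.get((pkt.src, pkt.icmp_id))
        if pkt.dst != UPLINK_IP or original is None:
            return pkt  # no tracked connection: nothing to map back
        return replace(pkt, dst=original)

def trace():
    """Walk one ping through the four steps listed in the article."""
    nat = Masquerade()
    remote = "203.0.113.10"  # constructed placeholder for www.bing.com
    request = Packet("172.17.0.2", remote, icmp_id=7)    # seen on docker0
    on_wire = nat.postrouting(request, out_if="enp0s3")  # seen on enp0s3
    answer = nat.reply(Packet(remote, UPLINK_IP, icmp_id=7))
    return request, on_wire, answer

if __name__ == "__main__":
    for pkt in trace():
        print(pkt)
```

Anything logging on the remote side sees only 10.0.2.15, so attributing outbound traffic to a specific container requires the host's connection-tracking state or a capture on docker0.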