wangteng 2017-06-21
Docker容器的网络可分为四种类型,Closed、Bridged、Joined、Open
其结构图如下:(来源:《Docker In Action》)
1、Closed
不允许网络访问,容器内的进程只能访问回调接口(loopback interface),程序的网络访问只能在容器内部进行,不能够访问容器外部网络,创建容器时使用--net none 参数。
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net none alpine ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever
场景:需要网络高度隔离或者应用程序不需要网络访问。例如终端文本编辑器不需要网络访问,或者程序在容器内生成密码
2、Bridged
该模式是容器生成的默认选项,容器拥有一个私有的回调接口和一个私有接口,用于连接宿主机的网桥,使用该模式,主要是容器内的进程需要访问网络资源,创建容器时可以忽略 --net选项或者指定为bridge。
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net bridge alpine ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 157: eth0@if158: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP link/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff inet 172.18.0.4/16 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::42:acff:fe12:4/64 scope link tentative valid_lft forever preferred_lft forever
bridge模式支持自定义域名功能,使用--hosename参数指定
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --hostname barker alpine nslookup barker nslookup: can't resolve '(null)': Name does not resolve Name: barker Address 1: 172.18.0.4 barker
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --dns 8.8.8.8 alpine nslookup docker.com nslookup: can't resolve '(null)': Name does not resolve Name: docker.com Address 1: 52.205.177.26 ec2-52-205-177-26.compute-1.amazonaws.com Address 2: 52.54.245.124 ec2-52-54-245-124.compute-1.amazonaws.com Address 3: 52.73.59.133 ec2-52-73-59-133.compute-1.amazonaws.com
参数值必须为ip;支持数组,可以指定多个DNS服务;支持容器守护进程模式运行(-d)
可以指定多个,类似为域名添加一个前缀,查找registry.hub.docker.com
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --dns-search docker.com busybox nslookup registry.hub Server: 100.100.2.138 Address 1: 100.100.2.138 Name: registry.hub Address 1: 52.86.136.227 ec2-52-86-136-227.compute-1.amazonaws.com Address 2: 34.200.149.55 ec2-34-200-149-55.compute-1.amazonaws.com Address 3: 52.45.79.109 ec2-52-45-79-109.compute-1.amazonaws.com
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --hostname mycontainer --add-host docker.com:127.0.0.1 --add-host test:172.0.2.2 alpine cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 127.0.0.1 docker.com 172.0.2.2 test 172.18.0.4 mycontainer
cp:随机映射一个宿主机端口到容器端口上
hp:cp:同时指定端口
ip:cp:将容器端口绑定到指定ip的随机端口上
ip:hp:cp:将容器端口绑定到指定的ip及端口上
--expose:开放容器端口
-P,--publish-all,将容器所有开放的端口映射到宿主机的随机端口上
0.0.0.0:32775->5000/tcp, 0.0.0.0:32774->6000/tcp, 0.0.0.0:32773->7000/tcp
--bip参数指定IP段,设置docker0的ip及允许的ip范围
--bip "192.168.0.128/25" 后128个ip(32-25=7, 2^7=128)
--fixed-cidr 指定IP可以被分配到新的容器
新容器接受的ip段 docker -d --fixed-cidr "192.168.0.192/26"(后64个ip,192-255,32-26=6,2^6=64)
–mtu,指定以太网接口的网络包大小,默认1500字节
docker -d –mtu 1200,指定为1200字节
-b/--bridge,指定Docker守护进程的网桥,默认为docker0
docker -d -b mybridge docker -d --bridge mybridge
3、Joined
容器共享同一个网络,也就意味着减少了控制和安全,联合容器是由特殊容器为新容器提供访问接口。
创建一个封闭的容器
docker run -d --name brady --net none alpine nc -l 127.0.0.1:3333创建一个联合容器
docker run -it --net container:brady alpine netstat -al Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:36328 0.0.0.0:* LISTEN Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path使用场景:
不同的容器使用同一个会调接口进行通信时,可以通过创建联合容器来实现
4、Open
该模式没有网络容器,直接完全访问宿主机网络,存在网络安全隐患,不得已情况下不推荐使用,创建容器时使用--net host来实现
[root@iz2ze7sp5njgaf81ekoudez ~]# docker run --rm --net host alpine ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 …… 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 …… 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP …… 30: br-662aeb7954f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN …… 102: vethc3eb910@if101: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP link/ether 42:7f:7b:ee:f1:a0 brd ff:ff:ff:ff:ff:ff 154: veth69e1658@if153: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0 state UP link/ether a6:78:6e:81:7a:24 brd ff:ff:ff:ff:ff:ff [root@iz2ze7sp5njgaf81ekoudez ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 …… 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 …… 3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP …… 30: br-662aeb7954f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN …… 102: vethc3eb910@if101: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP …… 154: veth69e1658@if153: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP ……同宿主机的网络信息一致