四种网络模式配置
bridge模式配置
[root@localhost ~]# docker run -it --name ti --rm busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02 inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1032 (1.0 KiB) TX bytes:0 (0.0 B) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
在创建容器时添加--network bridge与不加--network选项效果是一致的
[root@localhost ~]# docker run -it --name t1 --network bridge --rm busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02 inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:696 (696.0 B) TX bytes:0 (0.0 B) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
none模式配置
[root@localhost ~]# docker run -it --name t1 --network none --rm busybox / # ifconfig -a lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
container模式配置
启动第一个容器
[root@localhost ~]# docker run -dit --name b3 busybox
af5ba32f990ebf5a46d7ecaf1eec67f1712bbef6ad7df37d52b7a8a498a592a0
[root@localhost ~]# docker exec -it b3 /bin/sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:906 (906.0 B) TX bytes:0 (0.0 B)
1
2
3
4
5
6
7
8
9
10
11
启动第二个容器
[root@localhost ~]# docker run -it --name b2 --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:516 (516.0 B) TX bytes:0 (0.0 B)
1
2
3
4
5
6
7
8
可以看到名为b2的容器IP地址是10.0.0.3,与第一个容器的IP地址不是一样的,也就是说并没有共享网络,此时如果我们将第二个容器的启动方式改变一下,就可以使名为b2的容器IP与B3容器IP一致,也即共享IP,但不共享文件系统。
[root@localhost ~]# docker run -it --name b2 --rm --network container:b3 busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1116 (1.0 KiB) TX bytes:0 (0.0 B)
此时我们在b1容器上创建一个目录
/ # mkdir /tmp/data
/ # ls /tmp
data
1
2
3
4
5
6
7
8
9
10
11
12
13
到b2容器上检查/tmp目录会发现并没有这个目录,因为文件系统是处于隔离状态,仅仅是共享了网络而已。 在b2容器上部署一个站点
/ # echo 'hello world' > /tmp/index.html
/ # ls /tmp
index.html
/ # httpd -h /tmp
/ # netstat -antl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :::80 :::* LISTEN
1
2
3
4
5
6
7
在b1容器上用本地地址去访问此站点
/ # wget -O - -q 172.17.0.2:80
hello world
1
host模式配置
启动容器时直接指明模式为host
[root@localhost ~]# docker run -it --name b2 --rm --network host busybox / # ifconfig docker0 Link encap:Ethernet HWaddr 02:42:B8:7F:8E:2C inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0 inet6 addr: fe80::42:b8ff:fe7f:8e2c/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3 errors:0 dropped:0 overruns:0 frame:0 TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:116 (116.0 B) TX bytes:1664 (1.6 KiB) ens33 Link encap:Ethernet HWaddr 00:0C:29:95:19:47 inet addr:192.168.203.138 Bcast:192.168.203.255 Mask:255.255.255.0 inet6 addr: fe80::2e61:1ea3:c05a:3d9b/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:9626 errors:0 dropped:0 overruns:0 frame:0 TX packets:3950 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:3779562 (3.6 MiB) TX bytes:362386 (353.8 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) veth09ee47e Link encap:Ethernet HWaddr B2:10:53:7B:66:AE inet6 addr: fe80::b010:53ff:fe7b:66ae/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3 errors:0 dropped:0 overruns:0 frame:0 TX packets:19 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:158 (158.0 B) TX bytes:1394 (1.3 KiB)
此时如果我们在这个容器中启动一个http站点,我们就可以直接用宿主机的IP直接在浏览器中访问这个容器中的站点了。
容器的常用操作
查看容器的主机名
[root@localhost ~]# docker run -it --name t1 --network bridge --rm busybox / # hostname 48cb45a0b2e7
在容器启动时注入主机名
[root@localhost ~]# docker run -it --name t1 --network bridge --hostname ljl --rm busybox / # hostname ljl / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 172.17.0.3 ljl / # cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 192.168.203.2 / # ping www.baidu.com PING www.baidu.com (182.61.200.7): 56 data bytes 64 bytes from 182.61.200.7: seq=0 ttl=127 time=31.929 ms 64 bytes from 182.61.200.7: seq=1 ttl=127 time=41.062 ms 64 bytes from 182.61.200.7: seq=2 ttl=127 time=31.540 ms ^C --- www.baidu.com ping statistics --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 31.540/34.843/41.062 ms
手动指定容器要使用的DNS
[root@localhost ~]# docker run -it --name t1 --network bridge --hostname ljl --dns 114.114.114.114 --rm busybox / # cat /etc/resolv.conf search localdomain nameserver 114.114.114.114 / # nslookup -type=a www.baidu.com Server: 114.114.114.114 Address: 114.114.114.114:53 Non-authoritative answer: www.baidu.com canonical name = www.a.shifen.com Name: www.a.shifen.com Address: 182.61.200.6 Name: www.a.shifen.com Address: 182.61.200.7
手动往/etc/hosts文件中注入主机名到IP地址的映射
[root@localhost ~]# docker run -it --name t1 --network bridge --hostname ljl --add-host www.a.com:1.1.1.1 --rm busybox / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 1.1.1.1 www.a.com 172.17.0.3 ljl
开放容器端口
执行docker run的时候有个-p选项,可以将容器中的应用端口映射到宿主机中,从而实现让外部主机可以通过访问宿主机的某端口来访问容器内应用的目的。
-p选项能够使用多次,其所能够暴露的端口必须是容器确实在监听的端口。
-p选项的使用格式:
-p containerPort
将指定的容器端口映射至主机所有地址的一个动态端口
-p hostPort : containerPort
将容器端口 containerPort 映射至指定的主机端口 hostPort
-p ip :: containerPort
将指定的容器端口 containerPort 映射至主机指定 ip 的动态端口
-p ip : hostPort : containerPort
将指定的容器端口 containerPort 映射至主机指定 ip 的端口 hostPort
动态端口指的是随机端口,具体的映射结果可使用docker port命令查看。
[root@localhost ~]# docker run -dit --name web1 -p 192.168.203.138::80 httpd e97bc1774e40132659990090f0e98a308a7f83986610ca89037713e9af8a6b9f [root@localhost ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e97bc1774e40 httpd "httpd-foreground" 6 seconds ago Up 5 seconds 192.168.203.138:49153->80/tcp web1 af5ba32f990e busybox "sh" 48 minutes ago Up 48 minutes b3 [root@localhost ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 192.168.203.138:49153 0.0.0.0:* LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 [::]:22 [::]:*
以上命令执行后会一直占用着前端,我们新开一个终端连接来看一下容器的80端口被映射到了宿主机的什么端口上
[root@localhost ~]# docker port web1
80/tcp -> 192.168.203.138:49153
1
由此可见,容器的80端口被暴露到了宿主机的49153端口上,此时我们在宿主机上访问一下这个端口看是否能访问到容器内的站点
[root@localhost ~]# curl http://192.168.203.138:49153
<html><body><h1>It works!</h1></body></html>
iptables防火墙规则将随容器的创建自动生成,随容器的删除自动删除规则。
[root@localhost ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3 164 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4 261 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0 0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:80 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2 120 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL Chain DOCKER (2 references) pkts bytes target prot opt in out source destination 1 60 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0 1 60 DNAT tcp -- !docker0 * 0.0.0.0/0 192.168.203.138 tcp dpt:49153 to:172.17.0.3:80
将容器端口映射到指定IP的随机端口
[root@localhost ~]# docker run -dit --name web1 -p 192.168.203.138::80 httpd
在另一个终端上查看端口映射情况
[root@localhost ~]# docker port web1
80/tcp -> 192.168.203.138:49153
1
自定义docker0桥的网络属性信息
自定义docker0桥的网络属性信息需要修改/etc/docker/daemon.json配置文件
[root@localhost ~]# cd /etc/docker/ [root@localhost docker]# vim daemon.json [root@localhost docker]# systemctl daemon-reload [root@localhost docker]# systemctl restart docker { "registry-mirrors": ["https://4hygggbu.mirror.aliyuncs.com/"], "bip": "192.168.1.5/24" } EOF
[root@localhost ~]# vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock [root@localhost ~]# systemctl daemon-reload [root@localhost ~]# systemctl restart docker
在客户端上向dockerd直接传递“-H|--host”选项指定要控制哪台主机上的docker容器
[root@localhost ~]# docker -H 192.168.203.138:2375 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e97bc1774e40 httpd "httpd-foreground" 30 minutes ago Up 11 seconds 192.168.203.138:49153->80/tcp web1 af5ba32f990e busybox "sh" About an hour ago Up 14 seconds b3
创建新网络
[root@localhost ~]# docker network create ljl -d bridge 883eda50812bb214c04986ca110dbbcb7600eba8b033f2084cd4d750b0436e12 [root@localhost ~]# docker network ls NETWORK ID NAME DRIVER SCOPE 0c5f4f114c27 bridge bridge local 8c2d14f1fb82 host host local 883eda50812b ljl bridge local 85ed12d38815 none null local
创建一个额外的自定义桥,区别于docker0
使用新创建的自定义桥来创建容器:
[root@localhost ~]# docker run -it --name b1 --network br0 busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:02:02 inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:11 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:962 (962.0 B) TX bytes:0 (0.0 B)
再创建一个容器,使用默认的bridge桥:
[root@localhost ~]# docker run --name b2 -it busybox / # ls bin dev etc home proc root sys tmp usr var / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:01:03 inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:516 (516.0 B) TX bytes:0 (0.0 B)
