
Operations with Docker: Docker network management

Published: 2025-01-19 Author: 千家信息网 editor


The Docker engine is very powerful and ships with built-in network driver support for containers. By default Docker provides two network types: bridge and overlay.


  • Bridge: the physical NIC and the virtual NICs are bridged through a virtual switch inside the virtual network, which handles communication with the outside.

  • Overlay: so far the official documentation only describes it as a network built on VXLAN; using this encrypted network with Swarm is more secure.

1. Normally, if you are not using Swarm, creating an overlay network requires installing a key-value store service; the options include Consul, etcd and ZooKeeper.

2. Connect a cluster host to the key-value store.

3. Configure the cluster engine daemon on every Swarm node.

Note: when using an overlay network, duplicated or overlapping subnets can leave containers unable to use the network at all.


Every host with Docker installed gets the following three local networks by default:

[root@salt-node1 nginx-new]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
b60c9e065473        bridge              bridge              local
a603808ad4ba        host                host                local
48d3687c03f0        none                null                local

The bridge network is Docker's default network for a container, unless you specify a different network mode.

[root@salt-node1 nginx-new]# docker run -itd --name=networktest training/webapp
f959f1626b03d965692d0d45f5307c062facac69eff2a33779a50293c35f662e

Inspect the bridge network to see all of its details: the subnet, the gateway and the container IPs.

[root@salt-node1 nginx-new]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "b60c9e065473e9d0f8b5eaffc520b681d812e3edd4105cdeba39b5e09bb81ba0",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Containers": {
            "846953219c6d32025f2ec9b95ea57d50c2f6cc04fbf92047b8a0e5789d623026": {
                "Name": "zen_varahamihira",
                "EndpointID": "d2f6b8fdfa73fc369c5c77465f79f9d7ada17d9d612b5397a3da227a5e133c1b",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "f959f1626b03d965692d0d45f5307c062facac69eff2a33779a50293c35f662e": {
                "Name": "networktest",
                "EndpointID": "3017afc38daac830d872606ffafe5254a408e30e2b10a5c65b0977ba60018c38",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

[root@salt-node1 nginx-new]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                     NAMES
f959f1626b03        training/webapp     "python app.py"     4 minutes ago       Up 4 minutes        5000/tcp                  networktest
846953219c6d        training/webapp     "python app.py"     25 hours ago        Up 25 hours         0.0.0.0:32768->5000/tcp   zen_varahamihira

Remove a specified container from the bridge network

[root@salt-node1 nginx-new]# docker network disconnect bridge networktest

Create your own bridge network

The Docker engine natively ships with bridge and overlay networks. A Docker bridge network is confined to a single host, so it becomes a problem once you have a multi-host cluster. In that case an overlay network better meets your needs: it can span multiple hosts, and it is an advanced topic.

docker network create -d [network type] [network name]

[root@salt-node1 nginx-new]# docker network create -d bridge nginxs-bridge-network
b67220ae9284c802cd48dca1239026b7539c58b97ef19b19ae8b5d7c7ce13d62
[root@salt-node1 nginx-new]# docker network ls
NETWORK ID          NAME                    DRIVER              SCOPE
b60c9e065473        bridge                  bridge              local
a603808ad4ba        host                    host                local
b67220ae9284        nginxs-bridge-network   bridge              local
48d3687c03f0        none                    null                local

View the new network's details

[root@salt-node1 nginx-new]# docker network inspect nginxs-bridge-network
[
    {
        "Name": "nginxs-bridge-network",
        "Id": "b67220ae9284c802cd48dca1239026b7539c58b97ef19b19ae8b5d7c7ce13d62",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1/16"
                }
            ]
        },
        "Internal": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]

Add a container to a specified network

Creating a separate network so that your web application is isolated from other networks is what makes it secure. When you run a container for the first time you can attach it to a new network. By default, containers on two different bridge networks cannot communicate with each other at all; how to let specified containers on two networks talk to each other is covered below.

Parameter: --net=[network name]

[root@salt-node1 nginx-new]# docker run -d --net=nginxs-bridge-network --name db training/postgres
Unable to find image 'training/postgres:latest' locally
latest: Pulling from training/postgres
a3ed95caeb02: Pull complete
6e71c809542e: Pull complete
2978d9af87ba: Pull complete
e1bca35b062f: Pull complete
500b6decf741: Pull complete
74b14ef2151f: Pull complete
7afd5ed3826e: Pull complete
3c69bb244f5e: Pull complete
d86f9ec5aedf: Pull complete
010fabf20157: Pull complete
Digest: sha256:a945dc6dcfbc8d009c3d972931608344b76c2870ce796da00a827bd50791907e
Status: Downloaded newer image for training/postgres:latest
4b0bc86f18596e6c24a505a40c759e09c1fd7520a487bf2f278348c641c5240f

View the network configuration of a specified container

[root@salt-node1 nginx-new]# docker inspect --format='{{json .NetworkSettings.Networks}}' db
{"nginxs-bridge-network":{"IPAMConfig":null,"Links":null,"Aliases":["4b0bc86f1859"],"NetworkID":"b67220ae9284c802cd48dca1239026b7539c58b97ef19b19ae8b5d7c7ce13d62","EndpointID":"99b9f2f973335447640639e146614ab6f4857b0d1e30f5ed6f9b507f645e137a","Gateway":"172.18.0.1","IPAddress":"172.18.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:12:00:02"}}

To print only the container's IP address, iterate over the networks in the Go template:

[root@salt-node1 ~]# docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' db
172.18.0.2

Connect a specified container to a specified network

docker network connect [network name] [CONTAINER NAME]

[root@salt-node1 ~]# docker network connect nginxs-bridge-network db2
[root@salt-node1 nginx-new]# docker exec -it db2 bash
root@cf9b593a29bc:/# ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2) 56(84) bytes of data.
64 bytes from 172.18.0.2: icmp_seq=74 ttl=64 time=0.130 ms
64 bytes from 172.18.0.2: icmp_seq=75 ttl=64 time=0.116 ms
64 bytes from 172.18.0.2: icmp_seq=76 ttl=64 time=0.119 ms
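The two checks a practitioner wants from the `docker network inspect` output shown above, as an added example that is not part of the original post: detecting the overlapping-subnet misconfiguration the note earlier warns about, and working out which containers can reach each other before and after `docker network connect`. The sample data is constructed from the page's networks plus a hypothetical overlapping network; placing db2 on the default bridge is an assumption.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker network inspect` output: the
# page's default bridge and nginxs-bridge-network (trimmed), plus a
# hypothetical third network whose subnet overlaps the default bridge.
# db2 on the default bridge is an assumption, not shown on the page.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Containers": {"f959": {"Name": "networktest", "IPv4Address": "172.17.0.3/16"},
                    "8469": {"Name": "zen_varahamihira", "IPv4Address": "172.17.0.2/16"},
                    "cf9b": {"Name": "db2", "IPv4Address": "172.17.0.4/16"}}},
    {"Name": "nginxs-bridge-network", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
     "Containers": {"4b0b": {"Name": "db", "IPv4Address": "172.18.0.2/16"}}},
    {"Name": "hypothetical-overlap", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.128.0/17", "Gateway": "172.17.128.1"}]},
     "Containers": {}},
])

def load_networks(inspect_json):
    """Parse the JSON array that `docker network inspect` prints."""
    return json.loads(inspect_json)

def overlapping_subnets(networks):
    """Pairs of network names whose IPAM subnets overlap (the page's warning)."""
    subnets = [(n["Name"], ipaddress.ip_network(c["Subnet"]))
               for n in networks for c in n["IPAM"]["Config"]]
    return [(a, b) for i, (a, sa) in enumerate(subnets)
            for b, sb in subnets[i + 1:] if sa.overlaps(sb)]

def members(networks, container):
    """Set of network names the container is attached to."""
    return {n["Name"] for n in networks
            if any(c["Name"] == container for c in n["Containers"].values())}

def can_reach(networks, a, b):
    """Containers on bridge networks reach each other only via a shared network."""
    return bool(members(networks, a) & members(networks, b))

def connect(networks, network_name, container, ipv4):
    """Model `docker network connect <network> <container>` on the inspect data."""
    for n in networks:
        if n["Name"] == network_name:
            n["Containers"][container] = {"Name": container, "IPv4Address": ipv4}
            return
    raise KeyError(network_name)
```

Run it against real output by piping `docker network inspect $(docker network ls -q)` into `load_networks`; an empty overlap list and a reachability matrix limited to the containers you intended to pair is the expected state.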

