By default, docker uses bridge mode: the container is connected to the host through a bridge and is assigned an unused IP address from the bridge's subnet. This is inconvenient because the IP address inside the container is not fixed; to reach the container you can only map its ports to the host. Therefore, many projects use an overlay to provide network configuration for docker, such as pipework, flannel, kubernetes, weave, and opencontrail.
To use an overlay to configure the network for docker, you must first understand docker's network modes:
--net=bridge
-The default action, that connects the container to the docker bridge as described above.
--net=host
-Tells docker to skip placing the container inside of a separate network stack. In essence, this choice tells docker not to containerize the container's networking! While container processes will still be confined to their own filesystem and process list and resource limits, a quick ip addr command will show you that, network-wise, they live "outside" in the main docker host and have full access to its network interfaces. Note that this does not let the container reconfigure the host network stack (that would require --privileged=true), but it does let container processes open low-numbered ports like any other root process. It also allows the container to access local network services like D-Bus. This can lead to processes in the container being able to do unexpected things like restart your computer. You should use this option with caution.
--net=container:NAME_or_ID
-Tells docker to put this container's processes inside of the network stack that has already been created inside of another container. the new container's processes will be confined to their own filesystem and process list and resource limits, but will share the same IP address and port numbers as the first container, and processes on the two containers will be able to connect to each other over the loopback interface.
--net=none
-Tells docker to put the container inside of its own network stack but not to take any steps to configure its network, leaving you free to build any of the custom deployments already described in the last few sections of this document.
Of the preceding modes, only --net=none allows a fixed IP address to be assigned to the container. Here is how to do it.
First, configure a bridge to which the container's interface will be attached. You can use OVS or a Linux bridge; take the Linux bridge as an example:
# create the bridge, move the host's address from the physical NIC onto it,
# then enslave the NIC (em1 and eth0 below must name the same physical interface on your host)
br_name=docker
brctl addbr $br_name
ip addr add 192.168.33.2/24 dev $br_name
ip addr del 192.168.33.2/24 dev em1
ip link set $br_name up
brctl addif $br_name eth0
Next, start the container. Note that --net=none is used:
# start new container and record its init process id (used as the netns name below)
hostname='docker.test.com'
cid=$(docker run -d -i -h $hostname --net=none -t centos)
pid=$(docker inspect -f '{{.State.Pid}}' $cid)
Configure the network namespace for the container and set a fixed IP Address:
# set up netns: expose the container's network namespace to ip-netns
mkdir -p /var/run/netns
ln -s /proc/$pid/ns/net /var/run/netns/$pid
# set up bridge: create a veth pair and attach the host end to the bridge
ip link add q$pid type veth peer name r$pid
brctl addif $br_name q$pid
ip link set q$pid up
# set up docker interface: move the other end into the container as eth0
fixed_ip='192.168.33.3/24'
gateway='192.168.33.1'
ip link set r$pid netns $pid
ip netns exec $pid ip link set dev r$pid name eth0
ip netns exec $pid ip link set eth0 up
ip netns exec $pid ip addr add $fixed_ip dev eth0
ip netns exec $pid ip route add default via $gateway
In this way, the container network is configured. If the sshd service is running inside the container, you can connect to it directly over SSH at 192.168.33.3, which is very convenient.
Cleaning up the network when the container needs to be deleted is actually very simple:
# stop and delete container
docker stop $cid
docker rm $cid
# delete docker's net namespace (also deletes the veth pair)
ip netns delete $pid
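As an added example (not code from the original post), the per-container steps above as a small Python planner that checks the fixed address, prefix length and gateway against the bridge's subnet before emitting the same ip/brctl commands, since a mistyped subnet or an address that collides with the host or gateway is the usual reason this setup fails silently. It assumes the article's names (bridge docker, veth ends q$pid/r$pid, container interface eth0) and uses ln -sf instead of ln -s so a plan can be re-run; by default it only prints the plan.

```python
# Added example (not from the original post): plan the per-container steps of
# the article with the address arithmetic checked before anything is run.
import ipaddress
import subprocess

def plan_container_net(pid, bridge, bridge_cidr, fixed_ip_cidr, gateway):
    """Return the commands that give container `pid` the fixed address on
    `bridge`; raise ValueError if the addresses do not fit the bridge subnet."""
    bridge_if = ipaddress.ip_interface(bridge_cidr)
    net = bridge_if.network
    cont = ipaddress.ip_interface(fixed_ip_cidr)
    gw = ipaddress.ip_address(gateway)
    if cont.network != net:   # wrong subnet or wrong prefix length
        raise ValueError(f"{fixed_ip_cidr} does not match bridge subnet {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside bridge subnet {net}")
    reserved = {net.network_address, net.broadcast_address, bridge_if.ip, gw}
    if cont.ip in reserved:
        raise ValueError(f"{cont.ip} is the network, broadcast, host or gateway address")
    ns, q, r = str(pid), f"q{pid}", f"r{pid}"   # names as in the article
    in_ns = ["ip", "netns", "exec", ns, "ip"]
    return [
        ["mkdir", "-p", "/var/run/netns"],
        ["ln", "-sf", f"/proc/{pid}/ns/net", f"/var/run/netns/{ns}"],
        ["ip", "link", "add", q, "type", "veth", "peer", "name", r],
        ["brctl", "addif", bridge, q],
        ["ip", "link", "set", q, "up"],
        ["ip", "link", "set", r, "netns", ns],
        in_ns + ["link", "set", "dev", r, "name", "eth0"],
        in_ns + ["link", "set", "eth0", "up"],
        in_ns + ["addr", "add", str(cont), "dev", "eth0"],
        in_ns + ["route", "add", "default", "via", str(gw)],  # gateway actually used
    ]

def is_valid_fixed_ip(bridge_cidr, fixed_ip_cidr, gateway):
    """True if plan_container_net would accept this address combination."""
    try:
        plan_container_net(0, "docker", bridge_cidr, fixed_ip_cidr, gateway)
        return True
    except ValueError:
        return False

def apply(commands, dry_run=True):
    """Print the plan; with dry_run=False also run it as root, stopping at the first failure."""
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
```

Run `apply(plan_container_net(pid, "docker", "192.168.33.2/24", "192.168.33.3/24", "192.168.33.1"))` with the pid from docker inspect to see the exact command sequence before executing it.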
For more docker network configurations, refer to the official manual.
Configure a fixed IP address for docker