Docker: configuring a fixed IP and a custom bridge _docker

Source: Internet
Author: User
Tags: iptables, docker run

By default Docker uses bridge mode: each container is attached to a Linux bridge on the host, and the container takes an unused address from the bridge's subnet. The inconvenience is that a container's IP is not fixed, so the only stable way to reach a container is through ports mapped to the host. Many projects therefore supply their own network layer for Docker, several of them overlay networks: pipework, flannel, Kubernetes, Weave, OpenContrail and so on.

Before using such tools to configure Docker networking, you need to understand Docker's own network modes:

Four network modes of Docker

Docker supports four network modes when creating a container. Bridge is the default and applies when --net is not given; the other three must be requested explicitly with --net.

    1. Bridge mode: --net=bridge (the default).
    2. None mode: --net=none.
    3. Host mode: --net=host.
    4. Container mode: --net=container:<container name or ID> (for example --net=container:30b668ccb630).

Bridge mode: Docker's network isolation is built on network namespaces. When a container is created on the host it gets its own network namespace, and the container's interface is attached to the host's virtual bridge (docker0 by default).

None mode: the container is created with no network configuration at all: no interface apart from loopback, no IP and no routes. Everything has to be configured by hand (Example two below relies on this).

Host mode: the container gets no network namespace of its own; it shares the host's network stack, including all of the host's interfaces, IPs and ports. There is no network isolation: a process in the container can bind any host port and, with Docker's default capability set, capture packets on the host's interfaces, which is why this mode is considered unsafe.

Container mode: similar to host mode, except that the new container shares the network namespace of another container rather than the host's. It gets no interfaces or ports of its own: inside it you will see the IP of the container you named, and the two share the same port space (both cannot bind the same port). Only the network namespace is shared; the other namespaces, such as PID and mount, remain separate.
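The statements above about what host and container mode share can be verified from the host by comparing the namespace links under /proc/PID/ns. The following script is an added example, not code from the original article; the container_pid helper and the container names in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Compare the namespaces of two processes via /proc/PID/ns. This is the
# check that shows what --net=host and --net=container:ID really share.
# Example code, not part of the original article.
set -eu

NS_TYPES="net pid mnt ipc uts"

# ns_id PID TYPE: the "type:[inode]" string identifying a namespace.
# Two processes are in the same namespace iff these strings are equal.
ns_id() {
    readlink "/proc/$1/ns/$2"
}

# ns_diff PID1 PID2: one line per namespace type, "TYPE shared" or
# "TYPE separate". Returns 1 if either pid does not exist.
ns_diff() {
    [ -d "/proc/$1" ] && [ -d "/proc/$2" ] || return 1
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t") || return 1
        b=$(ns_id "$2" "$t") || return 1
        if [ "$a" = "$b" ]; then echo "$t shared"; else echo "$t separate"; fi
    done
}

# shares_net PID1 PID2: true when the two processes share a network namespace
shares_net() {
    [ "$(ns_id "$1" net)" = "$(ns_id "$2" net)" ]
}

# container_pid NAME_OR_ID: host pid of a container's init process
# (assumed helper; needs the docker CLI on the host)
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# Usage on a Docker host, as root so /proc/PID/ns of other users is readable:
#   ./nsdiff.sh web 1          # --net=host container vs. host init: net shared, rest separate
#   ./nsdiff.sh web sidecar    # sidecar started with --net=container:web: net shared, rest separate
if [ $# -eq 2 ]; then
    ns_diff "$(container_pid "$1")" "$(container_pid "$2")"
fi
```

Expect exactly one "shared" line, for net, in both host-mode and container-mode cases; a bridge-mode container shows every namespace as separate.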

Second, configuring a custom bridge for Docker

Example one:

1) Create a custom bridge

root@docker:~# dpkg -l | grep bridge*    # check whether the package providing brctl is installed
ii  bridge-utils  1.5-6ubuntu2  amd64  Utilities for configuring the Linux Ethernet bridge
root@docker:~# apt-get install bridge-utils    # install the brctl package
root@docker:~# docker -v    # docker version
Docker version 1.5.0, build a8a31ef
root@docker:~# ps -ef | grep docker    # docker is running
root  6834  1  0 16:28 ?  00:00:00 /usr/bin/docker -d
root@docker:~# service docker stop    # stop docker
root@docker:~# ifconfig | grep docker0    # docker's default bridge
docker0   Link encap:Ethernet  HWaddr 56:84:7a:fe:97:99
root@docker:~# ifconfig docker0 down    # bring the default bridge down
root@docker:~# brctl show    # list the bridges on the host
root@docker:~# brctl delbr docker0    # delete docker's default bridge

root@docker:~# brctl addbr docker_new0    # create the custom bridge
root@docker:~# ifconfig docker_new0 192.168.6.1 netmask 255.255.255.0    # give the custom bridge an IP and subnet
root@docker:~# ifconfig | grep docker_new0    # the custom bridge is up
docker_new0  Link encap:Ethernet  HWaddr 0a:5b:26:48:dc:04
             inet addr:192.168.6.1  Bcast:192.168.6.255  Mask:255.255.255.0

root@docker:~# echo 'DOCKER_OPTS="-b=docker_new0"' >> /etc/default/docker    # tell docker to use the bridge
root@docker:~# service docker start    # start docker
root@docker:~# ps -ef | grep docker    # started successfully, with docker_new0 loaded
root  21345  1  0 18:44 ?  00:00:00 /usr/bin/docker -d -b=docker_new0
root@docker:~# brctl show    # no container is attached to the bridge yet
bridge name   bridge id           STP enabled   interfaces
docker_new0   8000.fa3ce276c3b9   no
root@docker:~# docker run -itd centos:centos6 /bin/bash    # create a test container
root@docker:~# docker attach 7f8ff622237f    # enter the container
[root@7f8ff622237f /]# ifconfig eth0 | grep addr    # the container IP is in the custom bridge's subnet, but it was allocated by Docker from that subnet, not a fixed IP of our choosing
eth0  Link encap:Ethernet  HWaddr 02:42:c0:a8:06:02
      inet addr:192.168.6.2  Bcast:0.0.0.0  Mask:255.255.255.0
      inet6 addr: fe80::42:c0ff:fea8:602/64 Scope:Link
root@docker:~# brctl show    # a network device is now attached to the bridge
bridge name   bridge id           STP enabled   interfaces
docker_new0   8000.fa3ce276c3b9   no            veth17f560a

Note: veth devices come in pairs. One end sits inside the container and is named eth0; the other end (veth17f560a here, usually named veth*) is attached to the bridge on the host. Together they form a channel: whatever enters one end comes out of the other, which is how the container's interface is wired to the bridge.


root@docker:~# wget https://github.com/jpetazzo/pipework/archive/master.zip    # download pipework
root@docker:~# unzip master.zip    # unpack it
root@docker:~# cp pipework-master/pipework /usr/bin/    # copy pipework into /usr/bin/
root@docker:~# chmod +x /usr/bin/pipework    # make it executable
root@docker:~# pipework docker_new0 -i eth1 $(docker run -itd -p 9197:80 centos:centos6 /bin/bash) 192.168.6.27/24@192.168.6.1
# Create a container and give it a fixed IP. Format: pipework <bridge> -i <interface to configure inside the container> <container name or ID> <ip/prefix>@<gateway>
# Note: the gateway is the host's bridge IP
root@docker:~# docker attach 2966430e2dbe    # enter the new container
[root@2966430e2dbe /]# ifconfig    # the container has the requested IP 192.168.6.27
eth0  Link encap:Ethernet  HWaddr 02:42:c0:a8:06:05
      inet addr:192.168.6.7  Bcast:0.0.0.0  Mask:255.255.255.0    # allocated by Docker on docker_new0 when the container was created
eth1  Link encap:Ethernet  HWaddr 82:db:f7:a3:33:92
      inet addr:192.168.6.27  Bcast:0.0.0.0  Mask:255.255.255.0    # the fixed IP set by pipework, also on bridge docker_new0
[root@2966430e2dbe /]# route -n    # check the routes
Kernel IP routing table
Destination   Gateway       Genmask         Flags Metric Ref  Use Iface
0.0.0.0       192.168.6.1   0.0.0.0         UG    0      0    0   eth0
192.168.6.0   0.0.0.0       255.255.255.0   U     0      0    0   eth0
192.168.6.0   0.0.0.0       255.255.255.0   U     0      0    0   eth1
[root@2966430e2dbe /]# ping www.linuxidc.com    # test connectivity
PING www.linuxidc.com (119.75.218.70) bytes of data.
bytes from 119.75.218.70: icmp_seq=1 ttl=127 time=3.98 ms
bytes from 119.75.218.70: icmp_seq=2 ttl=127 time=2.98 ms
[root@2966430e2dbe /]# netstat -anptu | grep 80    # port 80 is listening inside the container
tcp  0  0 :::80  :::*  LISTEN  -
root@docker:~# telnet 192.168.6.27 80    # from the host, check that the fixed IP and the published port are reachable
Trying 192.168.6.27...
Connected to 192.168.6.27.
Escape character is '^]'.
root@docker:~# iptables-save > iptables-rules    # dump the firewall rules to a local file
root@docker:~# vi iptables-rules    # open the file and you will find that the host firewall has gained many rules automatically

These are the address-translation rules that carry the container's traffic from the bridge through the host's NIC to the public network: MASQUERADE for the container's outbound connections and DNAT for the -p 9197:80 mapping. Note that Docker keys these rules on the address it assigned itself (192.168.6.7 on eth0). The fixed address pipework added on eth1 is unknown to Docker, so no DNAT points at it and none of Docker's filter rules restrict it: every port the container listens on is reachable directly at 192.168.6.27 from the host and from anything else on that bridge, whether or not it was published with -p. If you rely on -p as an exposure boundary, add your own filter rules for the fixed address.
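To see concretely which rules Docker installed for the container above, the following script parses iptables-save output and reports the port mappings, the masqueraded source networks, and how many filter rules name a given container address. This is an added example, not code from the original article; the rule text is a constructed sample in Docker 1.x style for bridge docker_new0, the -p 9197:80 mapping and the two container addresses from the session above. On a real host, feed it "$(iptables-save)" instead of the sample.

```shell
#!/bin/sh
# Audit the NAT and filter rules Docker adds for a bridged container.
# Example code, not part of the original article. Input is iptables-save
# text; SAMPLE_RULES below is constructed for this example.
set -eu

# Constructed sample: what iptables-save might show after
#   docker run -itd -p 9197:80 centos:centos6 /bin/bash
# on a host whose bridge is docker_new0 (192.168.6.0/24). Docker gave the
# container 192.168.6.7; 192.168.6.27 was added afterwards by pipework.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.6.0/24 ! -o docker_new0 -j MASQUERADE
-A POSTROUTING -s 192.168.6.7/32 -d 192.168.6.7/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER ! -i docker_new0 -p tcp -m tcp --dport 9197 -j DNAT --to-destination 192.168.6.7:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker_new0 -j DOCKER
-A FORWARD -o docker_new0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker_new0 ! -o docker_new0 -j ACCEPT
-A FORWARD -i docker_new0 -o docker_new0 -j ACCEPT
-A DOCKER -d 192.168.6.7/32 ! -i docker_new0 -o docker_new0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# dnat_mappings RULES: print "HOSTPORT/PROTO -> CONTAINER:PORT" for every
# DNAT rule in the nat table's DOCKER chain (one per -p mapping).
dnat_mappings() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $2 == "DOCKER" && /-j DNAT/ {
            proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            print dport "/" proto " -> " dest
        }'
}

# masquerade_sources RULES: source networks that are SNATed on the way out
masquerade_sources() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j MASQUERADE/ {
            for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
        }'
}

# filter_rules_for RULES ADDR: number of filter-table rules naming ADDR/32.
# Zero means nothing Docker installed constrains traffic to that address.
filter_rules_for() {
    printf '%s\n' "$1" | awk -v a="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A/ && index($0, a "/32") { n++ }
        END { print n + 0 }'
}

# audit RULES ADDR...: human-readable summary for the given container addresses
audit() {
    rules=$1; shift
    echo "port mappings (host port -> container):"
    dnat_mappings "$rules"
    echo "masqueraded sources:"
    masquerade_sources "$rules"
    for a in "$@"; do
        echo "filter rules naming $a: $(filter_rules_for "$rules" "$a")"
    done
}

# ./audit.sh --demo          runs against the constructed sample
# audit "$(iptables-save)" 192.168.6.7 192.168.6.27    on a live host
if [ "${1:-}" = "--demo" ]; then
    audit "$SAMPLE_RULES" 192.168.6.7 192.168.6.27
fi
```

Against the sample, the only mapping is 9197/tcp -> 192.168.6.7:80, one filter rule names 192.168.6.7 and none names 192.168.6.27, which is the point made above: the pipework address sits outside everything Docker installed.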

Example two:

First, configure a bridge for the container interfaces, either with OVS or with a Linux bridge. For example, with a Linux bridge, moving the physical NIC's address onto the bridge and then enslaving the NIC:

br_name=docker
brctl addbr $br_name
ip addr add 192.168.33.2/24 dev $br_name
ip addr del 192.168.33.2/24 dev em1       # em1 is the physical NIC here; its address moves to the bridge
ip link set $br_name up
brctl addif $br_name em1                  # attach the same physical NIC to the bridge

Next, start the container. Note that it is started with --net=none, so Docker configures no networking for it:

# Start new container
hostname='docker.test.com'
cid=$(docker run -d -i -h $hostname --net=none -t centos)
pid=$(docker inspect -f '{{.State.Pid}}' $cid)

Then configure the container's network namespace and set the fixed IP:

# Set up netns: make the container's network namespace visible to "ip netns"
mkdir -p /var/run/netns
ln -s /proc/$pid/ns/net /var/run/netns/$pid
# Set up bridge: create a veth pair and attach the host end to the bridge
ip link add q$pid type veth peer name r$pid
brctl addif $br_name q$pid
ip link set q$pid up
# Set up Docker interface: move the other end into the container and address it
fixed_ip='192.168.33.3/24'
gateway='192.168.33.1'
ip link set r$pid netns $pid
ip netns exec $pid ip link set dev r$pid name eth0
ip netns exec $pid ip link set eth0 up
ip netns exec $pid ip addr add $fixed_ip dev eth0
ip netns exec $pid ip route add default via $gateway

The container's network is now configured. If the container runs an sshd service, you can ssh straight to 192.168.33.3, which is very convenient. Two caveats: the address is not known to Docker (docker inspect will not show it, and Docker's iptables rules do not cover it), and the /var/run/netns/$pid link points at one process, so the steps must be repeated with the new pid after the container restarts. The steps above are rather long; pipework can set a fixed IP for a container in one command (besides the IP it also handles the gateway, macvlan, VLAN, DHCP and so on):

pipework docker0 be8365e3b2834 10.88.88.8/24

When the container is deleted, cleaning up the network is also simple:

# Stop and delete container
docker stop $cid
docker rm $cid
# Delete the reference to the container's net namespace (the veth pair disappears with the namespace)
ip netns delete $pid
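Example two as one script, added here as an example and not code from the original article: the same veth pair, q$pid/r$pid naming and /var/run/netns/$pid link as above, wrapped in functions with two things the raw steps lack. It checks that the gateway actually lies inside the container's subnet before touching the host (otherwise the final "ip route add default via" fails with "Nexthop has invalid gateway" after the veth pair has already been created), and it has a DRY_RUN mode that prints the commands instead of running them. The script name fixed_ip.sh and the container ids in the usage comment are assumptions.

```shell
#!/bin/sh
# Fixed IP for a --net=none container via a veth pair and its network
# namespace, with a subnet check and a dry-run mode.
# Example code, not part of the original article.
set -eu

# ip4_to_int A.B.C.D: print the address as a 32-bit integer, or fail on bad input
ip4_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR: succeed iff ADDR lies in the network of CIDR
in_subnet() {
    addr=$(ip4_to_int "$1") || return 1
    net=$(ip4_to_int "${2%/*}") || return 1
    plen=${2#*/}
    [ "$plen" != "$2" ] || return 1            # no "/prefix" at all
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# plan_attach PID BRIDGE CIDR GATEWAY [IFNAME]: print, one per line, the
# commands that give the container's namespace a fixed address on BRIDGE.
# Fails before printing anything if GATEWAY is outside CIDR.
plan_attach() {
    pid=$1 br=$2 cidr=$3 gw=$4 ifname=${5:-eth0}
    in_subnet "$gw" "$cidr" || { echo "gateway $gw is not in $cidr" >&2; return 1; }
    cat <<EOF
mkdir -p /var/run/netns
ln -sf /proc/$pid/ns/net /var/run/netns/$pid
ip link add q$pid type veth peer name r$pid
brctl addif $br q$pid
ip link set q$pid up
ip link set r$pid netns $pid
ip netns exec $pid ip link set dev r$pid name $ifname
ip netns exec $pid ip link set $ifname up
ip netns exec $pid ip addr add $cidr dev $ifname
ip netns exec $pid ip route add default via $gw
EOF
}

# plan_detach PID: drop the namespace reference; the veth pair goes with the namespace
plan_detach() {
    echo "ip netns delete $1"
}

# run_plan: execute each command read from stdin, or only echo it when DRY_RUN=1
run_plan() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $cmd"; else eval "$cmd"; fi
    done
}

# Usage, as root on a Docker host (container ids are placeholders):
#   ./fixed_ip.sh attach 2966430e2dbe docker 192.168.33.3/24 192.168.33.1
#   DRY_RUN=1 ./fixed_ip.sh attach 2966430e2dbe docker 192.168.33.3/24 192.168.33.1
#   ./fixed_ip.sh detach 2966430e2dbe
case "${1:-}" in
    attach) pid=$(docker inspect -f '{{.State.Pid}}' "$2")
            plan_attach "$pid" "$3" "$4" "$5" | run_plan ;;
    detach) plan_detach "$(docker inspect -f '{{.State.Pid}}' "$2")" | run_plan ;;
esac
```

Run the attach step with DRY_RUN=1 first and read the ten commands it prints; the subnet check is what turns a half-configured container into a clean refusal.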

For more on Docker network configuration, refer to the official manual.

Thank you for reading, I hope to help you, thank you for your support for this site!
