Docker Network Configuration

Source: Internet
Author: User
Tags: iptables, docker ps, docker run

I. Docker network usage

1. To make a container reachable from outside, specify port mappings with -P or -p.

When the -P flag is used, Docker maps a random host port in the 49000~49900 range to a network port that the container has opened.

---> docker run -d -P training/webapp python app.py

---> docker ps -l    (view the port mapping)

root@izrj92o440hd7iwmo9iwfgz:~# docker run -d -P training/webapp python app.py
8a65b840a7882d76746baba48c98227b03be2218aa0af262f8180d0dee83c361
root@izrj92o440hd7iwmo9iwfgz:~# docker ps -l
CONTAINER ID   IMAGE             COMMAND           CREATED       STATUS       PORTS                     NAMES
8a65b840a788   training/webapp   "python app.py"   seconds ago   Up seconds   0.0.0.0:32768->5000/tcp   big_swirles
root@izrj92o440hd7iwmo9iwfgz:~#

Another way to check is to read the container's log with docker logs:

docker logs -f big_swirles
 * Running on http://0.0.0.0:5000/

-p (lowercase) specifies the port to map; a given host port can be bound by only one container. The supported formats are

---> ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort

2. Map to all interface addresses
To map the local port 5000 to the container's port 5000 using the hostPort:containerPort format, run
---> docker run -d -p 5000:5000 training/webapp python app.py
By default this binds the port on every address of every interface.

root@izrj92o440hd7iwmo9iwfgz:~# docker run -d -p 5000:5000 training/webapp python app.py
5ac7269af1a91912fd55ace61c35ca314e831294524f7a5611013dc2fffc0b33

3. Map to a specified port at a specified address
Use the ip:hostPort:containerPort format to map through one specific address, such as the localhost address 127.0.0.1
---> docker run -d -p 127.0.0.1:5000:5000 training/webapp python app.py

root@izrj92o440hd7iwmo9iwfgz:~# docker run -d -p 127.0.0.1:5010:5000 training/webapp python app.py
c7fb1bdfcb1bc2156ed6ef1e3ea7f95423ad9c354cf8c641dee1c2f49444f837


4. Map any port at a specified address
With the ip::containerPort format the local host automatically picks a free port on localhost and binds it to port 5000 of the container.
---> docker run -d -p 127.0.0.1::5000 training/webapp python app.py

5. Use the udp suffix to map a UDP port
---> docker run -d -p 127.0.0.1:5000:5000/udp training/webapp python app.py

6. View the current port mapping
Use docker port to view the current port mapping of a container, or the address it is bound to
---> docker port nostalgic_morse 5000

root@izrj92o440hd7iwmo9iwfgz:~# docker port big_swirles 5000
0.0.0.0:32768
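The host address a port is published on decides who can reach the container: 0.0.0.0 means every interface of the host, 127.0.0.1 only local processes. The following shell script is an added example, not code from the original page or from Docker; it reads lines of the form "<name> <PORTS column>" (what `docker ps --format '{{.Names}} {{.Ports}}'` prints) and reports, for each published port, which kind of address it is bound to. The sample lines are constructed in the shape of the page's `docker ps -l` output, and all function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: audit published ports.
# Reads lines of the form "<name> <PORTS column>" (as printed by
# `docker ps --format '{{.Names}} {{.Ports}}'`) and prints one row per
# published port with the kind of host address it is bound to.

# Constructed sample input modelled on the page's `docker ps -l` output.
SAMPLE_PS='big_swirles 0.0.0.0:32768->5000/tcp
quiet_wing 127.0.0.1:5010->5000/tcp
proxy_dns 127.0.0.1:5000->5000/udp, 0.0.0.0:8080->80/tcp
internal_db 5432/tcp'

# classify_binding HOST_IP -> all-interfaces | loopback | specific
classify_binding() {
    case "$1" in
        0.0.0.0|'[::]') echo all-interfaces ;;
        127.*|'[::1]')  echo loopback ;;
        *)              echo specific ;;
    esac
}

# audit_ports: stdin = "<name> <ports>" lines; stdout = one line per
# published port: name host_ip host_port container_port proto exposure
audit_ports() {
    while read -r name ports; do
        [ -n "$ports" ] || continue
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r map; do
            # "5432/tcp" alone means EXPOSE without -p: not reachable from
            # outside the host, so it is skipped
            case "$map" in *'->'*) ;; *) continue ;; esac
            host=${map%%->*}            # e.g. 0.0.0.0:32768
            rest=${map#*->}             # e.g. 5000/tcp
            hip=${host%:*}; hport=${host##*:}
            cport=${rest%/*}; proto=${rest#*/}
            printf '%s %s %s %s %s %s\n' \
                "$name" "$hip" "$hport" "$cport" "$proto" "$(classify_binding "$hip")"
        done
    done
}

# count_all_interfaces: how many sample ports are reachable on every interface
count_all_interfaces() {
    printf '%s\n' "$SAMPLE_PS" | audit_ports | awk '$6 == "all-interfaces"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PS" | audit_ports
echo "ports bound on all interfaces: $(count_all_interfaces)"
```

Rows marked all-interfaces deserve a second look: traffic to a published port is DNAT'ed and forwarded into the container rather than delivered to a host socket, so INPUT-chain rules written for host services do not cover it, and binding to 127.0.0.1 (or a specific address) is the simplest way to keep a service off the network.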

II. Docker network configuration

1. Introduction

When the Docker daemon starts, it creates a virtual bridge named docker0; in effect it is a software bridge (a virtual switch) that the containers are attached to.

2. Docker network-related command options

-b BRIDGE or --bridge=BRIDGE -- specify the bridge that containers are attached to
--bip=CIDR -- customize the address and netmask of docker0
-H SOCKET... or --host=SOCKET... -- the channel on which the Docker server receives commands
--icc=true|false -- whether to allow communication between containers
--ip-forward=true|false -- see "access between containers" below
--iptables=true|false -- whether to allow Docker to add iptables rules
--mtu=BYTES -- the MTU of the container network

The following two options are given when starting the service:

--dns=IP_ADDRESS... -- use the specified DNS server
--dns-search=DOMAIN... -- specify the DNS search domain

The following options are only used with docker run, because they apply to the container's own configuration.
-h HOSTNAME or --hostname=HOSTNAME -- configure the container's host name
--link=CONTAINER_NAME:ALIAS -- add a link to another container
--net=bridge|none|container:NAME_or_ID|host -- configure the container's network mode
-p SPEC or --publish=SPEC -- map a container port to the host
-P or --publish-all=true|false -- map all of the container's ports to the host

3. View mount information with the mount command

root@izrj92o440hd7iwmo9iwfgz:~# mount
/dev/vda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none on /sys/fs/pstore type pstore (rw)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)
root@izrj92o440hd7iwmo9iwfgz:~#

4. Manually specify the configuration of the container

-h HOSTNAME or --hostname=HOSTNAME sets the host name of the container, which is written to /etc/hostname and /etc/hosts inside the container. It is not visible outside the container, neither in docker ps nor in the /etc/hosts of other containers.

The --link=CONTAINER_NAME:ALIAS option adds the host name of another container to the /etc/hosts file when the container is created, so that processes in the new container can connect to it using the host name ALIAS.

--dns=IP_ADDRESS adds a DNS server to the container's /etc/resolv.conf; the container uses this server to resolve every host name that is not listed in /etc/hosts.

--dns-search=DOMAIN sets the search domain for the container. When the search domain is set to .example.com, a DNS lookup for a host named host also tries host.example.com. Note: if neither of the last two options is given, Docker by default configures the container with the host's /etc/resolv.conf.

III. Container access control

1. Container access to the external network

Access to the external network requires IP forwarding support on the local system. Check whether forwarding is enabled with

root@izrj92o440hd7iwmo9iwfgz:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

If net.ipv4.ip_forward = 0, run the following command

root@izrj92o440hd7iwmo9iwfgz:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
root@izrj92o440hd7iwmo9iwfgz:~# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

2. Containers can access each other when the following conditions are met

The containers' network topology is interconnected. By default, all containers are attached to the docker0 bridge.
The local system's firewall software (iptables) allows the traffic through.

A. Access to all ports

When the Docker service starts, it adds a forwarding policy to the iptables FORWARD chain by default. Whether that policy passes (ACCEPT) or blocks (DROP) traffic depends on the configuration: --icc=true (the default) or --icc=false. Naturally, no iptables rules are added at all if you specify --iptables=false. So by default, network access between different containers is allowed. If security considerations require it, you can set DOCKER_OPTS=--icc=false in the /etc/default/docker file to disable it.

B. Accessing specific ports

After turning off network access with --icc=false, a container's open ports can still be reached through the --link=CONTAINER_NAME:ALIAS option. For example, start the Docker service with --icc=false --iptables=true to turn off mutual network access while still allowing Docker to modify the system's iptables rules. The iptables rules on the system will then look something like this

root@izrj92o440hd7iwmo9iwfgz:~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2          tcp dpt:7054
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.3          tcp dpt:7053
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.3          tcp dpt:7051
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.3          tcp dpt:7050
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.4          tcp dpt:5000
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.5          tcp dpt:5000
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.6          tcp dpt:5000

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
root@izrj92o440hd7iwmo9iwfgz:~#
...

The --link=CONTAINER_NAME:ALIAS option is used when starting a container (docker run). Docker then adds an ACCEPT rule for each of the two containers to iptables, allowing access to their open ports (those declared by EXPOSE lines in the Dockerfile). With the --link=CONTAINER_NAME:ALIAS option the following iptables rules are added.

root@izrj92o440hd7iwmo9iwfgz:~# iptables -nL
Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.2          tcp dpt:7054
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.3          tcp dpt:7053
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.3          tcp dpt:7051
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.3          tcp dpt:7050
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.4          tcp dpt:5000
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.5          tcp dpt:5000
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.6          tcp dpt:5000

Note: the CONTAINER_NAME in --link=CONTAINER_NAME:ALIAS must be the name assigned by Docker or the name given with the --name parameter; the container's host name is not recognized.
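The two checks this section describes, the ip_forward sysctl and the rules Docker installs in the FORWARD and DOCKER chains, can be turned into a small audit. The shell script below is an added example, not code from the original page or from Docker: it parses saved `iptables -nL` text to report the FORWARD policy and every container port the DOCKER chain accepts, separates rules open to any source (0.0.0.0/0) from rules pinned to a single peer, and tests the forwarding flag. The rule listing is constructed in the shape of the page's output (one --link-style rule with a specific source was added to show the difference), and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: audit what Docker has
# opened, from saved `iptables -nL` text plus the ip_forward setting.
# The listing below is constructed in the shape of the page's output; on a
# real host pipe `iptables -nL` into the functions instead.

SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.4          tcp dpt:5000
ACCEPT     tcp  --  192.168.0.5          192.168.0.6          tcp dpt:5432

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# chain_policy CHAIN: print the default policy of CHAIN (stdin = iptables -nL)
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain && $3 == "(policy" {
        sub(/\)$/, "", $4); print $4 }'
}

# docker_open_ports: "dest port/proto from source" for every ACCEPT rule in
# the DOCKER chain, i.e. the container ports Docker has made reachable
docker_open_ports() {
    awk '
        /^Chain DOCKER \(/ { in_docker = 1; next }
        /^Chain /          { in_docker = 0 }
        in_docker && $1 == "ACCEPT" && $NF ~ /^dpt:/ {
            sub(/^dpt:/, "", $NF)
            printf "%s %s/%s from %s\n", $5, $NF, $2, $4
        }'
}

# world_reachable_ports: the subset accepted from any source (0.0.0.0/0),
# as opposed to a rule pinned to one peer, which is what --link produces
world_reachable_ports() {
    docker_open_ports | awk '$4 == "0.0.0.0/0" { print $1, $2 }'
}

# check_ip_forward [FILE]: succeed when forwarding is enabled; without it
# containers cannot reach beyond the host (the page's sysctl check)
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

echo "FORWARD policy: $(printf '%s\n' "$SAMPLE_RULES" | chain_policy FORWARD)"
echo "ports accepted by the DOCKER chain:"
printf '%s\n' "$SAMPLE_RULES" | docker_open_ports
echo "reachable from any source:"
printf '%s\n' "$SAMPLE_RULES" | world_reachable_ports
check_ip_forward && echo "ip_forward enabled" || echo "ip_forward disabled"
```

Running this after a daemon restart is a quick way to confirm that --icc=false and --link produced the rules you expected: a port listed under "reachable from any source" is open to every container on the bridge (and, when published, to the network), while a --link rule shows up with a specific peer address as its source.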

IV. Configure the docker0 bridge

1. Configure when starting the service

--bip=CIDR -- IP address and netmask in CIDR format, such as 192.168.1.5/24
--mtu=BYTES -- override the default Docker MTU

2. Set DOCKER_OPTS in the configuration file; after restarting the service, view the result with the following command

root@izrj92o440hd7iwmo9iwfgz:~# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02423a7a1457       no              veth6955a50
                                                        veth8201676
                                                        veth8a171bb
                                                        vethceec7c6
                                                        vethfb21fca
root@izrj92o440hd7iwmo9iwfgz:~#

3. Each time a new container is created, Docker picks a free IP address from the available address range and assigns it to the container's eth0 interface; the IP of the docker0 interface on the local host is used as the default gateway for all containers

root@izrj92o440hd7iwmo9iwfgz:~# docker run -i -t --rm training/webapp /bin/bash
root@f003ed71da11:/opt/webapp# ip addr show eth0
181: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:c0:a8:00:07 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.7/20 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:c0ff:fea8:7/64 scope link
       valid_lft forever preferred_lft forever
root@f003ed71da11:/opt/webapp# ip route
default via 192.168.0.1 dev eth0
192.168.0.0/20 dev eth0 proto kernel scope link src 192.168.0.7
root@f003ed71da11:/opt/webapp# exit
exit
root@izrj92o440hd7iwmo9iwfgz:~#
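The address range docker0 hands out follows directly from the --bip value: the network part of the CIDR is the pool, the host part is docker0's own address and therefore the containers' gateway. The shell script below is an added example, not code from the original page or from Docker, that does this subnet arithmetic in POSIX sh: it derives the network from a --bip-style value, checks that a container address lies inside it, and goes one step beyond the page with an overlap test between two CIDRs, which is the check to run before choosing a --bip that might collide with a network the host already routes to. The inputs (docker0 at 192.168.0.1/20, a container at 192.168.0.7, bridge0 at 192.168.5.1/24) are taken from the page's output and used here as constructed values; IPv4 only, and all function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: subnet arithmetic for the
# --bip value. It derives the range docker0 hands out addresses from and
# checks a container address and gateway against it, using the page's
# figures (docker0 at 192.168.0.1/20, container eth0 at 192.168.0.7) as
# constructed inputs. IPv4 only; all names are the example's own.

# ip_to_int 192.168.0.7 -> 3232235527
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235527 -> 192.168.0.7
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_int PREFIX -> mask as an integer (20 -> 4294963200 = 255.255.240.0)
netmask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of HOST/PREFIX -> NETWORK/PREFIX, e.g. 192.168.0.1/20 -> 192.168.0.0/20
network_of() {
    local ip pfx net
    ip=${1%/*}; pfx=${1#*/}
    net=$(( $(ip_to_int "$ip") & $(netmask_int "$pfx") ))
    echo "$(int_to_ip "$net")/$pfx"
}

# in_subnet IP CIDR -> exit 0 when IP lies inside CIDR
in_subnet() {
    local m
    m=$(netmask_int "${2#*/}")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "${2%/*}") & m )) ]
}

# cidr_overlap CIDR1 CIDR2 -> exit 0 when the two ranges overlap. Aligned
# blocks overlap only when one contains the other, so it suffices to test
# each block's address against the other block.
cidr_overlap() {
    in_subnet "${1%/*}" "$2" || in_subnet "${2%/*}" "$1"
}

BIP=192.168.0.1/20            # what --bip=CIDR would be set to
CONTAINER=192.168.0.7         # eth0 address seen inside the container
echo "docker0 network: $(network_of "$BIP"), gateway ${BIP%/*}"
in_subnet "$CONTAINER" "$BIP" && echo "$CONTAINER is in the docker0 range"
cidr_overlap "$BIP" 192.168.5.1/24 && echo "192.168.5.1/24 overlaps $BIP"
```

The overlap result is worth noting: the custom bridge0 range used in the next section sits inside the docker0 range shown above, which is harmless only because docker0 is deleted before bridge0 is created. Leaving two bridges with overlapping ranges on one host makes the kernel's routing between them ambiguous, so run the check before adding a bridge or changing --bip.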

V. Custom bridge

Besides the default docker0 bridge, users can also specify their own bridge to connect the containers. When starting the Docker service, use -b BRIDGE or --bridge=BRIDGE to specify the bridge to use. If the service is already running, first stop it and remove the old bridge.
---> service docker stop
---> ip link set dev docker0 down
---> brctl delbr docker0

Then create a bridge named bridge0.
---> brctl addbr bridge0
---> ip addr add 192.168.5.1/24 dev bridge0
---> ip link set dev bridge0 up

Check that the bridge has been created and brought up.

---> ip addr show bridge0
4: bridge0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state UP group default
    link/ether 66:38:d0:0d:76:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/24 scope global bridge0
       valid_lft forever preferred_lft forever

Configure the Docker service so that the newly created bridge is its default bridge.
---> echo 'DOCKER_OPTS="-b=bridge0"' >> /etc/default/docker
---> service docker start
Start the Docker service and create a new container; you can see that it is now bridged to bridge0.



