Docker Network Settings


Several basic methods of Docker container interconnection

(1) Container mounts a host directory: -v, --volumes-from

(2) Interconnection between containers: --link

(3) External access to a container: -P

(4) Direct use of the host network

  docker run --rm=true --net=host --name=mydb -e MYSQL_ROOT_PASSWORD=123456 mysql
  # Use the following command to see that the container's IP addresses are identical to the host's
  docker exec -it mydb ip addr

(5) Containers sharing one IP (one network namespace)

  docker run --rm=true --name=mydb -e MYSQL_ROOT_PASSWORD=123456 mysql
  # Create a new container that shares the network (and therefore the IP) of the existing container
  docker run --rm=true --net=container:mydb java ip addr
  # Two containers that share an IP reach each other via localhost
  # On Ubuntu, use ifconfig to view network settings (bridge, interfaces, etc.). Note: ifconfig, not ipconfig! ^_^
  ifconfig
  # Use ip addr to view network information
  ip addr
I. Custom network bridge

The docker0 virtual bridge is created automatically when Docker is installed. Now create your own bridge.

# Install the bridge tool brctl
sudo apt-get install bridge-utils

# View bridge devices
sudo brctl show

# Add a bridge
sudo brctl addbr br0
# Set the bridge IP
sudo ifconfig br0 192.168.100.1 netmask 255.255.255.0

# Make Docker use the specified bridge: (1) edit the configuration: DOCKER_OPTS="-b=br0"
sudo vim /etc/default/docker
# Make Docker use the specified bridge: (2) restart the Docker service
sudo service docker restart
# Check whether the Docker setting was applied
ps -ef | grep docker
# Check whether the Docker network setting is effective
ifconfig
II. Interconnection of Docker containers

By default Docker allows containers to communicate with each other.

When a container is restarted its IP address changes, but if the containers were connected with --link, the referencing container's host entry for the linked container is updated with the new IP (so specify --link at run time to avoid IP problems between containers).

Targets
1. Allow interconnection between containers
2. Prevent interconnection between containers
3. Allow only some containers to interconnect

Prepare a Dockerfile for testing

FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y iputils-ping
RUN apt-get install -y nginx
RUN apt-get install -y curl
# The port number was missing from the original EXPOSE line; 80 is the nginx port used in the tests below
EXPOSE 80
CMD /bin/bash

Build the image

# Build the image (the trailing dot is the build context: the current directory)
docker build -t "ubuntu14:nginx" .
# Create container cct1
docker run -it --name cct1 ubuntu14:nginx
# Start nginx inside the container
nginx
1. Use --link to give the linked container an alias (the advantage: the alias still works after a restart changes the container's IP)
# When creating a container, specify the linked container and its alias
docker run --name cct2 -it --link cct1:webtest ubuntu14:nginx /bin/bash
# From inside cct2, access the other container through the alias
ping webtest

# Changes made by --link: (1) env shows several added environment variables prefixed with WEBTEST_
env
# Changes made by --link: (2) /etc/hosts gains an entry mapping webtest to the linked container's IP
vi /etc/hosts

# Test: restart the Docker service and start cct1 and cct2 (their IPs change); the link alias can still be pinged from cct2
sudo service docker restart
sudo docker start cct1 cct2
sudo docker attach cct2
ping webtest
2. Refusing container interconnection (--link, --icc, --iptables)

(Even when --icc=false blocks access between containers, containers connected with --link can still reach each other)

# Edit the Docker default configuration: DOCKER_OPTS="--icc=false"
sudo vi /etc/default/docker
# Restart the Docker service
sudo service docker restart
# Check that the configuration was applied
ps -ef | grep docker
# Start the two containers
sudo docker start cct1 cct2
# In container cct2, ping the IP of container cct1 (cannot ping)
sudo ping <cct1-ip>
# In container cct2, ping cct1 through the link alias (can ping)
sudo ping webtest
3. Allow only some containers to interconnect
# Edit the Docker default configuration: DOCKER_OPTS="--icc=false --iptables=true"
sudo vim /etc/default/docker
# Restart the Docker service
sudo service docker restart
# Then start the containers that are allowed to talk to each other with --link, as in step 1; only linked pairs can reach each other

Sometimes the iptables rules cause problems and need to be cleared:

# Flush the iptables rules
sudo iptables -F
# Restart the Docker service so that it recreates its own rules
sudo service docker restart
# View the rules
sudo iptables -L -n
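The effect of steps 2 and 3 can be checked from the live ruleset instead of by trial pings. The script below is an added example, not part of the original post: it reads `iptables -S` output (the embedded sample is constructed, in the shape of the FORWARD and DOCKER chains that the legacy --icc=false and --link handling produced), reports whether docker0-to-docker0 traffic is dropped, and lists the per-pair ACCEPT exceptions that --link inserted. The function names and the file name in the usage are mine. To run it against a real host: `sudo iptables -S > rules.txt && sh icc_audit.sh rules.txt`. One caveat on the `iptables -F` above: it flushes every rule in the filter table, not only Docker's, and restarting Docker only recreates Docker's own rules.

```shell
#!/bin/sh
# Added example: audit the inter-container communication (ICC) policy from
# the rules Docker installed. Input is `iptables -S` output (FORWARD and
# DOCKER chains); the sample below is constructed, not captured.

# Docker adds one docker0 -> docker0 rule to FORWARD: its target is
# ACCEPT when --icc=true (the default) and DROP when --icc=false.
icc_state() {
    if printf '%s\n' "$1" | grep -qF -- '-A FORWARD -i docker0 -o docker0 -j DROP'; then
        echo "icc=false"
    elif printf '%s\n' "$1" | grep -qF -- '-A FORWARD -i docker0 -o docker0 -j ACCEPT'; then
        echo "icc=true"
    else
        echo "icc=unknown (no docker0 forwarding rule; --iptables=false?)"
    fi
}

# With ICC off, --link adds a pair of ACCEPT rules to the DOCKER chain for
# each linked container pair (one per direction). List them as
# "<src> -> <dst> <proto> <dport|sport> <port>".
link_exceptions() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && /-j ACCEPT/ && / -s / && / -d / {
            src = ""; dst = ""; proto = "any"; kind = "port"; port = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") { kind = "dport"; port = $(i + 1) }
                if ($i == "--sport") { kind = "sport"; port = $(i + 1) }
            }
            print src " -> " dst " " proto " " kind " " port
        }'
}

# Constructed sample: --icc=false in effect, with cct2 (172.17.0.3) linked
# to cct1 (172.17.0.2) on port 80, as in the post's test.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -s 172.17.0.3/32 -d 172.17.0.2/32 -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -s 172.17.0.2/32 -d 172.17.0.3/32 -i docker0 -o docker0 -p tcp -m tcp --sport 80 -j ACCEPT'

# Use a saved ruleset if a file name is given, otherwise the sample.
if [ -n "${1:-}" ]; then RULES=$(cat "$1"); else RULES=$SAMPLE_RULES; fi
icc_state "$RULES"
link_exceptions "$RULES"
```

With the sample the script prints `icc=false` followed by the two link exceptions; on a host where the FORWARD rule is ACCEPT every container can reach every other one regardless of what --link was used for.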
4. Connecting Docker containers to external networks

(1) The Docker parameter --ip-forward controls whether containers can reach external networks (ip-forward defaults to true: traffic is forwarded)

# Edit the Docker default configuration: DOCKER_OPTS="--ip-forward=true --iptables=true"
sudo vim /etc/default/docker
# Check the kernel setting with a system command
sysctl net.ipv4.conf.all.forwarding

(2) Using iptables to manage network access

# View network access rules in the filter table
sudo iptables -t filter -L -n
# or, since filter is the default table
sudo iptables -L -n

(3) Using the -p parameter to publish a container port

# Publish container port 80 on a random host port (-p <host-port>:<container-port> fixes the host port; -P publishes every EXPOSEd port)
docker run -it -p 80 --name cct3 ubuntu14:nginx
# View the host port mapped to the container
docker port cct3
# Use iptables to view the rule changes
sudo iptables -L -n

(4) Preventing external access to a container (see the iptables documentation for other rules)

sudo iptables -I DOCKER -s <src-ip> -d <dest-ip> -p tcp --dport 80 -j DROP
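The DROP rule above goes into the DOCKER chain, which Docker rebuilds whenever it restarts, so the rule is gone after the next `service docker restart`. Docker 17.06 and later provide the DOCKER-USER chain for exactly this purpose: Docker jumps to it before its own rules and never flushes it. The script below is an added example (not from the post) that generates, without applying, the DOCKER-USER rules that let only listed source networks reach a published port. It parses `docker port` output (the embedded sample line is constructed) to find the protocol and host port; the interface name eth0, the allow-list networks and the function names are assumptions. Because DOCKER-USER sees the packet after Docker's DNAT, the rule matches the original destination port with conntrack's --ctorigdstport rather than --dport.

```shell
#!/bin/sh
# Added example: print the iptables commands that restrict a published
# container port to an allow-list of source networks, using the DOCKER-USER
# chain (Docker 17.06+). Nothing is applied; review the output, then run it.

# print_rules IFACE PROTO HOSTPORT CIDR [CIDR...]
# Docker appends "-A DOCKER-USER -j RETURN", so rules must be inserted (-I)
# to land above it. Each -I goes to the top of the chain, so the catch-all
# DROP is printed first and the ACCEPT rules printed after it end up above it.
print_rules() {
    iface=$1; proto=$2; hport=$3; shift 3
    # DOCKER-USER runs after DNAT, so --dport would see the container port;
    # --ctorigdstport matches the host port the client actually connected to.
    match="-i $iface -p $proto -m conntrack --ctdir ORIGINAL --ctorigdstport $hport"
    echo "iptables -I DOCKER-USER $match -j DROP"
    for cidr in "$@"; do
        echo "iptables -I DOCKER-USER $match -s $cidr -j ACCEPT"
    done
}

# rules_from_docker_port IFACE DOCKER_PORT_OUTPUT CIDR [CIDR...]
# Each `docker port` line looks like "80/tcp -> 0.0.0.0:49153"; take the
# protocol and the host port from it and emit one rule set per line.
rules_from_docker_port() {
    iface=$1; output=$2; shift 2
    printf '%s\n' "$output" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        proto=${line%% ->*}; proto=${proto#*/}
        hport=${line##*:}
        print_rules "$iface" "$proto" "$hport" "$@"
    done
}

# Constructed sample of `docker port cct3` after publishing port 80.
SAMPLE_PORT_OUTPUT='80/tcp -> 0.0.0.0:49153'

# Hypothetical allow-list; replace with the networks that may reach the service.
rules_from_docker_port eth0 "$SAMPLE_PORT_OUTPUT" 203.0.113.0/24 198.51.100.7
```

Feed a real host with `rules_from_docker_port eth0 "$(docker port cct3)" <allowed-cidr>`; the printed commands can be reviewed and then executed with sudo, and they survive Docker restarts because DOCKER-USER is left alone by the daemon.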
5. Using a network bridge to connect containers across hosts

Principle: the Docker bridge uses IPs from the same network segment as the host machine, so containers on different hosts can reach each other directly

Environment:
  Mac OS X + Parallels
  Two Ubuntu 14.04 virtual machines
  Install the bridge management tool: apt-get install bridge-utils
  IP addresses:
    host1: 10.211.55.3
    host2: 10.211.55.5

Note: Parallels is used rather than VMware or VirtualBox because automatic IP assignment is awkward or inconvenient to set up with those.

(1) Create a new network bridge and configure Docker to use it

Modify the network configuration file on host1 (host2 is similar; only the IP address changes)

auto br0
iface br0 inet static
    address 10.211.55.3
    netmask 255.255.255.0
    gateway 10.211.55.1
    bridge_ports eth0

Use ifconfig to check the configuration

Modify the Docker configuration /etc/default/docker

host1:
  DOCKER_OPTS="-b=br0 --fixed-cidr=10.211.55.64/26"
host2:
  DOCKER_OPTS="-b=br0 --fixed-cidr=10.211.55.128/26"

Check the configuration

# Check the configuration
ps -ef | grep docker
(2) Containers accessing other hosts

In Docker on host2

  # Start a container
  docker run -it ubuntu /bin/bash
  # Ping host1
  ping 10.211.55.3
(3) Cross-host access between containers

In Docker on host1

  # Start a container
  docker run -it ubuntu /bin/bash
  # Ping the IP of the container on host2 (find it with ifconfig inside that container)
  ping 10.211.55.129

Advantages
  Simple configuration, no reliance on third-party software
Shortcomings
  Containers share the host's network segment, so IP addresses must be divided carefully
  Control over the network segment is needed, which is not easy to achieve in a production environment
  Not easy to manage, poor compatibility

6. Using Open vSwitch to connect containers across hosts (across network segments)

"Environment"
  Host software: Mac OS X + VirtualBox + two Ubuntu 14.04 virtual machines
  Dual network adapters: host-only & NAT
  Install Open vSwitch: apt-get install openvswitch-switch
  Install the bridge management tool: apt-get install bridge-utils
  IP addresses: host1: 192.168.59.103
                host2: 192.168.59.104
(1) Create the OVS bridge and add the GRE tunnel (host1 settings as the example)
# View OVS information before and after creating the bridge
  sudo ovs-vsctl show
# Create the OVS bridge obr0 and a GRE port pointing at host2
  sudo ovs-vsctl add-br obr0
  sudo ovs-vsctl add-port obr0 gre0
  sudo ovs-vsctl set interface gre0 type=gre options:remote_ip=192.168.59.104
(2) Add the OVS bridge as an interface of the Linux bridge
# Create the Linux bridge br0 and connect obr0 to it
  sudo brctl addbr br0
  sudo ifconfig br0 192.168.1.1 netmask 255.255.255.0
  sudo brctl addif br0 obr0
# View bridge information
  sudo brctl show
(3) Configure the Docker container bridge
# Edit /etc/default/docker: DOCKER_OPTS="-b=br0"
  sudo vim /etc/default/docker
# Restart the Docker service
  sudo service docker restart

Test 1: a Docker container on host1 accesses host2 (across network segments)

  # Run a container on host1
  docker run -it ubuntu /bin/bash
  # View the container IP (usually 192.168.1.2)
  ifconfig
  # Ping host2
  ping 192.168.59.104

Test 2: set up the Docker bridge br0 and the OVS bridge obr0 on host2 in the same way, but give host2's br0 a different segment, 192.168.2.1 (host1 uses 192.168.1.1), and point obr0's GRE remote IP at host1's address 192.168.59.103

  # Start a container on host2 and view its IP address (assume 192.168.2.4)
  # From the host1 container, ping the container on host2 (result: unreachable, because the segments differ and there is no route)
  ping 192.168.2.4
(5) Add a route to the other host's Docker container segment
# View host1 routing information (compare before and after adding the route)
  route
# Add a route to 192.168.2.0/24 on host1 via host2
  sudo ip route add 192.168.2.0/24 via 192.168.59.104 dev eth0

"Test 3"

  # In the host1 container (192.168.1.2), ping the host2 container (192.168.2.4) again: access succeeds
  ping 192.168.2.4
  # Conversely, in the host2 container (192.168.2.4), ping the host1 container (192.168.1.2): also succeeds
  ping 192.168.1.2
7. Using Weave to connect containers across hosts

Weave is a container interconnection technology built on Docker.

http://weave.works

https://github.com/weaveworks/weave#readme

"Environment preparation"

  Host software: Mac OS X + VirtualBox + two Ubuntu 14.04 virtual machines
  Dual network adapters: host-only & NAT
  IP addresses: host1: 192.168.59.103
                host2: 192.168.59.104

"Software installation": install Weave on both machines

# Download and install weave
  sudo wget -O /usr/bin/weave https://raw.githubusercontent.com/zettio/weave/master/weave
# Make the weave script executable
  sudo chmod a+x /usr/bin/weave
# Start weave (this runs a weave container; use docker ps -l to see it)
  weave launch

Connection

# On host2, connect to host1 (192.168.59.103)
  weave launch 192.168.59.103
# On host2, create container c2 (weave run prints the container ID, which is saved in c2)
  c2=$(weave run 192.168.1.2/24 -it ubuntu /bin/bash)
# Enter the container
  docker attach $c2
# The container has gained an ethwe network device (with IP 192.168.1.2)
  ifconfig
# On host1, use weave to start container wc1 (the container's IP is 192.168.1.10)
  weave run 192.168.1.10/24 -it --name wc1 ubuntu /bin/bash
# Enter container wc1
  docker attach wc1
# In container wc1 you can directly ping the container on host2 at 192.168.1.2
  ping 192.168.1.2
  
8. Cross-host container access
Environment: CentOS
  host1: 192.168.18.130
    docker0 172.17.42.1/16
  host2: 192.168.18.128
    docker0 172.18.42.1/16
(1) Modify the docker0 network address (to meet the address requirements above)
# Edit the configuration (host2 shown; host1 keeps 172.17.42.1/16)
  vi /usr/lib/systemd/system/docker.service

ExecStart=/usr/bin/docker daemon --bip=172.18.42.1/16 -H fd:// -H unix:///var/run/docker.sock
# Reload the unit and restart Docker
systemctl daemon-reload
systemctl restart docker
# View the docker0 IP
ip addr
(2) Add a route on each host to the other host's container network
# Add the route on host1 (to host2's containers)
  route add -net 172.18.0.0/16 gw 192.168.18.128
# Add the route on host2 (to host1's containers)
  route add -net 172.17.0.0/16 gw 192.168.18.130

# View the local routes and check that the route was added correctly
  ip route
(3) Start a container on one host and ping the other host
# Start a container on host1 (keep it running)
  docker run --rm=true -it java /bin/bash
# Get its IP address (suppose it is 172.17.0.1)
  ip addr
(4) On the other host, ping that container's IP
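Sections 5, 6 and 8 all rest on the same two conditions: every host's container subnet must be disjoint from the others' (otherwise a host cannot tell local containers from remote ones), and each host needs a route for every other host's container subnet via that host's address, since replies travel the reverse path and a one-sided route is not enough. The script below is an added example, not the post's own: it converts the subnets to integer ranges and checks them pairwise for overlap in plain POSIX sh arithmetic, then prints the `ip route add` command each host needs. The host table is a constructed sample built from section 8 (host names, addresses and subnets as given there); the generated commands use the `ip route` form of section 6 rather than the `route add -net` form of section 8, and the function names are mine.

```shell
#!/bin/sh
# Added example: check that per-host container subnets do not overlap and
# print the route each host needs to reach the other hosts' containers.
# Pure POSIX sh; nothing is applied.

# ip2int DOTTED -> 32-bit integer (the subshell keeps the IFS change local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_range A.B.C.D/N -> "first last" as integers, with host bits cleared
cidr_range() {
    case $1 in
        */*) addr=${1%/*}; bits=${1#*/} ;;
        *)   addr=$1; bits=32 ;;
    esac
    size=$(( 1 << (32 - bits) ))
    first=$(( $(ip2int "$addr") / size * size ))
    echo "$first $(( first + size - 1 ))"
}

# cidr_overlap CIDR1 CIDR2 -> exit 0 if the two ranges share any address
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$2" -ge "$3" ] && [ "$4" -ge "$1" ]
}

# check_overlap HOSTS -> prints every conflicting pair; exit 1 if any.
# HOSTS is text with one "name host_ip container_cidr" per line.
check_overlap() {
    i=0
    printf '%s\n' "$1" | while read -r n1 ip1 c1; do
        i=$((i + 1)); j=0
        printf '%s\n' "$1" | while read -r n2 ip2 c2; do
            j=$((j + 1))
            [ "$j" -gt "$i" ] || continue     # each unordered pair once
            if cidr_overlap "$c1" "$c2"; then
                echo "conflict: $n1 $c1 overlaps $n2 $c2"
            fi
        done
    done | grep . && return 1
    return 0
}

# plan_routes HOSTS -> "name: ip route add <peer cidr> via <peer ip>" lines,
# one per (host, peer) pair, so both directions are covered.
plan_routes() {
    check_overlap "$1" || return 1
    printf '%s\n' "$1" | while read -r n1 ip1 c1; do
        printf '%s\n' "$1" | while read -r n2 ip2 c2; do
            if [ "$n1" != "$n2" ]; then
                echo "$n1: ip route add $c2 via $ip2"
            fi
        done
    done
}

# Constructed sample: the two CentOS hosts of section 8.
HOSTS='host1 192.168.18.130 172.17.0.0/16
host2 192.168.18.128 172.18.0.0/16'

plan_routes "$HOSTS"
```

With the sample the script prints one route for host1 and one for host2; if a third host were added with a subnet that overlaps an existing one, it prints the conflicting pair and emits no routes at all, which is the failure mode the "carefully dividing the IP address" shortcoming of section 5 warns about.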
