Docker Network Settings

Source: Internet
Author: User

Several basic methods of Docker container interconnection

(1) Container mounts a host directory: -v, --volumes-from

(2) Interconnection between containers: --link

(3) External access to a container: -P

(4) Direct use of the host network

  # Run the container on the host's network stack (--net=host)
  docker run --rm=true --net=host --name=mydb -e MYSQL_ROOT_PASSWORD=123456 mysql
  # Use the following command to check that the container's IP is identical to the host's
  docker exec -it mydb ip addr

(5) Sharing one IP network between containers

  # Start a container
  docker run --rm=true --name=mydb -e MYSQL_ROOT_PASSWORD=123456 mysql
  # Create a new container and make it share the IP of the existing one
  docker run --rm=true --net=container:mydb java ip addr
  # How do two containers that share an IP reach each other? (use localhost)
  # Use Ubuntu's built-in tool ifconfig to view the network settings (bridges, interfaces, ...) [Note: it is ifconfig, not ipconfig! ^_^]
  ifconfig
  # Use ip addr to view network information
  ip addr
1. Custom bridge

The docker0 virtual bridge is created automatically when Docker is installed. Now create your own bridge:

  # Install the bridge tool brctl
  sudo apt-get install bridge-utils
  # View bridge devices
  sudo brctl show
  # Add a bridge
  sudo brctl addbr br0
  # Set the bridge IP
  sudo ifconfig br0 192.168.100.1 netmask 255.255.255.0
  # Make Docker use the specified bridge: (1) edit the configuration: DOCKER_OPTS="-b=br0"
  sudo vim /etc/default/docker
  # Make Docker use the specified bridge: (2) restart the Docker service
  sudo service docker restart
  # Check whether the Docker settings were applied
  ps -ef | grep docker
  # Check whether the Docker network settings are in effect
  ifconfig
2. Docker container interconnection

Docker allows interconnection between containers by default.

When a container restarts, its IP address changes; if the containers were connected with --link, the IP recorded for the linked container in the container that references it is updated accordingly. (So, to avoid IP problems between containers, run the container with --link.)

Goals:
1. Allow interconnection between containers
2. Block interconnection between containers
3. Allow only some containers to interconnect

Dockerfile used for testing:

  FROM ubuntu:14.04
  RUN apt-get update
  # ping is provided by the iputils-ping package on Ubuntu 14.04
  RUN apt-get install -y iputils-ping
  RUN apt-get install -y nginx
  EXPOSE 80
  CMD /bin/bash

Build the image:

  # Build the image "ubuntu14:nginx"
  docker build -t ubuntu14:nginx .
  # Create container cct1
  docker run -it --name cct1 ubuntu14:nginx
  # Start nginx
  nginx

1. Use --link to give the linked container a reference alias (the advantage is that the alias keeps working when the container IP changes on restart)

  # When creating a container, link to cct1 and give it the alias webtest
  docker run -it --name cct2 --link cct1:webtest ubuntu14:nginx /bin/bash
  # Inside the container, reach the other container directly through the link alias
  ping webtest
  # Changes made by --link: (1) env shows several added environment variables whose names start with "WEBTEST_"
  env
  # Changes made by --link: (2) the hosts file gains an IP mapping for webtest
  vi /etc/hosts
  # Test: restart the Docker service and start containers cct1 and cct2; the container IPs change, but the link alias can still be pinged from cct2
  sudo service docker restart
  sudo docker start cct1 cct2
  sudo docker attach cct2
  ping webtest
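To make concrete what --link leaves inside the referencing container, here is an added Python example (written for this page; it is not code from the page or from Docker) that reads the WEBTEST_* environment variables and the /etc/hosts mapping described above and resolves the alias from them. The env values, hosts lines, container IDs and 172.17.0.x addresses are constructed samples, not captured from the setup above.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of what `env` and /etc/hosts show inside cct2 after it was started
# with `--link cct1:webtest` (sample values; the 172.17.0.x addresses and the container
# IDs are assumptions, not captured from the page's hosts).
SAMPLE_ENV = {
    "WEBTEST_NAME": "/cct2/webtest",
    "WEBTEST_PORT": "tcp://172.17.0.2:80",
    "WEBTEST_PORT_80_TCP": "tcp://172.17.0.2:80",
    "WEBTEST_PORT_80_TCP_ADDR": "172.17.0.2",
    "WEBTEST_PORT_80_TCP_PORT": "80",
    "WEBTEST_PORT_80_TCP_PROTO": "tcp",
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}
SAMPLE_HOSTS = (
    "127.0.0.1\tlocalhost\n"
    "172.17.0.2\twebtest 3f2a1b4c5d6e cct1\n"
    "172.17.0.3\t7a8b9c0d1e2f\n"
)


def link_endpoints(alias: str, environ: Dict[str, str]) -> Dict[Tuple[str, int], str]:
    """Map (proto, port) -> address from the <ALIAS>_PORT_<port>_<PROTO>_ADDR variables
    that --link injects for every port the linked image EXPOSEs."""
    prefix = re.escape(alias.upper() + "_PORT_")
    pattern = re.compile(prefix + r"(\d+)_(TCP|UDP)_ADDR$")
    endpoints = {}
    for name, value in environ.items():
        m = pattern.match(name)
        if m:
            endpoints[(m.group(2).lower(), int(m.group(1)))] = value
    return endpoints


def hosts_lookup(alias: str, hosts_text: str) -> Optional[str]:
    """Address of the first /etc/hosts entry that carries the alias as one of its names."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and alias in fields[1:]:
            return fields[0]
    return None


def resolve(alias: str, environ: Dict[str, str], hosts_text: str) -> Dict[str, object]:
    """Resolve a link alias the way the restart test above relies on: the hosts entry is
    authoritative, while the env variables are a snapshot taken when the container was
    created, so also report whether the two still agree."""
    from_hosts = hosts_lookup(alias, hosts_text)
    from_env = sorted(set(link_endpoints(alias, environ).values()))
    return {"hosts": from_hosts, "env": from_env, "consistent": from_hosts in from_env}
```

Inside a real container the same functions can be fed `dict(os.environ)` and the contents of /etc/hosts; a "consistent": False result means a process that cached the address from its environment at start-up is talking to a stale IP.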
2. Block container interconnection (--link, --icc, --iptables)

(Even with --icc=false, containers that established interconnection with --link can still reach each other)

  # Edit the Docker default configuration file: DOCKER_OPTS="--icc=false"
  sudo vi /etc/default/docker
  # Restart the Docker service
  sudo service docker restart
  # Check that the configuration was changed
  ps -ef | grep docker
  # Start the two containers
  sudo docker start cct1 cct2
  # In container cct1, ping the IP of container cct2 (cannot be pinged)
  sudo ping <cct2-ip>
  # In container cct2, ping container cct1 through its link (can be pinged)
  sudo ping webtest

3. Allow only some containers to interconnect

  # Edit the Docker default configuration: DOCKER_OPTS="--icc=false --iptables=true"
  sudo vim /etc/default/docker
  # Restart the Docker service
  sudo service docker restart
  # Then connect only the chosen containers with --link

When problems occur, sometimes you need to flush iptables:

  # Flush iptables
  sudo iptables -F
  # Restart the Docker service (recreates Docker's own rules)
  sudo service docker restart
  # View the iptables rules
  sudo iptables -L -n
4. Connecting Docker containers to the external network

(1) The Docker parameter --ip-forward controls whether containers can reach the external network (ip-forward defaults to true, i.e. traffic is forwarded)

  # Edit the Docker default configuration: DOCKER_OPTS="--ip-forward=true --iptables=true"
  sudo vim /etc/default/docker
  # Check the setting with the system command
  sysctl net.ipv4.conf.all.forwarding

(2) Using iptables to manage network access

  # View the network access rules in the filter table
  sudo iptables -t filter -L -n
  # or
  sudo iptables -L -n

(3) Use the -p parameter to specify the container's open port

  # Specify the container's open port 80
  docker run -it -p 80 --name cct3 ubuntu14:nginx
  # View the host port the container port is mapped to
  docker port cct3
  # Use iptables to see the rule changes
  sudo iptables -L -n

(4) Block external access to the container (for other rules see the documentation of the iptables command)

  # Insert a rule at the top of the FORWARD chain (the chain name was lost from the listing; FORWARD is where container traffic is filtered)
  sudo iptables -I FORWARD -s <src-ip> -d <dest-ip> -p tcp --dport 80 -j DROP
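The --icc, --link, -p and manual DROP settings above all end up as entries in the FORWARD and DOCKER chains, and the only reliable way to know what a given packet gets is to walk those chains in order. The following is an added Python example of that walk, written for this page and not code from the page or from Docker: it parses `iptables -S` output and returns the verdict for a described packet. The rule listing it ships with is constructed (the addresses 172.17.0.2 and 172.17.0.3 for cct2 and cct1, the clients 10.0.0.5 and 10.0.0.6, and the DOCKER-chain rule shapes are assumptions that mimic what Docker installs); the evaluator knows only the interface, address, protocol, port and conntrack-state matches, and raises on anything else rather than guessing.

```python
import ipaddress
import shlex
from dataclasses import dataclass

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCHERS = {  # iptables option -> does the packet satisfy it? (the subset this evaluator knows)
    "-i": lambda v, p: p.in_iface == v,
    "-o": lambda v, p: p.out_iface == v,
    "-s": lambda v, p: ipaddress.ip_address(p.src) in ipaddress.ip_network(v, strict=False),
    "-d": lambda v, p: ipaddress.ip_address(p.dst) in ipaddress.ip_network(v, strict=False),
    "-p": lambda v, p: p.proto == v,
    "--dport": lambda v, p: p.dport == int(v),
    "--ctstate": lambda v, p: p.state in v.split(","),
}

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0       # 0 = no port (e.g. ICMP)
    state: str = "NEW"   # conntrack state; NEW for the first packet of a flow

def parse_rules(text):
    """Parse `iptables -S` lines into {chain: [policy, [(matches, target), ...]]}, where
    matches is a list of (option, value, negated). Unknown options raise instead of
    being silently ignored, so a verdict is never based on a half-understood rule."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        chain = chains.setdefault(tok[1], [None, []])
        if tok[0] == "-P":                   # built-in chain policy
            chain[0] = tok[2]
        elif tok[0] == "-A":                 # rules stay in the order the kernel walks them
            matches, target, i, neg = [], None, 2, False
            while i < len(tok):
                t = tok[i]
                if t == "!":
                    neg, i = True, i + 1
                elif t == "-m":              # match-extension name: no effect on the verdict
                    i += 2
                elif t == "-j":
                    target, i = tok[i + 1], i + 2
                elif t in MATCHERS:
                    matches.append((t, tok[i + 1], neg))
                    neg, i = False, i + 2
                else:
                    raise ValueError(f"unsupported option {t!r} in: {line}")
            chain[1].append((matches, target))
        elif tok[0] != "-N":                 # -N only declares a user chain
            raise ValueError(f"unsupported line: {line}")
    return chains

def verdict(chains, pkt, chain="FORWARD"):
    """First matching rule wins; a user chain with no match returns None (RETURN)."""
    policy, rules = chains[chain]
    for matches, target in rules:
        if not all(MATCHERS[o](v, pkt) != neg for o, v, neg in matches):
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:                 # jump into a user chain such as DOCKER
            sub = verdict(chains, pkt, target)
            if sub is not None:
                return sub
            continue
        raise ValueError(f"unknown target {target!r}")
    return policy

# Constructed `iptables -S` output (not captured from the page's hosts). It has the rule
# shapes Docker installs with --icc=false, the ACCEPT a --link adds, one published port,
# and the manual DROP for a single external client from step (4) inserted at the top.
# Assumed container addresses: cct1 = 172.17.0.3, cct2 = 172.17.0.2.
SAMPLE_RULES = """
-P FORWARD ACCEPT
-N DOCKER
-A FORWARD -s 10.0.0.5/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j DROP
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -s 172.17.0.2/32 -d 172.17.0.3/32 -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
"""

def audit(rules_text):
    """Verdict for each flow this section discusses, so a rule change can be checked
    against the listing before it is applied to the host."""
    chains = parse_rules(rules_text)
    flows = {
        "cct2 -> cct1:80 via --link": Packet("docker0", "docker0", "172.17.0.2", "172.17.0.3", "tcp", 80),
        "cct1 -> cct2 icmp (icc)": Packet("docker0", "docker0", "172.17.0.3", "172.17.0.2", "icmp"),
        "cct2 -> internet (ip-forward)": Packet("docker0", "eth0", "172.17.0.2", "8.8.8.8", "udp", 53),
        "10.0.0.6 -> cct1:80 (-p 80)": Packet("eth0", "docker0", "10.0.0.6", "172.17.0.3", "tcp", 80),
        "10.0.0.5 -> cct1:80 (blocked)": Packet("eth0", "docker0", "10.0.0.5", "172.17.0.3", "tcp", 80),
    }
    return {name: verdict(chains, pkt) for name, pkt in flows.items()}
```

On a real host, feed it the output of `sudo iptables -S FORWARD` followed by `sudo iptables -S DOCKER`. Because `-I` inserts at the top, the manual DROP from step (4) is listed before the Docker-generated rules, which is why it wins over the published-port ACCEPT in the DOCKER chain; a rule appended with `-A` instead would sit after them and never be reached for that flow.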
5. Using a bridge to connect containers across hosts

Principle: the Docker bridge uses IP addresses from the same network segment as the host machine, so containers on different hosts can reach each other directly.

Environment:
  Mac OS X + Parallels
  Two Ubuntu 14.04 virtual machines
  Bridge management tool installed with: apt-get install bridge-utils
IP addresses:
  host1: 10.211.55.3
  host2: 10.211.55.5

Note: Parallels virtual machines are used instead of VMware or VirtualBox because their automatic IP assignment makes this setup inappropriate or inconvenient to implement.

(1) Create a new bridge and configure Docker to use it

Modify the host1 configuration file (for host2, just change the IP address after "address"):

  # /etc/network/interfaces on host1: the bridge br0 takes over eth0 and the host address
  auto br0
  iface br0 inet static
      address 10.211.55.3
      netmask 255.255.255.0
      gateway 10.211.55.1
      bridge_ports eth0

Check the configuration with ifconfig.

Modify the Docker configuration /etc/default/docker:

  host1:  DOCKER_OPTS="-b=br0 --fixed-cidr=10.211.55.64/26"
  host2:  DOCKER_OPTS="-b=br0 --fixed-cidr=10.211.55.128/26"

Check the configuration:

  # Check the configuration
  ps -ef | grep docker
(2) Containers access the other host

In Docker on host2:

  # Start a container
  docker run -it ubuntu /bin/bash
  # ping the host1 machine
  ping 10.211.55.3

(3) Cross-host container-to-container access

In Docker on host1:

  # Start a container
  docker run -it ubuntu /bin/bash
  # ping the container IP on host2 (check the IP with ifconfig)
  ping 10.211.55.129

Advantages:
  Simple configuration, no reliance on third-party software
Disadvantages:
  Containers share the hosts' network segment, so the IP addresses must be divided carefully
  Requires control over the network segment; not easy to implement in a production environment
  Not easy to manage, poor compatibility

6. Using Open vSwitch to connect containers across hosts (across network segments)

[Environment]
  Host software: Mac OS X + VirtualBox + two Ubuntu 14.04 virtual machines
  Two NICs: Host-Only & NAT
  Install Open vSwitch: apt-get install openvswitch-switch
  Install the bridge management tool: apt-get install bridge-utils
  IP addresses: host1: 192.168.59.103
                host2: 192.168.59.104

(1) Create the OVS bridge and add the GRE connection (the host1 settings are shown as the example)

  # View the OVS information before and after creating the bridge to see the change
  sudo ovs-vsctl show
  # Create the OVS bridge obr0
  sudo ovs-vsctl add-br obr0
  sudo ovs-vsctl add-port obr0 gre0
  sudo ovs-vsctl set interface gre0 type=gre options:remote_ip=192.168.59.104

(2) Add the OVS interface to the virtual bridge

  # Create the bridge br0 and connect it to obr0
  sudo brctl addbr br0
  sudo ifconfig br0 192.168.1.1 netmask 255.255.255.0
  sudo brctl addif br0 obr0
  # View the bridge information
  sudo brctl show

(3) Configure the Docker container virtual bridge

  # Edit the configuration file /etc/default/docker: DOCKER_OPTS="-b=br0"
  sudo vim /etc/default/docker
  # Restart the Docker service
  sudo service docker restart

[Test 1] Tests that a Docker container on host1 can reach host2 (across network segments)

  # Run a container on host1
  docker run -it ubuntu /bin/bash
  # View the container IP (usually 192.168.1.2)
  ifconfig
  # ping the host2 machine
  ping 192.168.59.104

[Test 2] Set up the Docker bridge br0 and the virtual bridge obr0 on host2 in the same way, noting that br0 on host2 is 192.168.2.1, a different network segment from host1's 192.168.1.1, and that the remote IP of the virtual bridge obr0 points to host1's address 192.168.59.103.

  # Start a container on host2 and check its IP address: 192.168.2.4 (assumed)
  # From the host1 container, ping the container on host2 (result: no reply, because the two network segments cannot reach each other yet)
  ping 192.168.2.4

(5) Add a route for the other host's Docker container segment

  # View host1's routing information (check before and after adding the route to see the change)
  route
  # Add a route on host1 for the 192.168.2.0/24 segment
  sudo ip route add 192.168.2.0/24 via 192.168.59.104 dev eth0

[Test 3]

  # From the host1 container (192.168.1.2), ping the host2 container (192.168.2.4) again: access succeeds
  ping 192.168.2.4
  # Conversely, from the host2 container (192.168.2.4), ping the host1 container (192.168.1.2): also succeeds
  ping 192.168.1.2
7. Using Weave to connect containers across hosts

Weave is a container interconnection technology built on Docker.

http://weave.works

https://github.com/weaveworks/weave#readme

[Environment preparation]

  Host software: Mac OS X + VirtualBox + two Ubuntu 14.04 virtual machines
  Two NICs: Host-Only & NAT
  IP addresses: host1: 192.168.59.103
                host2: 192.168.59.104

[Software installation] Install Weave on both machines

  # Download and install weave
  sudo wget -O /usr/bin/weave https://raw.githubusercontent.com/zettio/weave/master/weave
  # Change the mode of the weave file to make it executable
  sudo chmod a+x /usr/bin/weave
  # Start weave (runs a weave container; use docker ps -l to see the running weave container)
  weave launch

Connection

  # On host2, connect to host1 (192.168.59.103)
  weave launch 192.168.59.103
  # On host2, create a container using weave (its container ID is stored in c2); the /24 prefix length is assumed
  c2=$(weave run 192.168.1.2/24 -it ubuntu /bin/bash)
  # Enter the container
  docker attach $c2
  # View the added ethwe network device in the container (its IP is 192.168.1.2)
  ifconfig
  # On host1, start a container wc1 using weave (the container's IP is 192.168.1.10)
  weave run 192.168.1.10/24 -it --name wc1 ubuntu /bin/bash
  # Enter the container wc1
  docker attach wc1
  # Container wc1 can ping the container on host2 directly
  ping 192.168.1.2
8. Cross-host container access (routing between docker0 segments)

Environment: CentOS
  host1: 192.168.18.130, docker0 172.17.42.1/16
  host2: 192.168.18.128, docker0 172.18.42.1/16

(1) Modify the docker0 network address (to meet the address requirements above)

  # Edit the configuration
  vi /usr/lib/systemd/system/docker.service
  ExecStart=/usr/bin/docker daemon --bip=172.18.42.1/16 -H fd:// -H=unix:///var/run/docker.sock
  # Restart Docker (daemon-reload re-reads the unit file; the restart applies it)
  systemctl daemon-reload
  systemctl restart docker
  # View the docker0 IP
  ip addr

(2) Add a route on each host to reach the other host's containers

  # On host1, add the route
  ip route add 172.18.0.0/16 via 192.168.18.128
  # On host2, add the route
  ip route add 172.17.0.0/16 via 192.168.18.130
  # View the local routing table and check that the route was added correctly
  ip route

(3) Start a container on one host and ping it from the other

  # Start a container from host1 (keep it running)
  docker run --rm=true -it java /bin/bash
  # Get its IP address (suppose it is 172.17.0.1)
  ip addr

(4) Ping the container IP from the other host

  # On host2, ping host1's container address 172.17.0.1
  ping 172.17.0.1
  # The result is "destination host host1 prohibited": 172.17.0.1 does not belong to host2's physical NIC, and the firewall rules reject the ping.
  # Workaround: flush the rules (this removes every rule in the table, Docker's own included; restarting the Docker service afterwards, as in section 2, recreates Docker's rules)
  iptables -F
  # or
  iptables -t nat -F
  # ping 172.17.0.1 again
  ping 172.17.0.1
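Sections 5 to 8 all hinge on how the address space is split: with the bridge method each host's --fixed-cidr must be a non-overlapping slice of the shared LAN segment that avoids the hosts' own addresses, and with the routing methods each host's container range must be distinct so that one route per peer can point at it. Here is an added Python example (written for this page, not code from the page) that checks both kinds of plan and emits the `ip route add` lines each host needs; the host/CIDR tables are the page's addresses, and the 10.211.55.0/24 and 192.168.18.0/24 host segments are assumptions implied by the /24 netmask and the host addresses.

```python
import ipaddress
from typing import Dict, List, Tuple

# Host plans built from the addresses in sections 5 and 8 of the page.
# Section 5: one shared segment; each host hands Docker a --fixed-cidr slice of it.
BRIDGE_PLAN = {
    "host1": ("10.211.55.3", "10.211.55.64/26"),
    "host2": ("10.211.55.5", "10.211.55.128/26"),
}
# Section 8: docker0 on each host has its own --bip; peers are reached through routes.
ROUTE_PLAN = {
    "host1": ("192.168.18.130", "172.17.42.1/16"),
    "host2": ("192.168.18.128", "172.18.42.1/16"),
}


def _nets(plan: Dict[str, Tuple[str, str]]) -> Dict[str, ipaddress.IPv4Network]:
    # strict=False turns a --bip such as 172.17.42.1/16 into its network 172.17.0.0/16
    return {h: ipaddress.ip_network(cidr, strict=False) for h, (_, cidr) in plan.items()}


def _overlaps(nets: Dict[str, ipaddress.IPv4Network]) -> List[str]:
    names = sorted(nets)
    return [f"{a}/{b}: {nets[a]} overlaps {nets[b]}"
            for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def check_bridge_plan(host_segment: str, plan: Dict[str, Tuple[str, str]]) -> List[str]:
    """Section 5 method: every container range must sit inside the hosts' segment, must
    not contain any host's address, and ranges must not overlap between hosts."""
    seg = ipaddress.ip_network(host_segment)
    nets = _nets(plan)
    problems = []
    for h, net in nets.items():
        if not net.subnet_of(seg):
            problems.append(f"{h}: {net} is outside host segment {seg}")
        for other, (ip, _) in plan.items():
            if ipaddress.ip_address(ip) in net:
                problems.append(f"{h}: {net} contains the address of {other} ({ip})")
    return problems + _overlaps(nets)


def check_route_plan(host_segment: str, plan: Dict[str, Tuple[str, str]]) -> List[str]:
    """Sections 6 and 8 method: container ranges are per host and must overlap neither
    each other nor the hosts' own segment (a route for them would shadow it)."""
    seg = ipaddress.ip_network(host_segment)
    nets = _nets(plan)
    problems = [f"{h}: {net} overlaps host segment {seg}" for h, net in nets.items() if net.overlaps(seg)]
    return problems + _overlaps(nets)


def routes(plan: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """The `ip route add` command each host needs per peer: the peer's container range
    via the peer's host address (section 6 step (5) and section 8 step (2))."""
    nets = _nets(plan)
    return {h: [f"ip route add {nets[p]} via {plan[p][0]}" for p in sorted(plan) if p != h]
            for h in sorted(plan)}
```

Adding a third host is just one more entry in the plan; routes() then yields two commands per host, and check_route_plan() catches the case where two hosts were given the same --bip, which is exactly the misconfiguration that makes cross-host pings silently land on the wrong machine.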


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
