Docker 1.13 new features: networking highlights

Source: Internet
Author: User

Allow docker run to connect to a specified swarm mode network

https://github.com/docker/docker/pull/25962

After the release of the new swarm mode in Docker 1.12, many people asked the same question: how can a container started with docker run be connected to a swarm mode service's overlay network? The answer was that it cannot, because a swarm overlay network is prepared for swarm mode services and is relatively robust; using it directly from docker run could break the security model.

However, because there were so many requests, a compromise is offered. In 1.13, a network can be configured as attachable when it is created, which allows containers started later with docker run to be connected to it.

We first create a default network, which does not allow attach:

$ docker network create -d overlay mynet1
xmgoco2vfrtp0ggc5r0p5z4mg

Then we create a network that allows attach, using the --attachable parameter newly added in 1.13:

$ docker network create -d overlay --attachable mynet2
yvcyhoc6ni0436jux9azc4cjt

Then we start a web service that connects to both networks:

$ docker service create \
    --name web \
    --network mynet1 \
    --network mynet2 \
    nginx
vv91wd7166y80lbl833rugl2z

Now let's use docker run to start a container and connect it to the first network:

$ docker run -it --rm --network mynet1 busybox
docker: Error response from daemon: Could not attach to network mynet1: rpc error: code = 7 desc = network mynet1 not manually attachable.

Because mynet1 does not allow manual attach, the error is reported here.

In 1.12, the error reported was that the network could not be used by docker run:

docker: Error response from daemon: swarm-scoped network (mynet1) is not compatible with 'docker create' or 'docker run'. This network can only be used by a docker service. See 'docker run --help'.

However, an --attachable network actually opens a gap in the security model, so it is not the default setting and is not recommended. Users who create a network with this option must be sure they know what they are doing.
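An added example (not from the original article or the Docker project): a Python check that reads docker network inspect JSON and reports swarm-scoped networks that were created with --attachable. The sample JSON is constructed and trimmed to the fields the check reads, and the approved allowlist is a hypothetical policy input of this example.

```python
import json

# Constructed sample shaped like `docker network inspect` output, trimmed to
# the fields this check reads. mynet1/mynet2 mirror the networks created above;
# "legacy" imitates an entry with no Attachable key.
SAMPLE_INSPECT = """
[
  {"Name": "mynet1", "Scope": "swarm", "Driver": "overlay", "Attachable": false},
  {"Name": "mynet2", "Scope": "swarm", "Driver": "overlay", "Attachable": true},
  {"Name": "legacy", "Scope": "swarm", "Driver": "overlay"},
  {"Name": "bridge", "Scope": "local", "Driver": "bridge", "Attachable": false}
]
"""


def audit_attachable(inspect_json, approved=()):
    """Return (name, driver, status) for swarm networks docker run may join.

    `approved` is this example's own allowlist of network names that are
    intentionally attachable (hypothetical policy input).
    """
    findings = []
    for net in json.loads(inspect_json):
        if net.get("Scope") != "swarm":
            continue  # local networks are outside the swarm service model
        # A missing key is treated as "not attachable", the default.
        if net.get("Attachable", False) is not True:
            continue
        status = "approved" if net["Name"] in approved else "unapproved"
        findings.append((net["Name"], net.get("Driver", "?"), status))
    return sorted(findings)


if __name__ == "__main__":
    for name, driver, status in audit_attachable(SAMPLE_INSPECT):
        print(f"{name} ({driver}): attachable from docker run, {status}")
```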

Allow docker service create to map host ports instead of ingress load balancer network ports

https://github.com/docker/docker/pull/27917
https://github.com/docker/docker/pull/28943

The format of docker service create --publish has changed further. (During the 1.13 RCs, --publish was at one point removed in favor of --port; after discussion, it was decided to stay consistent and keep using --publish, without the new --port option.)

In 1.12, docker service create allowed ports to be mapped on the ingress network using a parameter of the form --publish 80:80, which gets ingress load balancing and the routing mesh.

Starting with 1.13, another mapping mode is added, called host mode: a port mapped in this mode is only mapped on the host where the container is running. This is the same as in the first generation of Swarm. Although the ingress load balancer is lost, the location of the mapping is known, which is sometimes required.

The new --publish parameter format is now much like that of --mount. The value is a list of comma-separated key-value pairs, with each key and value separated by an equals sign (=). Four keys are currently supported:

    • protocol: tcp or udp
    • mode: ingress or host
    • target: Port number of the container
    • published: The port number mapped to the host

For example, the new-format --publish option equivalent to -p 8080:80 is:

--publish protocol=tcp,mode=ingress,published=8080,target=80
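An added example (not code from the article or from Docker): a Python normalizer that accepts either the short published:target form or the new key=value form and returns the four keys listed above, rejecting unknown keys and values. It assumes tcp and ingress as defaults, as the equivalence above implies, and, as a simplification of this example, requires both port numbers.

```python
KEYS = ("protocol", "mode", "target", "published")
ALLOWED = {"protocol": ("tcp", "udp"), "mode": ("ingress", "host")}
DEFAULTS = {"protocol": "tcp", "mode": "ingress"}  # implied by -p 8080:80


def parse_publish(spec):
    """Normalise a --publish value (short or key=value form) to four keys."""
    fields = dict(DEFAULTS)
    if "=" in spec:
        # New form: comma-separated key=value pairs.
        for pair in spec.split(","):
            key, sep, value = pair.partition("=")
            if not sep or key not in KEYS:
                raise ValueError(f"unknown or malformed field: {pair!r}")
            fields[key] = value
    else:
        # Short form: published:target
        published, sep, target = spec.partition(":")
        if not sep:
            raise ValueError(f"expected published:target, got {spec!r}")
        fields.update(published=published, target=target)
    for key, allowed in ALLOWED.items():
        if fields[key] not in allowed:
            raise ValueError(f"{key} must be one of {allowed}")
    for key in ("target", "published"):
        if not str(fields.get(key, "")).isdigit():
            raise ValueError(f"{key} must be a port number")
        fields[key] = int(fields[key])
        if not 1 <= fields[key] <= 65535:
            raise ValueError(f"{key} out of range: {fields[key]}")
    return fields


def reachable_on(fields):
    """Describe where the published port listens, per the two modes."""
    if fields["mode"] == "host":
        return "only the node running the container"
    return "every node, via the ingress load balancer"


if __name__ == "__main__":
    for spec in ("8080:80", "mode=host,published=80,target=80"):
        parsed = parse_publish(spec)
        print(spec, "->", parsed, "|", reachable_on(parsed))
```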

Of course we can continue to use -p 8080:80, but the new option format adds more possibilities. For example, using 1.13 to start a service in host mapping mode:

[email protected]:~$ docker service create --name web \
    --publish mode=host,published=80,target=80 \
    nginx

After running successfully, look at the node that the service container is running on:

[email protected]:~$ docker node ls
ID                           HOSTNAME  STATUS  AVAILABILITY  MANAGER STATUS
ntjybj51u6zp44akeawuf3i05    d2        Ready   Active
tp7icvjzvxla2n18j3nztgjz6    d3        Ready   Active
vyf3mgcj3uonrnh5xxquasp38 *  d1        Ready   Active        Leader
[email protected]:~$ docker service ps web
ID            NAME   IMAGE         NODE  DESIRED STATE  CURRENT STATE          ERROR  PORTS
5tij5sjvfpsf  web.1  nginx:latest  d3    Running        Running 5 minutes ago         *:80->80/tcp

As we can see, the cluster has 3 nodes, and the service has one replica, which is running on d3. If this were the earlier ingress network with the ingress load balancer, we would see the page when accessing port 80 on any node.

Host mode is different: it only maps the port on the host where the container is running. So if we curl d1 we should not see the page, while if we curl d3 we will:

[email protected]:~$ curl localhost
curl: (7) Failed to connect to localhost port 80: Connection refused

[email protected]:~$ curl localhost
<!DOCTYPE html>
