docker-Network mode

Source: Internet
Author: User
Tags: docker run

How Docker networking is implemented:

By default, Docker's network interfaces are virtual interfaces. One advantage of virtual interfaces is efficient forwarding: Linux forwards data between virtual interfaces by copying it inside the kernel, so packets in the send buffer of the sending interface are copied directly into the receive buffer of the receiving interface. To the host system and to the system inside the container this looks like an ordinary Ethernet card, but because no real link to an external network has to be set up, it is much faster. Docker's container networking uses this technique: it creates one virtual interface in the host and one in the container and connects the two to each other (such a pair of interfaces is called a veth pair).


When Docker creates a container, it performs the following steps:

    • Create a pair of virtual interfaces, one placed in the host and the other in the new container;

    • The host end is attached to the default bridge docker0 (or the specified bridge) and given a unique name, such as vethf9;

    • The container end is placed in the new container and renamed eth0; this interface is visible only in the container's network namespace;

    • An unused address from the bridge's address range is assigned to the container's eth0, and the default route is configured through the bridge NIC vethf9.

Once this is done, the container can use its eth0 virtual network card to communicate with other containers and other networks.


This network mode requires the Linux kernel's IP forwarding to be enabled. To check whether forwarding is enabled:

# sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1

To enable it: sysctl -w net.ipv4.ip_forward=1


Several network modes:

    • NAT / bridge: --net=bridge (the default). Docker connects the container network to the host network through the host's bridge (docker0), allowing the container to communicate with the host and with the outside world.


Bridge mode is implemented as follows:
(1) The Docker daemon uses veth pair technology to create two virtual network interface devices on the host, say veth0 and veth1. A veth pair guarantees that whichever end receives a network packet, the packet is delivered to the other end.
(2) The Docker daemon attaches veth0 to the docker0 bridge it created, so that network packets from the host can be sent to veth0.
(3) The Docker daemon moves veth1 into the network namespace of the Docker container and renames it eth0. This ensures that host packets sent to veth0 are immediately received by eth0, giving network connectivity between the host and the container, while the container's exclusive use of eth0 isolates the container's network environment.
At the same time, Docker uses NAT (network address translation; the mechanism can be looked up separately) so that the world outside the host can send network packets into the container on its own initiative.
What bridge mode provides:
(1) The container has a separate, isolated network stack.
(2) The container communicates with the host and with the world outside the host through NAT.


    • host: --net=host (tells Docker not to put the container's network in an isolated namespace, i.e. not to containerize the network. A Docker container in this mode shares the same network namespace as the host, so the container and the host both use the host's eth0.)


The host network mode does not involve docker0 or a veth pair, because it needs no additional bridge or virtual network card. When a parent process creates a child process without the CLONE_NEWNET flag, the child shares the parent's network namespace. Docker uses this simple principle: when it creates the process that starts the container, it simply does not pass the CLONE_NEWNET flag, so the container shares the host's network environment. That is host network mode.
Among Docker's network modes, host mode is a good complement to bridge mode. A container in host mode can communicate with the outside world directly using the host's IP address; if the host's eth0 has a public IP, the container has that public IP too. Services in the container can also use the host's ports without any NAT translation. This convenience comes at the cost of other features, most notably weakened network isolation: the container no longer has an isolated, independent network stack. A host-mode container can run a service exactly as it would run on a traditional host, without modification, but because of the weakened isolation the container competes with the host for the shared network stack, and it no longer has the full range of ports available, since some ports are already occupied by the host itself and others are already used for port mappings of bridge-mode containers.


    • Other container: --net=container:name_or_id (lets Docker place the new container's process into an already existing network stack. The new container's process has its own file system, process list and resource limits, but network resources such as IP address and ports are shared with the existing container, and the two processes can communicate directly over the lo loopback interface.)


The Docker container on the right uses the other-container network mode, joining the network environment of the Docker container on the left, which uses bridge mode.
Implementing the other-container network mode involves neither a bridge nor the creation of a veth pair of virtual network cards.

Creating a container in other-container network mode takes only two steps:
(1) Find the network namespace of the other container (the container whose network environment is to be shared);
(2) Set the network namespace of the newly created Docker container (the one that needs to share the other container's network) to that other container's namespace.
In this mode the Docker container can reach the other containers in that namespace through localhost, which makes communication more efficient. Although several containers share one network environment, together they still form a unit that is network-isolated from the host and from other containers. This mode also saves some network resources. Note, however, that it does not improve the container's communication with the world outside the host.


    • none: --net=none (lets Docker place the new container in an isolated network stack but performs no network configuration; the user can then configure it themselves. The container can only use the loopback network device and has no other network resources.)
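As an added example (not code from the original post or from Docker itself), the following Python script takes `docker inspect` output, classifies each container into the four modes described above, and reports what each mode means for isolation, NAT and port exposure; it also reads the net.ipv4.ip_forward switch that bridge mode depends on. It assumes the HostConfig.NetworkMode and HostConfig.PortBindings fields of `docker inspect`; the sample input is constructed.

```python
import json
from typing import List, Optional

# Constructed sample in the shape of `docker inspect` output; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge",
     "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Name": "/monitor", "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
    {"Name": "/sidecar", "HostConfig": {"NetworkMode": "container:web", "PortBindings": {}}},
    {"Name": "/batch", "HostConfig": {"NetworkMode": "none", "PortBindings": None}},
])

def classify(mode: str) -> dict:
    """Map HostConfig.NetworkMode to the four modes: bridge, host, container, none."""
    if mode == "host":
        # Shares the host's network namespace: no own stack, no NAT, uses host ports.
        return {"mode": "host", "isolated_stack": False, "nat": False, "shares_with": "host"}
    if mode.startswith("container:"):
        # Joins another container's namespace; still isolated from the host.
        return {"mode": "container", "isolated_stack": True, "nat": False,
                "shares_with": mode.split(":", 1)[1]}
    if mode == "none":
        # Own namespace with loopback only; no veth pair, no NAT.
        return {"mode": "none", "isolated_stack": True, "nat": False, "shares_with": None}
    # "bridge", "default" and user-defined bridge networks: veth pair on a bridge plus NAT.
    return {"mode": "bridge", "isolated_stack": True, "nat": True, "shares_with": None}

def audit(inspect_json: str) -> List[dict]:
    """Return one finding per container: mode properties plus ports published to the host."""
    findings = []
    for c in json.loads(inspect_json):
        f = classify(c["HostConfig"]["NetworkMode"])
        f["name"] = c["Name"].lstrip("/")
        bindings = c["HostConfig"].get("PortBindings") or {}
        f["published"] = sorted(f"{cport}->{b['HostPort']}"
                                for cport, lst in bindings.items() for b in lst)
        findings.append(f)
    return findings

def ip_forward_enabled(path: str = "/proc/sys/net/ipv4/ip_forward") -> Optional[bool]:
    """Read the kernel forwarding switch that bridge mode needs; None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None

if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        print(f["name"], f["mode"], f["isolated_stack"], f["nat"], f["shares_with"], f["published"])
    print("net.ipv4.ip_forward enabled:", ip_forward_enabled())
```

On a real host, feed it `docker inspect $(docker ps -q)`; containers reported with isolated_stack False or a non-empty shares_with are the ones whose network isolation the text describes as weakened.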


Network-related options:

-b BRIDGE or --bridge=BRIDGE: specify the bridge the container attaches to
--bip=CIDR: set a custom IP address/netmask for docker0
-H SOCKET... or --host=SOCKET...: the channel on which the Docker daemon receives commands
--icc=true|false: whether to allow communication between containers
--ip-forward=true|false: enable IP forwarding for container communication (net.ipv4.ip_forward, see above)
--iptables=true|false: whether Docker may add iptables rules
--mtu=BYTES: MTU of the container network

The following two options can be given either when the Docker daemon starts or when a container starts (docker run). Given at daemon start they become the default, and that default can be overridden when docker run is executed:
--dns=IP_ADDRESS: use the specified DNS server
--dns-search=DOMAIN...: specify the DNS search domain

The following options are used only with docker run and mainly configure container features:
-h HOSTNAME or --hostname=HOSTNAME: configure the container hostname
--link=CONTAINER_NAME:ALIAS: add a link to another container
--net=bridge|none|container:name_or_id|host: configure the container's network mode
-p SPEC or --publish=SPEC: map a container port to the host
-P or --publish-all=true|false: map all container ports to the host


The network model theory above mainly comes from:

http://www.infoq.com/cn/articles/docker-source-code-analysis-part7



This article is from the "Day Up goto" blog; please keep this source: http://ttxsgoto.blog.51cto.com/4943095/1792919
