Docker's bridge and Macvlan network modes

Source: Internet
Author: User

The container network created by the Docker cluster deployed for our project has been running into problems, so I took the opportunity to study Docker's network models. We rarely use the other types, so only the two we use most, bridge and Macvlan, are covered here; parts of the description below are taken directly from the Internet.

Bridge mode

Bridge mode is Docker's default network mode. When the Docker daemon starts, it creates a virtual bridge named docker0 on the host to connect the host with the containers, and every Docker container on the host is attached to this bridge. The virtual bridge works like a physical switch, so all containers are connected through it to one layer-2 network.

Docker uses the veth pair technique to create two virtual network interfaces, veth0 and veth1, on the host (a veth pair guarantees that any message received by one end is forwarded unconditionally to the other end). Docker places one end of the veth pair in the newly created container and names it eth0 (the container's network card; the container is assigned an IP from the docker0 subnet and docker0's IP address is set as its default gateway). The other end stays on the host with a name like vethxxx and is added to the docker0 bridge, which can be checked with the brctl show command. In this way the container and the bridge can communicate with each other. The network structure is as follows:

How the container communicates with the host: in bridge mode, the Docker daemon attaches veth0 to the docker0 bridge, which guarantees that the host's messages can reach veth0. It then moves veth1 into the network namespace of the Docker container, which guarantees that every message the host sends to veth0 is received by veth1 immediately.

How containers communicate with the outside world: if a container needs to reach the network, NAT is required (a technique that rewrites the source or destination IP address of an IP packet as it passes through a router or firewall). To be exact, it is NAPT (network address and port translation), which has two forms of translation: SNAT and DNAT.

    • When the container is accessed from outside the host (the destination address of the packet is modified):

Because the container's IP and port are not visible to the outside, the destination address of the packet is the host's IP and port, for example 192.168.1.10:24.

The packet is routed to the host's eth0 and from eth0 to the docker0 bridge. Because of the DNAT rule, the destination address of the packet is rewritten to the container's IP and port, i.e. 172.17.0.n:24.

The docker0 bridge on the host recognises the container's IP and port, so the packet is sent to the veth0 interface attached to docker0; veth0 passes the packet to the veth1 interface inside the container, and the container receives the packet and responds.

The whole process is as follows:

    • When the container accesses the outside world from the host (the source address of the packet is modified):

Now the source address of the packet is the container's IP and port, for example 172.17.0.n:24. The veth1 interface inside the container sends the packet to the veth0 interface, and it reaches the docker0 bridge.

The docker0 bridge on the host sees that the destination address of the packet is an outside IP and port, so the packet is forwarded to eth0 and sent out from eth0. Because of the SNAT rule, the source address of the packet is rewritten to the host's IP and port, i.e. 192.168.1.10:24.

Because the router recognises the host's IP address, the packet is forwarded to the outside world, where it is accepted and answered. From the outside, this packet appears to come from 192.168.1.10:24; the Docker container is not visible.

The whole process is as follows:
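As an added example (not code from the original page), the following Python model carries the two flows above through a simplified NAPT: published-port DNAT for traffic entering from outside, MASQUERADE-style SNAT for traffic a container sends out, and the reverse translation of the reply packets that the text only implies. It also shows why this is port translation and not merely address translation: when a second container uses the same source port toward the same destination, it has to be given a fresh host port. All addresses are constructed sample values in the style of the page's example (host 192.168.1.10, containers 172.17.0.n, port 24); the class and method names are mine.

```python
"""Toy NAPT model for Docker bridge mode (added example, not the page's code).

Models a Docker host at 192.168.1.10 (constructed, as in the page's example):
  - DNAT: traffic for a published host port is rewritten to container IP:port
  - SNAT: container-originated traffic is rewritten to the host IP (MASQUERADE
    keeps the container's source port when it is free, else picks a new one)
  - a conntrack table so that replies in both directions are translated back
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class BridgeNapt:
    def __init__(self, host_ip, ephemeral_start=32768):
        self.host_ip = host_ip
        self.published = {}      # host port -> (container ip, container port): DNAT rules
        self.snat_ports = {}     # outbound 4-tuple -> host port chosen for it
        self.used_ports = set()  # (host port, dst ip, dst port) already claimed by SNAT
        self.conntrack = {}      # reply 4-tuple as it arrives -> reply 4-tuple after reverse NAT
        self.next_port = ephemeral_start

    def publish(self, host_port, container_ip, container_port):
        """A published port (docker run -p) installs such a DNAT rule."""
        self.published[host_port] = (container_ip, container_port)

    def dnat(self, pkt):
        """Packet arriving on the host NIC from outside (iptables PREROUTING)."""
        if pkt.dst_ip != self.host_ip or pkt.dst_port not in self.published:
            return None  # no DNAT rule: the container stays invisible to the outside
        cip, cport = self.published[pkt.dst_port]
        # record how the container's reply must be rewritten on its way back out
        self.conntrack[(cip, cport, pkt.src_ip, pkt.src_port)] = (
            self.host_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return Packet(pkt.src_ip, pkt.src_port, cip, cport)

    def snat(self, pkt):
        """Container-originated packet leaving the host NIC (iptables POSTROUTING)."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.snat_ports:
            port = pkt.src_port  # MASQUERADE keeps the original source port if it can
            # A second container using the same port toward the same destination
            # would be indistinguishable on the way back, so it gets a fresh port:
            # this is what makes the scheme NAPT rather than plain NAT.
            while (port, pkt.dst_ip, pkt.dst_port) in self.used_ports:
                port, self.next_port = self.next_port, self.next_port + 1
            self.used_ports.add((port, pkt.dst_ip, pkt.dst_port))
            self.snat_ports[key] = port
            self.conntrack[(pkt.dst_ip, pkt.dst_port, self.host_ip, port)] = (
                pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return Packet(self.host_ip, self.snat_ports[key], pkt.dst_ip, pkt.dst_port)

    def reply(self, pkt):
        """Reverse translation for a reply in either direction; None if no flow matches."""
        entry = self.conntrack.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return Packet(*entry) if entry else None


if __name__ == "__main__":
    nat = BridgeNapt("192.168.1.10")
    nat.publish(24, "172.17.0.2", 24)
    # inbound to the published port and the container's reply
    print(nat.dnat(Packet("203.0.113.5", 40000, "192.168.1.10", 24)))
    print(nat.reply(Packet("172.17.0.2", 24, "203.0.113.5", 40000)))
    # two containers going out from the same source port
    print(nat.snat(Packet("172.17.0.2", 24, "198.51.100.7", 80)))
    print(nat.snat(Packet("172.17.0.3", 24, "198.51.100.7", 80)))
```

A reply that matches no conntrack entry is returned as None, which is the model's equivalent of the real host having nothing to deliver it to: without a DNAT rule or a tracked outbound flow, the container is not reachable from outside at all.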

Macvlan Mode

Macvlan itself is a module of the Linux kernel and is essentially a network card virtualisation technique. It allows multiple virtual network cards to exist on the same physical network card, forwarding network data at the data link layer according to different MAC addresses: one network card is configured with multiple MAC addresses (that is, multiple interfaces), and each interface can be configured with its own IP. Docker's Macvlan network simply uses the Macvlan driver provided by Linux.

Because the packets for multiple MAC addresses are all transmitted through the same NIC, the network card must be put into promiscuous mode with ip link set eth0 promisc on.

Creating a Macvlan network differs from bridge mode: you must specify a network segment and a gateway, and both must be real, for example docker network create -d macvlan --subnet=10.9.8.0/24 --gateway=10.9.8.254 -o parent=eth0 macvlan-test

Macvlan mode does not rely on a bridge, so brctl show does not show a new bridge; but if you look at the container's network interfaces, you will see that its virtual network card is bound to interface 2.

Looking at the host's network, interface 2 is the virtual machine's network card.

As can be seen, the container's eth0 is a Macvlan virtual interface on top of the host's eth0. The container's interface is directly connected to the host's NIC, which allows the container to communicate directly with the external network without NAT or port mapping (as long as a gateway exists); on the network it is indistinguishable from any other standalone host. The current network structure:

Macvlan monopolises the host network card, that is, only one Macvlan network can be created on a network card; creating another one fails with an error. To support more Macvlan networks, Macvlan can be attached not only to an interface (such as eth0) but also to a sub-interface of the NIC (such as eth0.xxx).

VLAN is a commonly used network virtualisation technique in modern networks. It can divide a physical layer-2 network into up to 4,094 logical networks, which are isolated from each other at layer 2; each logical network (that is, each VLAN) is distinguished by its VLAN ID, which ranges from 1 to 4094. Linux network cards also support VLANs (apt-get install vlan): the same interface can send and receive packets of multiple VLANs, provided a VLAN sub-interface is created for each of them. For example, if you want eth0 to support both VLAN 10 and VLAN 20, you need to create the sub-interfaces eth0.10 and eth0.20. The created sub-interfaces look as follows:

On the switch, a port that can only send and receive data for a single VLAN is in access mode; a port that supports multiple VLANs is in trunk mode. To implement multiple Macvlan networks, the NIC must be connected to a trunk port of the switch.

For example, after creating sub-interfaces such as eth0.10 and eth0.20 on the NIC, the network structure once the containers are created looks like this:
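As an added example (not code from the page), the following Python model ties together two points from this section: why the page says the parent NIC needs promiscuous mode, and how VLAN sub-interfaces let one NIC carry several Macvlan networks. It builds raw Ethernet frames with and without an 802.1Q tag, then models how the parent NIC accepts or drops a frame and which interface (eth0, eth0.10, eth0.20) and which Macvlan child it lands on. The MAC addresses, container names and payloads are constructed, and the NIC model is mine, not the kernel driver.

```python
"""Model of how a Macvlan parent NIC demultiplexes frames (added example, not the page's code).

Frames are built with or without an 802.1Q VLAN tag. ParentNic then applies, in
order: the NIC's MAC filter (frames not addressed to the NIC's own MAC are
dropped unless promiscuous mode is on, as the page describes), the VLAN tag ->
sub-interface mapping (eth0.10, eth0.20), and the destination MAC -> Macvlan
child (container) mapping. All MACs, names and payloads are constructed.
"""
import struct

ETH_P_8021Q = 0x8100             # EtherType of an 802.1Q VLAN tag
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Ethernet II frame; with vlan_id an 802.1Q tag is inserted after the MACs."""
    head = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        head += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)  # TCI: PCP/DEI 0, VID
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id or None, ethertype, payload)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return dst.hex(":"), src.hex(":"), vlan_id, etype, frame[offset:]


class ParentNic:
    def __init__(self, name, mac, promisc=False):
        self.name, self.mac, self.promisc = name, mac.lower(), promisc
        self.vlan_subifs = {}   # VLAN ID -> sub-interface name, e.g. 10 -> "eth0.10"
        self.children = {}      # (interface name, child MAC) -> container name

    def add_vlan(self, vlan_id):
        """Equivalent of creating the eth0.<id> VLAN sub-interface."""
        self.vlan_subifs[vlan_id] = f"{self.name}.{vlan_id}"

    def add_macvlan(self, iface, mac, container):
        """A Macvlan child (the container's eth0) on iface with its own MAC."""
        self.children[(iface, mac.lower())] = container

    def receive(self, frame):
        """Returns ("delivered", interface, [receivers]) or ("dropped", reason, [])."""
        dst, _src, vlan_id, _etype, _payload = parse_frame(frame)
        group_bit = int(dst[:2], 16) & 1          # I/G bit set: multicast or broadcast
        if not self.promisc and dst != self.mac and not group_bit:
            return ("dropped", "MAC filter: not the NIC's own MAC and promisc is off", [])
        iface = self.name if vlan_id is None else self.vlan_subifs.get(vlan_id)
        if iface is None:
            return ("dropped", f"no sub-interface for VLAN {vlan_id}", [])
        if dst == BROADCAST:
            receivers = ["host"] + [c for (i, _m), c in self.children.items() if i == iface]
            return ("delivered", iface, receivers)
        if dst == self.mac:
            return ("delivered", iface, ["host"])
        container = self.children.get((iface, dst))
        if container is None:
            return ("dropped", f"no Macvlan child with MAC {dst} on {iface}", [])
        return ("delivered", iface, [container])


def demo_nic(promisc):
    """Constructed host: eth0 plus VLAN 10/20 sub-interfaces, one container on each."""
    nic = ParentNic("eth0", "02:42:ac:11:00:01", promisc=promisc)
    nic.add_vlan(10)
    nic.add_vlan(20)
    nic.add_macvlan("eth0", "02:42:0a:09:08:02", "ctr-a")       # Macvlan network on eth0
    nic.add_macvlan("eth0.10", "02:42:0a:0a:00:02", "ctr-b")    # Macvlan network on eth0.10
    nic.add_macvlan("eth0.20", "02:42:0a:14:00:02", "ctr-c")    # Macvlan network on eth0.20
    return nic


if __name__ == "__main__":
    outside = "00:11:22:33:44:55"
    frame = build_frame("02:42:0a:09:08:02", outside, ETH_P_IP, b"ip-payload")
    print(demo_nic(promisc=False).receive(frame))   # dropped by the MAC filter
    print(demo_nic(promisc=True).receive(frame))    # delivered to ctr-a on eth0
    tagged = build_frame("02:42:0a:0a:00:02", outside, ETH_P_IP, b"ip-payload", vlan_id=10)
    print(demo_nic(promisc=True).receive(tagged))   # delivered to ctr-b on eth0.10
```

The model keys acceptance on the promiscuous flag exactly as the page describes; the real macvlan driver first tries to program the child MAC addresses into the parent NIC's unicast filter and only turns on promiscuous mode when the NIC cannot hold them. Either way, a frame whose VLAN has no sub-interface, or whose destination MAC belongs to no child on that sub-interface, is dropped rather than reaching a container in another VLAN, which is the isolation property the trunk-port setup relies on.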
