Original article. Reprinting is welcome; please keep this statement. Thank you!
Source: https://andyyoung01.github.io/or http://andyyoung01.16mb.com/
This article explores Docker's single-host container network, which lays the groundwork for understanding the network modes that span more than one Docker host.
Docker's default container network is built and controlled by a combination of network namespaces, iptables, a Linux bridge and the routing table. This article focuses on how to use the various single-host network modes and does not explore the implementation details in depth (the article at http://tonybai.com/2016/01/15/understanding-container-networking-on-single-host/ explores the implementation mechanism of Docker's single-host network in detail).
Docker's network modes
The following are some of the main network modes supported by Docker:
None
Start the container with --network="none". In this mode the container has no connection to the outside: it has only a loopback interface and no external routes.
Bridge
Start the container with --network="bridge", or omit the option entirely: this is Docker's default network mode. It allows containers on the same host to communicate with each other and lets containers reach the network outside the host. The figure shows the Docker bridge network:
On the host, Docker creates a bridge, typically named docker0, whose IP address is set to 172.17.0.1. When each container is created, a pair of veth network interfaces is created with it; one end is attached to the docker0 bridge and the other end is placed inside the container. Traffic from the container to the external network is handled by IP forwarding and the iptables NAT rules (green arrows in the figure). Traffic from the external network into the container takes a completely different path: if the container maps one of its ports to the host, Docker starts a docker-proxy process that listens on the host port and forwards the data to the container (the red arrow in the figure).
By default, containers on the same Docker host can communicate with each other by IP address. If you need to communicate using a container's host name, you must set up a link between the containers.
Host
Start the container with --network="host". In this mode the container shares the host's network namespace, so the host's network interfaces are available to the container, and the various network settings Docker makes in bridge mode are skipped. This means the container's network performance is the same as that of the host itself. Use this mode for applications with high network-performance requirements, such as a load balancer or a high-performance web server.
However, this mode gives the container full access to the host's local system services, so it is less secure than the other modes.
Container
Start the container with --network="container:<name|id>". In this mode the container uses the network namespace of another container, i.e. it shares that container's network stack.
User-defined network
In this mode, users create a custom network with a Docker network driver or an external network driver plugin, and can connect multiple containers to the same network. Once a container is connected to a user-defined network, it can communicate with the other containers on that network by IP address or by name. This feature requires Docker 1.10 or newer: the newer Docker daemon has a built-in DNS server that provides service discovery for any container that was given a name or a net-alias at creation time, or that got an alias through a link. This removes the need for DNS services provided by third-party software (the method described in the article "Using resolvable to find containers through DNS" is no longer needed).
For overlay networks, or networks created with plugins that support multi-host connectivity, containers that are connected to the same multi-host network but started on different hosts can communicate in the same way.
Docker's network commands
Docker's network commands can be used both for single-host networks and for multi-host overlay networks; this article mainly uses the commands related to single-host networks.
Create a network
When Docker is installed on a host, the Docker engine automatically creates three networks. The following command lists these three default networks:
$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
2a820cde1d0c        bridge              bridge              local
54be0bc791bf        host                host                local
8488a8a4ca59        none                null                local
In addition, users can create their own bridge or overlay networks. Running the docker network create command with just a network name creates a bridge network:
$ docker network create simple-network
a88875cc258fb24bbf55db67efefd05976dc8d1a8e25a2166a1acbd1dc9e125a
$ docker network inspect simple-network
[
    {
        "Name": "simple-network",
        "Id": "a88875cc258fb24bbf55db67efefd05976dc8d1a8e25a2166a1acbd1dc9e125a",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1/16"
                }
            ]
        },
        "Internal": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
Connecting containers
Containers can be dynamically connected to one or more networks. Once connected, the container can communicate through the IP address or name of the other container. Take a look at the example below:
First create two containers:
$ docker run -itd --name=container1 busybox
<container1 id>
$ docker run -itd --name=container2 busybox
126cf3af1ddd033a0925ca879e8d744293cb95949d560877ca630a29b4630630
Then create an isolated bridge network for testing:
$ docker network create --subnet 172.25.0.0/16 isolated_nw
38159357c0979fdbc6ca0be29475867115e002ef27d8f79fee014b03ffd86b8d
The --subnet argument specifies the subnet that containers on this network will use. Now connect container2 to the network you just created:
$ docker network connect isolated_nw container2
Then start a third container, connecting it to the isolated_nw network as it starts, and manually specify the container's IP address:
$ docker run --network=isolated_nw --ip=172.25.3.3 -itd --name=container3 busybox
d649491fd218c65fb0dc26aa79cb0d6f43dabac2bdc2f404c515f97042e60206
You can specify an IP address for a container only when the container is connected to a user-defined network whose subnet was set explicitly (through --subnet).
When the above commands have finished, the network topology on the whole host is as shown in the figure.
Use the docker attach command to attach to the running container2 and view its network stack:
$ docker attach container2
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:05
          inet addr:172.17.0.5  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:718 (718.0 B)  TX bytes:648 (648.0 B)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:19:00:02
          inet addr:172.25.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe19:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3282 (3.2 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
We can see that eth0 is connected to the default bridge network and eth1 is connected to the user-created isolated_nw network, on which Docker's built-in DNS server resolves the names of the other containers. So from container2 you can ping container3 by name:
/ # ping -w 4 container3
PING container3 (172.25.3.3): 56 data bytes
64 bytes from 172.25.3.3: seq=0 ttl=64 time=0.146 ms
64 bytes from 172.25.3.3: seq=1 ttl=64 time=0.113 ms
64 bytes from 172.25.3.3: seq=2 ttl=64 time=0.100 ms
64 bytes from 172.25.3.3: seq=3 ttl=64 time=0.112 ms

--- container3 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.100/0.117/0.146 ms
In the default bridge network, however, this is not the case: Docker does not provide automatic service discovery there:
/ # ping -w 4 container1
ping: bad address 'container1'
In the default bridge network, you can use the traditional docker run --link option to enable resolution by name. Of course, without --link, containers can still communicate with each other by IP address.
To exit the container2 terminal, press ctrl-p followed by ctrl-q.
In this example, container2 is connected to two networks, so it can communicate with both container1 and container3. But container1 and container3 are not on a common network, so they cannot communicate with each other. Next, attach to the container3 console and test (container1's IP is 172.17.0.4):
/ # ping -w 4 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes

--- 172.17.0.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
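As an added example (not from the original article), the following Python script applies the rules shown in this walkthrough to `docker inspect` output: two containers can talk directly only when they share a network, a container attached to more than one network joins two segments as container2 does, and host-mode containers (the caveat from the Host section above) are flagged for review. The sample records are constructed to mirror the example; the "lb" host-mode container is a hypothetical addition.

```python
import json

# Constructed sample in the shape of `docker inspect` output, cut down to the fields
# used below. Names and addresses mirror the article's walkthrough (container2 on
# both bridge and isolated_nw, container3 on isolated_nw with a fixed IP); the "lb"
# container started with --network=host is a hypothetical addition.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/container1", "HostConfig": {"NetworkMode": "default"},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.4"}}}},
 {"Name": "/container2", "HostConfig": {"NetworkMode": "default"},
  "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.5"},
                                   "isolated_nw": {"IPAddress": "172.25.0.2"}}}},
 {"Name": "/container3", "HostConfig": {"NetworkMode": "isolated_nw"},
  "NetworkSettings": {"Networks": {"isolated_nw": {"IPAddress": "172.25.3.3"}}}},
 {"Name": "/lb", "HostConfig": {"NetworkMode": "host"},
  "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}}
]""")

def attachments(inspect):
    """Map container name -> {network name: IP address}."""
    return {c["Name"].lstrip("/"): {n: v["IPAddress"] for n, v in
                                    c["NetworkSettings"]["Networks"].items()}
            for c in inspect}

def can_reach(inspect, a, b):
    """Two containers can talk directly only through a network they both sit on."""
    att = attachments(inspect)
    return bool(att[a].keys() & att[b].keys())

def multi_homed(inspect):
    """Containers on more than one network: they join two segments, as container2
    does between the default bridge and isolated_nw."""
    return sorted(n for n, nets in attachments(inspect).items() if len(nets) > 1)

def findings(inspect):
    """Per-container network-mode observations worth reviewing."""
    out = []
    for c in inspect:
        name = c["Name"].lstrip("/")
        if c["HostConfig"]["NetworkMode"] == "host":
            out.append((name, "host mode: shares the host's network namespace"))
        if "bridge" in c["NetworkSettings"]["Networks"]:
            out.append((name, "default bridge: no embedded DNS, reachable by IP "
                              "from every other container on docker0"))
    return out

if __name__ == "__main__":  # run stand-alone on the constructed sample
    print(findings(SAMPLE_INSPECT), multi_homed(SAMPLE_INSPECT))
```

On a real host, the same functions can be fed the output of docker inspect for the running containers, parsed with json.load.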
Disconnecting a container
A user can disconnect a container from a network with the docker network disconnect command. Once disconnected, the container can no longer communicate with other containers through that network:
$ docker network disconnect isolated_nw container2
$ docker attach container2
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:05
          inet addr:172.17.0.5  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1222 (1.1 KiB)  TX bytes:1152 (1.1 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:922 (922.0 B)  TX bytes:922 (922.0 B)
/ # ping container3
ping: bad address 'container3'
Removing a network
When all the containers in a network have been stopped or disconnected, you can remove the network:
$ docker network disconnect isolated_nw container3
$ docker network rm isolated_nw
isolated_nw
$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
2a820cde1d0c        bridge              bridge              local
54be0bc791bf        host                host                local
8488a8a4ca59        none                null                local
Docker's single-host container network