Four types of Docker network models

Source: Internet
Author: User
Tags: socket, iptables, docker ps, docker run

I. Docker Networking Basics

Docker offers four network modes when a container is created. bridge is the default and does not have to be specified; the other three are selected with --net when the container is created. (These are the engine's built-in single-host modes; user-defined bridge, overlay and macvlan networks were added later and are not covered here.)

Bridge mode: --net=bridge (the default).
None mode: --net=none.
Host mode: --net=host.
Container mode: --net=container:<name or ID of another container>.

Bridge mode: Docker's network isolation is built on network namespaces. When a container is created on a physical machine it receives its own network namespace, and the container's interface is attached to a virtual bridge on the host, from whose subnet the container's IP is allocated.

None mode: a container created in this mode gets no network configuration at all: no interface other than loopback, no IP address, no routes. Everything has to be configured by hand.

Host mode: a container created in this mode has no network namespace of its own; it shares the host's, including all of the host's IP addresses and ports. This mode is considered unsafe, because a process in the container sees, and can bind to, the host's network stack directly.

Container mode: similar to host mode, except that the new container shares the network namespace (IP and ports) of another container rather than that of the host. The container gets no network configuration of its own; inside it you see the IP of the container you named and its ports are shared, while everything else (processes, filesystem and so on) stays isolated.

The Docker network initialization sequence is:

initialize devices -> initialize the bridge -> initialize iptables -> enable IP forwarding (kernel route forwarding) -> register the network job functions -> done

II. Docker Network Infrastructure Configuration
1. Docker network defaults

[root@foundation6 ~]# ip addr show docker0
9: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> qdisc noqueue state UP
    link/ether 02:42:1f:31:2f:82 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:1fff:fe31:2f82/64 scope link
       valid_lft forever preferred_lft forever
# Docker creates the virtual bridge docker0 at startup; its default address is 172.17.0.1/16. Containers are attached to docker0 and automatically assigned an IP from that subnet when they start.

2. Modifying Docker's default network configuration (the bridge subnet you choose must not overlap with any network segment the host is already on, or host routing breaks)
1) Change it with commands (lost after a reboot)

systemctl stop docker.service

ip link set dev docker0 down

ip addr del 172.17.0.1/16 dev docker0

ip addr add 192.168.10.1/24 dev docker0

ip link set dev docker0 up

systemctl start docker.service

# The daemon is stopped first because, when it starts, it reuses the address already configured on an existing docker0 rather than re-creating the bridge.

2) Modify the configuration file so the change is permanent (the session below edits the systemd unit, which is how it was done on the Docker release shown; on current releases the same setting is made in /etc/docker/daemon.json with "bip": "192.168.10.1/24" and the unit file is left alone)

[root@foundation6 ~]# systemctl stop docker        # stop the service before editing the unit file
[root@foundation6 ~]# cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service
# The unit file's location is shown in the service's status. Do not edit the packaged file; copy it to /etc/systemd/system/docker.service and edit the copy, which takes precedence.
[root@foundation6 ~]# vim /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine   # a one-line description of this unit
Documentation=https://docs.docker.com             # URL(s) of the service's documentation
After=network.target docker.socket                # start this service only after the listed units have started
Requires=docker.socket                            # units this service depends on; they are started with it, and if any of them fails this service is terminated

[Service]                                          # this section exists only in .service files and is the most important part
Type=notify                                        # service type
ExecStart=/usr/bin/docker daemon -H fd:// --bip="192.168.10.1/24" --insecure-registry 172.25.254.66:5000
# the main command that starts the service; --bip sets the bridge address.
# --insecure-registry allows pulls from that registry over plain HTTP or with an unverified certificate, so images from it can be tampered with in transit; use it only for a registry on a trusted network.
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
TimeoutStartSec=0

[Install]                                          # this section is acted on by systemctl enable and undone by systemctl disable
WantedBy=multi-user.target                         # units that pull in this service

[root@foundation6 ~]# systemctl daemon-reload      # reload unit files
[root@foundation6 ~]# systemctl start docker       # start the service
[root@foundation6 ~]# ip addr show docker0
9: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> qdisc noqueue state DOWN
    link/ether 02:42:1f:31:2f:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:1fff:fe31:2f82/64 scope link
       valid_lft forever preferred_lft forever
[root@foundation6 ~]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.033 ms

3) The Docker network models in detail
Bridge mode:

In bridge mode, containers attached to the same bridge can communicate with each other (for security this can be turned off with the daemon option --icc=false, which leaves only explicitly published or linked paths open). Containers can also reach the outside world: a packet leaving a container arrives at docker0, because the container's interface is bridged to it. Looking at the iptables nat table you will find a MASQUERADE rule that rewrites the source address of packets from the bridge subnet (172.17.0.0/16 by default, not the single address 172.17.0.1) to the host's address; for the host to forward those packets at all, IP forwarding (net.ipv4.ip_forward=1) must be enabled. So as long as the host can talk to the outside, so can the containers.

Bridge mode is set up in the following steps:

1. The Docker daemon creates a veth pair, two virtual network interfaces on the host, say veth0 and veth1. A veth pair behaves like a cable: whatever one end receives is delivered to the other end.

2. The daemon attaches veth0 to the docker0 bridge it created, so that frames on the host side of the bridge reach veth0.

3. The daemon moves veth1 into the container's network namespace and renames it eth0. Frames reaching veth0 on the host are immediately delivered to eth0 in the container, giving the host connectivity to the container, while the container alone owns eth0, which is what isolates its network environment.

A container in bridge mode is not what developers would ideally want. Most obviously, the container has no public IP: it is not on the same network segment as the host's eth0, so the world outside the host cannot reach it directly. NAT (port mapping) bridges that gap, but it has problems of its own: containers compete for host ports, clients of a containerized service must first discover which host port it was published on, and because NAT is done at layer 3 by the host's netfilter it costs some forwarding efficiency. Two points matter for security: a published port's DNAT rule accepts traffic from any source (0.0.0.0/0) unless the port is bound to a specific address (for example -p 127.0.0.1:8000:80), and because mapped traffic passes through the FORWARD chain rather than INPUT, host firewall rules written for INPUT do not apply to it.

[root@foundation6 ~]# docker run -d --name web1 nginx
90bf8ed3e5b93011d17ad3a8fe055858e75b16773de0f72dcf5c1519133a4d7c
# start a container from the image nginx:latest in the background and name it web1; -d detaches and prints the container ID, --name sets the container name
[root@foundation6 ~]# docker run -d --name web2 -p 8000:80 nginx
6b9a27a9a78b1f4276337776b3401f11f9b52eaa096fea673e67b4c7439bbc08
# start a second container from nginx:latest and map the container's port 80 to host port 8000 (-p host:container); a request to the host's port 8000 is forwarded to port 80 in the container, i.e. to nginx

Mapping port 80 of web2 to host port 8000 adds one rule to iptables, which you can see afterwards:
[root@foundation6 ~]# iptables -t nat -nL
....
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.17.0.3:80
[root@foundation6 ~]# docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED         STATUS         PORTS                          NAMES
6b9a27a9a78b   nginx   "nginx -g 'daemon off"   7 seconds ago   Up 4 seconds   443/tcp, 0.0.0.0:8000->80/tcp   web2
90bf8ed3e5b9   nginx   "nginx -g 'daemon off"   5 minutes ago   Up 5 minutes   80/tcp, 443/tcp                web1
 

Test: on the host, open 172.17.0.3 (the container's bridge address) and 172.25.254.66:8000 (the host's address and the published port) in a browser; both show the nginx test page.

To view ports:

[root@foundation6 ~]# netstat -antlp | grep :80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1479/httpd
tcp        0      0 192.168.0.126:56394     203.208.43.122:80       ESTABLISHED 9432/firefox
[root@foundation6 ~]# netstat -antlp | grep :8000
tcp        0      0 172.25.254.66:36688     172.25.254.66:8000      ESTABLISHED 9432/firefox
tcp6       0      0 :::8000                 :::*                    LISTEN
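The DNAT rule shown above is what makes a published port reachable from outside, and whether its destination is 0.0.0.0/0 or a specific host address decides who can reach it. The following shell script is an added example, not part of the original post: it parses `iptables -t nat -S` output the way an auditor would, lists every published port with the address it is bound to, counts the ones exposed on all interfaces, and checks that the MASQUERADE rule for the bridge subnet is present. SAMPLE_RULES is constructed to match the web1/web2 setup above plus a hypothetical third mapping bound to 127.0.0.1; on a real host replace it with the live output of `iptables -t nat -S`.

```shell
#!/bin/sh
# Added example: audit Docker's port-mapping (DNAT) and masquerade rules.
# SAMPLE_RULES is constructed to look like `iptables -t nat -S` on a host with
# the two nginx containers from the post and one extra container whose port was
# published with -p 127.0.0.1:5432:5432 (an assumption for illustration).
# On a real host:  RULES=$(iptables -t nat -S)
SAMPLE_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.4:5432'

# One line per published port: "<bind-addr> <proto> <host-port> -> <container-addr:port>".
# A DNAT rule without "-d" matches every host address, which is what the
# "0.0.0.0:8000->80/tcp" column in `docker ps` means.
list_mappings() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/ {
            bind = "0.0.0.0"; proto = ""; dport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d")               { split($(i+1), a, "/"); bind = a[1] }
                if ($i == "-p")               proto = $(i+1)
                if ($i == "--dport")          dport = $(i+1)
                if ($i == "--to-destination") dest = $(i+1)
            }
            print bind, proto, dport, "->", dest
        }'
}

# Number of mappings reachable from other hosts (bound to 0.0.0.0, not loopback).
count_exposed() {
    list_mappings "$1" | awk '$1 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# Is there a MASQUERADE rule at all? Without it container traffic leaves the host
# with an unroutable 172.17.x.x source address. Prints "yes" or "no".
has_masquerade() {
    if printf '%s\n' "$1" | grep -q -- '-j MASQUERADE'; then echo yes; else echo no; fi
}

# Kernel forwarding flag the masquerade rule depends on; "unknown" off Linux.
ip_forward_state() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then cat /proc/sys/net/ipv4/ip_forward; else echo unknown; fi
}

list_mappings "$SAMPLE_RULES"
echo "mappings exposed on all interfaces: $(count_exposed "$SAMPLE_RULES")"
echo "masquerade rule present: $(has_masquerade "$SAMPLE_RULES")"
echo "net.ipv4.ip_forward: $(ip_forward_state)"
```

Run it as root on a Docker host with `RULES=$(iptables -t nat -S)` substituted for the sample; any mapping reported with bind address 0.0.0.0 is reachable by every host that can reach the machine, regardless of INPUT-chain firewall rules, and should have been published with an explicit address unless that exposure is intended.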

Host network mode: the container uses the same network namespace as the host
Host mode is a useful complement to bridge mode. A container in host mode communicates with the outside world using the host's own IP address; if the host's eth0 carries a public IP, the container has that public IP too. Services in the container bind the host's ports directly, with no NAT in between. That convenience costs other properties, most notably network isolation: the container no longer has an isolated, independent network stack. A service runs in a host-mode container exactly as it would on the host, with no changes, but because isolation is gone the container competes with the host for the shared network stack, and it no longer has the full range of ports available: some are already occupied by the host itself, and others have been taken by port mappings of bridge-mode containers.

[root@foundation6 ~]# docker run -it --name web4 --net host ubuntu
# run a container from the ubuntu image interactively: -i keeps stdin open, -t allocates a pseudo-terminal, --name names it web4, --net selects the network mode (host)
root@foundation6:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
....
[root@foundation6 ~]# docker exec web3 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
...
# web3 and web4 both run in host mode, so they use the host's network directly: the interface list inside the container is the host's own, and the prompt shows the host's hostname

Test:
Opening the host's port 80 in a browser now shows the nginx page rather than the host's real Apache page, even though no nginx is configured on the host itself: nginx in the host-mode container bound the host's port 80 directly. (It can only do so if nothing on the host still holds port 80; with the httpd listener seen in the netstat output above still running, the container's bind would fail.)

Container network mode:
(1) Find the network namespace of the other container (the one whose network environment is to be shared).
(2) Create the new container so that it uses that container's network namespace instead of getting one of its own.
Container mode exists to make communication between containers cheaper. Containers sharing a namespace reach each other over localhost, which is faster than crossing the bridge. Although several containers then share one network environment, the group as a whole is still isolated from the host and from other containers, and some network resources are saved. Note, however, that this mode does nothing to improve a container's communication with the world outside the host.

[root@foundation6 ~]# docker run -it --name web5 --net container:web4 ubuntu
# web5 uses web4's network directly; because web4 is in host mode, web5 also shows the host's network
root@foundation6:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp7s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> qdisc pfifo_fast master br0 state DOWN group default
    link/ether f0:76:1c:81:e3:b6 brd ff:ff:ff:ff:ff:ff
3: wlp8s0: <BROADCAST,MULTICAST> qdisc noop state DOWN group default
    link/ether c4:8e:8f:0c:a9:71 brd ff:ff:ff:ff:ff:ff
4: br0: <NO-CARRIER,BROADCAST,MULTICAST,UP> qdisc noqueue state DOWN group default
    link/ether f0:76:1c:81:e3:b6 brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.66/24 brd 172.25.254.255 scope global br0
       valid_lft forever preferred_lft forever
    inet 172.25.66.250/24 brd 172.25.66.255 scope global br0
       valid_lft forever preferred_lft forever
5: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> qdisc noqueue state DOWN group default
    link/ether 52:54:00:e2:0c:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
6: virbr0-nic: <BROADCAST,MULTICAST> qdisc pfifo_fast master virbr0 state DOWN group default
    link/ether 52:54:00:e2:0c:7d brd ff:ff:ff:ff:ff:ff
7: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> qdisc noqueue state DOWN group default
    link/ether 52:54:00:91:4b:52 brd ff:ff:ff:ff:ff:ff
8: virbr1-nic: <BROADCAST,MULTICAST> qdisc pfifo_fast master virbr1 state DOWN group default
    link/ether 52:54:00:91:4b:52 brd ff:ff:ff:ff:ff:ff
9: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> qdisc noqueue state UP group default
    link/ether 02:42:75:58:f2:fa brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.1/24 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:75ff:fe58:f2fa/64 scope link
       valid_lft forever preferred_lft forever
# Docker creates the virtual bridge docker0 at startup; containers are attached to docker0 and assigned an IP automatically when they start. The two veth interfaces below are the host ends of the bridge-mode containers' veth pairs.
11: veth3fc6eda@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> qdisc noqueue master docker0 state UP group default
    link/ether 62:fa:23:8b:95:9f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::60fa:23ff:fe8b:959f/64 scope link
       valid_lft forever preferred_lft forever
13: vethb285c19@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> qdisc noqueue master docker0 state UP group default
    link/ether 66:fa:71:07:e2:1a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::64fa:71ff:fe07:e21a/64 scope link
       valid_lft forever preferred_lft forever
[root@foundation6 ~]# docker stop `docker ps -aq`      # stop all containers
c6e2fe90a785
3314207a76dd
b81172cd9aef
6b9a27a9a78b
90bf8ed3e5b9
[root@foundation6 ~]# docker rm `docker ps -aq`        # remove all containers
c6e2fe90a785
3314207a76dd
b81172cd9aef
6b9a27a9a78b
90bf8ed3e5b9

None network mode:
In none mode Docker sets up no network environment for the container at all. A container started with --net none has only the loopback device and no other network resources. Docker does the bare minimum here, and that absence of configuration is the point: it is the foundation on which a developer can build any custom network setup, which fits Docker's open design philosophy.

Assigning a fixed IP in none mode:
Network namespaces (netns) are the Linux kernel's network virtualization mechanism: they let a single machine host multiple independent network environments, and LXC uses them to give containers their networks. A namespace created with netns is separate from the system's own network: its network devices, routes and iptables rules are all independent, as if you had stepped into another machine's network.

[root@foundation6 ~]# docker run -it --net none --name vm1 ubuntu
# run a container from the ubuntu image interactively: -i keeps stdin open, -t allocates a pseudo-terminal, --name names it vm1, --net selects the network mode (none)
root@e0146efca427:/#
root@e0146efca427:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever          # no address other than loopback

Inter-container links:
The --link parameter establishes a connection between two containers without publishing any port: it connects one or more existing containers to the container being created, and "link" means exactly that, adding a connection to another container. (--link is a legacy feature of the default bridge; on user-defined networks containers resolve each other by name without it.)
The parameter takes the form --link name:alias, where name is the name of the container to link to and alias is the name under which it is reachable from the new container.

[root@foundation6 ~]# ip link add veth0 type veth peer name veth1    # create a veth pair; one end goes into the bridge, the other into the container
[root@foundation6 ~]# brctl addif docker0 veth0                    # attach veth0 to the bridge
[root@foundation6 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.f0761c81e3b6       no              enp7s0f1
docker0         8000.02427558f2fa       no              veth0       # veth0 has joined the bridge
virbr0          8000.525400e20c7d       yes             virbr0-nic
virbr1          8000.525400914b52       yes             virbr1-nic
[root@foundation6 ~]# ip link set up veth1                          # bring up both ends of the new pair
[root@foundation6 ~]# ip link set up veth0
[root@foundation6 ~]# docker inspect vm1 | grep Pid                 # find the container's PID, which is how its network namespace is reached under /proc
            "Pid": 6328,
            "PidMode": "",
            "PidsLimit": 0,
[root@foundation6 ~]# cd /proc/6328/ns/
[root@foundation6 ns]# ls
ipc  mnt  net  pid  user  uts
[root@foundation6 ns]# ll
total 0
lrwxrwxrwx 1 root root 0 07:51 ipc -> ipc:[4026532403]
lrwxrwxrwx 1
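The listing above stops before veth1 is moved into the container. The script below is an added example, not the post's own steps, that completes the procedure: it creates the veth pair, attaches one end to the bridge (with `ip link set ... master`, the iproute2 equivalent of `brctl addif`), exposes the container's network namespace to `ip netns` through a symlink to /proc/<pid>/ns/net, moves veth1 into it, renames it eth0, assigns the fixed address and adds a default route via the bridge. The container name vm1, the PID 6328 and the address 192.168.10.100/24 with gateway 192.168.10.1 are assumptions carried over from the session above. With DRY_RUN=1 (the default) it only prints the commands it would run, which is how it runs offline; as root on a host with a live --net none container, run it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: give a --net none container a fixed IP by plumbing one end of a
# veth pair into its network namespace. Container name, PID and addresses below
# are assumptions. DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (root).
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject anything that is not a dotted quad with octets 0-255 before it reaches ip(8),
# which would otherwise fail half-way through the sequence and leave a stray veth behind.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { ok = 1; for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0 }
        END { exit !ok }'
}

# attach_fixed_ip PID ADDR PREFIXLEN GATEWAY [BRIDGE]
# Emits (or executes) the steps that turn veth1 into eth0 inside namespace PID.
attach_fixed_ip() {
    pid=$1; addr=$2; prefix=$3; gw=$4; bridge=${5:-docker0}
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    run ip link add veth0 type veth peer name veth1
    run ip link set veth0 master "$bridge"              # same as: brctl addif docker0 veth0
    run ip link set veth0 up
    run mkdir -p /var/run/netns
    run ln -sf "/proc/$pid/ns/net" "/var/run/netns/$pid" # let `ip netns` address the container's namespace by PID
    run ip link set veth1 netns "$pid"                  # veth1 disappears from the host and appears in the container
    run ip netns exec "$pid" ip link set dev veth1 name eth0
    run ip netns exec "$pid" ip addr add "$addr/$prefix" dev eth0
    run ip netns exec "$pid" ip link set eth0 up
    run ip netns exec "$pid" ip route add default via "$gw"
}

# The container's init PID, as `docker inspect` reports it; the dry run reuses the
# PID 6328 seen in the post instead of calling docker.
container_pid() {
    if [ "$DRY_RUN" = 1 ]; then echo 6328; else docker inspect -f '{{.State.Pid}}' "$1"; fi
}

attach_fixed_ip "$(container_pid vm1)" 192.168.10.100 24 192.168.10.1
```

Because the address is taken from the bridge's own subnet (192.168.10.0/24 after the --bip change above), the daemon's MASQUERADE rule for that subnet still applies to the container's outbound traffic; an address outside the bridge subnet would need its own masquerade rule. Interfaces plumbed this way are unknown to Docker, so `docker inspect` will keep reporting the container as having no network, and they are not cleaned up when the container stops.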
