Let's review some basics:
the machine needs a network interface to send and receive packets, and a routing table to define how to reach which address segments. The network interface here
may not be a physical interface. In fact, the LO Loopback interface (also available in the Docker container) on each Linxu machine is a complete
The Linux kernel virtual interface, which copies the packets in the send cache directly into the receive cache. Docker allows host hosts and containers to use special
virtual interface to communicate-the 2 end of the communication is called "peers", they are connected together in the host core, so they can communicate with each other. Create
They are very simple, described earlier.
the steps for Docker to create a container are as follows:
? Create a pair of virtual interfaces
? Where the host host side uses a name such as VETH65F9, he is unique, the other end is bridged to the default Docker0, or
Other bridge adapters that you specify.
The name of the Veth65f9 on the host is typically eth0 in the container, the isolated network in which the interface is mapped to the new new container.
namespace, it is unique, there will be no other interface name and it conflicts.
? Get an idle address from the address segment of the host bridge adapter to Eth0, and set the default route to the bridged network card.
when this is done, the container can use the Eth0 virtual network card to connect to other containers and other networks.
You can also set specific parameters for a particular container and use--net at Docker run, which has 4 optional parameters:
--net=bridge-. The default connection to the Docker0 bridge.
--net=host-tells Docker not to place the container in the isolated network stack. Essentially, this option tells Docker
do not containerized the network of containers! Although the container still has its own file system, process list, and resource constraints. But using the IP addr command this
command to know that the container is actually at the same network level as the Docker host host, which has a fully hosted host
access rights for the machine interface. Although it does not allow the container to reconfigure the host's network stack unless the--privileged=true-container process
as with other root processes, you can open low-number ports, access local network services such as D-bus, and allow containers to do
some unexpected things, such as restarting the host, use this option to be very careful!
--net=container:name_or_id-tells Docker to place the process of the new container into the network heap of an already existing container
Stack, the new container process has its own file system, process list, and resource limits, but it will share IP with that existing container
and ports that can communicate between them via the loopback interface.
--net=none-tells Docker to put the new container in its own network stack, but not to configure its network, similar to
VMware's host-only. This allows you to create any custom configurations that will be introduced in the last paragraph of this article.
This is done by configuring a container to start with--net=none, so that he has access to the network as usual. To introduce
How Docker is connected to the container.
# Start a/bin/bash specified--net=none
$ sudo docker run-i-t--rm--net=none Base/bin/bash
[Email protected]:/#
# Open a new terminal, look for the container's process ID, then create its namespace, and the IP netns will use the
$ sudo docker inspect-f ' {{. State.pid}} ' 63f36fc01b5f
2778
$ pid=2778
$ sudo mkdir-p/var/run/netns
$ sudo ln-s/proc/$pid/ns/net/var/run/netns/$pid
#检查桥接网卡的ip和子网掩码
$ IP Addr Show Docker0
21:docker0: ...
inet 172.17.42.1/16 Scope Global Docker0
...
# Create a pair of "peer" interfaces A and B, bind a to the bridge, and enable it
$ sudo ip link add A type Veth peer name B
$ sudo brctl addif docker0 A
$ sudo ip link set A up
# Place B in the container's network namespace, named Eth0, to configure an idle IP
$ sudo ip link set B netns $pid
$ sudo ip netns exec $pid IP link set dev B name eth0
$ sudo ip netns exec $pid IP link set eth0 up
$ sudo ip netns exec $pid IP addr add 172.17.42.99/16 dev eth0
$ sudo ip netns exec $pid IP route add default via 172.17.42.1
#自此, you can use the Internet as usual.
when you exit the shell, Docker empties the container, the container's eth0 is destroyed with the network namespace, and the A interface is automatically
Docker0 Cancel registration. Everything was cleaned up without the other orders!
Note the IP netns EXEC command, which allows us to configure the network namespace as root. But cannot be used inside the container, because
for a unified security policy, Docker restricts the container process to configure its own network. Using IP netns exec lets us not set--
Privileged=true can perform some potentially dangerous operations.
For more highlights, please follow: http://bbs.superwu.cn
Focus on the two-dimensional code of Superman Academy:
How Docker connects to a container
