
Hello everyone, I'm Xiaocai~

This article is about Docker networking.

The WeChat public account is now open; if you haven't followed it yet, remember to do so!

Xiaocai had just wrapped up a feature and was about to open the public account "Vegetable Farmer's Day" to read a blog post and slack off a little when the notification chime rang again!

"Xiaocai, here is the connection info for the test environment server. Log in and use docker to deploy the branch you just pushed, then test it!"

Mentor Cheng Li had sent Xiaocai a message.

"What is docker, anyway? Don't you just find a directory on the server, upload the jar, and let fly with nohup java -jar ... & ?"

Xiaocai shut down again. Since entering the workplace he had hit a wall everywhere; to think he had been a good student at school, how embarrassing!

"Wait! I remember the public account "Vegetable Farmer's Day" published an article on docker. Let me look it up."

Getting started with Docker: after reading it, he felt he could give it another go!

A good while later Xiaocai came back to his senses from the article: "Now I can handle it!" He opened the server and tried the docker ps command.

"Interesting!" Following the tutorial in the article he began deploying his application: first he wrote a Dockerfile for it, then built an image with docker build, and finally ran the image with docker run. He tested his feature in the browser, and the test passed. Then Xiaocai fell into thought: a docker container packages a whole operating system environment, and containers are isolated from each other, so why can I reach what is inside a container from the outside? How do containers talk to each other? How do I create a custom network?

These few questions left Xiaocai with a big head! But giving up was impossible; maybe this could become one of the stepping stones to a promotion, a raise, and the peak of life! Clearly Xiaocai still had plenty of fighting spirit~

When Docker is installed it automatically creates three networks on the host. Reading this sentence, Xiaocai wondered how to look at those three networks and whether the help command would turn up anything. He quickly typed docker --help into the terminal.

"Oh, sure enough! Isn't network exactly what I want?" The quick-witted farmer followed the thread with docker network --help.

"ls lists docker's networks, let me try it."

(screenshot: output of docker network ls)

The terminal showed exactly what he expected. "bridge, host, none?" Xiaocai still had some networking basics; the first two names looked familiar, but what is none? A network with nothing in it? After some searching it turned out to be exactly that. He couldn't help admiring whoever named it: it really is what it says on the tin~ A container attached to this network has no network interface at all except the loopback interface lo.

Containers are started with docker run, and parameters can be appended to that command: --network=none puts the container on the none network~

"So what use is such a sealed-off network? It can't even reach the Internet," Xiaocai muttered.

Right, it can't reach the Internet, but some special scenarios need the network switched off. Usually those are scenarios with high security requirements that call for isolation; such a container can be placed on the none network so that there is simply no network path by which it could be attacked. Note that this removes the network as an attack path and nothing else: the container still shares the host's kernel, and bind mounts, volumes and docker exec remain ways in and out.

"Since that's only for special scenarios, and I haven't run into any yet: pass, pass! Let me see what kind of network host is."

Xiaocai knew the network type could be chosen with --network, so he started an nginx with network type host to have a look.

Looking at this network configuration, Xiaocai fell into contemplation. Why did it look so familiar? He scrolled the terminal back a few pages and finally found out why!

It turned out that earlier he had run ip l to check the host's network, and the two configurations were exactly the same! That means a container attached to the host network shares the Docker host's network stack, and the container's network configuration is identical to the host's. The biggest advantage of using the host network directly is performance: if a container has high demands on network throughput it can use the host network, which is equivalent to using the host's network directly. What is the downside? Port conflicts: the container can no longer use any port already in use on the host. The other cost is isolation: a container on the host network sees every host interface and can bind any port, so it is only appropriate for workloads you trust as much as the host itself.

Xiaocai felt it couldn't be that simple. He looked up the use cases of the host network and after a while found another one: letting a container configure the host network directly. For example, some cross-host networking solutions themselves run as containers and need to configure the host's network, such as managing iptables rules.

"It's like a mother-in-law looking at her son-in-law: the more she looks, the more she likes him~" Xiaocai was getting a little obsessed with docker; the deeper he went the more interesting it got. "There's still the bridge network type left, let me take a look!"

bridge is a network in bridge mode; as the name suggests, one end is here and the other end is over there. Xiaocai made another bold guess: one end must be in the container and the other on the host! Next he verified it.

Xiaocai remembered the brctl command, which is used to set up, maintain and inspect the Ethernet bridge configuration in the Linux kernel.

Those who don't have the brctl command can install it with the following command (on newer distributions bridge-utils may no longer be packaged; the iproute2 equivalents bridge link show and ip link show master docker0 display the same attachments):

yum install -y bridge-utils

He checked the host's bridge configuration with brctl show, found a bridge named docker0, and then started a container to observe how the bridge changed:

Xiaocai found that the interfaces column had changed! A new interface, veth9b75794, now hangs on docker0, and veth9b75794 is the interface of the container he had just created. Xiaocai then checked the network configuration of the new container:

Inside the container there is an interface named eth0@if67, and Xiaocai smiled knowingly.

"Hey, I found it. If I hadn't read up on this I would have been fooled. The interface I checked above is veth9b75794, and here it is eth0@if67; anyone reading this must be wondering why the two names differ! In fact eth0@if67 and veth9b75794 are a veth pair, a special kind of interface that always comes in pairs. A veth pair can be imagined as two network cards joined by a virtual cable: one end (eth0@if67) sits in the container, the other end (veth9b75794) hangs on the bridge docker0, which effectively hangs eth0@if67 on docker0 as well." The number after @if is the ifindex of the other end of the pair: inside the container, eth0@if67 points at host interface 67, which is veth9b75794, and on the host that interface shows up as veth9b75794@if66, pointing back at the container's eth0.

The IP 172.17.0.2/16 was also configured by the host. Xiaocai checked the configuration of docker's bridge network with docker network inspect bridge.

The bridge network's subnet is 172.17.0.0/16 and its gateway is 172.17.0.1, so the gateway must be docker0 itself! Xiaocai ran ifconfig on the host to verify.

At this point a picture formed in Xiaocai's mind.
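A programmatic version of that picture, as an added example that is not code from the article: the number after @if in eth0@if67 is the ifindex of the other end of the veth pair, so matching the ip -o link output from inside each container against the host's pairs every container interface with its host veth and with the bridge that veth is attached to. This is also how to find which host interface to tcpdump for a given container. The ip -o link samples are constructed; the container-side ifindex 66, the second pair veth1a2b3c4 (68/69) and its bridge name br-0123456789ab are assumptions.

```python
import re

# Constructed sample of `ip -o link` on the host (trimmed; not output captured from
# the article's server). Interface 67 is the article's veth9b75794 / eth0@if67 pair;
# the container-side index 66, the second pair (68/69) and the bridge name
# br-0123456789ab are assumed.
HOST_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
67: veth9b75794@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default link-netnsid 0
69: veth1a2b3c4@if68: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0123456789ab state UP mode DEFAULT group default link-netnsid 1
"""

# Constructed samples of `docker exec <name> ip -o link` for each container. "orphan"
# is a deliberately inconsistent entry whose claimed peer (99) does not exist on the host.
CONTAINER_LINKS = {
    "nginx-default": "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
                     "66: eth0@if67: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link-netnsid 0\n",
    "nginx-custom":  "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
                     "68: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link-netnsid 0\n",
    "orphan":        "70: eth0@if99: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n",
}

# "67: veth9b75794@if66: <...>": ifindex, name, optional peer ifindex, then the rest.
LINK_RE = re.compile(r"^(?P<index>\d+): (?P<name>[^:@\s]+)(?:@if(?P<peer>\d+))?:(?P<rest>.*)$")


def parse_links(text):
    """Return {ifindex: {"name", "peer", "master"}} from `ip -o link` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        master = re.search(r"\bmaster (\S+)", m.group("rest"))
        links[int(m.group("index"))] = {
            "name": m.group("name"),
            "peer": int(m.group("peer")) if m.group("peer") else None,
            "master": master.group(1) if master else None,   # bridge the veth hangs on
        }
    return links


def host_veth_for(container_links, host_links):
    """Find the host-side end of a container's veth pair.

    eth0@if67 says "my peer is ifindex 67 in its own namespace"; on the host that
    interface is veth9b75794@if66, pointing back. Both directions are checked so a
    stale or inconsistent entry is not silently accepted.
    """
    for idx, link in container_links.items():
        if link["peer"] is None:
            continue  # lo and other non-veth interfaces
        host = host_links.get(link["peer"])
        if host and host["peer"] == idx:
            return {"iface": link["name"], "host_veth": host["name"], "bridge": host["master"]}
    return None


def map_containers(container_outputs, host_output):
    """{container: {"iface", "host_veth", "bridge"} or None} for every container."""
    host = parse_links(host_output)
    return {name: host_veth_for(parse_links(text), host)
            for name, text in container_outputs.items()}


if __name__ == "__main__":
    for name, pair in map_containers(CONTAINER_LINKS, HOST_LINKS).items():
        print(f"{name:14s} {pair}")
```

The two-directional check matters when you use this during an incident: a veth whose peer index does not point back is either left over from a container that already exited or has been renamed by hand, and either way it is not the interface you want to capture on.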

By now Xiaocai was familiar with docker's three network types, so he started thinking about how to customize a network; there must be many scenarios where users need to create their own network to suit their business. When he had looked up docker's network configuration he had typed docker network --help, and he vaguely remembered a create command in its output, so he quickly typed it again to confirm:

Sure enough, docker supports user-created networks. Straight away Xiaocai typed the command to create a network:

The sharp-eyed farmer noticed something at a glance: when he created the network he hadn't specified a DRIVER, and the network got the bridge driver by default. Does that mean networks with other drivers can be created? Xiaocai tried again, but this time the result confirmed that he had hit a wall.

"So only bridge networks can be created?" Xiaocai murmured. Still not giving up, he turned to a search engine, and found that among the drivers Docker provides for user-defined networks are bridge, overlay and macvlan. overlay builds networks that span hosts, and macvlan attaches containers directly to the physical network so that they are reachable from other hosts!

"Across hosts? That's a cluster! Right now the mentor has only given me one server, so I can't verify that; I'll have to wait until I'm given more access, hehe!" Since the other two couldn't be verified, he would understand bridge first~ Xiaocai grinned mischievously!

A bridge-driver network had been created above, so the host's network configuration should have changed. Xiaocai typed brctl show to check:

Sure enough, there is now a bridge named br-76c202387b0c, and ifconfig shows that a network segment has been allocated to it:

And this should be the gateway of the new network~ Xiaocai was getting more and more proficient; learning really does make a person confident!

Everything as expected: 172.18.0.0/16 is the subnet Docker allocated automatically, and 172.18.0.1 is its gateway.

"But if there are more custom networks, more subnets get allocated, and the ones docker hands out are as good as random and hard to remember. Can I choose the subnet myself?" On a whim he typed docker network create --help to see what would turn up.

Seeing the result, Xiaocai couldn't help laughing: it really is meant for me! Aren't --subnet and --gateway exactly what I want?~

Done! The host now has a new network whose subnet is 172.10.0.0/16 and whose gateway is 172.10.0.1. One caveat on this choice: 172.10.0.0/16 lies outside the private ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16), so it is publicly routable address space. The host's route for the new bridge will shadow those real addresses and neither the host nor its containers will be able to reach them any more. Harmless in a lab, but in practice pick a subnet inside a private range, for example 172.20.0.0/16.
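A check to run before docker network create --subnet, as an added example that is not part of the article: it takes the existing networks (in the shape of docker network inspect output) and the host's ip route table, and reports whether a proposed subnet lies outside RFC 1918 private space (as 172.10.0.0/16 does), whether its gateway is a usable address inside it, and whether it overlaps an existing docker network or a host route. The inspect and route samples are constructed; the network name lab, the /20 prefix on eth0 and the default gateway are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker network inspect bridge lab`, trimmed to the
# fields used here. "lab" is an assumed name for the article's first created network
# (bridge br-76c202387b0c, 172.18.0.0/16), whose name the article does not show.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "lab", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]}},
])

# Constructed sample of `ip route` on the host. The eth0 address 172.26.19.234 comes from
# the article's tcpdump; the /20 prefix and the default gateway are assumptions.
SAMPLE_ROUTES = """\
default via 172.26.31.253 dev eth0
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-76c202387b0c proto kernel scope link src 172.18.0.1
172.26.16.0/20 dev eth0 proto kernel scope link src 172.26.19.234
"""

# RFC 1918 private ranges; 172.10.0.0/16 is outside all three.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def docker_subnets(inspect_json):
    """{network name: [subnet, ...]} from `docker network inspect` output."""
    out = {}
    for net in json.loads(inspect_json):
        cfg = (net.get("IPAM") or {}).get("Config") or []
        out[net["Name"]] = [ipaddress.ip_network(c["Subnet"]) for c in cfg if "Subnet" in c]
    return out


def host_routes(ip_route_text):
    """Destination prefixes from `ip route`; the default route is skipped."""
    routes = []
    for line in ip_route_text.splitlines():
        fields = line.split()
        if fields and fields[0] != "default":
            routes.append(ipaddress.ip_network(fields[0], strict=False))
    return routes


def check_subnet(subnet, gateway, inspect_json, ip_route_text):
    """Findings for a proposed --subnet/--gateway pair; an empty list means it is safe to create."""
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    findings = []
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(f"{net} is not RFC 1918 private space; the bridge route would shadow real Internet hosts")
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        findings.append(f"gateway {gw} is not a usable host address inside {net}")
    known = docker_subnets(inspect_json)
    docker_all = {s for subs in known.values() for s in subs}
    for name, subs in known.items():
        for existing in subs:
            if net.overlaps(existing):
                findings.append(f"{net} overlaps docker network {name} ({existing})")
    for route in host_routes(ip_route_text):
        # docker's own bridge routes were already reported above
        if route not in docker_all and net.overlaps(route):
            findings.append(f"{net} overlaps host route {route}")
    return findings


if __name__ == "__main__":
    for subnet, gw in (("172.10.0.0/16", "172.10.0.1"), ("172.20.0.0/16", "172.20.0.1")):
        print(subnet, "->", check_subnet(subnet, gw, SAMPLE_INSPECT, SAMPLE_ROUTES) or ["ok"])
```

The host-route check is the one people forget: a docker subnet that overlaps the host's own LAN (here 172.26.16.0/20) silently cuts the host off from part of its network, because the more specific or equal bridge route wins.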

Now that he had created his own network, Xiaocai was suddenly full of accomplishment, and of course he had to start a container on it to try it out!

The container started on his own network was assigned the address 172.10.0.2/16. "Since docker assigns the container's IP from the subnet automatically, can I specify a static IP?" Another question from Xiaocai, and again the only recourse was the trusty --help! He ran docker run --help | grep 'ip' and looked at the result.

Xiaocai's smile broadened; he hadn't expected to master the help artifact so quickly! It seemed the IP could be chosen with --ip xxx (this works only on a user-defined network; on the default bridge docker refuses it with an error), and his command-typing was getting more skilled. Sure enough, the result came out after a moment:

So far Xiaocai had started three containers.

The topology between the networks suddenly became clear, and Xiaocai hurriedly drew it so he wouldn't forget!

Xiaocai stared at the picture for a while. It is actually quite clear: nginx-custom and nginx-ip should definitely be able to reach each other. Xiaocai verified the conjecture.

Correct. Can nginx-default talk to the other two containers? Check and you will know!

As you can see, containers and the gateway on the same network are connected, but containers on different bridges cannot reach each other. Is that the end of it? Can containers on two different networks really never communicate? Xiaocai wasn't willing to give up and stared at the screen in a daze for a while. "Yes! If there were a route, the two networks should be able to talk!" If the host has a route to each network and IP forwarding is enabled in the operating system, the host acts as a router, and networks on different bridges should be able to communicate. One more piece is needed here that Xiaocai didn't have yet: the host has the routes and forwarding by default, but docker also installs iptables rules, the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains on the FORWARD path, that DROP forwarded traffic between its bridge networks. That isolation is why routing alone does not make the ping work, and why the answer ends up being a second interface.

Xiaocai checked the routing table on the host with ip r.

The two routes, 172.17.0.0/16 and 172.10.0.0/16, are indeed there. Next, check whether IP forwarding is enabled; Xiaocai quickly typed sysctl net.ipv4.ip_forward.

IP forwarding is enabled too. So all that remains is to give the nginx-default container an interface on the c-custom network and the containers should be able to talk! Everything is ready, only the east wind is missing~

Xiaocai used the familiar recipe to look up the steps for adding an interface: docker network connect --help.

Once he understood, he went ahead (docker network connect c-custom nginx-default):

"Nice, no error, communication should be possible now!" Xiaocai muttered, and with his heart pounding he typed the ping command to verify.

His eyes widened: it was the first time he had felt such a sense of achievement, and he really had figured it out by himself! Xiaocai was so excited he almost stood up and laughed out loud, but he knew this was only the first step of his growth, and he had already taken it! He calmed his excited heart and drew a conclusion from the experiment.

For two containers to communicate, each must have an interface on the same network. When that condition is met the containers can talk to each other by IP.

A hard-won conclusion, which Xiaocai quickly noted in his little notebook! Having tasted success, he kept searching the Internet for other ways containers can communicate; after all, talking by IP is fairly basic~ He soon found the answer. In which ways can containers communicate with each other?

  • IP
  • Docker DNS Server
  • joined

IP communication he had already tried himself; next he would try the other two. Docker DNS Server? The explanation says it works by container name. Since he had already given the containers names when creating them above, he could experiment right away.

Sure enough! Containers can be reached by name, so there is no need to memorize a long list of IPs! One caveat: the embedded DNS server (reachable inside a container at 127.0.0.11) only serves user-defined networks; two containers that are only on the default bridge cannot resolve each other's names.

Two of the three methods tested, but joined left Xiaocai puzzled again. Joined? He read on.

Joined containers are another way of implementing communication between containers.

A joined container is special: it lets two or more containers share one network stack, including the interfaces and their configuration, and joined containers can talk to each other directly over 127.0.0.1. The flag is --network container:<name>, which starts the new container inside the named container's network namespace.

"Amazing, docker is full of surprises!" Xiaocai tried it.

Note that because the two containers share one network stack, their ports must not collide, so they need to listen on different ports when started.
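The conclusion above (two containers need an interface on a common network), the name-resolution method and joined containers can all be read off docker inspect output. The following is an added example, not the article's code: it builds a reachability map from that output, models docker network connect and --network container:<name>, and marks which pairs can also use names, since the embedded DNS only serves user-defined networks. The inspect sample is constructed; nginx-ip's static address 172.10.0.10 and the extra container web-legacy on the default bridge are assumptions.

```python
import json

# Constructed sample shaped like `docker inspect` output, keeping only Name and
# NetworkSettings.Networks. nginx-default, nginx-custom and nginx-ip are the article's
# containers; nginx-ip's address 172.10.0.10 and the container web-legacy are assumed.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nginx-default", "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1"}}}},
    {"Name": "/web-legacy", "NetworkSettings": {"Networks": {
        "bridge": {"IPAddress": "172.17.0.3", "Gateway": "172.17.0.1"}}}},
    {"Name": "/nginx-custom", "NetworkSettings": {"Networks": {
        "c-custom": {"IPAddress": "172.10.0.2", "Gateway": "172.10.0.1"}}}},
    {"Name": "/nginx-ip", "NetworkSettings": {"Networks": {
        "c-custom": {"IPAddress": "172.10.0.10", "Gateway": "172.10.0.1"}}}},
])

BUILTIN_NETWORKS = {"bridge", "host", "none"}   # docker's embedded DNS does not serve these


def attachments(inspect_json):
    """{container: {network: ip}} from `docker inspect` output."""
    att = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        nets = c["NetworkSettings"]["Networks"]
        att[name] = {n: v.get("IPAddress", "") for n, v in nets.items()}
    return att


def connect(att, container, network, ip):
    """Model `docker network connect <network> <container>`: a second interface is added."""
    new = {c: dict(n) for c, n in att.items()}
    new[container][network] = ip
    return new


def join(att, new_container, target):
    """Model `docker run --network container:<target>`: the new container has no
    interfaces of its own and lives in the target's network namespace."""
    new = {c: dict(n) for c, n in att.items()}
    new[new_container] = dict(att[target])
    return new


def shared_networks(att, a, b):
    return set(att[a]) & set(att[b])


def can_reach(att, a, b):
    """L3 reachability under docker's bridge isolation: a common network is required."""
    return bool(shared_networks(att, a, b))


def resolves_by_name(att, a, b):
    """Name resolution works only over a shared user-defined network."""
    return any(n not in BUILTIN_NETWORKS for n in shared_networks(att, a, b))


def lateral_pairs(att):
    """Every unordered pair of containers that can talk to each other: the lateral
    movement surface on this host if one of them is compromised."""
    names = sorted(att)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if can_reach(att, a, b)]


if __name__ == "__main__":
    att = attachments(SAMPLE_INSPECT)
    print("before connect:", lateral_pairs(att))
    after = connect(att, "nginx-default", "c-custom", "172.10.0.3")
    print("after connect: ", lateral_pairs(after))
```

Run against a real host with docker inspect $(docker ps -q) piped into attachments(); the pairs it prints are the ones an attacker inside any one container could reach without leaving the host, which is a quick way to see whether a "connect" done for convenience has quietly merged two networks that were meant to stay apart.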

At this point Xiaocai couldn't help feeling satisfied. Just as he was about to log off the server and get to work, his own web page caught his eye: the docker project he had just started was open in the browser. "Hey, how does the outside world connect to the container?" Xiaocai asked again. How does a container reach the outside world, and how does the outside world reach a container? It seemed he still had to keep studying (and slacking)!

Xiaocai switched back to the server and tried to reach the outside world from inside the container.

There was no real need to try: Xiaocai knew the container could reach the outside world, otherwise how could external interfaces be called~ But why? He checked the host's iptables rules.

There are two rules, one for docker0 and one for the network Xiaocai had just customized. What do they mean? Xiaocai was confused again and turned to Boss Xiao at the next desk; why not ask a ready-made expert! Boss Xiao was curious what kind of task Xiaocai had been given, and launched into an explanation that left Xiaocai in a fog. "Is that clear?" "Uh... yes! I roughly get it, hehe, thanks Boss Xiao." "You're welcome, come to me next time too." Boss Xiao's slightly gruff voice felt warm! Summarizing Boss Xiao's explanation: if the bridge docker0 receives an outbound packet from the 172.17.0.0/16 segment, it is handed to the MASQUERADE target, which replaces the packet's source address with the host's address before sending it out; in other words, network address translation (NAT). The rule lives in the POSTROUTING chain of the nat table and matches packets from the bridge subnet that are not going back out through the bridge (-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE).

In that case the address translation should be visible by capturing packets. Xiaocai planned a simple capture with tcpdump to check: he opened two terminals, one sending packets with ping www.baidu.com from inside the container and the other capturing with tcpdump -i docker0 -n icmp.

172.17.0.2 is the IP of the nginx-default container, and the capture shows it sending packets to 180.101.49.11. That is the first hop. Xiaocai then watched the traffic leaving the host with tcpdump -i eth0 -n icmp.

"Aha! Sure enough, it has changed. Now the source address of the ping packets has become 172.26.19.234, the IP of the host 0621b4baf56ffd."

Having figured out how the container reaches the outside world, the next step is how the outside world reaches the container.

Xiaocai remembered that after starting a container there was a PORTS column, and that he had reached the container successfully from the browser! He started another container to experiment.

After starting the container it could be accessed on port 32771, a port allocated automatically by the host (this is what docker run -P does: it picks a free high-numbered host port for each port the image exposes). Then Xiaocai tried specifying a port himself.

After specifying a port (-p host_port:container_port) it could be reached on that port too. Looking into why, Xiaocai found that it is achieved through docker-proxy.

For each published port the host starts a docker-proxy process that forwards traffic to the container. Two details a practitioner should know: the main path is not docker-proxy but an iptables DNAT rule in the DOCKER chain of the nat table, which rewrites the destination of incoming packets to the container's IP and port; docker-proxy covers the cases that rule does not, such as connections from the host itself to 127.0.0.1. And by default -p binds the host port on 0.0.0.0, that is, on every interface, while docker's rules sit in its own chains that host firewall front ends such as ufw do not govern; to expose a port to the host only, bind it explicitly with -p 127.0.0.1:8080:80.
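Both the MASQUERADE rule Boss Xiao explained and port publishing are iptables rules, and reading them from iptables-save is how you audit what a host really exposes. This added example (not code from the article) parses a constructed iptables-save excerpt modelled on docker's rules and lists the egress NAT rule per bridge, each published port with the host address it is bound to (no -d match means 0.0.0.0, every address), and the bridges covered by the DOCKER-ISOLATION drop rules that keep bridge networks apart. The bridge name br-0123456789ab, the 8443 publication bound to 127.0.0.1 and the container addresses behind the DNAT rules are assumptions.

```python
import re

# Constructed excerpt in `iptables-save` format, modelled on the rules docker installs.
# The subnets 172.17.0.0/16 and 172.10.0.0/16 and port 32771 are the article's; the bridge
# br-0123456789ab, the 8443 publication and the container IPs behind DNAT are assumed.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.10.0.0/16 ! -o br-0123456789ab -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-0123456789ab -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 32771 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i br-0123456789ab -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.10.0.2:443
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-0123456789ab ! -o br-0123456789ab -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-0123456789ab -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
COMMIT
"""


def _rules(text, table):
    """Yield the -A lines belonging to one table of iptables-save output."""
    current = None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith("-A "):
            yield line


def egress_nat(text):
    """{bridge: source subnet} for docker's MASQUERADE rules (container -> outside)."""
    out = {}
    for r in _rules(text, "nat"):
        m = re.match(r"-A POSTROUTING -s (\S+) ! -o (\S+) -j MASQUERADE$", r)
        if m:
            out[m.group(2)] = m.group(1)
    return out


def published_ports(text):
    """[{bind, port, proto, target}] for every DNAT rule in the nat DOCKER chain.
    A rule without a -d match was installed for a 0.0.0.0 binding (all host addresses)."""
    out = []
    for r in _rules(text, "nat"):
        if not r.startswith("-A DOCKER ") or "-j DNAT" not in r:
            continue
        bind = re.search(r" -d (\S+?)/32 ", r)
        port = re.search(r"--dport (\d+)", r)
        proto = re.search(r" -p (\w+)", r)
        target = re.search(r"--to-destination (\S+)", r)
        out.append({"bind": bind.group(1) if bind else "0.0.0.0",
                    "port": int(port.group(1)), "proto": proto.group(1),
                    "target": target.group(1)})
    return out


def world_reachable(text):
    """Published ports that any peer on the network can hit, not only the host."""
    return [p for p in published_ports(text) if p["bind"] in ("0.0.0.0", "::")]


def isolated_bridges(text):
    """Bridges whose forwarded traffic docker DROPs (the DOCKER-ISOLATION chains)."""
    drops = set()
    for r in _rules(text, "filter"):
        m = re.match(r"-A DOCKER-ISOLATION-STAGE-2 -o (\S+) -j DROP$", r)
        if m:
            drops.add(m.group(1))
    return sorted(drops)


if __name__ == "__main__":
    import sys
    text = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    print("egress NAT:     ", egress_nat(text))
    print("published:      ", published_ports(text))
    print("world-reachable:", world_reachable(text))
    print("isolated:       ", isolated_bridges(text))
```

Feed a real host with iptables-save | python3 this_script.py; the world-reachable list is the one to compare against what you intended to publish, because a port bound on 0.0.0.0 is open to the whole network regardless of any ufw or firewalld policy on the host.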

No empty talk and no laziness: join Xiaocai in becoming a programmer who can talk architecture with a swagger~ Follow along and keep him company, so he's no longer alone. See you in the next article!

Work a little harder today, and tomorrow you'll have one less thing to ask for help with!

I'm Xiaocai, a man growing stronger together with you. 💋
