docker network

Use --help to see how to use docker network

[root@swcode ~]# docker network --help

Usage: docker network COMMAND

Manage networks

Commands:
  connect     Connect a container to a network
  create      Create a network
  disconnect  Disconnect a container from a network
  inspect     Display detailed information on one or more networks
  ls          List networks
  prune       Remove all unused networks
  rm          Remove one or more networks

Use ls to list all networks

[root@swcode ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0bfe49ec372b bridge bridge local
4f6ec0890427 host host local
2ca07ec568c5 none null local

Use inspect to examine docker0

The output shows the details of the docker0 network, which contains tomcat01, tomcat02 and tomcat03:

docker network inspect 0bfe49ec372b
[
{
"Name": "bridge",
"IPAM": {
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Containers": {
"062f1a9677094d08ce8bddc6e0d41b6b1a395afe95fd1fbccbc129e912e6dab7": {
"Name": "tomcat03",
"IPv4Address": "172.17.0.4/16"
},
"c1add455e03f33968ab0be978ea4d533c922cd9a4146c6a97f1c6b78e4dd511d": {
"Name": "tomcat02",
"IPv4Address": "172.17.0.3/16"
},
"f3d377a46406a15d05b45e4ee67492ac81043fd76d20c4d397f36ae0cb7fe7d2": {
"Name": "tomcat01",
"IPv4Address": "172.17.0.2/16",
}
},
"Options": {
"com.docker.network.bridge.name": "docker0"
}
}
]

Understanding docker0

Clean up the environment

docker rmi -f $(docker images -qa)

The docker0 interface

[root@swcode tomcat]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:16:3e:03:09:f5 brd ff:ff:ff:ff:ff:ff
inet 172.31.193.36/20 brd 172.31.207.255 scope global dynamic eth0
valid_lft 315198125sec preferred_lft 315198125sec
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:47:54:0e:ef brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
  • 1 is the local loopback address
  • 2 is the Alibaba Cloud private network address
  • 3 is the docker0 address

Test

Start a tomcat container

docker run -d -P --name tomcat01 tomcat

Check the interfaces; eth0@if31 is the one assigned by Docker

[root@swcode tomcat]# docker exec tomcat01 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
30: eth0@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever

If this reports an error, install iproute2 first

docker exec tomcat01 apt update
docker exec tomcat01 apt install -y iproute2

The Linux host can ping the container

[root@swcode tomcat]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.049 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.045 ms

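How it works

  • Every time we start a Docker container, Docker assigns the container an IP address

  • Every Linux host with Docker installed has a docker0 network interface

  • Containers use bridge mode, which is built on veth pairs

Run ip addr again to view the interface information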

[root@swcode tomcat]# ip addr
1: ...
2: ...
3: ...
31: vethd439d37@if30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 1a:6c:aa:da:11:3b brd ff:ff:ff:ff:ff:ff link-netnsid 0

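When a container starts, a matching pair of interfaces appears, one inside the container and one on the host. The veth pair acts as a bridge that connects virtual network devices.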
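
The @ifN suffixes are what tie the two ends together: eth0@if31 inside tomcat01 is interface 30 with peer 31, and vethd439d37@if30 on the host is interface 31 with peer 30. An added example, not part of the original page, that pairs host veths with container interfaces from ip addr output (the sample text is constructed from the listings above with address lines omitted; the function names are illustrative):

```python
import re

# Constructed sample: interface header lines taken from the listings above.
HOST_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
31: vethd439d37@if30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
"""
CONTAINER_IP_ADDR = {"tomcat01": """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
30: eth0@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
"""}

# "<ifindex>: <name>[@if<peer ifindex>]: <flags> ... [master <bridge>]"
LINK_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@if(\d+))?: <[^>]*>(?:.*? master (\S+))?", re.M)

def parse_links(text):
    """Return one dict per interface header line of `ip addr` output."""
    return [
        {"index": int(i), "name": n, "peer": int(p) if p else None, "master": m or None}
        for i, n, p, m in LINK_RE.findall(text)
    ]

def map_veths(host_text, containers):
    """Match each host veth to the container interface at its other end."""
    pairs = []
    host_links = parse_links(host_text)
    for cname, text in containers.items():
        for c in parse_links(text):
            for h in host_links:
                # The two ends of a veth pair name each other's ifindex.
                if c["peer"] == h["index"] and h["peer"] == c["index"]:
                    pairs.append((h["name"], h["master"], cname, c["name"]))
    return pairs

if __name__ == "__main__":
    for veth, bridge, cname, cif in map_veths(HOST_IP_ADDR, CONTAINER_IP_ADDR):
        print(f"{veth} (bridge {bridge}) <-> {cname}:{cif}")
```

Interface indexes are scoped to a network namespace, so on a host with many containers confirm a match with the link-netnsid value before capturing traffic on the veth.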

Container-to-container connectivity

Create the tomcat02 container and ping tomcat01 from it

docker run -d -P --name tomcat02 tomcat
docker exec tomcat02 apt update
docker exec tomcat02 apt install -y iputils-ping

[root@swcode tomcat]# docker exec tomcat02 ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.070 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.066 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.050 ms

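Conclusion: tomcat01 and tomcat02 share one router, docker0

When no network is specified, every container is routed through docker0, and Docker assigns the container a default available IP

When a container is deleted, its side of the bridge (the corresponding veth pair) disappears with it!

Connecting by container name instead of IP

Start the tomcat03 container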

docker run -d -P --name tomcat03 --link tomcat02 tomcat

Install iputils-ping

docker exec tomcat03 apt update
docker exec tomcat03 apt install -y iputils-ping

Pinging tomcat02 from tomcat03 succeeds

[root@swcode ~]# docker exec -it tomcat03 ping tomcat02
PING tomcat02 (172.17.0.3) 56(84) bytes of data.
64 bytes from tomcat02 (172.17.0.3): icmp_seq=1 ttl=64 time=0.075 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=2 ttl=64 time=0.044 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=3 ttl=64 time=0.048 ms
64 bytes from tomcat02 (172.17.0.3): icmp_seq=4 ttl=64 time=0.048 ms

Pinging tomcat03 from tomcat02 fails

[root@swcode ~]# docker exec -it tomcat02 ping tomcat03
ping: tomcat03: Name or service not known

The reason is as follows:

Inspect the container information

tomcat03's information contains the corresponding Links entry

docker inspect tomcat03
{
"Links": [
"/tomcat02:/tomcat03/tomcat02"
]
}

tomcat02's information has no corresponding entry

docker inspect tomcat02
{
"Links": null
}

View the hosts information

In tomcat03's hosts file, tomcat02 has a name mapping

[root@swcode ~]# docker exec tomcat03 cat /etc/hosts
127.0.0.1 localhost
172.17.0.3 tomcat02 c1add455e03f
172.17.0.4 062f1a967709

tomcat02's hosts file has no name mapping for tomcat03

[root@swcode ~]# docker exec tomcat02 cat /etc/hosts
127.0.0.1 localhost
172.17.0.3 c1add455e03f

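--link simply adds the mapping 172.17.0.3 tomcat02 c1add455e03f to the container's hosts file. It is not recommended!

Custom networks

Use a custom network to interconnect containers

List all networks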

[root@swcode ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0bfe49ec372b bridge bridge local
4f6ec0890427 host host local
2ca07ec568c5 none null local

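Network modes

bridge: bridge mode

none: no networking configured

host: shares the host's network

container: joins another container's network (rarely used, very limited)

Remove all containers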

docker rm -f $(docker ps -aq)

Create a network

docker network create

View the help for the command

docker network create --help

The create command

docker network create --driver bridge --subnet 192.168.0.0/16 --gateway 192.168.0.1 mynet
[root@swcode ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0bfe49ec372b bridge bridge local
4f6ec0890427 host host local
f5c2b322c217 mynet bridge local
2ca07ec568c5 none null local
[root@swcode ~]# docker network inspect f5c2b322c217
[
{
"Name": "mynet",
"Id": "f5c2b322c217623e9f4418fabe425fda8d958325d2af6a8b614afe2d92b6d584",
"Created": "2023-02-16T19:55:37.392894743+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "192.168.0.0/16",
"Gateway": "192.168.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]

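Start containers on a specified network

The default run command uses the default network, bridge. The two forms below are equivalent; run only one of them, since both use the name tomcat01.

docker run -d -P --name tomcat01 tomcat
docker run -d -P --name tomcat01 --net bridge tomcat

Specify the custom network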

docker run -d -P --name tomcat-net-01 --net mynet tomcat
docker run -d -P --name tomcat-net-02 --net mynet tomcat

Inspect the custom network; it now contains the two containers

docker network inspect mynet
{
"Containers": {
"60587bfd1a22715bc9b02ef0820358e4633603898902308541b4d33b713aad39": {
"Name": "tomcat-net-02",
"EndpointID": "f1fb35b2a348ba7dc6a251d78871529fd42fb3615c382ab146e705aaaa038a90",
"MacAddress": "02:42:c0:a8:00:03",
"IPv4Address": "192.168.0.3/16",
"IPv6Address": ""
},
"9b8257928b66d11f9c3c2e6269ea3fd7df275b62e02c4b9504609648e54d0ad1": {
"Name": "tomcat-net-01",
"EndpointID": "50e1a1eb9123cd5271e84fda995b89989356861ddefbd127f1c2875648b2118d",
"MacAddress": "02:42:c0:a8:00:02",
"IPv4Address": "192.168.0.2/16",
"IPv6Address": ""
}
}
}

Test connectivity

Install the ping tool (skip this if it is already installed)

# 01
docker exec -it tomcat-net-01 apt update
docker exec -it tomcat-net-01 apt install -y iputils-ping
# 02
docker exec -it tomcat-net-02 apt update
docker exec -it tomcat-net-02 apt install -y iputils-ping

01 reaches 02

[root@swcode ~]# docker exec tomcat-net-01 ping tomcat-net-02
PING tomcat-net-02 (192.168.0.3) 56(84) bytes of data.
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=2 ttl=64 time=0.045 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=3 ttl=64 time=0.060 ms
64 bytes from tomcat-net-02.mynet (192.168.0.3): icmp_seq=4 ttl=64 time=0.048 ms

02 reaches 01

[root@swcode ~]# docker exec tomcat-net-02 ping tomcat-net-01
PING tomcat-net-01 (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=3 ttl=64 time=0.049 ms

Connecting networks

Connections between custom networks

Start containers

Start them on the default network

docker run -d -P --name tomcat01 tomcat
docker run -d -P --name tomcat02 tomcat

Inspect the default network

docker network inspect bridge
{
"Containers": {
"42f031f8dfb55a1bd6d29c60bf2ca59a070bedff2a3628f5dc7911810f922363": {
"Name": "tomcat02",
"IPv4Address": "172.17.0.3/16"
},
"6c5896c588bf848c1a7eda4086f66d8ae056c794a2de0b80a39d441b0f40ed0d": {
"Name": "tomcat01",
"IPv4Address": "172.17.0.2/16"
}
}
}

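Connecting containers on different networks

Connectivity between containers on different networks

Testing connectivity between containers on the two networks fails...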

docker exec -it tomcat-net-01 ping 172.17.0.2
docker exec -it tomcat01 ping 192.168.0.2

docker network connect

View the help

[root@swcode ~]# docker network connect --help

Usage: docker network connect [OPTIONS] NETWORK CONTAINER

Connect a container to a network

Options:
      --alias strings           Add network-scoped alias for the container
      --driver-opt strings      driver options for the network
      --ip string               IPv4 address (e.g., 172.30.100.104)
      --ip6 string              IPv6 address (e.g., 2001:db8::33)
      --link list               Add link to another container
      --link-local-ip strings   Add a link-local address for the container

Connect the container to the network with the command

docker network connect mynet tomcat01

Look at what changed in mynet: tomcat01 has been added directly to mynet

docker network inspect mynet
{
"Containers": {
"60587bfd1a22715bc9b02ef0820358e4633603898902308541b4d33b713aad39": {
"Name": "tomcat-net-02",
"IPv4Address": "192.168.0.3/16"
},
"6c5896c588bf848c1a7eda4086f66d8ae056c794a2de0b80a39d441b0f40ed0d": {
"Name": "tomcat01",
"IPv4Address": "192.168.0.4/16"
},
"9b8257928b66d11f9c3c2e6269ea3fd7df275b62e02c4b9504609648e54d0ad1": {
"Name": "tomcat-net-01",
"IPv4Address": "192.168.0.2/16"
}
}
}

Check tomcat01's hosts file; tomcat01 can now reach mynet

[root@swcode ~]# docker exec tomcat01 cat /etc/hosts
127.0.0.1 localhost
172.17.0.2 6c5896c588bf
192.168.0.4 6c5896c588bf

Test

tomcat-net-01 ping tomcat01

[root@swcode ~]# docker exec -it tomcat-net-01 ping tomcat01
PING tomcat01 (192.168.0.4) 56(84) bytes of data.
64 bytes from tomcat01.mynet (192.168.0.4): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from tomcat01.mynet (192.168.0.4): icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from tomcat01.mynet (192.168.0.4): icmp_seq=3 ttl=64 time=0.043 ms

tomcat01 ping tomcat-net-01

[root@swcode ~]# docker exec -it tomcat01 ping tomcat-net-01
PING tomcat-net-01 (192.168.0.2) 56(84) bytes of data.
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=2 ttl=64 time=0.045 ms
64 bytes from tomcat-net-01.mynet (192.168.0.2): icmp_seq=3 ttl=64 time=0.050 ms
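
An added example, not from the original page, that turns docker network inspect output into a reachability table and lists containers attached to more than one network, which is how tomcat01 came to span bridge and mynet above. The sample JSON is constructed from the inspect results on this page with container IDs replaced by placeholders, and the model assumes what the tests above showed: containers reach each other only over a shared network, and names resolve only on user-defined networks.

```python
import json
from itertools import combinations

# Constructed sample: bridge and mynet as shown above after
# `docker network connect mynet tomcat01`, trimmed to the fields used here.
# The "id-*" keys are placeholders for the real container IDs.
INSPECT_JSON = """
[
  {"Name": "bridge", "Containers": {
    "id-a": {"Name": "tomcat01", "IPv4Address": "172.17.0.2/16"},
    "id-b": {"Name": "tomcat02", "IPv4Address": "172.17.0.3/16"}}},
  {"Name": "mynet", "Containers": {
    "id-a": {"Name": "tomcat01", "IPv4Address": "192.168.0.4/16"},
    "id-c": {"Name": "tomcat-net-01", "IPv4Address": "192.168.0.2/16"},
    "id-d": {"Name": "tomcat-net-02", "IPv4Address": "192.168.0.3/16"}}}
]
"""

def membership(networks):
    """Map container name -> {network name: IPv4 address}."""
    seen = {}
    for net in networks:
        for ep in (net.get("Containers") or {}).values():
            seen.setdefault(ep["Name"], {})[net["Name"]] = ep["IPv4Address"]
    return seen

def audit(networks):
    """Return (multi_homed, reachability) derived from network membership."""
    seen = membership(networks)
    multi_homed = sorted(n for n, nets in seen.items() if len(nets) > 1)
    reach = {}
    for a, b in combinations(sorted(seen), 2):
        shared = set(seen[a]) & set(seen[b])
        reach[(a, b)] = {
            "by_ip": bool(shared),
            # Names resolve only on user-defined networks; on the default
            # bridge a container needs --link or the peer's IP address.
            "by_name": any(n != "bridge" for n in shared),
        }
    return multi_homed, reach

if __name__ == "__main__":
    multi, reach = audit(json.loads(INSPECT_JSON))
    print("attached to more than one network:", multi)
    for (a, b), r in reach.items():
        print(f"{a:14} {b:14} ip={r['by_ip']!s:5} name={r['by_name']}")
```

Feed it the real output of docker network inspect for every network on the host to list which containers sit on more than one segment.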