
第五节、容器网络

作者: 妄语莫言 | 来源:发表于2018-09-28 14:15 被阅读0次

    容器使用的相关技术有cgroup(限制CPU、内存等资源的使用),namespace(名称空间隔离)以及aufs(文件系统的联合挂载)
    namespaces在内核上创建独立的名称空间隔离以下6项内容

    • UTS:主机名和域名,系统调用参数CLONE_NEWUTS
    • Mount:挂载点,文件系统,系统调用参数CLONE_NEWNS
    • IPC:信号量,消息队列和共享内存,系统调用参数CLONE_NEWIPC
    • PID:进程编号,系统调用参数CLONE_NEWPID
    • User:用户用户组信息,系统调用参数CLONE_NEWUSER
    • Network:网络设备,网络栈,端口等,系统调用参数CLONE_NEWNET
      备注:namespaces需要内核版本3.10以上,centos6系统内核为2.8,因此docker至少需要centos7版本以上的系统

    管理网络名称空间使用的软件包iproute

    [root@localhost ~]# rpm -q iproute
    iproute-3.10.0-54.el7.x86_64
    [root@localhost ~]# ip
    Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
           ip [ -force ] -batch filename
    where  OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
                       tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm |
                       netns | l2tp | tcp_metrics | token }
           OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                        -h[uman-readable] | -iec |
                        -f[amily] { inet | inet6 | ipx | dnet | bridge | link } |
                        -4 | -6 | -I | -D | -B | -0 |
                        -l[oops] { maximum-addr-flush-attempts } |
                        -o[neline] | -t[imestamp] | -b[atch] [filename] |
                        -rc[vbuf] [size] | -n[etns] name | -a[ll] }
    [root@localhost ~]# ip netns help
    Usage: ip netns list
           ip netns add NAME
           ip netns set NAME NETNSID
           ip [-all] netns delete [NAME]
           ip netns identify [PID]
           ip netns pids NAME
           ip [-all] netns exec [NAME] cmd ...
           ip netns monitor
           ip netns list-id
    

    主要使用参数netns对网络名称空间进行相应的操作

    #创建独立的网络名称空间r1
    [root@localhost ~]# ip netns add r1
    [root@localhost ~]# ip netns list
    r1
    #默认只有内部的回环地址lo
    [root@localhost ~]# ip netns exec r1 ifconfig -a
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 0  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    #创建一对虚拟网卡veth1.1和veth1.2
    [root@localhost ~]# ip link add name veth1.1 type veth peer name veth1.2
    [root@localhost ~]# ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
        link/ether 00:0c:29:8f:11:87 brd ff:ff:ff:ff:ff:ff
    3: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
        link/ether fe:79:4d:1c:7b:fc brd ff:ff:ff:ff:ff:ff
    4: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
        link/ether ba:21:2b:61:82:b9 brd ff:ff:ff:ff:ff:ff
    #正常情况下创建的虚拟网卡都在宿主机上,手动把其中一块网卡移动到指定的名称空间中
    [root@localhost ~]# ip link set dev veth1.2 netns r1
    [root@localhost ~]# ip link show
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
        link/ether 00:0c:29:8f:11:87 brd ff:ff:ff:ff:ff:ff
    4: veth1.1@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
        link/ether ba:21:2b:61:82:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    #原先排在第3的veth1.2已经不可见了,被移动到名称空间r1中,验证下
    [root@localhost ~]# ip netns exec r1 ifconfig -a
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 0  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    veth1.2: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether fe:79:4d:1c:7b:fc  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    #手动将veth1.2改名为eth0
    [root@localhost ~]# ip netns exec r1 ip link set dev veth1.2 name eth0
    [root@localhost ~]# ip netns exec r1 ifconfig -a
    eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
            ether fe:79:4d:1c:7b:fc  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=8<LOOPBACK>  mtu 65536
            loop  txqueuelen 0  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    #分别激活宿主机上的veth1.1以及r1空间中的eth0实现通信
    #激活veth1.1
    [root@localhost ~]# ifconfig veth1.1 10.1.0.1/24 up
    [root@localhost ~]# ifconfig 
    eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.15.135  netmask 255.255.255.0  broadcast 192.168.15.255
            inet6 fe80::20c:29ff:fe8f:1187  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:8f:11:87  txqueuelen 1000  (Ethernet)
            RX packets 30723  bytes 7800725 (7.4 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 5369  bytes 529758 (517.3 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 0  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    veth1.1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 10.1.0.1  netmask 255.255.255.0  broadcast 10.1.0.255
            ether ba:21:2b:61:82:b9  txqueuelen 1000  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    #激活r1空间中的eth0即原来的veth1.2
    [root@localhost ~]# ip netns exec r1 ifconfig eth0 10.1.0.2/24 up
    [root@localhost ~]# ip netns exec r1 ifconfig 
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.1.0.2  netmask 255.255.255.0  broadcast 10.1.0.255
            inet6 fe80::fc79:4dff:fe1c:7bfc  prefixlen 64  scopeid 0x20<link>
            ether fe:79:4d:1c:7b:fc  txqueuelen 1000  (Ethernet)
            RX packets 8  bytes 648 (648.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 8  bytes 648 (648.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    #宿主机上ping测试
    [root@localhost ~]# ping 10.1.0.2
    PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
    64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.111 ms
    64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.045 ms
    64 bytes from 10.1.0.2: icmp_seq=3 ttl=64 time=0.045 ms
    

    结合上述情况可以在宿主机上创建一对虚拟网卡,然后分别指定给两个不同的名称空间r1,r2,接着分别激活两个网卡,就能实现两个不同名称空间之间的通信,即两个容器之间的通信

    Docker容器的四种网络通信模式

    1、封闭式容器:容器内只有本地回环lo接口,无法与外部通信
    2、桥接式容器:创建一对虚拟网卡,一半在容器内,一半桥接在宿主机的docker0网桥上
    3、联盟式容器:两个容器A和B共享一个网络名称空间,这样容器A和B之间的进程可以通过本地回环lo进行通信
    4、共享宿主机名称空间的容器:是3模式的延伸
    在虚拟机上实现这4种通信模式,利用busybox镜像启动容器

    #默认为第2种桥接模式,有eth0以及本地回环lo
    [root@localhost ~]# docker container run --name b1 -it --rm busybox
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03  
              inet addr:172.17.0.3  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:508 (508.0 B)  TX bytes:0 (0.0 B)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    / # exit
    #启动容器时指定网络模式为none,就是第1种封闭式容器;指定模式为bridge就是第2种桥接式容器;指定模式为host就是第4种共享宿主机名称空间的容器
    创建封闭式容器同时在创建时注入主机名
    [root@localhost ~]# docker container run --name b1  -h hx.edu.com -it  --network none --rm busybox
    / # ifconfig
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    / # hostname
    hx.edu.com
    / # cat /etc/hosts
    127.0.0.1   localhost
    ::1 localhost ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    

    创建bridge桥接式容器

    [root@localhost ~]# docker container run --name b1 -h hx.edu.com -it  --network bridge --rm busybox
    / # cat /etc/resolv.conf 
    # Generated by NetworkManager
    
    nameserver 114.114.114.114
    # No nameservers found; try putting DNS servers into your
    # ifcfg files in /etc/sysconfig/network-scripts like so:
    #
    # DNS1=xxx.xxx.xxx.xxx
    # DNS2=xxx.xxx.xxx.xxx
    # DOMAIN=lab.foo.com bar.foo.com
    / # nslookup  -type=A www.baidu.com
    Server:     114.114.114.114
    Address:    114.114.114.114:53
    
    Non-authoritative answer:
    www.baidu.com   canonical name = www.a.shifen.com
    Name:   www.a.shifen.com
    Address: 180.97.33.108
    Name:   www.a.shifen.com
    Address: 180.97.33.107
    #容器直接挂载宿主机的/etc/resolv.conf 文件,连接DNS服务器做域名解析
    

    创建联盟式容器,两个容器共享一个网络名称空间

    #利用busybox镜像创建容器b1
    [root@localhost ~]# docker container run --name b1  -h hx.edu.com  -it --rm busybox
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03  
              inet addr:172.17.0.3  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:508 (508.0 B)  TX bytes:0 (0.0 B)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    #创建容器b2指定使用容器b1的网络名称空间
    [root@localhost ~]#  docker container run --name b2 --network container:b1 -it --rm busybox
    / # ifconfig
    eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03  
              inet addr:172.17.0.3  Bcast:172.17.255.255  Mask:255.255.0.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    / # hostname
    hx.edu.com
    

    可以看到联盟式的容器b1和b2的eth0网卡地址是一致的,而且由于创建b1的时候已经通过参数-h注入了主机名,b2就不能再注入主机名,否则创建容器时报错信息如下:

    [root@localhost ~]#  docker container run --name b2 --network container:b1 -h hx.edu.com -it --rm busybox
    docker: Error response from daemon: conflicting options: hostname and the network mode.
    See 'docker run --help'.
    

    联盟式容器共享的仅仅是网络名称空间,其他所有的都是相互隔离的
    同理创建容器时候指定参数--network host就可以共享宿主机的网络名称空间

    修改docker默认的docker0网桥需要修改对应的配置文件/etc/docker/daemon.json,这也是安装docker服务时定义国内镜像加速的文件,添加如下的key-value键值对

    [root@localhost ~]# cat /etc/docker/daemon.json 
    {
        "registry-mirrors": [ "https://4mii0w1b.mirror.aliyuncs.com","https://hub-mirror.c.163.com","https://registry.docker-cn.com" ],
        "bip":"10.0.0.1/16",
        "dns":["114.114.114.114","221.228.255.1"]
    }
    #bip定义了docker桥的网段,dns定义了域名服务器最多3个,加速器定义了国内多个加速网址
    [root@localhost ~]# ifconfig
    docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 10.0.0.1  netmask 255.255.0.0  broadcast 10.0.255.255
            inet6 fe80::42:10ff:feb2:4ed2  prefixlen 64  scopeid 0x20<link>
            ether 02:42:10:b2:4e:d2  txqueuelen 0  (Ethernet)
            RX packets 10  bytes 516 (516.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 18  bytes 1565 (1.5 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    Docker服务的远程控制

    一般docker服务通过连接本地的/var/run/docker.sock文件实现和容器的通信,当需要从其他服务器访问本地的容器时,需修改/etc/docker/daemon.json 文件添加如下字段

    "hosts" : ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
    

    这样docker守护进程就会在所有网卡的2375端口上监听,可以从远程主机访问。需要注意,该端口本身没有任何认证,能连上它的主机都相当于拥有宿主机的root权限,因此应只在受信任的网络中开放,或启用TLS双向认证并用防火墙限制来源地址。
    在其他主机上执行docker相关的命令(-H是docker命令的全局选项,要放在子命令之前)

    docker -H 172.168.1.11:2375 container ps -a
    
    创建自定义网桥
    [root@localhost ~]# docker network create -d bridge --subnet "172.16.0.0/16" --gateway "172.16.0.1" mybr0
    21f8eb3af218fabb9e10b3e1cef6cb3f81e7e60cd08c0f8501652f36e16c832f
    [root@localhost ~]# docker network ls
    NETWORK ID          NAME                DRIVER              SCOPE
    ee23b9572a17        bridge              bridge              local
    604ecd04c910        host                host                local
    21f8eb3af218        mybr0               bridge              local
    4ae3bb4d9a74        none                null                local
    [root@localhost ~]# ifconfig
    br-21f8eb3af218: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 172.16.0.1  netmask 255.255.0.0  broadcast 172.16.255.255
            ether 02:42:38:51:e6:7f  txqueuelen 0  (Ethernet)
            RX packets 13  bytes 1026 (1.0 KiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 13  bytes 1026 (1.0 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    

    安装工具包查看容器的网络桥接情况

    [root@localhost ~]# yum install bridge-utils -y
    [root@localhost ~]# ifconfig
    docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
            inet6 fe80::42:10ff:feb2:4ed2  prefixlen 64  scopeid 0x20<link>
            ether 02:42:10:b2:4e:d2  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 8  bytes 648 (648.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.15.135  netmask 255.255.255.0  broadcast 192.168.15.255
            inet6 fe80::20c:29ff:fe8f:1187  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:8f:11:87  txqueuelen 1000  (Ethernet)
            RX packets 23415  bytes 7302710 (6.9 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 4507  bytes 438926 (428.6 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 0  (Local Loopback)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    vethb4339ef: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet6 fe80::8491:9cff:fea7:2f27  prefixlen 64  scopeid 0x20<link>
            ether 86:91:9c:a7:2f:27  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 16  bytes 1296 (1.2 KiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    [root@localhost ~]# brctl show
    bridge name bridge id       STP enabled interfaces
    docker0     8000.024210b24ed2   no      vethb4339ef
    
