On a single host the container network may contain several Docker containers that belong to different bridges and still need to communicate with each other. The basic data path is:
The data path is analysed below.
一、Environment information:
Operating system: ubuntu14.04;
Docker version 17.05.0-ce
NETWORK ID NAME DRIVER SCOPE
844c74ceea9d bridge bridge local
93b0f2d679ed docker_gwbridge bridge local
baa5b46a5057 host host local
852747e4d566 none null local
By default, Docker provides the bridge-mode container network.
二、Docker basic data path
(1) Query the network devices: ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:93:6f:2e:4f
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:93ff:fe6f:2e4f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1204 (1.2 KB) TX bytes:6659 (6.6 KB)
eth0 Link encap:Ethernet HWaddr fa:16:3e:2e:6d:3f
inet addr:30.0.1.48 Bcast:30.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:fe2e:6d3f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:28352 errors:0 dropped:0 overruns:0 frame:0
TX packets:23242 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:56315936 (56.3 MB) TX bytes:1637368 (1.6 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 B) TX bytes:480 (480.0 B)
(2) View the configuration of the container network bridge
docker network inspect bridge
[
{
"Name": "bridge",
"Id": "844c74ceea9d98cd31a7bb7c0298894cecf8ba1b175dc74824c3688490336a3c",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
}
}
]
(3) View the routes: ip route
default via 30.0.1.1 dev eth0
30.0.1.0/24 dev eth0 proto kernel scope link src 30.0.1.48
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
Note: the ip route command from iproute2 is similar to the route command from net-tools.
(4) View the iptables rule chains: iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE all -- bogon/16 anywhere
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Docker's basic data path is therefore:
三、Docker data path
1. Single bridge
When no network option is given, a newly created container is attached to docker0 by default and receives an unused address from 172.17.0.0/16, usually allocated in order, e.g. 172.17.0.2, 172.17.0.3.
(1) Start a busybox container: docker run -it -d --name=box3 busybox
Note: busybox bundles common Linux commands and tools into a single program; it suits resource-constrained embedded systems and can be thought of as a stripped-down shell.
(2) List the Docker containers: docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b2a846aef8c3 busybox "sh" 2 hours ago Up 2 hours
(3) Enter the container: docker exec -it b2a8 sh
/ # busybox ls
bin dev etc home proc root sys tmp usr var
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7996 (7.8 KiB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
(4) Access the Internet: ping www.baidu.com. By default, containers attached to docker0 can communicate.
(5) Delete the SNAT rule. First list the iptables nat rules with their line numbers: iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
6 MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
7 MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Here the POSTROUTING chain carries a rule whose source is 172.17.0.0/16 and whose destination is any address; packets that pass through this chain are NATed.
Delete rule number 6 (172.17.0.0/16): iptables -t nat -D POSTROUTING 6
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
6 MASQUERADE all -- 172.18.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Note: MASQUERADE is similar to SNAT, but it automatically takes the current IP address of the server's network interface for the NAT.
Now ping www.baidu.com no longer gets through.
So the Docker container network on a single host is:
Start another container: docker run -it -d --name=busybox1 busybox
The Docker container network is then:
2. Two bridges
By default, containers attached to docker0 can communicate with each other, but containers on different bridges cannot.
(1) Create a bridge named nwtest with the subnet 10.0.0.0/24
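As an added example (not from the original post), the following Python models the host-side path that sections 二 and 三.1 trace: it parses the ip route and iptables -t nat -L -n --line-numbers listings from above (copied here as constructed samples), picks the egress interface by longest-prefix match and checks the POSTROUTING MASQUERADE rules, so deleting rule 6 as the post does switches the NAT off while the route stays in place. The function and variable names are my own.

```python
# Added example (not from the original post): a model of the host-side
# path for routed container traffic. It parses the `ip route` and
# `iptables -t nat -L -n --line-numbers` listings from above.
import ipaddress

# Constructed from the listings shown in this post.
ROUTES = """\
default via 30.0.1.1 dev eth0
30.0.1.0/24 dev eth0 proto kernel scope link src 30.0.1.48
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
"""
NAT_BEFORE = """\
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
6    MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
7    MASQUERADE  all  --  172.18.0.0/16        0.0.0.0/0
"""

def parse_routes(text):
    """[(network, dev)] from `ip route`; 'default' is 0.0.0.0/0."""
    routes = []
    for parts in (l.split() for l in text.splitlines() if l.strip()):
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dst), parts[parts.index("dev") + 1]))
    return routes

def parse_masquerade(text):
    """{rule_num: source network} for MASQUERADE rules in POSTROUTING."""
    rules, in_post = {}, False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_post = line.startswith("Chain POSTROUTING")
            continue
        parts = line.split()
        if in_post and len(parts) >= 5 and parts[1] == "MASQUERADE":
            rules[int(parts[0])] = ipaddress.ip_network(parts[4])
    return rules

def delete_rule(rules, num):
    """Mirror `iptables -t nat -D POSTROUTING <num>` (real iptables then
    renumbers the remaining rules; the keys here keep their old numbers)."""
    return {n: net for n, net in rules.items() if n != num}

def egress(src, dst, routes, rules):
    """Longest-prefix route lookup for dst, then MASQUERADE match on src.
    Returns (host interface, True if the source address is rewritten)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    dev = max(candidates, key=lambda r: r[0].prefixlen)[1]
    return dev, any(src in net for net in rules.values())
```

Only routed traffic that leaves the host is modelled: Docker's real rule also carries a `! -o docker0` out-interface match that `-L` hides (shown by `-v`), which is why traffic between containers on the same bridge is never masqueraded.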
docker network create --driver=bridge --subnet=10.0.0.0/24 nwtest
(2) View the network devices: ifconfig
br-8d3ef22d71a6 Link encap:Ethernet HWaddr 02:42:11:0d:c7:67
inet addr:10.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
docker0 Link encap:Ethernet HWaddr 02:42:c9:84:d8:fc
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:c9ff:fe84:d8fc/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:4667 (4.6 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 B) TX bytes:480 (480.0 B)
vethdb9a3fb Link encap:Ethernet HWaddr 7e:9c:93:1d:1d:81
inet6 addr: fe80::7c9c:93ff:fe1d:1d81/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:46 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:7996 (7.9 KB)
vethec487c4 Link encap:Ethernet HWaddr 6e:90:8e:40:5c:1d
inet6 addr: fe80::6c90:8eff:fe40:5c1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:3399 (3.3 KB)
(3) List the Docker networks: docker network list
NETWORK ID NAME DRIVER SCOPE
57d56a34c3c8 bridge bridge local
93b0f2d679ed docker_gwbridge bridge local
baa5b46a5057 host host local
852747e4d566 none null local
8d3ef22d71a6 nwtest bridge local
(4) Create a new container on that network:
docker run -it -d --network=nwtest --name=busybox6 busybox
(5) Connect the container busybox1 to the network nwtest
docker network connect nwtest busybox1
(6) Run commands inside busybox1 to test whether it can reach the other container
docker exec -it 99f9 sh
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7996 (7.8 KiB) TX bytes:0 (0.0 B)
eth1 Link encap:Ethernet HWaddr 02:42:0A:00:00:03
inet addr:10.0.0.3 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3398 (3.3 KiB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=0.952 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=0.124 ms
64 bytes from 10.0.0.2: seq=2 ttl=64 time=0.188 ms
64 bytes from 10.0.0.2: seq=3 ttl=64 time=0.168 ms
64 bytes from 10.0.0.2: seq=4 ttl=64 time=0.186 ms
64 bytes from 10.0.0.2: seq=5 ttl=64 time=0.160 ms
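As an added example (not part of the original post), this Python takes each container's ifconfig output (the busybox1 and busybox6 addresses shown above plus a constructed box3 at 172.17.0.3) and derives which containers share a bridge and which are attached to more than one: a container connected to two networks, as busybox1 is after docker network connect, is reachable from both bridges, which is exactly the multi-homing a defender wants listed when relying on bridge isolation.

```python
# Added example (not from the original post): given each container's
# `ifconfig` output, work out which containers sit on a common bridge
# (same subnet on some interface) and flag containers attached to more
# than one bridge, since such a container is reachable from both
# networks and undoes the default isolation between bridges.
import ipaddress
import re

# Constructed from the interface listings shown above: busybox1 was
# connected to nwtest in addition to the default bridge; busybox6 was
# created on nwtest only; box3's address is assumed for illustration.
IFCONFIG = {
    "busybox1": """\
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
 inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
eth1 Link encap:Ethernet HWaddr 02:42:0A:00:00:03
 inet addr:10.0.0.3 Bcast:0.0.0.0 Mask:255.255.255.0
lo Link encap:Local Loopback
 inet addr:127.0.0.1 Mask:255.0.0.0
""",
    "busybox6": "eth0 Link encap:Ethernet\n inet addr:10.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.0\n",
    "box3": "eth0 Link encap:Ethernet\n inet addr:172.17.0.3 Bcast:0.0.0.0 Mask:255.255.0.0\n",
}

ADDR_RE = re.compile(r"inet addr:(\S+)\s+(?:Bcast:\S+\s+)?Mask:(\S+)")

def subnets(ifconfig_text):
    """Set of non-loopback subnets a container has an address on."""
    nets = set()
    for ip, mask in ADDR_RE.findall(ifconfig_text):
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if not net.is_loopback:
            nets.add(net)
    return nets

def same_bridge(a, b):
    """Two containers can talk at L2 iff they share a subnet (a bridge)."""
    return bool(subnets(IFCONFIG[a]) & subnets(IFCONFIG[b]))

def multi_homed():
    """Names of containers attached to more than one bridge."""
    return sorted(n for n, t in IFCONFIG.items() if len(subnets(t)) > 1)
```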
In summary, the data path of the Docker container network is: