容器技术中的网络配置

本文将通过对docker 和 kubernetes 中的网络配置的总结来介绍容器技术中的网络技术。

Docker 的网络系统

1. bridge: the default network driver. If you don’t specify a driver, this is the type of network you are creating. Bridge networks are usually used when your applications run in standalone containers that need to communicate.
   The bridge network represents the docker0 network present in all Docker installations.
   适用于单个host上的container之间通信。It is best when you need multiple containers to communicate on the same Docker host.
   当你安装Docker的时候，docker会创建一个桥接器docker0，通过它才让容器与容器之间、与宿主机之间通信。The bridge network represents the docker0 network present in all Docker installations.

$  ifconfig docker0
docker0   Link encap:Ethernet  HWaddr 02:42:db:c4:96:d3  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:dbff:fec4:96d3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
$ ip addr show
docker0   Link encap:Ethernet  HWaddr 02:42:db:c4:96:d3  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:dbff:fec4:96d3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
 $ docker inspect bridge

[
    {
        "Name": "bridge",
        "Id": "f65bddc829adfd9b0df91a71ef31acc52b3f450f6c13cac0a5460ded2dddf55f",
        "Created": "2017-08-07T07:04:56.06541016Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": {
            "c3ff1cd9bbe6f65a861be0134b50d4239cf4f271da5f546775de3c25c84cb311": {
                "Name": "thirsty_banach",
                "EndpointID": "31e4f25acdbbdc186bb7cb7be57a34e980315f101746f085ab72c74cb65d56e1",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

2. host: For standalone containers, remove network isolation between the container and the Docker host, and use the host’s networking directly. host is only available for swarm services on Docker 17.06 and higher. See use the host network.
   共用 host 上的network资源. It is best when the network stack should not be isolated from the Docker host, but you want other aspects of the container to be isolated.

docker run -it --network=host nginx

curl -i localhost

3. overlay: Overlay networks connect multiple Docker daemons together and enable swarm services to communicate with each other. You can also use overlay networks to facilitate communication between a swarm service and a standalone container, or between two standalone containers on different Docker daemons. This strategy removes the need to do OS-level routing between these containers.
   跨host的container之间的通信。 It is best when you need containers running on different Docker hosts to communicate, or when multiple applications work together using swarm services.

4. macvlan: Macvlan networks allow you to assign a MAC address to a container, making it appear as a physical device on your network. The Docker daemon routes traffic to containers by their MAC addresses. Using the macvlan driver is sometimes the best choice when dealing with legacy applications that expect to be directly connected to the physical network, rather than routed through the Docker host’s network stack.
   给container 分配一个mac 地址。It is best when you are migrating from a VM setup or need your containers to look like physical hosts on your network, each with a unique MAC address.

5. none: For this container, disable all networking. Usually used in conjunction with a custom network driver. none is not available for swarm services.
   允许用户自定义配置网络。一旦Docker Container采用了none网络模式，那么容器内部就只能使用loopback网络设备，不会再有其他的网络资源。

docker run -it --rm --network=none ubuntu:14.04  ifconfig

 lo       Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

6. Network plugins: You can install and use third-party network plugins with Docker. These plugins are available from Docker Hub or from third-party vendors. See the vendor’s documentation for installing and using a given network plugin.
   It is to allow you to integrate Docker with specialized network stacks.

自定义的network有自定义bridge网络，docker_gwbridge，自定义Overlay网络。

1. 自定义bridge网络
   与docker0类似，我们可以自定义bridge网络，通过使用自定义bridge网络，我们就可以实现在一台host上的多个container之间的通信。他的网络模型如下(图片来自docker官网):
   

2. docker_gwbridge
   他在本质上还是一个local的bridge网络，但是他是我们实现多个host之间的container通信的基础。通常情况下，当我们在链接swarm nodes的时候，docker_gwbridge网络就会被在每一个swarm节点上自动创建出来。

3. 自定义Overlay网络
   docker提供给我们两种方式来定义overlay网络，在docker1.12之前，我们需要依靠第三方的工具（ Consul, Etcd, and ZooKeeper (Distributed store)）来通过注册于寄存统一的“key-value”来实现“服务发现”和“DNS解析”，从而达到多个container不同host上的的通信。 但是在docker1.12之后，我们可以直接用“原生态”的swarm来实现“服务发现”和“DNS解析”。
   swarm在设计之初是为了service(一组container)而服务的，因此通过swarm创建的overlay网络在一开始并不支持单独的container加入其中。但是在docker1.13, 我们可以通过“–attach” 参数声明当前创建的overlay网络可以被container直接加入。

# docker network create --driver=overlay --attachable name=myOverlayNet

Docker 安装的时候的默认网络

Docker安装的时候默认会创建三个不同的网络。你可以通过docker network ls命令查看这些网络

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
f65bddc829ad        bridge              bridge              local
887f3f66f5dc        host                host                local
7d7c2584672c        none                null                local

为什么docker container 可以访问网络

如果Docker容器不是使用none网络模式，默认是不需要再做任何配置就可以访问网络。但是，外部网络在默认情况下是不能访问容器的服务的。

docker run -d -P --expose 443 nginx

-P选项Docker会把Dockerfile中的通过EXPOSE指令或–expose选项暴露的端口随机映射到临时端口。默认的nginx镜像的Dockerfile中会 EXPOSE 80。

查看端口映射关系

docker port 7101c41b0ca2

80/tcp -> 0.0.0.0:32773
443/tcp -> 0.0.0.0:32772

许多Linux内核预设的临时端口范围为32768 ~ 61000，你可以通过cat /proc/sys/net/ipv4/ip_local_port_range 查看临时端口范围。

Docker会在宿主机的iptables里添加NAT规则，使得宿主机外的网络能通过宿主机ip:port使用容器提供的服务。

iptables -t nat -L

DNAT       tcp  --  anywhere         anywhere       tcp dpt:32772 to:172.17.0.2:443
DNAT       tcp  --  anywhere         anywhere       tcp dpt:32773 to:172.17.0.2:80

你也可以通过-p选项指定端口映射关系：

docker run -d -p 8080:80 nginx

这儿指定了宿主机的8080端口映射到容器的80端口。

docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED        STATUS        PORTS                 NAMES
deca43a61f37   nginx   "nginx -g 'daemon ..."   3 seconds ago  Up 1 second   0.0.0.0:8080->80/tcp  happy_austin

PORTS 这一列列出了端口映射关系。

为什么docker 的container可以互相访问

为什么docker能够做到container之间的通信呢？ 答案就是 docker 内置的 DNS server.
https://docs.docker.com/config/containers/container-networking/

参考

https://loocode.com/tutorial/10107
https://docs.docker.com/config/containers/container-networking/