一 简介
在Docker的世界里面
network起到了非常关键的作用。主要担任的工作有:与宿主机通信、容器与容器通信。在之前的讲解中我们让容器与容器通信是通过
--link来完成,但在官方文档中可以看出--link已经标记为删除,可能在后面的版本中会直接删除该指令。从安全性角度考虑及官方文档都建议使用
docker network来完成容器之间的通信。
docker network的常用命令如下:
C:\Users\zsl-pc>docker network --help
Usage: docker network COMMAND
Manage Docker networks
Options:
--help Print usage
Commands:
connect Connect a container to a network
create Create a network
disconnect Disconnect a container from a network
inspect Display detailed information on one or more networks
ls List networks
rm Remove one or more networks
Run 'docker network COMMAND --help' for more information on a command.
docker network connect:将容器加入到指定网络中;
docker network create:创建网络;
docker network disconnect:将容器从指定网络中移除;
docker network inspect:查看指定网络的详情信息;
docker network ls:列表所有网络;
docker network rm:删除指定网络。
通过这些命令可以看出:在Docker里面可以组建自己的网络,容器与容器之间可以在所组建的网络中通信,也可以从指定的网络中移除容器。这就类似于我们的物理机组建自己的局域网。
二、 容器默认网络bridge
在Docker服务安装成功后默认有三个网络(docker network ls):
C:\Users\zsl-pc>docker network ls
NETWORK ID NAME DRIVER SCOPE
992344cd89fe bridge bridge local
06445f4f5774 host host local
2d964ece79b9 none null local
bridge:是容器的默认网络,可以配置后与宿主机通信从而与互联网互联互通。
host和none:是属于无网络(可以使用docker network inspect host查看,其中无子网和网关),容器添加到这两个网络时时将容器添加到特定的容器网络堆栈,是不能与外界网络通信的。
每当使用docker run启动一个容器时,这个容器都会有一个默认的网络,即bridge。
可以通过inspect命令查看各网络中的容器(查看bridge网络):
C:\Users\zsl-pc>docker network inspect bridge
[
{
"Name": "bridge",
"Id": "992344cd89fe90aa240651e7497131e5dc40539d3f1ad540f973feab6b345b3c"
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
在Containers中看到是空,表示目前还没有任何容器加入到这个网络。
启动容器:
docker run -d -it --name c1 centos /bin/bash -c "while true; do echo hello; sleep 1; done"
说明:启动了一个名为c1的Centos的容器,每隔一秒输出hello,可以通过docker logs c1查看输出信息。
此时再查看bridge网络(docker network inspect bridge):
C:\Users\zsl-pc>docker network inspect bridge
…………
"Containers": {
"7883225f9192cb4eb68283fd47bc9435ab70dd76803ede1d926f30db3bb1101f": {
"Name": "c1",
"EndpointID": "e784f093b0c810f5c5112235e2e8502f6193077fa5da44a9a527aa9086894382",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
}
}
…………
说明:可以看到bridge网络中已经有一个容器c1,且IP地址是172.17.0.2。
通过这个例子可以看出在docker run启动容器时在未指定网络情况下默认使用了bridge这个网络。
在容器中查看网络
C:\Users\zsl-pc>docker exec -it c1 /bin/bash
[root@7883225f9192 /]# more /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 7883225f9192
[root@7883225f9192 /]#
可以看到主机名7883225f9192对应的IP地址正是前面所说的172.17.0.2。也可通过ifconfig查看容器内部的网络信息,如果提示:bash: ifconfig: command not found可以先安装网络工具:yum install -y net-tools,安装完成后再输入:ifconfig
[root@7883225f9192 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:acff:fe11:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 2057 bytes 7829768 (7.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1873 bytes 105536 (103.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0就是这个容器的网卡信息,也可以看出IP地址是172.17.0.2。
再启动一个容器与其他容器通信
docker run -d -it --name c2 centos /bin/bash -c "while true; do echo hello; sleep 1; done"
说明:又启动了一个容器,名称为c2,与c1做的事情一样。再使用docker network inspect bridge可以看到:
C:\Users\zsl-pc>docker network inspect bridge
…………
"Containers": {
"7117f84edc269c5f61052a136791e775e26372c2b977db77081cd78533e5721e": {
"Name": "c2",
"EndpointID": "78be5b7b0737d23082607fd016664017df77ceb1d469d9a3972033796ac8d761",
"MacAddress": "02:42:ac:11:00:03",
"IPv4Address": "172.17.0.3/16",
"IPv6Address": ""
},
"7883225f9192cb4eb68283fd47bc9435ab70dd76803ede1d926f30db3bb1101f": {
"Name": "c1",
"EndpointID": "859ff1ec55e136c5ec431df7baaf42af8f2a3e872a7472e16e392a9fa68d797d",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
}
}
…………
可以看出:c1和c2是在一个局域网内,c2的IP地址是172.17.0.3,可以尝试互相ping一下看是否能ping通:
C:\Users\zsl-pc>docker exec -it c2 /bin/bash
[root@7117f84edc26 /]# ping -w 4 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.044 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.114 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.120 ms
64 bytes from 172.17.0.2: icmp_seq=4 ttl=64 time=0.121 ms
64 bytes from 172.17.0.2: icmp_seq=5 ttl=64 time=0.115 ms
--- 172.17.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.044/0.102/0.121/0.032 ms
[root@7117f84edc26 /]# exit
C:\Users\zsl-pc>docker exec -it c1 /bin/bash
[root@7883225f9192 /]# ping -w 4 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.107 ms
64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.089 ms
64 bytes from 172.17.0.3: icmp_seq=4 ttl=64 time=0.113 ms
64 bytes from 172.17.0.3: icmp_seq=5 ttl=64 time=0.114 ms
--- 172.17.0.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.048/0.094/0.114/0.025 ms
[root@7883225f9192 /]#
在c2里面是可以ping通c1的IP地址,在c1里面也可以ping通c2的IP地址,说明在一个网络下的容器是可以相互通信的。
三、 自定义网络
- 创建网络
C:\Users\zsl-pc>docker network create test-net
39b38d32553cb89085bccb6d1359e3e1ebba570147c31c64c58e40d7967f9e50
说明:这里创建了一个名为test-net的网络,创建成功后会得到该网络的ID
- 列表网络
C:\Users\zsl-pc>docker network ls
NETWORK ID NAME DRIVER SCOPE
86423d2ba03a bridge bridge local
06445f4f5774 host host local
2d964ece79b9 none null local
39b38d32553c test-net bridge local
说明:此时列表出来的结果除了默认的三个网络外,又增加了一个刚刚创建的test-net;其DRIVER是bridge说明在创建网络时的默认驱动是bridge;SCOPE指定了网络的作用范围,local表示只在当前宿主机生效。
- 查看网络详情
C:\Users\zsl-pc>docker network inspect test-net
[
{
"Name": "test-net",
"Id": "39b38d32553cb89085bccb6d1359e3e1ebba570147c31c64c58e40d7967f9e50",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16",
"Gateway": "172.18.0.1/16"
}
]
},
"Internal": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
- 启动容器并指定网络
docker run -d -it --name c3 --network test-net centos /bin/bash -c "while true; do echo hello; sleep 1;done"
0968be0ab042ec35121774227bbecf5c5fd8a1faf0f7fd3b5ac0069af64e7709
说明:使用指令--network来指定容器的网络
- 与名为
bridge的网络中的容器c2通过
在《16 - Docker network第二讲-容器默认网络bridge》中我们创建了两个容器c1和c2,这两个容器都是属于名为bridge的默认网络中,下面尝试与任意一个容器通信(以c2为例,其IP地址为172.17.0.3):
C:\Users\zsl-pc>docker exec -it c3 /bin/bash
[root@0968be0ab042 /]# ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
^C
--- 172.17.0.3 ping statistics ---
18 packets transmitted, 0 received, 100% packet loss, time 17008ms
说明:可以看出现在c3是无法与c2进行通信的。要让这两个容器通信需要让他们在同一个网络里面(就像局域网中的物理机一样)。
C:\Users\zsl-pc>docker network connect test-net c2
C:\Users\zsl-pc>docker inspect c2
…………
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "86423d2ba03ab5d46d66fe39bbba75d0d47d0fcc7dcbf250fcbbaa4b0085a029",
"EndpointID": "78be5b7b0737d23082607fd016664017df77ceb1d469d9a3972033796ac8d761",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:03"
},
"test-net": {
"IPAMConfig": {},
"Links": null,
"Aliases": [
"7117f84edc26"
],
"NetworkID": "39b38d32553cb89085bccb6d1359e3e1ebba570147c31c64c58e40d7967f9e50",
"EndpointID": "071d239a9758d380fc265345030393cee3fc6d2d746b36af44bf6a6c5aeecd60",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:03"
}
}
说明:使用命令docker inspect c2查看c2容器的详情信息时可以看到其Networks中有两个网络信息bridge和test-net说明我们已经让c2与test-net连接在一起了,且c2在test-net这个网络中的IP地址是:172.18.0.3,此时再来检测c2和c3的通信情况:
C:\Users\zsl-pc>docker exec -it c3 /bin/bash
[root@0968be0ab042 /]# ping -w 4 172.18.0.3
PING 172.18.0.3 (172.18.0.3) 56(84) bytes of data.
64 bytes from 172.18.0.3: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from 172.18.0.3: icmp_seq=2 ttl=64 time=0.077 ms
64 bytes from 172.18.0.3: icmp_seq=3 ttl=64 time=0.247 ms
64 bytes from 172.18.0.3: icmp_seq=4 ttl=64 time=0.137 ms
64 bytes from 172.18.0.3: icmp_seq=5 ttl=64 time=0.045 ms
--- 172.18.0.3 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.045/0.110/0.247/0.076 ms
[root@0968be0ab042 /]#
说明:c2和c3可以正常通信了,只是c2现在拥有两个网络信息:默认的bridge和自定义的test-net。c2可以通过bridge网络与c1通信,也可以通过test-net网络与c3通信,但c1和c3没有共同的网络,所以它们不可以通信。
- 从网络中移除容器
C:\Users\zsl-pc>docker network disconnect bridge c2
C:\Users\zsl-pc>docker inspect c2
…………
"Networks": {
"test-net": {
"IPAMConfig": {},
"Links": null,
"Aliases": [
"7117f84edc26"
],
"NetworkID": "39b38d32553cb89085bccb6d1359e3e1ebba570147c31c64c58e40d7967f9e50",
"EndpointID": "071d239a9758d380fc265345030393cee3fc6d2d746b36af44bf6a6c5aeecd60",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:03"
}
}
说明:使用docker network disconnect命令来将容器移出网络,这里将c2容器从bridge网络中移除,再使用docker inspect c2来查看容器详情信息时,在Networks中只会看到test-net一个网络,此时c2将只能与c3通信,不能与c1通信。
- 删除网络
C:\Users\zsl-pc>docker network rm test-net
Error response from daemon: network test-net has active endpoints
注意:当网络中还有容器时,此网络不能被删除。rm后面可以跟多个网络名称,以空格隔开。
在前面例子中容器与容器之间的通信都是通过网络中的IP地址来完成的,这种方式显然是不合理的,因为这个IP地址可能会在启动容器时发生变化,而且也比较难记。
那么解决这一问题的方法就是使用网络别名,容器在网络是是允许有别名的,且这个别名在所在网络中都可以直接访问,这就类似局域网在各物理机的主机名。
- 启动容器指定网络及网络别名
docker run -d -it --name c4 --network test-net --network-alias c4-alias centos /bin/bash -c "while true; do echo hello; sleep 1; done"
e51b0ccd566709595c136d3ec41a72652843880184052324e5702bbdc82e0c22
说明:使用--network来指定网络,使用--network-alias来指定网络别名,也就是说c4这个容器在test-net这个网络中的别名是c4-alias,在这个网络中的其他容器可以通过这个别名来访问该容器。
- 查看网络中的容器
C:\Users\zsl-pc>docker network inspect test-net
…………
"Containers": {
"0968be0ab042ec35121774227bbecf5c5fd8a1faf0f7fd3b5ac0069af64e7709": {
"Name": "c3",
"EndpointID": "1a2062123d61774cd49d074f5dc8705fd0189c24657c7eb2002de4ad908810f0",
"MacAddress": "02:42:ac:12:00:03",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
},
"7117f84edc269c5f61052a136791e775e26372c2b977db77081cd78533e5721e": {
"Name": "c2",
"EndpointID": "f3c3a919d92c1213da1a13879e75e4e2fe09ed619c65abad0751f8e76f19c2d9",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
},
"e51b0ccd566709595c136d3ec41a72652843880184052324e5702bbdc82e0c22": {
"Name": "c4",
"EndpointID": "ab60608e5f26d370b71eb3f4e051f133649de35dff1bae0dcbec17684dca7cb5",
"MacAddress": "02:42:ac:12:00:04",
"IPv4Address": "172.18.0.4/16",
"IPv6Address": ""
}
}
…………
说明:可以看出现在在test-net中已经有三个容器了。
- 查看容器详情信息
C:\Users\zsl-pc>docker inspect c4
…………
"Networks": {
"test-net": {
"IPAMConfig": null,
"Links": null,
"Aliases": [
"c4-alias",
"e51b0ccd5667"
],
"NetworkID": "39b38d32553cb89085bccb6d1359e3e1ebba570147c31c64c58e40d7967f9e50",
"EndpointID": "ab60608e5f26d370b71eb3f4e051f133649de35dff1bae0dcbec17684dca7cb5",
"Gateway": "172.18.0.1",
"IPAddress": "172.18.0.4",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:12:00:04"
}
}
…………
说明:通过查看c4的详情信息可以看出,在Networks里面可以看到该容器所拥有的网络为test-net(这是使用--network来指定的),在test-net里面可以看到Aliases里面有个c4-alias(这是使用--network-alias来指定的),说明c4的网络别名已经设置好了。
- 通过网络别名与其他容器通信
进入test-net网络中的任意容器(这里选择c3)测试与c4通信:
C:\Users\zsl-pc>docker exec -it c3 /bin/bash
[root@0968be0ab042 /]# ping -w 4 172.18.0.4
PING 172.18.0.4 (172.18.0.4) 56(84) bytes of data.
64 bytes from 172.18.0.4: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 172.18.0.4: icmp_seq=2 ttl=64 time=0.074 ms
64 bytes from 172.18.0.4: icmp_seq=3 ttl=64 time=0.122 ms
64 bytes from 172.18.0.4: icmp_seq=4 ttl=64 time=0.079 ms
--- 172.18.0.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.071/0.086/0.122/0.022 ms
[root@0968be0ab042 /]# ping -w 4 c4-alias
PING c4-alias (172.18.0.4) 56(84) bytes of data.
64 bytes from c4.test-net (172.18.0.4): icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from c4.test-net (172.18.0.4): icmp_seq=2 ttl=64 time=0.060 ms
64 bytes from c4.test-net (172.18.0.4): icmp_seq=3 ttl=64 time=0.117 ms
64 bytes from c4.test-net (172.18.0.4): icmp_seq=4 ttl=64 time=0.084 ms
--- c4-alias ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 0.040/0.075/0.117/0.029 ms
[root@0968be0ab042 /]#
说明:可以看出在c3容器中可以通过c4的IP地址或网络别名与之通信。
- 以
connect的方式来指定网络别名
docker network connect --alias c1-alias test-net c1
说明:使用docker network connect来使容器加入指定网络,通过--alias来指定该容器在指定网络中的别名。
进入c2进进行测试:
C:\Users\zsl-pc>docker exec -it c2 /bin/bash
[root@7117f84edc26 /]# ping -w 2 c1-alias
PING c1-alias (172.18.0.5) 56(84) bytes of data.
64 bytes from c1.test-net (172.18.0.5): icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from c1.test-net (172.18.0.5): icmp_seq=2 ttl=64 time=0.297 ms
--- c1-alias ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.056/0.176/0.297/0.121 ms
[root@7117f84edc26 /]# ping -w 2 c4-alias
PING c4-alias (172.18.0.4) 56(84) bytes of data.
64 bytes from c4.test-net (172.18.0.4): icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from c4.test-net (172.18.0.4): icmp_seq=2 ttl=64 time=0.060 ms
--- c4-alias ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.060/0.063/0.066/0.003 ms
网络别名在整个网络中都是有效的,即在同网络中的任意容器都可通过网络别名访问对应容器。
扫一扫
480
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
