
Docker容器的网络管理和网络隔离的实现

Docker容器的网络管理和网络隔离的实现

一、Docker网络的管理

1、Docker容器的联网方式

1)Docker访问外网

Docker容器连接到宿主机的docker0网桥访问外网;默认自动将docker0网桥添加到docker容器中。

2)容器和容器之间通信

需要管理员创建网桥;将不同的容器连接到网桥上实现容器和容器之间相互访问。

3)外部网络访问容器

通过端口映射或者同步docker宿主机网络配置实现通信。

2、Docker容器网络通信的模式

1)bridge

默认容器访问外网通信使用;依赖docker0网桥。

2)none

需要给容器创建独立的网络命名空间;不会给创建的容器配置TCP/IP信息。

3)container

容器和容器通信使用;容器需要共享容器名称空间,通过共享容器名称空间实现不同容器通信。

4)host

容器内部网络和宿主机保持同步。

3、配置bridge网络通信模式

[root@centos01 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo

[root@centos01 ~]# yum -y install docker [root@centos01 ~]# systemctl start docker

[root@centos01 ~]# systemctl enable docker

[root@centos01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@centos01 ~]# sysctl -p
net.ipv4.ip_forward = 1

[root@centos01 ~]# docker pull hub.c.163.com/public/centos:7.2-tools [root@centos01 ~]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

hub.c.163.com/public/centos 7.2-tools 4a4618db62b9 3 years ago 515 MB

[root@centos01 ~]# docker run -d --net=bridge --name centos7.201 hub.c.163.com/public/centos:7.2-tools

b308fb5c097fd455073f2f4a280d2660e6943fe1a62d6409e8ebcd3b86469438[root@centos01 ~]# docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

b308fb5c097f hub.c.163.com/public/centos:7.2-tools "/usr/bin/supervisord" 20 seconds ago Up 19 seconds 22/tcp centos7.201
[root@centos01 ~]# ifconfig

docker0: flags=4163 mtu 1500 inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

[root@centos01 ~]# docker exec -it centos7.201 /bin/bash [root@b308fb5c097f /]# ifconfig

eth0: flags=4163 mtu 1500 inet 172.17.0.2 netmask 255.255.0.0 broadcast 0.0.0.0

[root@b308fb5c097f /]# ping www.baidu.com PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.64 bytes from 39.156.66.18: icmp_seq=1 ttl=50 time=18.4 ms64 bytes from 39.156.66.18: icmp_seq=2 ttl=50 time=18.3 ms64 bytes from 39.156.66.18: icmp_seq=3 ttl=50 time=16.9 ms

[root@b308fb5c097f /]# ping 192.168.100.10 PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.

64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.043 ms64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.086 ms64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.150 ms

4、配置none网络通信模式

[root@centos01 ~]# docker run -d --net=none --name centos7.202 hub.c.163.com/public/centos:7.2-tools

e2c4837d67818e7ef4d7cedf964db21d98cabb594d12091d7f69da4e8fb3f30f[root@centos01 ~]# docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

e2c4837d6781 hub.c.163.com/public/centos:7.2-tools "/usr/bin/supervisord" 57 seconds ago Up 56 seconds centos7.202
b308fb5c097f hub.c.163.com/public/centos:7.2-tools "/usr/bin/supervisord" 7 minutes ago Up 7 minutes 22/tcp centos7.201
[root@centos01 ~]# docker exec -it centos7.202 /bin/bash
[root@e2c4837d6781 /]# ifconfig
lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0

[root@e2c4837d6781 /]# ping www.baidu.com ping: unknown host www.baidu.com[root@e2c4837d6781 /]#

[root@e2c4837d6781 /]# ping 192.168.100.10 connect: Network is unreachable

5、配置host网络通信模式

[root@centos01 ~]# docker run -d --net=host --name centos7.203 -v /data1 hub.c.163.com/public/centos:7.2-tools

2911358be486720c4ee93c8de22cd77301236f48c5baf22ea63bb3c54450032e[root@centos01 ~]# ls /var/lib/docker/volumes/

dc755f3b6036f167471435629918d06264e1c2c6a8b175426fa80da36143a87e metadata.db[root@centos01 ~]# docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

2911358be486 hub.c.163.com/public/centos:7.2-tools "/usr/bin/supervisord" About a minute ago Up About a minute centos7.203
e2c4837d6781 hub.c.163.com/public/centos:7.2-tools "/usr/bin/supervisord" 15 minutes ago Up 15 minutes centos7.202
b308fb5c097f hub.c.163.com/public/centos:7.2-tools "/usr/bin/supervisord" 21 minutes ago Up 21 minutes 22/tcp centos7.201
[root@centos01 ~]# docker exec -it centos7.203 /bin/bash
[root@centos01 /]# ifconfig

docker0: flags=4163 mtu 1500 inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

ens32: flags=4163 mtu 1500 inet 192.168.100.10 netmask 255.255.255.0 broadcast 192.168.100.255ens34: flags=4163 mtu 1500 inet 192.168.0.126 netmask 255.255.255.0 broadcast 192.168.0.255lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0

vethc39178a: flags=4163 mtu 1500 inet6 fe80::7c4b:a6ff:fe1c:a37f prefixlen 64 scopeid 0x20

virbr0: flags=4099 mtu 1500

inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255

[root@centos01 ~]# docker exec -it centos7.203 /bin/bash [root@centos01 /]# ping www.baidu.com PING www.a.shifen.com (39.156.66.14) 56(84) bytes of data.64 bytes from 39.156.66.14: icmp_seq=1 ttl=51 time=20.0 ms64 bytes from 39.156.66.14: icmp_seq=2 ttl=51 time=19.1 ms64 bytes from 39.156.66.14: icmp_seq=3 ttl=51 time=15.9 ms

[root@centos01 /]# ping 192.168.100.10 PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.

64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.020 ms64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.060 ms64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.030 ms

[root@centos01 ~]# cp /mnt/nginx-1.6.0.tar.gz ./ [root@centos01 ~]# ls

anaconda-ks.cfg initial-setup-ks.cfg nginx-1.6.0.tar.gz

[root@centos01 ~]# cp nginx-1.6.0.tar.gz /var/lib/docker/volumes/dc755f3b6036f167471435629918d06264e1c2c6a8b175426fa80da36143a87e/_data/

[root@centos01 ~]# docker exec -it centos7.203 /bin/bash [root@centos01 /]# ls

anaconda-post.log bin data1 dev etc home lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var[root@centos01 /]# cd data1/ [root@centos01 data1]# ls nginx-1.6.0.tar.gz

[root@centos01 /]# yum -y install pcre-devel zlib-devel [root@centos01 /]# useradd -M -s /sbin/nologin nginx

[root@centos01 /]# tar zxvf /data1/nginx-1.6.0.tar.gz -C /usr/src/
[root@centos01 /]# yum -y install gcc pcre-devel zlib-devel make
[root@centos01 /]# cd /usr/src/nginx-1.6.0/

[root@centos01 nginx-1.6.0]# ./configure --prefix=/usr/local/nginx --user=nginx --with-http_stub_status_module && make && make install

[root@centos01 nginx-1.6.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
[root@centos01 nginx-1.6.0]# echo "www.docker.nginx.com" > /usr/local/nginx/html/index.html

[root@centos01 nginx-1.6.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

[root@centos01 nginx-1.6.0]# netstat -anptu | grep nginx tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6268/nginx: master

[root@centos01 ~]# curl http://192.168.100.10 www.docker.nginx.com

[root@centos01 nginx-1.6.0]# cat /usr/local/nginx/logs/access.log

192.168.100.10 - - [12/May/2020:21:42:47 +0800] "GET / HTTP/1.1" 200 21 "-" "curl/7.29.0"

6、配置docker0网卡参数

[root@centos01 ~]# ifconfig

docker0: flags=4163 mtu 1500 inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

[root@centos01 ~]# systemctl stop docker

[root@centos01 ~]# ip link set dev docker0 down [root@centos01 ~]# brctl delbr docker0 [root@centos01 ~]# brctl addbr docker0

[root@centos01 ~]# ip addr add 192.168.20.1/24 dev docker0
[root@centos01 ~]# ip link set dev docker0 up
[root@centos01 ~]# vim /etc/docker/daemon.json

{
  "registry-mirrors": ["https://6kx4zyno.mirror.aliyuncs.com"],
  "bip": "192.168.20.1/24"          <-- 添加此行
}

[root@centos01 ~]# systemctl start docker [root@centos01 ~]# ifconfig

docker0: flags=4163 mtu 1500 inet 192.168.20.1 netmask 255.255.255.0 broadcast 0.0.0.0

[root@centos01 ~]# docker run -it -d --name centos7.2v1 hub.c.163.com/public/centos:7.2-tools d0b5392e60cef37f3c44d79a9fb73916720cfc44faa7b73862bee05fb2d6ce7b

[root@centos01 ~]# docker exec -it centos7.2v1 /bin/bash [root@d0b5392e60ce /]# ifconfig

eth0: flags=4163 mtu 1500 inet 192.168.20.2 netmask 255.255.255.0 broadcast 0.0.0.0

二、Docker网络隔离

1、Docker网络隔离原理

需要管理员创建网络空间名称;将不同的容器加载到不同的网络空间名称中实现隔离;默认不配置网络隔离时,默认给容器分配的是docker0网络空间名称。

2、Docker容器自带的网络空间名称类型

bridge:容器桥接到docker0⽹桥上;

host:容器同步docker宿主机的网络配置信息(容器与宿主机共用同一网络栈,容器与宿主机之间没有网络隔离);

none:不创建网络,docker容器不需要配置TCP/IP信息;

3、配置Docker网络名称空间隔离

[root@centos01 ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
8bb953004416 bridge bridge local
2c18234cad82 host host local
67860e823c36 none null local

[root@centos01 ~]# docker network create -d bridge liyanxin 0c69de4672ec173dc4c60b19e0bf93b361f45a804859f7bc2105d85ca83b1169

[root@centos01 ~]# docker network create -d bridge gongsunli 35687468c9034262173a96e9c23e045cbb8b7ffa6648fc84e015504740815001[root@centos01 ~]# ifconfig

br-0c69de4672ec: flags=4099 mtu 1500 inet 172.18.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

br-35687468c903: flags=4099 mtu 1500 inet 172.19.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

[root@centos01 ~]# docker run -it -d --name centos6.701 --network=liyanxin hub.c.163.com/public/centos:6.7-tools

b85a2d8419a98756369ddc3b78247d3d42c178e8e563a936fe973f2f6611f951

[root@centos01 ~]# docker exec -it centos6.701 /bin/bash [root@b85a2d8419a9 /]# ifconfig

eth0 Link encap:Ethernet HWaddr 02:42:AC:12:00:02 inet addr:172.18.0.2 Bcast:0.0.0.0 Mask:255.255.0.0

[root@centos01 ~]# docker run -it -d --name centos6.702 --network=gongsunli hub.c.163.com/public/centos:6.7-tools

9af0fb7b85af3270f3c7c44b62438f436b22289ac0a7604d6ed522604b7b185f

[root@centos01 ~]# docker exec -it centos6.702 /bin/bash [root@9af0fb7b85af /]# ifconfig

eth0 Link encap:Ethernet HWaddr 02:42:AC:13:00:02 inet addr:172.19.0.2 Bcast:0.0.0.0 Mask:255.255.0.0

三、配置网桥实现网络隔离

1、配置网桥实现网络隔离的目的

实现Docker宿主机上的容器跨Docker宿主机与其他容器通信使用。

2、配置⽹桥实现⽹络隔离原理

将物理网卡桥接到创建的网桥网卡上;给网桥网卡配置IP地址;创建容器并加载网桥网卡实现docker宿主机容器跨docker宿主机容器通信;管理员通过网桥网卡对docker宿主机进行远程管理。

3、配置docker网桥实现网络隔离

[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 TYPE=Ethernet

PROXY_METHOD=noneBROWSER_ONLY=noBOOTPROTO=staticDEFROUTE=yesNAME=ens32DEVICE=ens32ONBOOT=yes

BRIDGE=br0

[root@centos01 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-br0

[root@centos01 ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0 TYPE=Bridge PROXY_METHOD=noneBROWSER_ONLY=noBOOTPROTO=staticDEFROUTE=yes

NAME=br0 DEVICE=br0 ONBOOT=yes

IPADDR=192.168.100.10 NETMASK=255.255.255.0

[root@centos01 ~]# systemctl restart network [root@centos01 ~]# ifconfig

br0: flags=4163 mtu 1500 inet 192.168.100.10 netmask 255.255.255.0 broadcast 192.168.100.255

br-0c69de4672ec: flags=4163 mtu 1500 inet 172.18.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

br-35687468c903: flags=4163 mtu 1500 inet 172.19.0.1 netmask 255.255.0.0 broadcast 0.0.0.0docker0: flags=4099 mtu 1500 inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

ens32: flags=4163 mtu 1500 ether 00:0c:29:18:d3:26 txqueuelen 1000 (Ethernet)

ens34: flags=4163 mtu 1500 inet6 fe80::4ad2:dd37:4341:5d8e prefixlen 64 scopeid 0x20lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0

veth7b0bb5f: flags=4163 mtu 1500 inet6 fe80::ccd3:86ff:fee6:5725 prefixlen 64 scopeid 0x20

veth7e0f471: flags=4163 mtu 1500 inet6 fe80::684c:fdff:fe13:b436 prefixlen 64 scopeid 0x20

virbr0: flags=4099 mtu 1500

inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255[root@centos01 ~]# yum -y install git [root@centos01 ~]# git clone https://github.com/jpetazzo/pipework

[root@centos01 ~]# cp pipework/pipework /usr/local/bin/ [root@centos01 ~]# chmod +x /usr/local/bin/pipework

[root@centos01 ~]# docker run -d --name centos6.703 --network=none hub.c.163.com/public/centos:6.7-tools

adea0ad48bdde947ec595382d96cba06eb6522ec046e9b3c7bfcb1edb5c84545[root@centos01 ~]# pipework br0 centos6.703 192.168.100.101/24

[root@centos01 ~]# docker exec -it centos6.703 /bin/bash [root@adea0ad48bdd /]# ifconfig

eth1 Link encap:Ethernet HWaddr FA:3A:9D:ED:C0:FF

inet addr:192.168.100.101 Bcast:192.168.100.255 Mask:255.255.255.0[root@adea0ad48bdd /]# ping 192.168.100.10

PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.

64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.100 ms64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.097 ms64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.039 ms

4、配置docker宿主机容器和docker宿主机容器通信

[root@centos02 ~]# ping www.baidu.com PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.

64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=19.5 ms64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=17.3 ms64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=18.1 ms[root@centos02 ~]# cd /etc/yum.repos.d/[root@centos02 yum.repos.d]# lslocal.repo

[root@centos02 yum.repos.d]# wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo

[root@centos02 ~]# yum install docker -y [root@centos02 ~]# systemctl start docker

[root@centos02 ~]# systemctl enable docker

[root@centos02 ~]# docker pull hub.c.163.com/public/centos:6.7-tools [root@centos02 ~]# docker images

REPOSITORY TAG IMAGE ID CREATED SIZE

hub.c.163.com/public/centos 6.7-tools b2ab0ed558bb 3 years ago 602 MB[root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 TYPE=Ethernet

PROXY_METHOD=noneBROWSER_ONLY=noBOOTPROTO=staticDEFROUTE=yesNAME=ens32DEVICE=ens32ONBOOT=yes

BRIDGE=br0

[root@centos02 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens32 /etc/sysconfig/network-scripts/ifcfg-br0 [root@centos02 ~]# vim /etc/sysconfig/network-scripts/ifcfg-br0 TYPE=Bridge PROXY_METHOD=noneBROWSER_ONLY=noBOOTPROTO=staticDEFROUTE=yes

NAME=br0 DEVICE=br0 ONBOOT=yes

IPADDR=192.168.100.20 NETMASK=255.255.255.0

[root@centos02 ~]# systemctl restart network [root@centos02 ~]# ifconfig

br0: flags=4163 mtu 1500 inet 192.168.100.20 netmask 255.255.255.0 broadcast 192.168.100.255docker0: flags=4099 mtu 1500 inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0

ens32: flags=4163 mtu 1500 ether 00:0c:29:97:5c:9f txqueuelen 1000 (Ethernet)

ens34: flags=4163 mtu 1500 inet 192.168.0.104 netmask 255.255.255.0 broadcast 192.168.0.255lo: flags=73 mtu 65536 inet 127.0.0.1 netmask 255.0.0.0

virbr0: flags=4099 mtu 1500

inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255[root@centos02 ~]# yum -y install git

[root@centos02 ~]# git clone https://github.com/jpetazzo/pipework

[root@centos02 ~]# cp pipework/pipework /usr/local/bin/ [root@centos02 ~]# chmod +x /usr/local/bin/pipework

[root@centos02 ~]# docker run -d --name centos6.7 --network=none hub.c.163.com/public/centos:6.7-tools abec0a6bd3822a2fd702dc44d1cf3043648aadd1a661e577c23701e30ee9df7a[root@centos02 ~]# pipework br0 centos6.7 192.168.100.102/24

[root@centos02 ~]# docker exec -it centos6.7 /bin/bash [root@abec0a6bd382 /]# ifconfig

eth1 Link encap:Ethernet HWaddr EE:01:B7:99:90:1C

inet addr:192.168.100.102 Bcast:192.168.100.255 Mask:255.255.255.0[root@abec0a6bd382 /]# ping 192.168.100.101

PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.64 bytes from 192.168.100.101: icmp_seq=1 ttl=64 time=0.660 ms64 bytes from 192.168.100.101: icmp_seq=2 ttl=64 time=0.865 ms64 bytes from 192.168.100.101: icmp_seq=3 ttl=64 time=0.382 ms[root@abec0a6bd382 /]# ping 192.168.100.10

PING 192.168.100.10 (192.168.100.10) 56(84) bytes of data.

64 bytes from 192.168.100.10: icmp_seq=1 ttl=64 time=0.632 ms64 bytes from 192.168.100.10: icmp_seq=2 ttl=64 time=0.732 ms64 bytes from 192.168.100.10: icmp_seq=3 ttl=64 time=0.796 ms[root@abec0a6bd382 /]# ping 192.168.100.20

PING 192.168.100.20 (192.168.100.20) 56(84) bytes of data.

64 bytes from 192.168.100.20: icmp_seq=1 ttl=64 time=0.144 ms64 bytes from 192.168.100.20: icmp_seq=2 ttl=64 time=0.094 ms64 bytes from 192.168.100.20: icmp_seq=3 ttl=64 time=0.043 ms

到此这篇关于Docker容器的网络管理和网络隔离的实现的文章就介绍到这了,更多相关Docker网络管理和网络隔离内容请搜索以前的文章或继续浏览下面的相关文章,希望大家以后多多支持!
