第五节、容器网络
容器使用的相关技术有cgroup(资源使用限制包括cpu内存的调用),namespace(名称空间)以及aufs(文件系统的联合挂载)
namespaces在内核上创建独立的名称空间隔离以下6项内容
- UTS:主机名和域名,系统调用参数CLONE_NEWUTS
- Mount:挂载点,文件系统,系统调用参数CLONE_NEWNS
- IPC:信号量,消息队列和共享内存,系统调用参数CLONE_NEWIPC
- PID:进程编号,系统调用参数CLONE_NEWPID
- User:用户用户组信息,系统调用参数CLONE_NEWUSER
- Network:网络设备,网络栈,端口等,系统调用参数CLONE_NEWNET
备注:namespaces需要内核版本3.10以上,centos6系统内核为2.8,因此docker至少需要centos7版本以上的系统
管理网络名称空间使用的软件包iproute
[root@localhost ~]# rpm -q iproute
iproute-3.10.0-54.el7.x86_64
[root@localhost ~]# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm |
netns | l2tp | tcp_metrics | token }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-h[uman-readable] | -iec |
-f[amily] { inet | inet6 | ipx | dnet | bridge | link } |
-4 | -6 | -I | -D | -B | -0 |
-l[oops] { maximum-addr-flush-attempts } |
-o[neline] | -t[imestamp] | -b[atch] [filename] |
-rc[vbuf] [size] | -n[etns] name | -a[ll] }
[root@localhost ~]# ip netns help
Usage: ip netns list
ip netns add NAME
ip netns set NAME NETNSID
ip [-all] netns delete [NAME]
ip netns identify [PID]
ip netns pids NAME
ip [-all] netns exec [NAME] cmd ...
ip netns monitor
ip netns list-id
主要使用参数netns对网络名称空间进行相应的操作
#创建独立的网络名称空间r1
[root@localhost ~]# ip netns add r1
[root@localhost ~]# ip netns list
r1
#默认只有内部的回环地址lo
[root@localhost ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#创建一对虚拟网卡veth1.1和veth1.2
[root@localhost ~]# ip link add name veth1.1 type veth peer name veth1.2
[root@localhost ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:8f:11:87 brd ff:ff:ff:ff:ff:ff
3: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether fe:79:4d:1c:7b:fc brd ff:ff:ff:ff:ff:ff
4: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether ba:21:2b:61:82:b9 brd ff:ff:ff:ff:ff:ff
#正常情况下创建的虚拟网卡都在宿主机上,手动把其中一块网卡移动到指定的名称空间中
[root@localhost ~]# ip link set dev veth1.2 netns r1
[root@localhost ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:8f:11:87 brd ff:ff:ff:ff:ff:ff
4: veth1.1@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether ba:21:2b:61:82:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
#原先排在第3的veth1.2已经不可见了,被移动到名称空间r1中,验证下
[root@localhost ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.2: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether fe:79:4d:1c:7b:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#手动将veth1.2改名为eth0
[root@localhost ~]# ip netns exec r1 ip link set dev veth1.2 name eth0
[root@localhost ~]# ip netns exec r1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether fe:79:4d:1c:7b:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#分别激活宿主机上的veth1.1以及r1空间中的eth0实现通信
#激活veth1.1
[root@localhost ~]# ifconfig veth1.1 10.1.0.1/24 up
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.135 netmask 255.255.255.0 broadcast 192.168.15.255
inet6 fe80::20c:29ff:fe8f:1187 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:8f:11:87 txqueuelen 1000 (Ethernet)
RX packets 30723 bytes 7800725 (7.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5369 bytes 529758 (517.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.1.0.1 netmask 255.255.255.0 broadcast 10.1.0.255
ether ba:21:2b:61:82:b9 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#激活r1空间中的eth0即原来的veth1.2
[root@localhost ~]# ip netns exec r1 ifconfig eth0 10.1.0.2/24 up
[root@localhost ~]# ip netns exec r1 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.2 netmask 255.255.255.0 broadcast 10.1.0.255
inet6 fe80::fc79:4dff:fe1c:7bfc prefixlen 64 scopeid 0x20<link>
ether fe:79:4d:1c:7b:fc txqueuelen 1000 (Ethernet)
RX packets 8 bytes 648 (648.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#宿主机上ping测试
[root@localhost ~]# ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.111 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.045 ms
64 bytes from 10.1.0.2: icmp_seq=3 ttl=64 time=0.045 ms
结合上述情况可以在宿主机上创建一对虚拟网卡,然后分别指定给两个不同的名称空间r1,r2,接着分别激活两个网卡,就能实现两个不同名称空间之间的通信,即两个容器之间的通信
Docker容器的四种网络通信模式
1、封闭式容器:容器内只有本地回环lo接口,无法与外部通信
2、桥接式容器:创建一对虚拟网卡,一半在容器内,一半桥接在宿主机的docker0网桥上
3、联盟式容器:两个容器A和B共享一个网络名称空间,这样容器A和B之间的进程可以通过本地回环lo进行通信
4、共享宿主机名称空间的容器:是第3种模式的延伸,容器直接使用宿主机的网络名称空间
在虚拟机上实现4种通信模式,利用busybox镜像启动容器
#默认为第2种桥接模式,有eth0以及本地回环lo
[root@localhost ~]# docker container run --name b1 -it --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # exit
#启动容器时指定网络模式为none,就是第1种封闭式容器;指定模式为bridge就是第2种桥接式容器;指定模式为host就是第4种共享宿主机名称空间的容器
创建封闭式容器同时在创建时注入主机名
[root@localhost ~]# docker container run --name b1 -h hx.edu.com -it --network none --rm busybox
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # hostname
hx.edu.com
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
创建bridge桥接式容器
[root@localhost ~]# docker container run --name b1 -h hx.edu.com -it --network bridge --rm busybox
/ # cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
/ # nslookup -type=A www.baidu.com
Server: 114.114.114.114
Address: 114.114.114.114:53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com
Name: www.a.shifen.com
Address: 180.97.33.108
Name: www.a.shifen.com
Address: 180.97.33.107
#容器直接挂载宿主机的/etc/resolv.conf 文件,连接DNS服务器做域名解析
创建联盟式容器,两个容器共享一个网络名称空间
#利用busybox镜像创建容器b1
[root@localhost ~]# docker container run --name b1 -h hx.edu.com -it --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
#创建容器b2指定使用容器b1的网络名称空间
[root@localhost ~]# docker container run --name b2 --network container:b1 -it --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # hostname
hx.edu.com
可以看到联盟式的容器b1和b2的eth0网卡地址是一致的,而且由于创建b1的时候已经通过参数-h注入了主机名,b2就不能再注入主机名,否则创建容器时报错信息如下:
[root@localhost ~]# docker container run --name b2 --network container:b1 -h hx.edu.com -it --rm busybox
docker: Error response from daemon: conflicting options: hostname and the network mode.
See 'docker run --help'.
联盟式容器共享的仅仅是网络名称空间,其他所有的(PID、Mount、UTS等)都是相互隔离的
同理创建容器时指定参数--network host就可以共享宿主机的网络名称空间;注意此模式下容器可以直接看到宿主机的全部网卡并绑定宿主机的任意端口,与宿主机之间不再有网络隔离,只应在明确需要时使用
修改docker默认的docker0网桥需要修改对应的配置文件/etc/docker/daemon.json,这也是安装docker服务时定义国内镜像加速的文件,添加如下的key-value键值对
[root@localhost ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": [ "https://4mii0w1b.mirror.aliyuncs.com","https://hub-mirror.c.163.com","https://registry.docker-cn.com" ],
"bip":"10.0.0.1/16",
"dns":["114.114.114.114","221.228.255.1"]
}
#bip定义了docker桥的网段,dns定义了域名服务器最多3个,加速器定义了国内多个加速网址
[root@localhost ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.0.0 broadcast 10.0.255.255
inet6 fe80::42:10ff:feb2:4ed2 prefixlen 64 scopeid 0x20<link>
ether 02:42:10:b2:4e:d2 txqueuelen 0 (Ethernet)
RX packets 10 bytes 516 (516.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 1565 (1.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Docker服务的远程控制
一般docker客户端通过连接本地的/var/run/docker.sock文件与docker服务通信,当需要从其他服务器访问本地的容器时需修改/etc/docker/daemon.json 文件添加如下字段
"hosts" : ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
这样docker服务就会在所有网卡的2375端口上监听远程连接。注意2375端口默认既不加密也不认证,任何能访问到该端口的主机都可以在本机以root权限创建容器、挂载宿主机目录,相当于开放了宿主机的root权限;在非隔离的网络中应改为仅监听内网地址并配合防火墙限制来源,或改用带TLS证书认证的2376端口
在其他主机上执行docker相关的命令(-H是docker的全局参数,需放在子命令之前)
docker -H 172.168.1.11:2375 container ps -a
创建自定义网桥
[root@localhost ~]# docker network create -d bridge --subnet "172.16.0.0/16" --gateway "172.16.0.1" mybr0
21f8eb3af218fabb9e10b3e1cef6cb3f81e7e60cd08c0f8501652f36e16c832f
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
ee23b9572a17 bridge bridge local
604ecd04c910 host host local
21f8eb3af218 mybr0 bridge local
4ae3bb4d9a74 none null local
[root@localhost ~]# ifconfig
br-21f8eb3af218: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.16.0.1 netmask 255.255.0.0 broadcast 172.16.255.255
ether 02:42:38:51:e6:7f txqueuelen 0 (Ethernet)
RX packets 13 bytes 1026 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 1026 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
安装工具包查看容器的网络桥接情况
[root@localhost ~]# yum install bridge-utils -y
[root@localhost ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:10ff:feb2:4ed2 prefixlen 64 scopeid 0x20<link>
ether 02:42:10:b2:4e:d2 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.135 netmask 255.255.255.0 broadcast 192.168.15.255
inet6 fe80::20c:29ff:fe8f:1187 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:8f:11:87 txqueuelen 1000 (Ethernet)
RX packets 23415 bytes 7302710 (6.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4507 bytes 438926 (428.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethb4339ef: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::8491:9cff:fea7:2f27 prefixlen 64 scopeid 0x20<link>
ether 86:91:9c:a7:2f:27 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 1296 (1.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024210b24ed2 no vethb4339ef