docker container network
Docker automatically provides three kinds of networks after installation, which can be viewed by using the docker network ls command
```
[root@RedHat ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
40793e9a84bd   bridge    bridge    local
8758384ef097   host      host      local
4a0a06be1be3   none      null      local
```
Docker uses Linux bridging. A virtual bridge for containers (docker0) is created on the host. When Docker starts a container, it assigns the container an IP address from the subnet of the docker0 bridge; this is called the container IP. At the same time, the docker0 bridge is the default gateway of every container. Because all containers on the same host are attached to the same bridge, they can communicate directly with each other via their container IPs.
Four network modes of docker
Network mode | Configuration | Description
---|---|---
host | `--network host` | The container shares the Network namespace with the host
container | `--network container:NAME_OR_ID` | The container shares the Network namespace with another container
none | `--network none` | The container has its own Network namespace, but no network configuration is done for it (no veth pair or bridge connection, no IP, etc.)
bridge | `--network bridge` | Default mode
```
[root@RedHat ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
40793e9a84bd   bridge    bridge    local
8758384ef097   host      host      local
4a0a06be1be3   none      null      local

[root@RedHat ~]# docker run -it --rm --network none busybox    //none mode
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
/ # exit

[root@RedHat ~]# docker run -it --rm --network host busybox    //host mode
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000
    link/ether 00:0c:29:e6:5a:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.157.10/24 brd 192.168.157.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fee6:5a58/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 02:42:1d:10:0a:41 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
/ # exit

[root@RedHat ~]# docker ps    //container mode
CONTAINER ID   IMAGE   COMMAND              CREATED      STATUS         PORTS    NAMES
4e63f0369e08   httpd   "httpd-foreground"   3 days ago   Up 3 seconds   80/tcp   stoic_darwin
[root@RedHat ~]# docker run -it --rm --network container:4e63f0369e08 httpd
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
```
bridge mode
When the Docker process starts, a virtual bridge named docker0 will be created on the host, and the Docker container started on the host will be connected to this virtual bridge. The working mode of virtual bridge is similar to that of physical switch, so that all containers on the host are connected to a layer-2 network through the switch.
Docker assigns the container an IP from the docker0 subnet and sets the IP address of docker0 as the container's default gateway. It then creates a veth pair (a pair of virtual network interfaces) on the host: one end is placed in the newly created container and named eth0 (the container's network card), the other end stays on the host with a name like vethxxx and is attached to the docker0 bridge. You can view this with the brctl show command.
```
[root@RedHat ~]# nmcli dev    //view the devices
DEVICE       TYPE      STATE       CONNECTION
ens160       ethernet  Connected   ens160
docker0      bridge    Connected   docker0
vethfb1a631  ethernet  Unmanaged   --
lo           loopback  Unmanaged   --
```
Bridge mode is the default network mode of Docker: if the --network parameter is not given, bridge mode is used. When you use docker run -p, Docker actually creates DNAT rules in iptables to implement port forwarding. You can view them with iptables -t nat -vnL.
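Because every published port becomes a DNAT rule in the nat table, the quickest way to see what a host is really exposing is to read those rules back, rather than trusting what `docker ps` shows. The script below is an added example (not from the original post); it parses the `DOCKER` chain of `iptables -t nat -vnL` into "host port -> container ip:port" lines and counts the mappings that listen on all interfaces rather than only on 127.0.0.1. The iptables output embedded in it is constructed for the example; on a real host you would pipe `iptables -t nat -vnL DOCKER` into the same function.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -vnL DOCKER` output (made up for this
# example, not captured from the page's host). Column layout with -v is:
#   pkts bytes target prot opt in out source destination [extra]
SAMPLE_NAT='Chain DOCKER (2 references)
 pkts bytes target     prot opt in       out     source               destination
    0     0 RETURN     all  --  docker0  *       0.0.0.0/0            0.0.0.0/0
   12   720 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
    2   120 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.17.0.4:53'

# list_dnat_rules: read iptables -vnL text on stdin and print one line per DNAT
# rule in the form:  <proto> <listen-destination> <host-port> -> <container ip:port>
# Field 3 is the target, field 4 the protocol, field 9 the destination the rule
# matches on (0.0.0.0/0 = any host address, 127.0.0.1 = loopback only).
list_dnat_rules() {
  awk '$3 == "DNAT" {
    dport = ""; to = ""
    for (i = 10; i <= NF; i++) {
      if ($i ~ /^dpt:/) dport = substr($i, 5)
      if ($i ~ /^to:/)  to = substr($i, 4)
    }
    if (dport != "" && to != "")
      printf "%s %s %s -> %s\n", $4, $9, dport, to
  }'
}

# count_public_mappings: number of DNAT rules whose match destination is not
# loopback, i.e. ports that other machines on the network can reach.
count_public_mappings() {
  list_dnat_rules | awk '$2 != "127.0.0.1" { n++ } END { print n + 0 }'
}

# Usage on the constructed sample; replace the printf with
#   iptables -t nat -vnL DOCKER | list_dnat_rules
# on a real Docker host.
printf '%s\n' "$SAMPLE_NAT" | list_dnat_rules
printf 'publicly reachable mappings: %s\n' "$(printf '%s\n' "$SAMPLE_NAT" | count_public_mappings)"
```

The `-p 127.0.0.1:5432:5432` form of `docker run -p` is what produces the loopback-only rule in the sample; publishing with a bare `-p 8080:80` produces the `0.0.0.0/0` form, so the count printed at the end is a useful sanity check after deploying a host.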
The bridge mode is shown in the figure below:
Suppose an apache is running in docker2 in the figure above. Let's think about a few questions:

- Can the two containers communicate with each other directly? For example, can docker1 directly access the nginx site on docker2?
- Can the nginx site on docker2 be accessed directly from the host?
- How can another host access the nginx site on docker2? By a DNAT rule?
The Docker bridge is virtualized by the host; it is not a real network device. It cannot be addressed from the external network, which also means that the external network cannot reach a container directly through its container IP. If a container needs to be reachable from outside, its container port can be mapped to a host port (port mapping): when the container is created with docker run, enable this with the -p or -P parameter, and then access the container through [host IP]:[host port].
```
[root@RedHat ~]# docker run -it --rm httpd    //Start an httpd container
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Mar 01 16:32:09.660256 2021] [mpm_event:notice] [pid 1:tid 140103006585984] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations
[Mon Mar 01 16:32:09.660746 2021] [core:notice] [pid 1:tid 140103006585984] AH00094: Command line: 'httpd -D FOREGROUND'
172.17.0.3 - - [01/Mar/2021:16:32:54 +0000] "GET / HTTP/1.1" 200 45
172.17.0.1 - - [01/Mar/2021:16:33:15 +0000] "GET / HTTP/1.1" 200 45

[root@RedHat ~]# docker ps    //View from another terminal
CONTAINER ID   IMAGE   COMMAND              CREATED         STATUS         PORTS    NAMES
c38efece8ccb   httpd   "httpd-foreground"   4 seconds ago   Up 4 seconds   80/tcp   gifted_shirley

[root@RedHat ~]# docker run -it --rm busybox    //Start the second container
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # wget -O - 172.17.0.2    //Access test
Connecting to 172.17.0.2 (172.17.0.2:80)
writing to stdout
<html><body><h1>It works!</h1></body></html>
-                    100% |*************************************************************************************|    45  0:00:00 ETA
written to stdout
/ #

[root@RedHat ~]# curl 172.17.0.2    //Access from the real machine
<html><body><h1>It works!</h1></body></html>
```
container mode
This mode specifies that the newly created container shares a Network Namespace with an existing container, rather than with the host. The new container does not create its own network card or configure its own IP; it shares the IP and port range of the specified container. Apart from the network, the two containers are still isolated from each other, for example in file system and process list. The processes of the two containers can communicate through the lo loopback device.
The container mode is shown in the following figure:
host mode
If the host mode is used when starting the container, the container will not get a separate Network Namespace, but share a Network Namespace with the host. The container will not virtualize its own network card and configure its own IP, but use the IP and port of the host. However, other aspects of the container, such as file system, process list, etc., are still isolated from the host.
A container using host mode can communicate with the outside world directly using the host's IP address, and a service port inside the container can use the host's port without NAT. The biggest advantage of host mode is relatively good network performance, but ports already in use on the Docker host can no longer be used by the container, and network isolation is poor.
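Since host mode and container mode both give up the container's own Network Namespace, it is worth being able to list, for every running container, which of the four modes it is actually using. The script below is an added example (not from the original post) that classifies the `NetworkMode` value Docker reports and flags the two namespace-sharing modes. The input lines are constructed for the example; on a real host they come from `docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q)`, and the container names are made up.

```shell
#!/bin/sh
# Constructed sample of what
#   docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q)
# prints (names and modes made up for this example; "default" is what Docker
# reports for a container started with no --network flag, i.e. bridge mode).
SAMPLE_MODES='/stoic_darwin default
/web_proxy host
/sidecar container:4e63f0369e08
/batch_job none
/api bridge'

# classify_mode: map one NetworkMode value to a severity and a short reason.
# host and container:<id> share an existing namespace, so they get WARN;
# none and bridge/default keep a private namespace.
classify_mode() {
  case "$1" in
    host)           echo "WARN shares the host network namespace (host interfaces and ports exposed)" ;;
    container:*)    echo "WARN shares the network namespace of container ${1#container:}" ;;
    none)           echo "OK only the lo loopback interface, no external connectivity" ;;
    bridge|default) echo "OK private namespace on docker0, reachable from outside only via DNAT" ;;
    *)              echo "INFO user-defined network $1" ;;
  esac
}

# audit_network_modes: read "<name> <mode>" lines on stdin, print one verdict
# per container as "<name> <severity> <reason>".
audit_network_modes() {
  while read -r name mode; do
    [ -n "$name" ] || continue
    printf '%s %s\n' "$name" "$(classify_mode "$mode")"
  done
}

# count_warnings: number of containers that share another namespace.
count_warnings() {
  audit_network_modes | awk '$2 == "WARN" { n++ } END { print n + 0 }'
}

# Usage on the constructed sample; on a real host replace the printf with the
# docker inspect command quoted at the top of the file.
printf '%s\n' "$SAMPLE_MODES" | audit_network_modes
printf 'containers sharing a namespace: %s\n' "$(printf '%s\n' "$SAMPLE_MODES" | count_warnings)"
```

The `container:<id>` case is reported with the ID of the container whose namespace is shared, so that the port-conflict situation shown earlier with httpd (two processes trying to bind 0.0.0.0:80 in one namespace) can be traced back to the pairing that caused it.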
The Host mode is shown in the following figure:
none mode
In none mode, the Docker container has its own Network Namespace, but no network configuration is done for it. In other words, the container has no network card, IP address, routes or similar settings; if networking is needed, we have to add a network card and configure an IP for the container ourselves.
In this mode the container has only the lo loopback interface and no other network card. The none mode is specified with --network none when the container is created. A container in this mode has no way to reach any network, and that closed network is a good way to isolate the container.
Application scenarios:

- Starting a container to process data, such as converting a data format
- Background computing and processing tasks