docker container network

Docker automatically provides three kinds of networks after installation; they can be listed with the docker network ls command.

[root@RedHat ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
40793e9a84bd   bridge    bridge    local
8758384ef097   host      host      local
4a0a06be1be3   none      null      local

Docker uses Linux bridging: a virtual container bridge (docker0) is created on the host. When Docker starts a container, it assigns the container an IP address from the bridge's subnet, called the container IP, and the bridge acts as the default gateway of every container. Because all containers on the same host are attached to the same bridge, they can communicate with each other directly through their container IPs.

Four network modes of docker

Network mode   Configuration                    Explanation
host           --network host                   Container and host share the Network namespace
container      --network container:NAME_OR_ID   The container shares the Network namespace with another container
none           --network none                   The container has a separate Network namespace, but no network is
                                                configured for it (no veth pair or bridge connection, no IP, etc.)
bridge         --network bridge                 Default mode

[root@RedHat ~]# docker network ls    //none mode
NETWORK ID     NAME      DRIVER    SCOPE
40793e9a84bd   bridge    bridge    local
8758384ef097   host      host      local
4a0a06be1be3   none      null      local
[root@RedHat ~]# docker run -it --rm --network none busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

/ # exit
[root@RedHat ~]# docker run -it --rm --network host busybox    //host mode
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq qlen 1000
    link/ether 00:0c:29:e6:5a:58 brd ff:ff:ff:ff:ff:ff
    inet 192.168.157.10/24 brd 192.168.157.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fee6:5a58/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue 
    link/ether 02:42:1d:10:0a:41 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
/ # exit

[root@RedHat ~]# docker ps     //container mode
CONTAINER ID   IMAGE     COMMAND              CREATED      STATUS         PORTS     NAMES
4e63f0369e08   httpd     "httpd-foreground"   3 days ago   Up 3 seconds   80/tcp    stoic_darwin
[root@RedHat ~]# docker run -it --rm --network container:4e63f0369e08 httpd
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

bridge mode

When the Docker daemon starts, a virtual bridge named docker0 is created on the host, and every Docker container started on the host is connected to this virtual bridge. The virtual bridge works like a physical switch, so all containers on the host are joined to one layer-2 network through it.

Docker assigns the container an IP from the docker0 subnet and sets the IP address of docker0 as the container's default gateway. It then creates a pair of virtual network interfaces, a veth pair, on the host: one end of the pair is placed in the newly created container and named eth0 (the container's network card), the other end stays on the host with a name like vethxxx and is added to the docker0 bridge. You can view this with the brctl show command.

[root@RedHat ~]# nmcli dev  //view network devices
DEVICE       TYPE      STATE   CONNECTION 
ens160       ethernet  Connected  ens160     
docker0      bridge    Connected  docker0    
vethfb1a631  ethernet  Unmanaged  --         
lo           loopback  Unmanaged  --         

Bridge mode is the default network mode of Docker: if the --network parameter is omitted, bridge mode is used. When docker run -p is used, Docker actually creates DNAT rules in iptables to implement the port forwarding. You can view them with iptables -t nat -vnL.
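The "eth0@if25" suffix in a container's ip a output is the ifindex of the veth peer on the host, so a container's eth0 can be traced to its host-side vethxxx and to the bridge that veth is enslaved to. The following script is an added example, not code from the original post; the function names and the sample outputs (trimmed, constructed to resemble the post's ip a output) are assumptions, and on a live host you would feed it docker exec <container> ip a and ip -o link instead.

```shell
#!/bin/sh
# Added example (not from the original post): map a container's eth0 to the
# host-side veth interface and the bridge it is attached to, using the "@ifN"
# peer ifindex that "ip a" prints.
# Live usage: trace_container_veth "$(docker exec CTR ip a)" "$(ip -o link)"

# peer_index: read "ip a" output from a container on stdin and print the
# host-side ifindex of eth0 (the N in "eth0@ifN"). Prints nothing when the
# container has no eth0 (for example a --network none container).
peer_index() {
    sed -n 's/^[0-9]*: eth0@if\([0-9]*\):.*/\1/p'
}

# host_veth: given an ifindex as $1, read "ip -o link" output on stdin and
# print "<interface name> <bridge it is enslaved to>" for that index.
host_veth() {
    awk -v idx="$1" '
        BEGIN { want = idx ":" }
        $1 == want {
            name = $2; sub(/@.*/, "", name); sub(/:$/, "", name)
            master = "(none)"
            for (i = 3; i <= NF; i++) if ($i == "master") master = $(i + 1)
            print name, master
        }'
}

# trace_container_veth: $1 is the container's "ip a" text, $2 the host's
# "ip -o link" text. Returns 1 if the container has no eth0.
trace_container_veth() {
    idx=$(printf '%s\n' "$1" | peer_index)
    [ -n "$idx" ] || { echo "no eth0 in container (none mode?)"; return 1; }
    printf '%s\n' "$2" | host_veth "$idx"
}

# Constructed sample: container side, modelled on the busybox output above
CONTAINER_IPA=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    inet 127.0.0.1/8 scope host lo
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
EOF
)

# Constructed sample: host side, as "ip -o link" would print it (trimmed)
HOST_LINKS=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
25: vethfb1a631@if24: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
EOF
)

trace_container_veth "$CONTAINER_IPA" "$HOST_LINKS"
# prints: vethfb1a631 docker0
```

The host interface's own "@if24" points back at the container's ifindex, so the two sides can be matched in either direction; this is the same pairing that brctl show and nmcli dev summarise.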

The bridge mode is shown in the figure below:

Suppose an Apache server is running in docker2 in the figure above; consider a few questions:

  • Can the two containers communicate directly? For example, can docker1 directly access the nginx site on docker2?

  • Can the host directly access the nginx site on docker2?

  • How can another host reach the nginx site on this host? Through DNAT?

The Docker bridge is virtualized by the host and is not a real network device, so it cannot be addressed from the external network. This also means the external network cannot reach a container directly through its container IP. If a container must be reachable from outside, its port can be mapped to the host (port mapping): enable it with the -p or -P parameter when the container is created with docker run, and then reach the container through [host IP]:[mapped port].
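Because port mapping is implemented as DNAT rules in the DOCKER chain of the nat table, that chain is the authoritative record of which container ports are reachable from outside and on which host addresses. The script below is an added example, not code from the original post: it parses iptables -t nat -vnL DOCKER output and flags mappings whose destination is 0.0.0.0/0 (open on every host interface) as opposed to ones bound to 127.0.0.1. The function names are mine, and the SAMPLE_NAT text is constructed to look like the real command's output.

```shell
#!/bin/sh
# Added example (not from the original post): list the host ports published by
# docker run -p by reading the DNAT rules Docker writes into the DOCKER chain
# of the nat table, and flag those reachable on all host interfaces.
# Live usage: iptables -t nat -vnL DOCKER | list_published_ports

# list_published_ports: read "iptables -t nat -vnL DOCKER" output on stdin and
# print one line per DNAT rule: "<dest addr>:<host port> -> <ctr ip:port> <exposure>"
list_published_ports() {
    awk '$3 == "DNAT" {
        dst = $9; hport = ""; target = ""
        for (i = 10; i <= NF; i++) {
            if ($i ~ /^dpt:/) hport = substr($i, 5)
            if ($i ~ /^to:/)  target = substr($i, 4)
        }
        # A destination of 0.0.0.0/0 matches any host address, so the port is
        # reachable on every interface; a specific address (127.0.0.1) is not
        exposure = (dst == "0.0.0.0/0") ? "ALL-INTERFACES" : "LOCAL-ONLY"
        printf "%s:%s -> %s %s\n", dst, hport, target, exposure
    }'
}

# count_wide_open: number of published ports reachable on all interfaces
count_wide_open() {
    list_published_ports | awk '/ALL-INTERFACES$/ { n++ } END { print n + 0 }'
}

# Constructed sample in the layout of "iptables -t nat -vnL DOCKER": one port
# published with -p 8080:80 and one with -p 127.0.0.1:5432:5432
SAMPLE_NAT=$(cat <<'EOF'
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    3   180 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
EOF
)

printf '%s\n' "$SAMPLE_NAT" | list_published_ports
# prints:
# 0.0.0.0/0:8080 -> 172.17.0.2:80 ALL-INTERFACES
# 127.0.0.1:5432 -> 172.17.0.3:5432 LOCAL-ONLY
```

Running this against a real host shows why -p should be given an explicit bind address (for example -p 127.0.0.1:5432:5432) for services that only local processes need: the DNAT rule is applied to forwarded traffic before the host's own INPUT filtering, so a port published on 0.0.0.0 is reachable from the network regardless of host firewall rules written for local services.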

[root@RedHat ~]# docker run -it --rm httpd    //Start an httpd container
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Mon Mar 01 16:32:09.660256 2021] [mpm_event:notice] [pid 1:tid 140103006585984] AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations
[Mon Mar 01 16:32:09.660746 2021] [core:notice] [pid 1:tid 140103006585984] AH00094: Command line: 'httpd -D FOREGROUND'
172.17.0.3 - - [01/Mar/2021:16:32:54 +0000] "GET / HTTP/1.1" 200 45
172.17.0.1 - - [01/Mar/2021:16:33:15 +0000] "GET / HTTP/1.1" 200 45

[root@RedHat ~]# docker ps    //View from a second terminal
CONTAINER ID   IMAGE     COMMAND              CREATED         STATUS         PORTS     NAMES
c38efece8ccb   httpd     "httpd-foreground"   4 seconds ago   Up 4 seconds   80/tcp    gifted_shirley
[root@RedHat ~]# docker run -it --rm busybox    //Start the second container
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
24: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # wget -O - 172.17.0.2    //Access test
Connecting to 172.17.0.2 (172.17.0.2:80)
writing to stdout
<html><body><h1>It works!</h1></body></html>
-                    100% |*************************************************************************************|    45  0:00:00 ETA
written to stdout
/ # 

[root@RedHat ~]# curl 172.17.0.2    //Access from the host
<html><body><h1>It works!</h1></body></html>

container mode

In this mode the newly created container shares a Network Namespace with an existing container rather than with the host. The new container does not create its own network card or configure its own IP; it shares the IP and port range of the specified container. Apart from the network, the two containers remain isolated from each other in other respects, such as file system and process list. Processes in the two containers can communicate with each other through the lo loopback device.

The container mode is shown in the following figure:

host mode

If host mode is used when starting the container, the container does not get a separate Network Namespace but shares the host's Network Namespace. The container does not virtualize its own network card or configure its own IP; it uses the host's IP and ports. Other aspects of the container, such as the file system and process list, are still isolated from the host.

A container in host mode can communicate with the outside world directly using the host's IP address, and a service port inside the container is the host's port, with no NAT involved. The biggest advantage of host mode is relatively good network performance; the drawbacks are that ports already in use on the Docker host cannot be reused by the container, and network isolation is poor.

The Host mode is shown in the following figure:

none mode

In none mode the Docker container has its own Network Namespace, but Docker performs no network configuration for it. In other words, the container has no network card, IP address, routes or similar settings; if networking is needed, the network card and IP must be added and configured manually.

In this network mode the container has only the lo loopback interface and no other network card. None mode is selected with --network none when the container is created. A container in this mode has no network connectivity at all, and that closed network gives the container strong isolation.

Application scenario:

  • Start a container to process data, such as converting data format

  • Some background computing and processing tasks

The none mode is shown in the following figure:

Posted by Niruth on Thu, 14 Apr 2022 06:26:53 +0930