From Docker to Kubernetes (二) - Docker Network

This is the fifth day of my participation in the First Challenge 2022

Section 01 – Vagrant

Vagrant is a tool for building and managing virtual machine environments in a single workflow. With an easy-to-use workflow and focus on automation, Vagrant lowers development environment setup time, increases production parity, and makes the “works on my machine” excuse a relic of the past.

Vagrant is a tool for building and managing virtual machines. It is very easy to build, start, shut down, or copy multiple identical virtual machine environments

With Vagrant + VirtualBox, you can build two or more virtual machine clusters very quickly

See Vagrant Getting Started

Vagrant often commands

vagrant up # Start the vm set in Vagrantfile in the current directory
vagrant halt # Shut down the VM
vagrant reload # Restart the VM
vagrant ssh # Connect to the VM
vagrant status # Check the VM startup status
vagrant suspend # Suspend the VM
vagrang destroy Destroy the current VM

vagrant reload --provision Restart the VIRTUAL machine according to the Vagrantfile configuration
vagrant up --provision Start the VM based on other configurations

vagrant init # initialization
vagrant box list Check the list of local boxes
vagrant box add # Add to box list
vagrant box remove # Remove from boxe list
Copy the code

Docker-node1 docker-node2
vagrant up
vagrant status
vagrant ssh docker-node1
# change the Linux host name
sudo hostnamectl set-hostname docker-node1
exit
vagrant ssh docker-node1
docker version
exit
vagrant ssh docker-node2
docker veresion
sudo hostnamectl set-hostname docker-node2
exit
vagrant ssh docker-node2
Ping each other to check whether the ping succeeds
Copy the code

Section 02 – Docker Networking

Related Network concepts

Public IP: unique IDENTIFIER of the Internet
Private IP address: cannot be used on the Internet and can be accessed only from internal networks

Related Network commands

Ping: used to verify IP reachability
Telnet: verifies service availability

Linux network namespace

docker run -d --name test1 busybox /bin/sh -c "while true; do sleep 3600; done"
Fb is short for Container ID
docker exec -it fb /bin/sh
Get the network namespace
ip a
# Exit container
exit
Create a second container
docker run -d --name test2 busybox /bin/sh -c "while true; do sleep 3600; done"
25EA is short for the Container ID
docker exec -it 25ea ip a
Copy the code

When creating a container, a Namespace is created that is isolated from the host’s Namespace

This is the Namespace of the first network

The network namespace of the second container

Docker Network Namespace Practice Creating and managing namespaces on the Linux network and interconnecting two network namespaces

vagrant up docker-node1
vagratn up docker-node2
vagrant status
vagrant ssh docker-node1
Netns is short for network namespace
sudo ip netns list
# Delete a network namespace
sudo ip netns delete test1
# Add a network namespace
sudo ip netns add test1
sudo ip netns add test2
Check the IP address of the network namespace
sudo ip netns exec test1 ip a
Make port LO up
sudo ip netns exec test1 ip link set dev lo up
sudo ip link add veth-test1 type veth peer name veth-test2
ip link
Add veth-test1 to test1
sudo ip link set veth-test1 netns test1
sudo ip netns exec test1 ip link
Add veth-test2 to test2
sudo ip link set veth-test2 netns test2
sudo ip netns exec test2 ip link
Allocate IP addresses
sudo ip netns execTest1 IP addr add 192.168.1.1/24 dev veth-test1 sudo IP netnsexecTest2 IP addr add 192.168.1.2/24 dev veth-test2Check whether there is an IP address
sudo ip netns exec test1 ip link
sudo ip netns exec test2 ip link
# start veth
sudo ip netns exec test1 ip link set dev veth-test1 up
sudo ip netns exec test2 ip link set dev veth-test2 up
Check whether there is an IP address
sudo ip netns exec test1 ip a
sudo ip netns exec test2 ip a
Run the ping command to check whether data is transmitted
sudo ip netns execTest1 ping 192.168.1.2 sudo IP netnsexecTest2 ping 192.168.1.1Copy the code

sudo ip netns exec test1 ip a
Copy the code

Linux Container uses something called VEth, a new appliance built specifically for Containers. Veth, which stands for Virtual ETHernet, simply forwards packets from one network namespace to another. Veth devices come in pairs, one inside the container and one outside the container, which is visible on a real machine.

VETH devices always come in pairs, and data sent to one end of the request is always sent from the other end as a request received. Once created and configured correctly, input data to one end, VETH redirects the data and sends it to the kernel network subsystem to complete the data injection, while the other end reads the data. (Namespace: Data sent from RX to either end of the VETH device is sent in TX mode to the other end.) VeTH works at the L2 data link layer, and the VETH-pair does not change the packet contents in the process of forwarding packets.

The two namespaces communicate with each other

Docker Bridge

docker start test1
docker start test2
docker exec -it test1 ip a
docker exec -it test2 ip a
# enter test1
docker exec -it test1 /bin/sh
Ping the IP address of another containerPing 172.17.0.2Copy the code

In Docker, bridge0 is used to link two containers instead of veth

docker stop test2
docker rm test2
Test1 is running now
docker network ls
# View network details
docker network inspect 28af3c328fe0
ip a
Check the network of the test1 container
docker exec -it test1 ip a


Verify that veth is connected to Docker0
brctl show


Create a container test2
docker run -d --name test2 busybox /bin/sh -c "while true; do sleep 3600; done"


docker network ls
docker network inspect bridge
# Create an extra veth for test2
brctl show
# docker0 connects two interfacesBridge Name Bridge ID STP Enabled interfaces Docker0 8000.0242f0fecf55 no vethb22CA59 vethd2ffFA8Copy the code

The following figure shows the test1 container connected to birdge

The IP a command is displayed

vethd2fffa8@if7 and eth0@if8 are a pair

The Container can connect to the host network and docker0 through these ports

Verify that veth is connected to Docker0

Docker Network Inspect Bridge has two containers connected to the Bridge network

The connection between two containers

Containers communicate with extranets

Link between containers

After the link is established, the container can be accessed directly by its name

Delete test2 first
docker stop test2
doker rm test2
Create test2 again by adding --link, --link test1
docker run -d --name test2 --link test1 busybox /bin/sh -c "while true; do sleep 3600; done"
# Enter the container
docker exec -it test2 /bin/sh
You can use the container name instead of the IP
ping test1
Copy the code

The network of the new container uses the user-defined network instead of the Bridge

# -d bridge indicates the name of the network created using bridge as the driver and my-bridge as the driver
docker network create -d bridge my-bridge
docker network ls
brctl show
Create a new container and specify to use the newly created network
docker run -d --name test3 --network my-bridge busybox /bin/sh -c "while true; do sleep 3600; done"
Look at the container network
docker inpect test3
brctl show
The running container is connected to a specific network
docker network connect my-bridge test2
docker inpect my-bridge
Copy the code

Port mapping between containers

If two containers are connected to the same network (custom network, system default network is not allowed), they can be pinged through the container name. In addition to command line access to docker deployed applications, there are other ways to provide services to the outside world (not only on the Docker host) through exposed ports. Map the port to the host’s port.

Practice, take Nginx as an example

docker run -d --name web nginx
docker exec -it web /bin/bash
The container is connected to the bridge by default
docker network inspect bridge
Check whether port 80 of the container is accessibleTelnet 172.17.0.4 80 curl http://172.17.0.4P 80:80, the first 80 is the port of the container, and the second is the port of the host
docker run -d --name web -p 80:80 nginx
# access port 80 of this machine to display nginx informationThe curl 127.0.0.1:80Copy the code

Host and None for the container network

There is no independent network namespace. If a network namespace is shared with a host, port conflicts may occur

docker run -d --name test2 --network host busybox /bin/sh -c "while true; do sleep 3600; done"
docker network inspect host
docker exec -it test2 /bin/bash
ip a
Copy the code

The None network is an isolated network that can only access containers through Docker exec-it and is used to store sensitive information such as passwords

Create a container using the None network
docker run -d --name test1 --network none busybox /bin/sh -c "while true; do sleep 3600; done"
docker network inspect none
docker exec -it test1 /bin/bash
ip a
Copy the code

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

From Docker to Kubernetes (二) – Docker Network

Section 01 – Vagrant

Section 02 – Docker Networking

Related Network concepts

Related Network commands

Linux network namespace

Docker Bridge

Link between containers

Port mapping between containers

Host and None for the container network

From Docker to Kubernetes (二) – Docker Network

Section 01 – Vagrant

Section 02 – Docker Networking

Related Network concepts

Related Network commands

Linux network namespace

Docker Bridge

Link between containers

Port mapping between containers

Host and None for the container network

Related Posts

Are you sure you can’t use ThreadLocal?

Springboot2.x series 76–Java Testing details

G1 garbage collector for Java Virtual Machines