The article was first published on the public account Programmer Guoguo

Address: mp.weixin.qq.com/s/DzF-ZwaY4…

I. Network foundations of Docker containers

docker0 (the Linux virtual bridge)

Look at the docker0 network device with ifconfig. The Docker daemon provides all of a container's network connectivity through docker0.

[root@localhost ~]# ifconfig docker0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:2fff:fe56:7b2e  prefixlen 64  scopeid 0x20<link>
        ether 02:42:2f:56:7b:2e  txqueuelen 0  (Ethernet)
        RX packets 27406  bytes 2657911 (2.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 42036  bytes 58020300 (55.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The Docker daemon is the service that gives containers their network connectivity, and it does so through docker0, a Linux virtual bridge.

A bridge in the OSI seven-layer model sits at layer 2, the data link layer: it forwards Ethernet frames between its ports based on MAC addresses.

Linux Virtual bridge features:

  • You can set an IP address
  • It is equivalent to having a hidden virtual network card

docker0 address allocation:

  • IP: 172.17.42.1, subnet mask: 255.255.0.0
  • MAC: 02:42:ac:11:00:00 to 02:42:ac:11:ff:ff
  • A total of 65,534 addresses are provided

When a container is started, the Docker daemon actually creates a network connection with two ends (a veth pair). One end is the network device inside the container, and the other end is an interface named veth* on the host running the Docker daemon; this pair carries the traffic between the Docker bridge and the container.

Let’s look at the actual process. To inspect the bridge you need the Linux bridge management tool; on Ubuntu, install bridge-utils with apt-get.

$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242ed943d02       no

Run a Docker container and look at the network devices inside it (if ifconfig is missing, run apt-get install -y net-tools).

root@b2a3136f5425:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:ac:11:00:02
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:145 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:184985 (184.9 KB)  TX bytes:4758 (4.7 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Docker has automatically created the eth0 NIC. Note its IP address and MAC address. Without exiting the container, run the following command on the host to check the state of the bridge.

$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242ed943d02       no              veth95521e6

A veth* interface now appears in the interfaces column: it is the host end of the pair whose container end is eth0. You can also see this interface on the host with ifconfig.
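As an added example (not from the article), the following Python makes the address allocation above explicit: Docker derives a container's MAC from the prefix 02:42 plus the four bytes of its IPv4 address, which is why the container above with IP 172.17.0.2 has MAC 02:42:ac:11:00:02, and why the MAC range 02:42:ac:11:00:00 to 02:42:ac:11:ff:ff covers exactly 172.17.0.0/16. The bridge's own MAC (02:42:2f:56:7b:2e above) is not derived this way and does not decode to an address in the subnet.

```python
import ipaddress

DOCKER_MAC_PREFIX = "02:42"  # locally administered prefix Docker puts on the MACs it generates


def mac_for_ip(ip: str) -> str:
    """Derive a container MAC the way Docker does: 02:42 followed by the IPv4 bytes in hex."""
    return DOCKER_MAC_PREFIX + "".join(f":{b:02x}" for b in ipaddress.IPv4Address(ip).packed)


def ip_from_mac(mac: str, bridge_subnet: str = "172.17.0.0/16"):
    """Reverse the derivation. Returns None when the MAC is not a Docker-derived address
    inside the bridge subnet (e.g. the bridge's own MAC, or a physical NIC's MAC)."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or ":".join(parts[:2]) != DOCKER_MAC_PREFIX:
        return None
    try:
        ip = ipaddress.IPv4Address(bytes(int(p, 16) for p in parts[2:]))
    except ValueError:  # non-hex or out-of-range byte
        return None
    return str(ip) if ip in ipaddress.IPv4Network(bridge_subnet) else None


def mac_range(bridge_subnet: str = "172.17.0.0/16"):
    """First and last MAC a bridge subnet can produce (the range listed in the article)."""
    net = ipaddress.IPv4Network(bridge_subnet)
    return mac_for_ip(str(net[0])), mac_for_ip(str(net[-1]))


if __name__ == "__main__":
    print(mac_for_ip("172.17.0.2"))          # the container's eth0 MAC shown above
    print(ip_from_mac("02:42:2f:56:7b:2e"))  # docker0's own MAC: None, not derived
    print(mac_range())
```

For forensics this means a host's ARP cache or brctl showmacs output still reveals the IPs containers used after they are gone.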

Customizing docker0

  • Change the default IP address assigned to docker0:

sudo ifconfig docker0 192.168.200.1 netmask 255.255.255.0

Then run sudo service docker restart. Containers started from now on get addresses from the new range.

  • Add a virtual bridge of your own:

sudo brctl addbr br0
sudo ifconfig br0 192.168.100.1 netmask 255.255.255.0

Change the startup configuration of the Docker daemon so that it uses br0 instead of docker0: open /etc/default/docker (vim /etc/default/docker) and add -b=br0 to DOCKER_OPTS:

DOCKER_OPTS="-b=br0"

Restart the Docker service.

II. Interconnection of Docker containers

Dockerfile for the test image (apt-get update must run before any install, and the ping binary on Ubuntu comes from the iputils-ping package):

FROM ubuntu:14.04
RUN apt-get update
RUN apt-get install -y iputils-ping
RUN apt-get install -y nginx
RUN apt-get install -y curl
EXPOSE 80
CMD /bin/bash

1. Allow all containers to connect to each other

On the same host, Docker containers are connected through the virtual bridge. By default (--icc=true) containers running on the same host can connect to each other. A container's IP address, however, is not a reliable way to reach it, because the address changes every time the container starts; use a link instead:

docker run --link=<container name>:<alias> ...

Check the effect inside the linked container:

$ env

Among the environment variables you can see a number that start with WEBTEST_; Docker added them when the container started. You can also see the address mapping for webtest in the container's /etc/hosts file. The IP address in /etc/hosts changes when Docker restarts the container: for containers started with the --link option, Docker automatically updates the mapping between the alias we specified and the current IP address, and the environment variables change accordingly.

2. Deny all container interconnection

Docker daemon startup option: --icc=false

Edit /etc/default/docker (vim /etc/default/docker) and add at the end:

DOCKER_OPTS="--icc=false"

Then run sudo service docker restart. After this, containers cannot ping each other, even linked ones.

3. Allow connections between specific containers

Docker daemon startup options: --icc=false --iptables=true, plus --link when starting the container. Docker relies on iptables for this: with --icc=false it blocks all traffic between containers, and only containers started with the --link option can reach each other. Note: if ping still fails, the problem may be iptables (a DROP rule sitting before Docker's own rules). Check and reset the rules, then restart Docker:

sudo iptables -L -n           # check the iptables rules
sudo iptables -F              # flush the iptables rules
sudo service docker restart   # restart the Docker service
sudo iptables -L -n           # check again; Docker has recreated its rules

Note that iptables -F removes every rule in the filter table, including any host firewall rules that are not Docker's; Docker only recreates its own rules on restart.

Restart the container.
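As an added audit helper (not from the article), the following Python reads iptables -S output and reports the two things sections 1 and 3 rely on: whether container-to-container forwarding on docker0 is dropped (--icc=false) and which container pairs a --link explicitly permits. The embedded rule set is a constructed sample modelled on the rules Docker 1.x installs with --icc=false --iptables=true and one legacy link; on a real host you would feed it the output of sudo iptables -S.

```python
import re

# Constructed sample of `iptables -S` output (not taken from the article): Docker started
# with --icc=false --iptables=true, plus one --link from 172.17.0.3 to 172.17.0.2 on port 80.
SAMPLE_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -s 172.17.0.3/32 -d 172.17.0.2/32 -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -s 172.17.0.2/32 -d 172.17.0.3/32 -i docker0 -o docker0 -p tcp -m tcp --sport 80 -j ACCEPT
"""

# One --link yields a pair of rules: client->server matched on --dport, reply path on --sport.
LINK_RE = re.compile(
    r"^-A DOCKER -s (?P<src>[\d./]+) -d (?P<dst>[\d./]+) -i (?P<br>\w+) -o (?P=br) "
    r"-p (?P<proto>\w+) -m \w+ --(?P<dir>dport|sport) (?P<port>\d+) -j ACCEPT$"
)


def icc_state(rules: str, bridge: str = "docker0") -> str:
    """'blocked' = --icc=false (DROP rule), 'allowed' = default --icc=true (ACCEPT rule),
    'unknown' = no bridge-to-bridge FORWARD rule at all (e.g. --iptables=false)."""
    prefix = f"-A FORWARD -i {bridge} -o {bridge} -j "
    for line in rules.splitlines():
        if line.startswith(prefix):
            return {"DROP": "blocked", "ACCEPT": "allowed"}.get(line[len(prefix):], "unknown")
    return "unknown"


def link_allowances(rules: str):
    """Sorted (client_ip, server_ip, proto, port) tuples that --link rules explicitly permit."""
    pairs = set()
    for line in rules.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        client, server = (d["src"], d["dst"]) if d["dir"] == "dport" else (d["dst"], d["src"])
        pairs.add((client.split("/")[0], server.split("/")[0], d["proto"], int(d["port"])))
    return sorted(pairs)


if __name__ == "__main__":
    # On a real host: rules = subprocess.check_output(["sudo", "iptables", "-S"], text=True)
    print("inter-container traffic on docker0:", icc_state(SAMPLE_RULES))
    for client, server, proto, port in link_allowances(SAMPLE_RULES):
        print(f"  {client} -> {server} {proto}/{port} allowed by --link")
```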
