Hello everyone, I am Xiao Cai ~

This article mainly introduces Docker networking.

The WeChat public account “Xiao Cai Liang” is now open; students who have not followed it yet, remember to follow it!

The small vegetable farmer had just finished a requirement and was about to open the public account “Vegetable Farmer Says” to read blogs and slack off a bit, when DingTalk rang again!

“Small vegetable farmer, here is the server connection information for the test environment. Go up and deploy the branch you just submitted with Docker for testing, ha!”

Mentor Cheng Li had sent a message to the small vegetable farmer.

“What the hell is Docker? Isn’t it just nohup java -jar … nohup java -jar … nohup java -jar … & a few times in a row?”

The small vegetable farmer immediately fell silent. Ever since coming to the workplace, there really are walls everywhere! Thinking back to being a top student at school, he could only sigh endlessly!

“Wait! I remember I wrote an article about Docker on the public account “Vegetable Farmer Says”. Let me check it out.”

Docker, I think I’ve got it again!

After a long while, the small vegetable farmer came back from the article and said, “I can’t contain myself now!” He opened the server and typed docker ps to try the command.

“Interesting!” He started deploying his application project by following the tutorial in the article: first he wrote a Dockerfile for his application, then built his own image with docker build, and finally executed docker run to run the image. The whole sequence went through in one go, smooth! Then he tested his functionality in the browser, and the tests passed. But then a question came up. Docker is a container, and a container can hold an operating system, with each container isolated from the others. So why can the contents of a container be accessed from the outside? How do containers communicate with each other? How do you create a custom network?

The small vegetable farmer’s head swelled just thinking about those few questions! Giving up was impossible; maybe this could become one of the stepping stones to a promotion, a raise, and the peak of life! From here you can see that the small vegetable farmer is still very motivated ~

When Docker is installed, it automatically creates three networks on the host. So how do you view these three networks? He quickly typed docker --help at the terminal.

“Oh oh, sure enough! network is what I want!” The quick-witted vegetable farmer followed the trail and then typed docker network --help.

“ls can list the Docker networks, so let me try it.”

The terminal showed exactly what the farmer had expected to see. “bridge, host, none? I still have some networking background: the first two names are familiar, but what is none? A network with nothing on it?” After a search, the farmer could not help admiring the developers; it was exactly as the name implied. A container attached to that network has no network card at all except lo.

We start a container with docker run, and we can append an argument to this command: by passing --network=none we specify that the container uses the none network ~

“So what’s the use of such a closed network? You can’t even get on the Internet,” muttered the farmer.

That’s right, you can’t get on the Internet. But there are special applications where the network needs to be closed off, meaning the security requirements are so high that the application must be isolated. In that case you can put it on the none network to prevent intrusion.

“Since it’s only for special situations, and I don’t have any special situations yet, pass, pass! Let me take a look at what the host network is.”

Knowing that the network type can be specified with --network, the farmer tried launching an Nginx with the network type host to check.

The small vegetable farmer looked at this network configuration and wondered why it looked so familiar. He scrolled the terminal up a few pages and realized why!

Earlier he had typed ip l to check the host’s network, and you can see that the two configurations are exactly the same! A container attached to the host network shares the Docker host’s network stack, so the container’s network configuration is identical to the host’s. The biggest benefit of using the Docker host network is performance: when a container has high requirements on network transmission efficiency, the host network is the choice. What are the drawbacks? Ports will conflict: the container cannot use a port that is already in use on the host!

Another use of the host network is to let the container configure the host’s network directly. For example, some cross-host networking solutions themselves run as containers, and these need to manage the host’s network configuration, for instance its iptables rules.
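To see the three default networks side by side, here is an added shell example (not from the original post) that starts a throwaway container on each of none, host and bridge and classifies what ip -o link shows inside it against the host’s own interface list: only lo means isolated, the same set as the host means a shared network stack, anything else means a bridged veth end. The alpine image, the classification function and the sample ip -o link lines are assumptions constructed for this example; the live part only runs when a Docker daemon is reachable.

```shell
#!/bin/sh
# Added example (not from the original post): classify what a container sees
# on Docker's three default networks. The parsing helpers run on constructed
# sample output, so the script is also useful where no daemon is reachable.

# Print interface names from `ip -o link` output (stdin), dropping the
# "@ifNN" peer suffix that veth ends carry (e.g. "eth0@if67" -> "eth0").
iface_names() {
    awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Classify a container's interface list against the host's. $1 is the host's
# space-separated interface list; the container's `ip -o link` is read on stdin.
#   isolated : only lo, as on --network none
#   host     : identical set, as on --network host (shared network stack)
#   bridged  : its own veth end, as on the default or a user-defined bridge
classify_netns() {
    container=$(iface_names | tr '\n' ' ')
    if [ "$container" = "lo " ]; then
        echo isolated
    elif [ "$container" = "$1" ]; then
        echo host
    else
        echo bridged
    fi
}

# Constructed samples standing in for `ip -o link` output.
SAMPLE_NONE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000'
SAMPLE_BRIDGE="$SAMPLE_NONE
2: eth0@if67: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default"
SAMPLE_HOST="$SAMPLE_NONE
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default"
HOST_IFACES="lo eth0 docker0 "

# Live comparison, only when a Docker daemon is reachable (alpine image assumed).
if docker info >/dev/null 2>&1; then
    host_ifaces=$(ip -o link | iface_names | tr '\n' ' ')
    for net in none host bridge; do
        printf '%-7s ' "$net"
        docker run --rm --network "$net" alpine ip -o link | classify_netns "$host_ifaces"
    done
fi
```

Run it as a script on the Docker host; the three lines it prints are exactly the three cases the story walks through, and the classification also works on saved ip -o link output piped into classify_netns.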

“It’s really like a mother-in-law looking at her son-in-law: the more I look, the more I like it.” The small vegetable farmer has become a bit obsessed with Docker; the deeper he goes, the more interesting he finds it. “Only the bridge network type is left, let me take a look!”

A bridge is a network in bridging mode: one end is here and the other end is there. The vegetable farmer ventured to guess that one end must be in the container and the other on the host! Next came verification.

The small vegetable farmer remembered the command brctl, which can be used to set up, maintain and inspect the Ethernet bridge configuration in the Linux kernel.

Anyone who cannot use the brctl command can install it with the following command:

yum install -y bridge-utils

[screenshot: brctl show output before and after starting a container]

The small vegetable farmer found that the interfaces column had changed! A new network interface, veth9b75794, is attached to docker0, and veth9b75794 is the network card of the newly created container. The farmer then checked the network configuration inside the new container.

There is an eth0@if67 network card in the container. The small vegetable farmer smiled.

“Hey hey, caught by me! If I didn’t know a bit about networking, I really would have been fooled by this. The network interface checked above is veth9b75794, and here it is eth0@if67. If it were a classmate who had just come into contact with networking, he would surely be confused: how are the two different? In fact, eth0@if67 and veth9b75794 are a veth pair. A veth pair is a special network configuration that comes in pairs. As I guessed above, a bridge can be thought of as a pair of network cards connected by a virtual network cable. One end of the card (eth0@if67) is in the container, and the other end (veth9b75794) is attached to the bridge docker0. The effect is that eth0@if67 is also attached to docker0.”

The IP address 172.17.0.2/16 is also assigned by the host. The small vegetable farmer checked Docker’s bridge configuration.

Subnet 172.17.0.0/16 with gateway 172.17.0.1. So this gateway is docker0! The small vegetable farmer typed ifconfig on the host to verify.

At this point a picture emerged in the small vegetable farmer’s mind.
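To find out which host-side veth a given container owns without eyeballing brctl, here is an added shell example (not from the original post). The @if67 suffix on the container’s eth0 is the ifindex of its peer in the host namespace, which /sys/class/net/eth0/iflink also reports, so the host’s ip -o link line that starts with that index names the veth, and brctl show then tells which bridge it hangs on. The sample outputs are constructed to mirror the post’s veth9b75794 on docker0; the second veth name in the sample and the container_veth function (which assumes the container has a cat binary) are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): map a container's eth0 to its
# host-side veth. Inside the container, the "@if67" suffix on eth0 (and the
# file /sys/class/net/eth0/iflink) is the ifindex of the peer interface in the
# host namespace; on the host, `ip -o link` prints that index first on the line.

# Print the interface that `ip -o link` output (stdin) lists under ifindex $1,
# with any "@ifNN" peer suffix stripped; prints nothing if the index is absent.
iface_by_index() {
    awk -F': ' -v idx="$1" '$1 == idx { sub(/@.*/, "", $2); print $2 }'
}

# Print the bridge that `brctl show` output (stdin) attaches interface $1 to.
# brctl names the bridge only on its first interface's line, so the last bridge
# name seen is carried across the indented continuation lines.
bridge_of() {
    awk -v want="$1" '
        NR == 1 { next }                      # column header
        NF == 4 { bridge = $1; iface = $4 }   # bridge  id  stp  first interface
        NF == 1 { iface = $1 }                # further interface on the same bridge
        iface == want { print bridge }'
}

# Live lookup for a running container (container must have a cat binary):
# peer index read from inside, name resolved on the host.
container_veth() {
    idx=$(docker exec "$1" cat /sys/class/net/eth0/iflink) || return 1
    ip -o link | iface_by_index "$idx"
}

# Constructed samples mirroring the post's veth9b75794 on docker0.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
67: veth9b75794@if66: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default'
SAMPLE_BRCTL=$(printf 'bridge name\tbridge id\t\tSTP enabled\tinterfaces\ndocker0\t\t8000.0242ac110001\tno\t\tveth9b75794\n\t\t\t\t\t\t\tveth0a1b2c3\n')

if docker info >/dev/null 2>&1; then
    name=${1:-nginx-default}   # container to inspect, defaults to the post's
    veth=$(container_veth "$name")
    echo "$name -> $veth on $(brctl show | bridge_of "$veth")"
fi
```

Pass a container name as the first argument to look up a different container; the mapping is what lets you tie a tcpdump on a specific veth back to the container that generated the traffic.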

By now the small vegetable farmer is familiar with Docker’s three network types and starts thinking about how to customize a network. There must be many scenarios where users need to create custom networks tailored to their business. When he wanted to query Docker’s network configuration earlier, he had typed docker network --help, and he vaguely remembered a create command in the output, so he quickly typed it again to confirm:

Sure enough, Docker already lets users create custom networks. Quick! The farmer typed the command to create a network:

The eagle-eyed farmer noticed something at a glance: he had not specified a DRIVER when creating the network, and the default driver in that case is bridge. Can networks with other drivers be created? He tried again, but this time the result showed that he had hit a wall.

“Can you only create bridge-driven networks?” muttered the little vegetable farmer. Not giving up, he turned to a search engine. It turned out that Docker provides three types of user-defined network driver: bridge, overlay and macvlan. overlay and macvlan are used to create networks across hosts!

“Across hosts? That’s a cluster! At present my mentor has only assigned me one server, so it seems I can’t verify that; I’ll only be able to verify it when I have bigger permissions later. Since the other two can’t be verified, let’s figure out bridge first.”

[screenshot: brctl show after creating a network with the bridge driver]

[screenshot: the new bridge br-76c202387b0c on the host]

And this should be the gateway of the new network ~ The small vegetable farmer really is getting more and more skilled; it seems learning really can make people confident!

172.18.0.1 is in the IP segment Docker assigns automatically.

“But if more custom networks are created, the assigned network segments will also increase, and since Docker assigns them at random they are not easy to remember. Can I specify my own IP network segment?”

Seeing this result, the small vegetable farmer couldn’t help laughing: it really worked! The subnet and gateway are exactly what he wanted! ~

That’s it! The host also has a new network, segment 172.10.0.0/16, gateway 172.10.0.1.

Now that he has created his own network, the small vegetable farmer suddenly feels full of a sense of achievement, so he has to start a container on his own network to try it!

The IP address assigned to the container is 172.10.0.2/16; Docker assigns IP addresses from the subnet automatically. Can a static IP address be specified? The small vegetable farmer raised the question, and could only fall back on the old routine, --help, to solve it! He quickly typed docker run --help | grep ‘IP’ and looked at the result.

The small vegetable farmer’s smile gradually turned wicked; he hadn’t expected to master the --help artifact so well! You can specify the IP address you want with --ip xxx.
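Putting the --subnet, --gateway and --ip options together, here is an added shell example (not from the original post) that validates a requested static address against the subnet before creating the network and launching the container. One caveat worth adding: 172.10.0.0/16, used above, is not inside the private 172.16.0.0/12 block (it is publicly routable address space), so the example uses 172.20.0.0/16 instead; the network name c-custom, the container name nginx-ip and the nginx image follow the post, while the address arithmetic helpers are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): create a bridge network with a
# chosen subnet and gateway, then start a container on it with a static IP,
# after checking that the requested address really belongs to the subnet.
# (Docker refuses a bad --ip too, but a check up front gives a clearer error.)

ALL_ONES=4294967295   # 0xFFFFFFFF, used to keep arithmetic within 32 bits

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask (as an integer) for a prefix length such as 16.
mask_of() {
    echo $(( (ALL_ONES << (32 - $1)) & ALL_ONES ))
}

# Exit 0 when address $1 lies inside CIDR $2 (e.g. 172.20.0.0/16).
in_subnet() {
    mask=$(mask_of "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Exit 0 when $1 is usable as `docker run --ip` on subnet $2 with gateway $3:
# inside the subnet and not the network, broadcast or gateway address.
valid_static_ip() {
    in_subnet "$1" "$2" || return 1
    mask=$(mask_of "${2#*/}")
    n=$(ip_to_int "$1")
    [ $(( n & mask )) -ne "$n" ] || return 1                  # network address
    [ $(( n | (~mask & ALL_ONES) )) -ne "$n" ] || return 1    # broadcast address
    [ "$1" != "$3" ]                                          # gateway
}

# 172.20.0.0/16 is inside the private 172.16.0.0/12 block; the post's
# 172.10.0.0/16 is not (it is public address space).
SUBNET=172.20.0.0/16
GATEWAY=172.20.0.1
STATIC_IP=172.20.0.10
NET=c-custom

if docker info >/dev/null 2>&1; then
    valid_static_ip "$STATIC_IP" "$SUBNET" "$GATEWAY" || { echo "unusable static ip $STATIC_IP"; exit 1; }
    docker network create --driver bridge --subnet "$SUBNET" --gateway "$GATEWAY" "$NET"
    docker run -d --name nginx-ip --network "$NET" --ip "$STATIC_IP" nginx
    # Confirm the address the daemon actually assigned on that network.
    docker inspect -f "{{(index .NetworkSettings.Networks \"$NET\").IPAddress}}" nginx-ip
fi
```

The docker inspect line at the end is the quick way to confirm the static address took effect; --ip is only honoured on user-defined networks, which is another reason the post created c-custom before pinning an address.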

So far, the small vegetable farmer has started three containers.

The topological relationship between the networks also emerged, and the small vegetable farmer quickly drew it, so as not to forget!

[diagram: nginx-default, nginx-custom and nginx-ip on their bridges]

Can nginx-default communicate with the other two containers? Verify to find out!

It can be seen that containers and the gateway on the same network are interconnected, but containers on different bridges cannot communicate with each other. Is that the end of it? Is it really true that containers on two different networks cannot communicate? The farmer was unwilling to give up and stared at the screen in a daze. “There! Add a route, and then the two networks should be able to communicate!” If the host has one route for each network and IP forwarding is enabled in the operating system, then the host forms a router and networks attached to different bridges can communicate!

The small vegetable farmer views the routing table on the host with ip r.

The routes for 172.17.0.0/16 and 172.10.0.0/16 are already defined. The next step is to check whether IP forwarding is enabled. The farmer quickly typed sysctl net.ipv4.ip_forward.

You can see that IP forwarding is also enabled. If nginx-default is given an additional network card on c-custom, it should be able to communicate with nginx-custom. Everything is ready except the east wind.

The small vegetable farmer follows the familiar recipe to see how to add a network card.

Once he knew how, he started doing it.

“Nice, no error, this should be able to communicate!” the grower muttered, and with nervous hands and a trembling heart continued to ping to verify.

Eyes wide open: this was the first time he had felt such a sense of achievement; he hadn’t expected to actually pull it off by himself! The farmer was so excited that he almost stood up, and could hardly wait to laugh out loud, but he knew this was only the first step in his growth and that he had crossed it successfully! Calming his excited heart, he drew a conclusion from his own experiments:

For two containers to communicate, each must have a network card on the same network. When this condition is met, containers can interact with each other by IP.
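As an added shell example (not from the original post) of the rule just stated, this script connects nginx-default to the c-custom network and decides whether two containers can reach each other by IP from the network lists that docker inspect reports. A caveat the routing reasoning above skips: even with IP forwarding on and a route for each bridge present, Docker’s own iptables rules (the DOCKER-ISOLATION-STAGE chains reached from the filter table’s FORWARD chain) drop forwarded traffic between different bridge networks, which is why attaching the container to a second network is the step that actually makes the ping work. The container and network names come from the post; the ping assumes the image carries a ping binary, as the post’s containers evidently did.

```shell
#!/bin/sh
# Added example (not from the original post): connect nginx-default to the
# c-custom network and decide from `docker inspect` whether two containers
# share a network, which is the condition for reaching each other by IP.

# Print the networks common to two space-separated lists, one per line.
shared_networks() {
    for n in $1; do
        for m in $2; do
            [ "$n" = "$m" ] && echo "$n"
        done
    done
    return 0
}

# Exit 0 when the two lists share at least one network.
can_reach_by_ip() {
    [ -n "$(shared_networks "$1" "$2")" ]
}

# Space-separated list of the networks a running container is attached to.
container_networks() {
    docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$1"
}

# Constructed lists mirroring the post's setup before and after the connect.
NGINX_DEFAULT_BEFORE="bridge"
NGINX_DEFAULT_AFTER="bridge c-custom"
NGINX_CUSTOM="c-custom"

if docker info >/dev/null 2>&1; then
    docker network connect c-custom nginx-default   # second network card for nginx-default
    a=$(container_networks nginx-default)
    b=$(container_networks nginx-custom)
    if can_reach_by_ip "$a" "$b"; then
        net=$(shared_networks "$a" "$b" | head -n 1)
        target=$(docker inspect -f "{{(index .NetworkSettings.Networks \"$net\").IPAddress}}" nginx-custom)
        docker exec nginx-default ping -c 1 "$target"   # image must carry ping, as in the post
    else
        echo "nginx-default and nginx-custom share no network"
    fi
fi
```

The same check is handy in the other direction: a container that unexpectedly shares a network with something it should not talk to is exactly what a least-privilege review of container networking is looking for.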

The conclusion did not come easily, so the small vegetable farmer hurriedly wrote it down in his little notebook! He then continued searching the Internet to see whether there were other ways for containers to communicate; after all, IP communication was relatively basic. Soon the farmer found the answer: yes! Containers can communicate with each other in these ways:

  • IP
  • Docker DNS Server
  • joined

IP communication has already been tried, so it’s time to try the other two approaches. Docker DNS server? The explanation is that it works through the container name. The containers created above were all given names by the small vegetable farmer, so all that’s left is to try the experiment.

Sure enough, it works! Containers can be reached by container name, which means there is no need to remember a long list of IP addresses!

The first two ways have been tested. The joined way confused the vegetable farmer again. Join? The farmer went on to look it up.

Joined containers are another way for containers to communicate.

Joined containers are special: they allow two or more containers to share one network stack, network cards and configuration information. Joined containers can communicate directly with each other through 127.0.0.1.

“It’s amazing, Docker is full of surprises!” The small vegetable farmer then tried it.

It is important to note that both containers share the same network stack, so their ports must not conflict; the ports need to be separated at startup.
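Here is an added shell example (not from the original post) of the two remaining methods. Two caveats go with it: Docker’s embedded DNS (the nameserver 127.0.0.11 that appears in a container’s resolv.conf) answers container names only on user-defined networks, so nginx-default on the default bridge cannot be reached by name this way; and a joined container shares the whole network namespace, so the ports_conflict check guards the port-clash condition just mentioned. The sidecar container name and the alpine image are assumptions; nginx-custom and nginx-ip are the post’s containers.

```shell
#!/bin/sh
# Added example (not from the original post): the two remaining ways, name
# resolution on a user-defined network and a joined container sharing
# nginx-custom's network stack. Container names nginx-custom and nginx-ip
# are the post's; "sidecar" and the alpine image are this example's own.

# Exit 0 when two space-separated port lists have a port in common.
ports_conflict() {
    for p in $1; do
        for q in $2; do
            [ "$p" = "$q" ] && return 0
        done
    done
    return 1
}

# Ports an image declares (EXPOSE) for a container; keys look like "80/tcp",
# only the numbers are printed.
exposed_ports() {
    docker inspect -f '{{range $p, $v := .Config.ExposedPorts}}{{$p}} {{end}}' "$1" |
        tr ' ' '\n' | sed -n 's#/.*##p'
}

if docker info >/dev/null 2>&1; then
    # 1. Embedded DNS: the resolver at 127.0.0.11 answers container names,
    #    but only on user-defined networks such as c-custom.
    docker exec nginx-custom cat /etc/resolv.conf
    docker exec nginx-custom getent hosts nginx-ip

    # 2. Joined container: same network namespace as nginx-custom, so the
    #    sidecar reaches nginx through loopback and must not bind port 80 itself.
    if ports_conflict "$(exposed_ports nginx-custom)" "80"; then
        echo "port 80 belongs to nginx-custom; a service in the sidecar must use another port"
    fi
    docker run -d --name sidecar --network container:nginx-custom alpine sleep 3600
    docker exec sidecar wget -qO- http://127.0.0.1/ | head -n 3
    docker inspect -f '{{.HostConfig.NetworkMode}}' sidecar    # container:<id of nginx-custom>
fi
```

Because the joined container sees every socket of nginx-custom, the sharing is a trust decision as much as a convenience: anything running in the sidecar can reach, and be reached on, the same addresses as the service it joins.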

At this point the small vegetable farmer could not help feeling satisfied and was about to leave the server to continue working, when his own web page caught his eye: the page open in the browser was the Docker project he had just started. “Gee, how does the outside world connect to the container?” he asked again. How does the container access the outside world? And how can the outside world access the container? It seems he still has to keep learning (slacking off)!

The small vegetable farmer switches back to the server and tries to access the outside world from inside the container.

In fact, even without trying, the small vegetable farmer knows the container must be able to reach the outside world; otherwise how would it call external interfaces ~ But why can it? The farmer looked at the host’s iptables rules.

You can see there are two rules: one is for docker0, and the other is for the network the small vegetable farmer had just customized. So what do they mean? The small vegetable farmer was confused again, then saw senior Xiao sitting next to him; here was a ready-made expert to ask! Xiao was a little curious what requirement the small vegetable farmer had received to be asking such a question, but didn’t think much of it: newcomers should always be looked after! Then he began to explain, blah, blah, blah. “Ah? Oh! I roughly get it now, hey hey, thanks Xiao!” “You’re welcome; next time you run into something, remember to come find me, ha.” Xiao’s slightly rough voice warmed the small vegetable farmer’s heart! Summing up Xiao’s explanation: if docker0 receives an outbound packet from 172.17.0.0/16, it hands the packet to MASQUERADE. MASQUERADE replaces the packet’s source address with the host’s address; that is, a network address translation (NAT) is performed.

In that case, a packet capture should be able to show the process of network address translation. The small farmer intends to use tcpdump for a simple capture to check the result. First he opens two terminals; one of them captures traffic with tcpdump -i docker0 -n icmp.

172.17.0.2 is the IP address of the nginx-default container, which is sending packets to 180.101.49.11. Next, run tcpdump -i eth0 -n icmp in the other terminal to check the traffic leaving the host.

“Aha! The IP address of the ping packet is 172.26.19.234!”
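To read the MASQUERADE rules and confirm the translation from the two captures in one go, here is an added shell example (not from the original post). The rule lines and capture lines embedded in it are constructed to match what the post describes (the docker0 rule, the br-76c202387b0c rule, the container address 172.17.0.2 and the host address 172.26.19.234); the live part needs root for iptables and tcpdump and assumes the host’s outward interface is eth0, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): list the source subnets Docker
# masquerades and confirm the translation from two captures, as the post does
# with tcpdump on docker0 and on the host's outward interface.

# From `iptables -t nat -S POSTROUTING` output (stdin), print "<subnet> <iface>"
# for every MASQUERADE rule: the source subnet and the bridge it excludes.
masqueraded_subnets() {
    awk '/-j MASQUERADE/ {
        src = ""; out = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-o") out = $(i + 1)
        }
        if (src != "") print src, out
    }'
}

# From `tcpdump -n icmp` output (stdin), print the source address of each echo request.
icmp_request_sources() {
    awk '/ICMP echo request/ { sub(/:$/, "", $3); print $3 }'
}

# Constructed samples: the two rules the post saw, and one line from each capture.
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.10.0.0/16 ! -o br-76c202387b0c -j MASQUERADE'
SAMPLE_DOCKER0='12:00:01.000000 IP 172.17.0.2 > 180.101.49.11: ICMP echo request, id 5, seq 1, length 64'
SAMPLE_ETH0='12:00:01.000100 IP 172.26.19.234 > 180.101.49.11: ICMP echo request, id 5, seq 1, length 64'

if docker info >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    iptables -t nat -S POSTROUTING | masqueraded_subnets
    # One-packet captures on both sides, then a single ping from the container.
    timeout 5 tcpdump -i docker0 -n icmp -c 1 > /tmp/cap_docker0 2>/dev/null &
    timeout 5 tcpdump -i eth0 -n icmp -c 1 > /tmp/cap_eth0 2>/dev/null &
    sleep 1
    docker exec nginx-default ping -c 1 180.101.49.11
    wait
    echo "inside bridge: $(icmp_request_sources < /tmp/cap_docker0)"
    echo "leaving host:  $(icmp_request_sources < /tmp/cap_eth0)"
fi
```

The two echo lines show the same request before and after POSTROUTING: the container address on docker0 and the host address on eth0. masqueraded_subnets is also a quick audit of which container subnets are allowed to leave the host at all.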

Once you’ve figured out how the inside of the container accesses the outside, the next step is to figure out how the outside world accesses the container.

Remember that when the container was started, a port was shown under PORTS; try it in the browser and you can access it. The small vegetable farmer started another container for the experiment.

Once the container is started, it can be accessed through port 32771, which is automatically assigned by the host. The farmer then tries to specify his own port for accessing the container.

After the port is specified, the container can also be accessed through the port he chose himself. The reason for this, as the small vegetable farmer found by searching, is docker-proxy.

For each mapped port, the host starts a docker-proxy process to handle traffic to the container.
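What a published port actually binds to is worth checking, so here is an added shell example (not from the original post) that parses docker port output and flags bindings on the wildcard addresses 0.0.0.0 and ::, which docker run -P and -p 8080:80 both use and which make the port reachable on every interface of the host; -p 127.0.0.1:8080:80 restricts it to loopback. The container names nginx-any and nginx-local, the sample docker port lines and the ss invocation are this example’s own; 32771 is the port from the post.

```shell
#!/bin/sh
# Added example (not from the original post): inspect what a published port
# binds to. `docker run -P` picks a free host port (32771 in the post) on every
# address (0.0.0.0 and ::); `-p 127.0.0.1:8080:80` limits it to loopback.

# From `docker port <container>` output (stdin) print "host_addr host_port container_port"
# per binding. Lines look like "80/tcp -> 0.0.0.0:32771" or "80/tcp -> :::32771".
published_bindings() {
    awk '$2 == "->" {
        cport = $1; sub(/\/.*/, "", cport)
        bind = $3
        n = split(bind, parts, ":")
        hport = parts[n]
        haddr = substr(bind, 1, length(bind) - length(hport) - 1)
        print haddr, hport, cport
    }'
}

# Exit 0 when any binding listens on a wildcard address (reachable from outside the host).
exposed_externally() {
    published_bindings | awk '$1 == "0.0.0.0" || $1 == "::" { found = 1 } END { exit !found }'
}

# Constructed samples for the two launch styles.
SAMPLE_WILDCARD='80/tcp -> 0.0.0.0:32771
80/tcp -> :::32771'
SAMPLE_LOOPBACK='80/tcp -> 127.0.0.1:8080'

if docker info >/dev/null 2>&1; then
    docker run -d --name nginx-any -P nginx                       # random host port, all addresses
    docker run -d --name nginx-local -p 127.0.0.1:8080:80 nginx   # loopback only
    for c in nginx-any nginx-local; do
        if docker port "$c" | exposed_externally; then
            echo "$c: published on a wildcard address"
        else
            echo "$c: reachable from this host only"
        fi
    done
    # One docker-proxy process per mapping, listening on the published address
    # (run as root for ss to show the process name).
    ss -ltnp | grep docker-proxy
fi
```

Publishing on a wildcard address is the usual source of surprise exposure on Docker hosts, because the DNAT rule Docker installs for the mapping is consulted before most host firewall rules; binding to 127.0.0.1 when only local clients need the port keeps the exposure decision explicit.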

So far the small vegetable farmer understands how networking is used in Docker, but he frowns: today’s exploration was all single-machine, so how is the network accessed in a cluster?

Don’t just watch, and don’t be lazy: follow Xiao Cai, a programmer who brags about doing architecture ~ Give a follow to keep Xiao Cai company, so Xiao Cai is no longer lonely. See you later!

Work a little harder today, and tomorrow you’ll have fewer words to say!

I am Xiao Cai, a man who grows stronger with you. 💋
