docker容器网络

docker容器网络示意图

iShot2020-10-15 14.40.32

一、docker网络相关信息

1.1docker网卡、网关信息

//宿主机查看docker默认网卡信息,安装完docker并启动后,会有docker0网卡,默认IP地址172.17.0.1
[root@docker1 ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:61ff:fef9:e707  prefixlen 64  scopeid 0x20<link>
        ether 02:42:61:f9:e7:07  txqueuelen 0  (Ethernet)
        RX packets 50722  bytes 2466382 (2.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 82049  bytes 119024354 (113.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

//查看容器网关,网关默认为172.17.0.1
[root@ddc401b2bba8 /]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

1.2启动一个busybox容器

1.宿主机docker1运行busybox容器
[root@docker1 ~]# docker run -it busybox
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
8e674ad76dce: Pull complete 
Digest: sha256:c94cf1b87ccb80f2e6414ef913c748b105060debda482058d2b8d0fce39f11b9
Status: Downloaded newer image for busybox:latest

#查看网卡
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
32: eth0@if33: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

#查看网关       
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
/ # 

2.busybox容器ping宿主机docker2
/ # ping 10.0.0.61


3.宿主机docker2抓包查看
可以看到,涞源的IP是宿主机docker1的eth0网卡,说明宿主机进行了nat地址转换,将dockerIP 172.17.0.2转换为宿主机eth0IP
[root@docker2 ~]# tcpdump -i eth0 icmp -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:04:03.121544 IP 10.0.0.60 > 10.0.0.61: ICMP echo request, id 2816, seq 52, length 64
23:04:03.121576 IP 10.0.0.61 > 10.0.0.60: ICMP echo reply, id 2816, seq 52, length 64

1.3docker容器用到的内核转发和iptables规则

1.内核转发
#宿主机docker1查看内核转发,内核转发是docker开启的
[root@docker1 ~]# sysctl -a|grep -w net.ipv4.ip_forward
net.ipv4.ip_forward = 1

2.iptables规则
#宿主机docker1查看iptables规则
[root@docker1 ~]# iptables -t nat -L -n
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0

二、docker端口映射(允许外网访问容器)

docker指定端口映射,docker会自动添加一条iptables规则来实现端口映射

  • -p 宿主机端口:容器端口

  • -p 宿主机IP:宿主机端口:容器端口

  • -p 宿主机IP::容器端口(随机端口)

  • -p 宿主机端口:容器端口:udp

  • -p 81:80 -p 443:443 可以指定多个-p

2.1方式一 -p 宿主机端口:容器端口

1.启动一个nginx容器并作端口映射

1.启动一个nginx容器,并将宿主机8080端口映射到容器80端口
[root@docker1 ~]# docker run -d -p 8080:80 nginx:latest 
ccef9a059f90886370577063f68bc4cab495f6497d394d16941f936b9fb8468a

2.宿主机查看iptables规则,可以看到iptables将宿主机8080端口映射到了容器的80端口
[root@docker1 ~]# iptables -t nat -L -n
Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT      tcp  -- 0.0.0.0/0           0.0.0.0/0      tcp dpt:8080 to:172.17.0.4:80

2.宿主机80端口访问

iShot2020-10-15 14.40.59

3.宿主机8080端口访问

iShot2020-10-15 14.41.25

2.2方式二 -p 宿主机IP:宿主机端口:容器端口

1.宿主机eth0网卡添加一个辅助IP

1.添加一个辅助IP
[root@docker1 ~]# ifconfig eth0:1 10.0.0.66/24 up

2.查看网卡eth0
[root@docker1 ~]# ifconfig |grep -A 2 eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.60  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::20c:29ff:fe65:ee41  prefixlen 64  scopeid 0x20<link>
--
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.66  netmask 255.255.255.0  broadcast 10.0.0.255
        ether 00:0c:29:65:ee:41  txqueuelen 1000  (Ethernet)

2.启动容器

//添加辅助IP后,宿主机的80端口就可以再次使用
[root@docker1 ~]# docker run -d -p 10.0.0.60:80:80 nginx:latest 
80257a4c036183df9106d38992bf2762007bc5bc1550bed408cf4232eb1ae160

[root@docker1 ~]# docker run -d -p 10.0.0.66:80:80 nginx:latest 
ccabd14eea387c05ce7af46c002c8f9621aa1907642551aff79f7ca7e4bd25aa

3.查看端口监听

[root@docker1 ~]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 10.0.0.66:80            0.0.0.0:*               LISTEN      18647/docker-proxy  
tcp        0      0 10.0.0.60:80            0.0.0.0:*               LISTEN      2942/docker-proxy

4.查看iptables转发规则

//访问宿主机80端口,将请求转发至第一个容器80端口;访问宿主机辅助IP80端口,将请求转发至第二个容器80端口
[root@docker1 ~]# iptables -t nat -L -n
Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
DNAT       tcp  --  0.0.0.0/0            10.0.0.60            tcp dpt:80 to:172.17.0.4:80
DNAT       tcp  --  0.0.0.0/0            10.0.0.66            tcp dpt:80 to:172.17.0.5:80

2.3方式三 -p 宿主机IP::容器端口(宿主机端口随机) 宿主机端口不写,默认随机启动一个端口

1.启动一个容器

1.启动一个容器
[root@docker1 ~]# docker run -d -p 10.0.0.60::80 nginx:latest 
fbf5d8973f9094bf18c0e0b9ad63fa3b350e1bd2afc94083824e081c20fdb0c8

2.查看启动的容器信息,可以看到,随机启动了一个32768端口
[root@docker1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                     NAMES
fbf5d8973f90        nginx:latest        "nginx -g 'daemon of…"   11 seconds ago      Up 10 seconds       10.0.0.60:32768->80/tcp   elastic_ritchie

2.浏览器访问32768端口

iShot2020-10-15 14.41.49

2.4方式四 -p 宿主机端口:容器端口:udp

映射默认采用tcp方式,此方式为指定udp方式

例如,容器中运行了dns服务,需要指定为udp方式

2.5方式五 -p 81:80 -p 443:443 可以指定多个-p

容器中运行了多个服务,此时需要映射多个端口

三、docker端口随机映射

-P 与-p 宿主机IP::容器端口(宿主机端口随机)方式相同

1.启动一个容器

1.启动一个容器
[root@docker1 ~]# docker run -d -P nginx:latest 
c1ffac8baf576208bbf107a24fd83e832b4811ad270bf8006d636e92b6438c39

2.查看容器信息,可以看到将宿主机32769映射到docker80端口
[root@docker1 ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                     NAMES
c1ffac8baf57        nginx:latest        "nginx -g 'daemon of…"   33 seconds ago      Up 32 seconds       0.0.0.0:32769->80/tcp     clever_lichterman

docker端口映射核心

通过iptables实现端口映射!!!

泡泡吐肥皂o © gitbook.pptfz.top 2021 all right reserved,powered by Gitbook文件修订时间: 秃笔南波湾!!!

results matching ""

    No results matching ""