容器bridge网络
原创大约 2 分钟
创建两个测试用的Docker容器。
> docker run -d --rm --name box1 busybox /bin/sh -c "while true; do sleep 3600; done"
> docker run -d --rm --name box2 busybox /bin/sh -c "while true; do sleep 3600; done"容器与宿主机通信
将Docker的80端口映射到虚拟机(宿主机)的8080端口。
> docker run -d -p 8080:80 nginx执行后,用浏览器访问Docker的80端口和虚拟机的8080端口都可以成功。
容器间通信
查看Docker所有的网络驱动。
> docker network ls
NETWORK ID NAME DRIVER SCOPE
44a919081dab bridge bridge local
6cd9d1f47762 host host local
9a820ca02193 none null local查看bridge网络详情。
> docker network inspect bridge
[
{
"Name": "bridge",
"Id": "44a919081dabb38a56526a18b5309dfd4426ac868bf4f513601f3a324c3b8a0e",
"Created": "2024-01-15T10:31:30.660876279+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"09de14c41ceef4ccd5b2cf626098e3e2800b0797432f5ae7e028f610bbc409bf": {
"Name": "box1",
"EndpointID": "9f8804b90e1f94885b857890fb0664662254c619ef10b8bd205d0ae34926a7bb",
"MacAddress": "02:42:ac:11:00:03",
"IPv4Address": "172.17.0.3/16",
"IPv6Address": ""
},
"67d4b34beb1b6c1a5a65fc79af3080abab1315b9ede6305cc64237d8587270ba": {
"Name": "web2",
"EndpointID": "9f3760de529e6b978cd8a35235e114d6b5e1844f379b5afd8da2fc532b990e6d",
"MacAddress": "02:42:ac:11:00:05",
"IPv4Address": "172.17.0.5/16",
"IPv6Address": ""
},
"b167402a1593ca45a2ff5b78308962795c6d36fc161c7142942af2832d04fda0": {
"Name": "web1",
"EndpointID": "eb548a199e55a27d19ea7f5192541b230a09cd9fd9b16c9b8feac9bfd971f8ae",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
},
"b72dc03736ea4556ea941ef344a2c1e5d622740e0bf1a52ab55be8c3623c3df2": {
"Name": "box2",
"EndpointID": "b7fdb0560dcc10a04402c725d67a5b2bfca8d539196a0e8b9472149a7f8387f3",
"MacAddress": "02:42:ac:11:00:04",
"IPv4Address": "172.17.0.4/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]所有的容器名及IP都在network所显示的详情里。
执行brctl show命令。
> brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024266e4991b no veth024a13f
veth3e0537b
vethaf0d0de
vethe8623ea
virbr0 8000.5254002435e0 yes virbr0-nic上面veth024a13f、veth3e0537b、vethaf0d0de、vethe8623ea、virbr0-nic等都是网络驱动的接口。
所有容器都能够互相ping通。
容器对外通信
Docker容器的网络拓扑图如下。
造成Docker内部无法访问外网的主要原因是:由于有的Docker是通过yum install安装的,所以有些参数可能会读取一些预定义的包环境变量中的数值,而其中比较关键的一个数值就是iptables。
它会造成另一个参数值为false,即com.docker.network.bridge.enable_ip_masquerade,这个参数表示是否开启IP伪装,false代表未开启。
因此需要将iptables修改为true。
具体做法是:找到docker.service守护进程,在Docker启动命令最后添加—iptables=true。
> systemctl status docker.service
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since 六 2022-10-17 17:02:19 CST; 6min ago
Docs: https://docs.docker.com
Main PID: 121185 (dockerd)
Tasks: 13
Memory: 40.3M
CGroup: /system.slice/docker.service
└─121185 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=true找到docker.service服务的路径为/usr/lib/systemd/system/docker.service。
> vi /usr/lib/systemd/system/docker.service
# 将这一行
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# 修改为如下内容
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock -H fd:// --containerd=/run/containerd/containerd.sock --iptables=true保存修改后接着执行。
> systemctl daemon-reload
> systemctl restart docker此时在容器内部就能ping通外网了。
感谢支持
更多内容,请移步《超级个体》。