Docker Study 5: Docker Container Networking

Date: 2022-07-19 18:11:54

I. Kernel network namespaces

  1. Network namespaces can be manipulated with ip netns

[root@localhost /]# ip netns help
Usage: ip netns list
ip netns add NAME
ip netns set NAME NETNSID
ip [-all] netns delete [NAME]
ip netns identify [PID]
ip netns pids NAME
ip [-all] netns exec [NAME] cmd ...
ip netns monitor
ip netns list-id

  2. Starting containers with the various network types

    a. Start a container with network type bridge that is removed automatically on exit (i.e. a container that can communicate with the outside).

[root@localhost ~]# docker run --name t1 -it --network bridge --rm busybox:latest
/ # ifconfig
eth0 Link encap:Ethernet HWaddr ::AC:::
inet addr:172.17.0.4 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (508.0 B) TX bytes: (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (0.0 B)

    b. Start a container with network type none that is removed automatically on exit (i.e. a closed container with no external connectivity)

[root@localhost ~]# docker run --name t1 -it --network none --rm busybox:latest
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (0.0 B)
/ # exit

    c. A container's default hostname is its ID; a hostname can also be given at start time with -h

[root@localhost ~]# docker run --name t1 -it --network bridge -h wohaoshuai --rm busybox:latest
/ # hostname
wohaoshuai

    d. A container's default DNS is the host's DNS; a different DNS server can be given at start time with --dns

[root@localhost ~]# docker run --name t1 -it --network bridge -h wohaoshuai --dns 114.114.114.114 --rm busybox:latest
/ # cat /etc/hosts
127.0.0.1 localhost
:: localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02:: ip6-allnodes
ff02:: ip6-allrouters
172.17.0.4 wohaoshuai
/ # cat /etc/resolv.conf
nameserver 114.114.114.114

    e. Host resolution entries can be added to the container's /etc/hosts with --add-host

[root@localhost ~]# docker run --name t1 -it --network bridge -h wohaoshuai --dns 114.114.114.114 --add-host www.wohaoshuai.com:192.168.11.11 --rm busybox:latest
/ # cat /etc/hosts
127.0.0.1 localhost
:: localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02:: ip6-allnodes
ff02:: ip6-allrouters
192.168.11.11 www.wohaoshuai.com
172.17.0.4 wohaoshuai

  3. Port mapping with -p


    a. Map the specified container port to a dynamic port on all host addresses

[root@localhost ~]# docker run -it -p  --rm --name webtest1 httpd
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Sat Apr ::16.001251 ] [mpm_event:notice] [pid :tid ] AH00489: Apache/2.4. (Unix) configured -- resuming normal operations
[Sat Apr ::16.001475 ] [core:notice] [pid :tid ] AH00094: Command line: 'httpd -D FOREGROUND'
192.168.10.1 - - [/Apr/::: +] "GET / HTTP/1.1"
192.168.10.1 - - [/Apr/::: +] "GET /favicon.ico HTTP/1.1"

Check from another shell:
[root@localhost ~]# docker port webtest1
/tcp -> 0.0.0.0:

    b. Map the container port to a specified host port

[root@localhost ~]# docker run -it --rm  -p : --name webtest1 httpd
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Sat Apr ::43.973155 ] [mpm_event:notice] [pid :tid ] AH00489: Apache/2.4. (Unix) configured -- resuming normal operations
[Sat Apr ::43.973377 ] [core:notice] [pid :tid ] AH00094: Command line: 'httpd -D FOREGROUND'

Check from another shell:
[root@localhost ~]# docker port webtest1
/tcp -> 0.0.0.0:

    c. Map the specified container port to a dynamic port on a specified host IP

[root@localhost ~]# docker run -it --rm  -p 192.168.10.46:: --name webtest1 httpd
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Sat Apr ::08.815379 ] [mpm_event:notice] [pid :tid ] AH00489: Apache/2.4. (Unix) configured -- resuming normal operations
[Sat Apr ::08.815558 ] [core:notice] [pid :tid ] AH00094: Command line: 'httpd -D FOREGROUND'

Check from another shell:
[root@localhost ~]# docker port webtest1
/tcp -> 192.168.10.46:

    d. Map the specified container port to a specified port on a specified host IP

[root@localhost ~]# docker run -it --rm  -p 192.168.10.46:: --name webtest1 httpd
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Sat Apr ::47.699843 ] [mpm_event:notice] [pid :tid ] AH00489: Apache/2.4. (Unix) configured -- resuming normal operations
[Sat Apr ::47.699977 ] [core:notice] [pid :tid ] AH00094: Command line: 'httpd -D FOREGROUND'
192.168.10.1 - - [/Apr/::: +] "GET / HTTP/1.1"
192.168.10.1 - - [/Apr/::: +] "GET /favicon.ico HTTP/1.1"
[root@localhost ~]# docker port webtest1
/tcp -> 192.168.10.46:
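The four -p forms above (a to d) differ only in which parts of [host_ip:][host_port:]container_port are left empty, and the bind address decides who can reach the published port: 0.0.0.0 means every host interface, a LAN address means one interface, 127.0.0.1 means the host alone. The following Python helper is an added example, not code from the page or from Docker; it parses a -p value the way the four forms are used here (IPv4 addresses and single ports only, an assumption of this example), fills in Docker's defaults, and classifies the exposure. The port numbers in the usage lines are constructed, since the page's own were lost in extraction.

```python
import ipaddress


def _port(text):
    """Validate a decimal port number."""
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_publish(spec):
    """Parse one docker run -p value: [host_ip:][host_port:]container_port[/proto].

    host_ip defaults to 0.0.0.0 (all host addresses, form a/b) and host_port to
    None, meaning Docker picks an ephemeral port (form a/c), which is what
    'docker port' then shows. Assumption: IPv4 bind addresses and single ports.
    """
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in ("tcp", "udp", "sctp"):
            raise ValueError(f"unknown protocol {proto!r}")
    parts = spec.split(":")
    if len(parts) == 1:                       # form a: container_port
        host_ip, host_port, container_port = "", "", parts[0]
    elif len(parts) == 2:                     # form b: host_port:container_port
        host_ip, (host_port, container_port) = "", parts
    elif len(parts) == 3:                     # forms c/d: host_ip:[host_port]:container_port
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"bad -p spec {spec!r}")
    if host_ip:
        ipaddress.IPv4Address(host_ip)        # raises on a malformed address
    return {
        "host_ip": host_ip or "0.0.0.0",
        "host_port": _port(host_port) if host_port else None,
        "container_port": _port(container_port),
        "proto": proto,
    }


def exposure(mapping):
    """Classify from where a published port is reachable, judged by its bind address."""
    ip = ipaddress.IPv4Address(mapping["host_ip"])
    if ip.is_unspecified:                     # 0.0.0.0: every interface, including the LAN one
        return "all-interfaces"
    if ip.is_loopback:                        # 127.0.0.1: only processes on the host itself
        return "host-only"
    return "single-interface"                 # e.g. 192.168.10.46 as in forms c and d


if __name__ == "__main__":
    # Constructed sample specs, one per form on the page
    for spec in ("80", "8080:80", "192.168.10.46::80", "192.168.10.46:8080:80"):
        m = parse_publish(spec)
        print(f"{spec:24} -> {m}  [{exposure(m)}]")
```

Forms a and b publish on every address the host has, so a container port that was meant for local testing becomes reachable from the LAN; binding to 127.0.0.1 (host-only) or to one interface (forms c and d) keeps the exposure deliberate.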

  4. Expose all of a container's ports to the host with -P


  5. Starting joined containers (containers sharing one network namespace)

    a. Start container 1

[root@localhost ~]# docker run -it --name b1 --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr ::AC:::
inet addr:172.17.0.4 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (578.0 B) TX bytes: (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (0.0 B)

    b. Start container 2 sharing container 1's network namespace (the filesystem is not shared)

[root@localhost ~]# docker run -it --name b2 --network container:b1 --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr ::AC:::
inet addr:172.17.0.4 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (648.0 B) TX bytes: (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (0.0 B)

    c. Start an httpd service in container 1

/ # mkdir /tmp/httptest
/ # echo "http test" >> /tmp/httptest/index.html
/ # httpd -h /tmp/httptest/
/ # netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::80 :::* LISTEN 9/httpd
tcp 0 0 ::ffff:127.0.0.1:80 ::ffff:127.0.0.1:33282 TIME_WAIT -

    d. Check from container 2

/ # wget -O - -q 127.0.0.1
http test
/ # netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp ::: :::* LISTEN -

  6. Sharing the host network namespace

    a. Start container 2 sharing the host network namespace

[root@localhost ~]# docker run -it --name b2 --network host --rm busybox
/ # ifconfig
docker0 Link encap:Ethernet HWaddr :::6B::
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80:::7ff:fe6b:/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (2.9 KiB) TX bytes: (4.1 KiB)
ens33 Link encap:Ethernet HWaddr :0C::A7:CE:
inet addr:192.168.10.46 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::2b2a:bd85:8d15:14c/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (51.6 MiB) TX bytes: (1.1 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::/ Scope:Host
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (5.1 KiB) TX bytes: (5.1 KiB)
veth24abfad Link encap:Ethernet HWaddr ::2D:BA:ED:
inet6 addr: fe80:::2dff:feba:ed63/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (1.5 KiB)
veth34dd4fe Link encap:Ethernet HWaddr EA:F1:6D:7E:EB:
inet6 addr: fe80::e8f1:6dff:fe7e:eb23/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (648.0 B)
vetha7c5640 Link encap:Ethernet HWaddr CE:::9D:AE:0E
inet6 addr: fe80::cc76:19ff:fe9d:ae0e/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (1.7 KiB)

    b. Start an http service in the container; it is also reachable from the host

/ # echo "hello wohaoshuai" > /tmp/index.html
/ # httpd -h /tmp/
/ # netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0.0.0.0: 0.0.0.0:* LISTEN -
tcp 0.0.0.0: 0.0.0.0:* LISTEN -
tcp 127.0.0.1: 0.0.0.0:* LISTEN -
tcp 192.168.10.46: 192.168.10.1: ESTABLISHED -
tcp 192.168.10.46: 192.168.10.1: ESTABLISHED -
tcp ::: :::* LISTEN -
tcp ::: :::* LISTEN /httpd
tcp ::: :::* LISTEN -
tcp ::: :::* LISTEN -

II. Changing Docker defaults

  1. Customizing Docker network properties


[root@localhost ~]# more /etc/docker/daemon.json
{
"registry-mirrors": ["https://guxaj7v7.mirror.aliyuncs.com","https://registry.docker-cn.com"],
"bip": "10.0.0.1/16"
}
[root@localhost ~]# ip addr
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN group default qlen
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP group default qlen
link/ether :0c::a7:ce: brd ff:ff:ff:ff:ff:ff
inet 192.168.10.46/ brd 192.168.10.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::2b2a:bd85:8d15:14c/ scope link noprefixroute
valid_lft forever preferred_lft forever
: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu qdisc noqueue state DOWN group default
link/ether :::6b:: brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/ brd 10.0.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80:::7ff:fe6b:/ scope link
valid_lft forever preferred_lft forever

  2. Changing how Docker listens

    a. Method 1


    b. Method 2: the procedure differs between Docker versions; another way to change it is as follows:

      vim /usr/lib/systemd/system/docker.service

      Add the following parameters under [Service]

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

      Restart the docker service

[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0.0.0.0: 0.0.0.0:* LISTEN /rpcbind
tcp 0.0.0.0: 0.0.0.0:* LISTEN /sshd
tcp 127.0.0.1: 0.0.0.0:* LISTEN /master
tcp 192.168.10.46: 192.168.10.1: ESTABLISHED /sshd: root@pts
tcp 192.168.10.46: 192.168.10.1: ESTABLISHED /sshd: root@pts
tcp6 ::: :::* LISTEN /dockerd
tcp6 ::: :::* LISTEN /rpcbind
tcp6 ::: :::* LISTEN /sshd
tcp6 ::: :::* LISTEN /master
[root@localhost ~]# ls /var/run/
abrt cron.reboot docker.sock lock mod_fcgid rpcbind.lock syslogd.pid utmp
atd.pid dbus ebtables.lock log mount rpcbind.sock systemd vmware
auditd.pid dmeventd-client faillock lsm netreport sepermit tmpfiles.d xtables.lock
console dmeventd-server firewalld lvm NetworkManager setrans tuned
containerd docker httpd lvmetad.pid plymouth sshd.pid udev
crond.pid docker.pid initramfs mdadm rpcbind sudo user

    c. Access

[root@localhost ~]# docker -H 192.168.10.46 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
[root@localhost ~]# docker -H 192.168.10.46 images
REPOSITORY TAG IMAGE ID CREATED SIZE
httpd latest d4a07e6ce470 days ago 132MB
busybox latest af2f74c517aa days ago .2MB
centos latest 9f38484d220f weeks ago 202MB
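The ExecStart line in method 2 makes dockerd answer the remote API on tcp://0.0.0.0:2375 with no TLS, so anyone who can reach that port on the LAN can run docker -H against the host exactly as shown under "Access", and the Docker API gives root-equivalent control of the host. The following Python audit is an added example, not code from the page or from Docker: it splits a systemd ExecStart= line for dockerd into its -H listeners, notes whether --tlsverify is set (dockerd then requires a client certificate), and reports every plain-TCP listener. The hardened line it is compared against is hypothetical, and its certificate paths are placeholders.

```python
import shlex

# Constructed ExecStart lines: the first mirrors the page's method-2 setting,
# the second is a hypothetical hardened variant (certificate paths are placeholders).
PAGE_EXEC_START = (
    "ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"
)
HARDENED_EXEC_START = (
    "ExecStart=/usr/bin/dockerd --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
    "--tlskey=/etc/docker/server-key.pem "
    "-H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock"
)


def parse_exec_start(line):
    """Split a systemd ExecStart= line for dockerd into (hosts, tls_verify).

    hosts is the list of -H/--host values in order; tls_verify is True when
    --tlsverify is present, which makes dockerd demand a client certificate.
    """
    if line.startswith("ExecStart="):
        line = line[len("ExecStart="):]
    argv = shlex.split(line)
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def tcp_bind_address(host):
    """Return the bind address of a tcp:// host string ('' when it was omitted)."""
    hostport = host[len("tcp://"):]
    if hostport.startswith("["):              # bracketed IPv6, e.g. [::]:2375
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def audit_exec_start(line):
    """Return one finding per TCP listener that is not protected by --tlsverify."""
    hosts, tls_verify = parse_exec_start(line)
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue                          # unix:// sockets are guarded by file permissions
        if tls_verify:
            continue                          # clients must present a certificate signed by the CA
        addr = tcp_bind_address(host)
        scope = "all interfaces" if addr in ("", "0.0.0.0", "::") else addr
        findings.append(
            f"{host}: Docker API on plain TCP ({scope}) without --tlsverify; "
            "any client that can connect gets root-equivalent control of the host"
        )
    return findings


if __name__ == "__main__":
    for label, line in (("page", PAGE_EXEC_START), ("hardened", HARDENED_EXEC_START)):
        print(label, audit_exec_start(line) or ["no findings"])
```

Running the audit over a fleet's docker.service files is a cheap way to catch the 2375 exposure; the hardened variant keeps the remote API usable (on 2376, the conventional TLS port) while limiting it to holders of a client certificate.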

III. Containers on different networks accessing each other

  1. Create a network

[root@localhost ~]# docker network create -d bridge --subnet "172.16.0.0/16" --gateway "172.16.0.1" mybr0
fceba8db97014f8f762b48cced3399ecb539b4510f68181df992997d67ae1307
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
0479ba9d5a7c bridge bridge local
1f98da302a92 host host local
fceba8db9701 mybr0 bridge local
bdb9eff6069c none null local
[root@localhost ~]# ip addr
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN group default qlen
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
valid_lft forever preferred_lft forever
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP group default qlen
link/ether :0c::a7:ce: brd ff:ff:ff:ff:ff:ff
inet 192.168.10.46/ brd 192.168.10.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::2b2a:bd85:8d15:14c/ scope link noprefixroute
valid_lft forever preferred_lft forever
: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu qdisc noqueue state DOWN group default
link/ether :::6b:: brd ff:ff:ff:ff:ff:ff
inet 10.0.0.1/ brd 10.0.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80:::7ff:fe6b:/ scope link
valid_lft forever preferred_lft forever
: br-fceba8db9701: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu qdisc noqueue state DOWN group default
link/ether ::7d::e3:a0 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/ brd 172.16.255.255 scope global br-fceba8db9701
valid_lft forever preferred_lft forever

  2. Create container 1 and attach it to the newly created network

[root@localhost ~]# docker run --name t1 -it --network mybr0 busybox:latest
/ # ifconfig
eth0 Link encap:Ethernet HWaddr ::AC:::
inet addr:172.16.0.2 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (1.2 KiB) TX bytes: (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (0.0 B)

  3. Create container 2 and attach it to the bridge network

[root@localhost ~]# docker run --name t2 -it --network bridge busybox:latest
/ # ifconfig
eth0 Link encap:Ethernet HWaddr ::0A:::
inet addr:10.0.0.2 Bcast:10.0.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (508.0 B) TX bytes: (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 B) TX bytes: (0.0 B)

  4. For container 1 to reach container 2, NAT/IP forwarding must be enabled on the host

    a. Check whether forwarding is enabled

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_forward

    b. Then open the corresponding rule in iptables, because by default iptables blocks communication between containers on two different networks.
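Two things on this page decide whether t1 (172.16.0.2 on mybr0) and t2 (10.0.0.2 on docker0) can talk: the subnets must not collide (bip in daemon.json sets docker0's address and prefix, so its subnet is the network that address lies in), and traffic between two bridges has to be routed by the host, which needs ip_forward=1 plus an iptables FORWARD rule, since Docker's isolation chains drop bridge-to-bridge traffic by default. The following Python helper is an added example, not code from the page or from Docker, covering both section II.1 (bip) and section III: it derives the docker0 subnet from daemon.json text, checks the page's networks for overlaps, and says whether a pair of container addresses is switched on one bridge or must cross the host. The daemon.json text and the network inventory are constructed from the page's values (mirror list omitted).

```python
import ipaddress
import json

# Constructed daemon.json text mirroring the page's "bip" setting
SAMPLE_DAEMON_JSON = '{"bip": "10.0.0.1/16"}'

# Constructed inventory of the page's networks: host LAN on ens33, default
# bridge docker0 (from bip) and the user-defined bridge mybr0
PAGE_NETWORKS = {
    "ens33": "192.168.10.0/24",
    "docker0": "10.0.0.0/16",
    "mybr0": "172.16.0.0/16",
}


def docker0_subnet(daemon_json_text):
    """Derive docker0's subnet from daemon.json.

    bip is the bridge's own address plus prefix (10.0.0.1/16 on the page), so the
    subnet is the network it lies in; when bip is unset Docker uses 172.17.0.0/16.
    """
    bip = json.loads(daemon_json_text).get("bip")
    if bip is None:
        return ipaddress.ip_network("172.17.0.0/16")
    return ipaddress.ip_interface(bip).network


def find_overlaps(networks):
    """Return sorted name pairs whose subnets overlap (a collision breaks routing)."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def network_of(ip, networks):
    """Name of the network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in networks.items():
        if addr in ipaddress.ip_network(cidr, strict=False):
            return name
    return None


def classify_path(src_ip, dst_ip, networks):
    """How traffic between two addresses has to travel on this host."""
    src_net, dst_net = network_of(src_ip, networks), network_of(dst_ip, networks)
    if src_net is None or dst_net is None:
        return "unknown-network"
    if src_net == dst_net:
        # Switched on one bridge: no routing, no FORWARD rules involved
        return "same-bridge"
    # Routed by the host: needs ip_forward=1 and an iptables FORWARD rule,
    # because Docker's isolation chains drop bridge-to-bridge traffic by default
    return "cross-bridge"


if __name__ == "__main__":
    print("docker0 subnet:", docker0_subnet(SAMPLE_DAEMON_JSON))
    print("overlaps:", find_overlaps(PAGE_NETWORKS))
    print("t1 -> t2:", classify_path("172.16.0.2", "10.0.0.2", PAGE_NETWORKS))
```

The overlap check is worth running before changing bip: setting bip to an address inside 172.16.0.0/16 would collide with mybr0, and the containers on the two bridges would stop being distinguishable by address even with forwarding enabled. That cross-bridge traffic is dropped by default is the isolation a defender usually wants; open it only for the specific source and destination networks that need it.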