安装Docker 服务默认会创建一个 docker0 网桥(其上有一个 docker0 内部接口),它在内核层连通了其他的物理或虚拟网卡,这就将所有容器和本地主机都放到同一个物理网络。
使用 docker network ls 命令查看:
Docker 安装时会自动在 host 上创建三个网络:none,host,和bridge。
接下来我们查看一下docker0 网桥:(brctl可以通过yum install bridge-utils安装)
使用docker network inspect指令查看bridge网络:其Gateway就是网卡/接口docker0的IP地址:172.17.0.1。 【里面包含了bridge的配置信息和容器信息】
[root@192 keepmoving]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "581adbbf78d32412c411c274bb65c339f496b24e9cef5ad69f8d038bcc371c1b",
"Created": "2023-02-24T23:41:35.720677409+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"56657ecbb6763ce60e33232ba09b7f1ae68d9856b85ad61b52c581a47a896464": {
"Name": "test_db",
"EndpointID": "e66a48ecc3be4a0a1f8fce53035181d5ac3de64953c6d0bc4bc705c4b63d11f7",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
},
"73a026235a47df3d0733429181406f9b2f58faa5f674b4aefef9811f82274395": {
"Name": "web",
"EndpointID": "36d59702812b5bc3fb716fc4dccbcb141fd07e3a56706f681881cd489ec86dec",
"MacAddress": "02:42:ac:11:00:03",
"IPv4Address": "172.17.0.3/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
为了理解容器创建时的IP分配,这里需要清理所有已经启动的环境,然后再启动容器,看前后对比。
1.2.1 首先清理掉docker中安装的所有容器:
1.2.2 查看docker中的网络配置:
[root@192 keepmoving]# docker network ls
NETWORK ID NAME DRIVER SCOPE
581adbbf78d3 bridge bridge local
869c7c8ca191 host host local
6c29ce5e0291 none null local
[root@192 keepmoving]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "581adbbf78d32412c411c274bb65c339f496b24e9cef5ad69f8d038bcc371c1b",
"Created": "2023-02-24T23:41:35.720677409+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
[root@192 keepmoving]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:83:f9:57 brd ff:ff:ff:ff:ff:ff
inet 192.168.124.49/24 brd 192.168.124.255 scope global noprefixroute dynamic ens33
valid_lft 82491sec preferred_lft 82491sec
inet6 fe80::c890:8da3:b20c:a830/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:4c:33:99:1a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:4cff:fe33:991a/64 scope link
valid_lft forever preferred_lft forever
[root@192 keepmoving]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02424c33991a no 1.2.3 创建容器
Docker 在创建一个容器的时候,会执行如下操作:
[root@192 keepmoving]# docker run -d --name test_db training/postgres
92fa2114c8b74f739064e2b79d669ca8484686b471a1ea237d34b32c4316b50b
[root@192 keepmoving]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02424c33991a no veth6f6298f
[root@192 keepmoving]# ip a | grep veth6f6298f
17: veth6f6298f@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
[root@192 keepmoving]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "581adbbf78d32412c411c274bb65c339f496b24e9cef5ad69f8d038bcc371c1b",
"Created": "2023-02-24T23:41:35.720677409+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"92fa2114c8b74f739064e2b79d669ca8484686b471a1ea237d34b32c4316b50b": {
"Name": "test_db",
"EndpointID": "98395df29096ab53f63bb6d44c1c28d0b949c992e9dcc3774e1826e6282e2d57",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]
如果不指定--network,创建的容器默认都会挂到 docker0 上,使用本地主机上 docker0 接口的 IP 作为所有容器的默认网关。
当有多个容器创建后,容器网络拓扑结构如下:
接下来来探究容器中的eth0是怎么和host中的虚拟网络进行配对的。
可以看到host上17: veth6f6298f@if16对应着容器中16: eth0@if17; 即host中index=17的接口/网卡veth6f6298f的peer inferface index是16, container中index=16的网卡eth0的peer interface index是17。
注:host上17: veth6f6298f是创建容器时生成的(ip a)。
可以利用ethtool来确认这种对应关系:分别在host和container中运行指令ethtool -S <interface>:
ethtool -S veth6f6298f
docker exec -it 92fa2114c8b7 /bin/bash
ip a | grep 16
在公司内部或者使用多个物理机搭建集群时,需要将多个物理机的容器组到一个物理网络中来,这个时候需要将这个网桥桥接到指定的网卡上。
主机 A 和主机 B 的物理网卡一都连接着物理交换机的同一个 vlan 101中,这样网桥一和网桥三就相当于在同一个物理网络中了,而容器一、容器三、容器四也在同一物理网络中了,他们之间可以相互通信,而且可以跟同一 vlan 中的其他物理机器互联。
未完待续。。。
参考博文:
Docker基础 - Docker网络使用和配置 | Java 全栈知识体系