Docker container networking: understanding and experiments

1, Introduction to Docker network

Docker uses Linux bridging. A Docker bridge (docker0) is virtualized on the host. When Docker starts a container, it assigns the container an IP address (the container IP) from the bridge's subnet, and the bridge is the container's default gateway. Because all containers on one host attach to the same bridge, they can communicate directly by container IP; on the default bridge this inter-container traffic is allowed unless the daemon is started with --icc=false.

The Docker bridge is virtual, not a real network device, and its subnet is not routed from outside the host, so external machines cannot reach a container by its container IP. To make a container reachable from outside, map a container port to a host port (port mapping) with the -P or -p option of docker run; clients then reach the container at [host IP]:[mapped host port].

2, The four network modes

Docker network mode   Configuration                  Explanation
host mode             --net=host                     The container shares a Network namespace with the host.
container mode        --net=container:NAME_or_ID     The container shares the Network namespace of another container. A pod in Kubernetes is one Network namespace shared by several containers.
none mode             --net=none                     The container has an independent Network namespace but no network settings: no veth pair, no bridge attachment, no IP, etc.
bridge mode           --net=bridge                   Default mode.

1. host mode

If host mode is used when starting a container, the container does not get an independent Network Namespace but shares the host's. The container does not virtualize its own network card or configure its own IP; it uses the host's IP and ports. Other aspects of the container, such as the file system and process list, remain isolated from the host.

A container in host mode communicates with the outside world directly with the host's IP address, and a service port inside the container is a host port, with no NAT. The biggest advantage of host mode is network performance. The drawbacks are that ports already in use on the Docker host cannot be used again, and that there is no network isolation: the container sees every host interface, can bind any free host port, and, because containers keep CAP_NET_RAW by default, can capture traffic on the host's interfaces.

2. container mode

This mode makes the newly created container share a Network Namespace with an existing container rather than with the host. The new container does not create its own network card or configure its own IP; it shares the IP and port range of the specified container. Apart from the network, the two containers remain isolated from each other (file system, process list, etc.). Processes in the two containers can communicate over the lo loopback device. Since they share one network stack, a port bound in one container is unavailable to the other.

3. none mode

In none mode, the Docker container has its own Network Namespace, but Docker performs no network configuration for it. In other words, the container has no network card, IP, routes or other network settings; if the container needs a network, you must add a network card and configure an IP yourself.

In this mode the container has only the lo loopback interface and no other network card. Specify it with --network=none (or --net=none) when creating the container. Such a container has no network connectivity at all, and that closed network gives the strongest network isolation Docker offers.

4. bridge mode

When the Docker daemon starts, it creates a virtual bridge named docker0 on the host, and the containers started on the host attach to this virtual bridge. The bridge behaves like a physical switch, so all containers on the host sit on one layer-2 network.

Docker assigns the container an IP from the docker0 subnet and sets docker0's IP address as the container's default gateway. It creates a veth pair (a pair of virtual network cards) on the host, places one end inside the new container as eth0 (the container's network card) and leaves the other end on the host under a name like vethxxx, attached to the docker0 bridge. You can see the attachment with brctl show (or with bridge link on hosts without bridge-utils).

Bridge mode is Docker's default network mode: if no --net option is given, bridge is used. When you use docker run -p, Docker actually writes DNAT rules into the iptables nat table to forward the host port to the container; view them with iptables -t nat -vnL. These rules are applied in PREROUTING, and the forwarded traffic never traverses the host's INPUT chain, so a published port is reachable even where host firewall rules (for example ufw) would block the same port for a process on the host.

3, Docker network operations

Most images do not ship ifconfig, so you cannot simply run it inside the container to see the IP address. In a CentOS-based container, install net-tools first (yum install -y net-tools) and then view the container IP; a Debian-based image such as nginx uses apt-get instead. You can also read the IP from the host with docker inspect without entering the container.

# docker run -itd --name test1 -P nginx
### -P (capital) maps every exposed port to a random host port
# docker run -itd --name test2 -p 43210:80 nginx
### -p host_port:container_port (lowercase) maps the specified port

# docker ps -a
CONTAINER ID   IMAGE     COMMAND                  CREATED          STATUS          PORTS                                     NAMES
155ddb0c29b3   nginx     "/docker-entrypoint...."   4 seconds ago    Up 3 seconds    0.0.0.0:43210->80/tcp, :::43210->80/tcp   test2
0d1f97c0ae26   nginx     "/docker-entrypoint...."   10 minutes ago   Up 10 minutes   0.0.0.0:49156->80/tcp, :::49153->80/tcp   test1

Browser access: http://192.168.80.10:49156/ and http://192.168.80.10:43210/

(Figure: browser test of the two mapped ports)

The port mapping is implemented by iptables DNAT. On the host, the nat table shows the translation; the DOCKER chain holds one DNAT rule per published port:

### The host can see the translation implemented by iptables
iptables -nL -t nat
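The DNAT rules decide which host interfaces a container port is exposed on, so they are worth auditing rather than just viewing. The shell script below is an added example, not code from the original page: it parses the DOCKER chain as printed by iptables -t nat -nL DOCKER (non-verbose format, so the destination address is the fifth column) and lists each published port with the address it is bound to, flagging the ones reachable on every interface. The chain text embedded in the script is a constructed sample, including a 127.0.0.1-restricted mapping such as -p 127.0.0.1:8080:80 would create; it is not output captured from the page's host.

```shell
#!/bin/sh
# Audit the DNAT rules Docker installs for published ports.
# Constructed sample of `iptables -t nat -nL DOCKER` (not captured from a real host).
SAMPLE_DOCKER_CHAIN='Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49156 to:172.17.0.2:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:43210 to:172.17.0.3:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:172.17.0.4:80'

# list_published: read DOCKER-chain output (non-verbose -nL format) on stdin
# and print one line per DNAT rule as
#   "<bind-addr>:<host-port> -> <container-ip>:<container-port> <scope>"
# where scope is ALL-INTERFACES for a 0.0.0.0/0 destination and
# "restricted" when the rule only matches a specific host address.
list_published() {
    awk '$1 == "DNAT" {
        hostport = ""; target = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dpt:/) { hostport = substr($i, 5) }
            if ($i ~ /^to:/)  { target   = substr($i, 4) }
        }
        scope = ($5 == "0.0.0.0/0") ? "ALL-INTERFACES" : "restricted";
        printf "%s:%s -> %s %s\n", $5, hostport, target, scope
    }'
}

# count_exposed: number of published ports reachable on every host interface
# (grep -c exits 1 when the count is 0, so guard it under `set -e`)
count_exposed() {
    list_published | grep -c 'ALL-INTERFACES$'
}

# Stand-alone run over the constructed sample. On a Docker host use:
#   iptables -t nat -nL DOCKER | list_published
printf '%s\n' "$SAMPLE_DOCKER_CHAIN" | list_published
```

A rule bound to 0.0.0.0/0 is open to every network the host is attached to, and because Docker's DNAT happens in PREROUTING the host's INPUT-chain rules (ufw and the like) do not apply to it. Publish ports that are only needed locally as -p 127.0.0.1:port:port so that the DOCKER chain carries a restricted rule instead.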

4, Docker network modes in detail

  1. When Docker is installed, it automatically creates three networks: bridge (containers connect to this network by default), none and host.
docker network ls	or	docker network list				#View the Docker network list

NETWORK ID     NAME      DRIVER    SCOPE
3cce31b7db4e   bridge    bridge    local
6f7e4930aab4   host      host      local
2ded2fffb055   none      null      local
  2. When using docker run to create a container, you can specify its network mode with the --net or --network option:

    • Host mode: specified with --net=host.
    • None mode: specified with --net=none.
    • Container mode: specified with --net=container:NAME_or_ID.
    • Bridge mode: specified with --net=bridge; this is the default and can be omitted.

Container mode: in this mode two containers share one Network namespace, so the net namespace identifier (the inode shown by ls -l /proc/<pid>/ns/net) is the same for both.

Create a container in container mode

### Create a container in container mode
# docker run -itd --name test3 --net=container:<source container ID> centos bash

docker inspect -f '{{.State.Pid}}' 155ddb0c29b3							#View the container's init process PID
22364
ls -l /proc/22364/ns
-----------------------------------------------------------------
total 0
lrwxrwxrwx. 1 root root 0 Jul 26 17:47 ipc -> ipc:[4026532688]
lrwxrwxrwx. 1 root root 0 Jul 26 17:47 mnt -> mnt:[4026532683]
lrwxrwxrwx. 1 root root 0 Jul 26 16:35 net -> net:[4026532691]		#The Network Namespace of this container
lrwxrwxrwx. 1 root root 0 Jul 26 17:47 pid -> pid:[4026532689]
lrwxrwxrwx. 1 root root 0 Jul 26 17:47 user -> user:[4026531837]
lrwxrwxrwx. 1 root root 0 Jul 26 17:47 uts -> uts:[4026532687]
-----------------------------------------------------------------
docker run -itd --name test3 --net=container:155ddb0c29b3 centos bash
docker inspect -f '{{.State.Pid}}' 3a47d5cb641b
23428
ls -l /proc/23428/ns
-----------------------------------------------------------------
total 0
lrwxrwxrwx. 1 root root 0 Jul 26 17:56 ipc -> ipc:[4026532783]
lrwxrwxrwx. 1 root root 0 Jul 26 17:56 mnt -> mnt:[4026532781]
lrwxrwxrwx. 1 root root 0 Jul 26 17:56 net -> net:[4026532691]		#The Network Namespace of the container-mode container is the same as above; the other namespaces differ
lrwxrwxrwx. 1 root root 0 Jul 26 17:56 pid -> pid:[4026532784]
lrwxrwxrwx. 1 root root 0 Jul 26 17:56 user -> user:[4026531837]
lrwxrwxrwx. 1 root root 0 Jul 26 17:56 uts -> uts:[4026532782]
-----------------------------------------------------------------
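The ls -l comparison above can be scripted. The shell helpers below are an added example, not part of the original page: they resolve the inode behind /proc/<pid>/ns/net exactly as the listing does and compare it between two PIDs. The docker_* style helpers (container_pid, containers_sharing_netns, host_network_containers) assume a Docker host where docker inspect and docker ps are available and are not exercised by the stand-alone run; the last one is an audit that compares every running container against PID 1, which catches --net=host containers and also any --net=container chain that ends at a host-mode container, something the NetworkMode field alone would not reveal.

```shell
#!/bin/sh
# Compare network namespaces by the inode behind /proc/<pid>/ns/net.

# netns_of: print the "net:[<inode>]" link target for a PID (empty if unreadable)
netns_of() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# netns_inode: extract the bare inode number from a "net:[<inode>]" string;
# prints nothing for any other namespace kind or malformed input
netns_inode() {
    printf '%s\n' "$1" | sed -n 's/^net:\[\([0-9][0-9]*\)]$/\1/p'
}

# same_netns_id: succeed only when both strings are valid and name one namespace
same_netns_id() {
    a=$(netns_inode "$1"); b=$(netns_inode "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# same_netns: do two PIDs share a network namespace?
same_netns() {
    same_netns_id "$(netns_of "$1")" "$(netns_of "$2")"
}

# container_pid: init PID of a container, as the page obtains it (Docker host only)
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# containers_sharing_netns: succeed if two containers share one namespace,
# which is what --net=container:<id> produces (Docker host only)
containers_sharing_netns() {
    same_netns "$(container_pid "$1")" "$(container_pid "$2")"
}

# host_network_containers: print the names of running containers whose
# network namespace is the host's (PID 1). Docker host only.
host_network_containers() {
    for c in $(docker ps -q); do
        if same_netns 1 "$(container_pid "$c")"; then
            docker inspect -f '{{.Name}}' "$c"
        fi
    done
}

# Stand-alone demonstration: a process always shares a namespace with itself.
if same_netns $$ $$; then
    echo "PID $$ is in $(netns_of $$)"
fi
```

On a Docker host, `containers_sharing_netns test2 test3` reproduces the page's experiment, and `host_network_containers` lists every container that effectively runs with the host's network stack.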

5, Custom network

## Plain bridge mode does not support running a container with a specified IP. The following command fails with an error, because Docker only supports a user-specified IP address on user-defined networks:
docker run -itd --name test3 --network bridge --ip 172.17.0.10 centos:7 /bin/bash

To create a custom network:

  1. Create the custom network first, then run docker with the specified IP

docker network create --subnet=172.18.0.0/16 --opt "com.docker.network.bridge.name"="docker1" mynetwork

#docker1 is the name of the bridge interface shown by ifconfig -a. If this name is not specified with --opt, the interface gets a generated name such as br-110eb56a0b22 when you view the network information with ifconfig -a, which is obviously hard to remember.

#mynetwork is the name of the bridge network shown by docker network list.

  2. Run docker with the specified IP

docker run -itd --name test4 --net mynetwork --ip 172.18.0.10 centos /bin/bash


Actual operation process

### Create the custom network
# docker network create --subnet=172.18.0.0/16 --opt "com.docker.network.bridge.name"="docker1" Mnetwork
### Create a container with a specified IP address
# docker run -itd --name test --net Mnetwork --ip 172.18.0.10 centos /bin/bash
### Check the container status
# docker ps -a
### Enter the container and confirm that its IP is the one requested
# docker exec -it <container ID> bash
## Install net-tools first (the centos image has no ifconfig)
# yum install -y net-tools
## View the container IP
# ifconfig
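The two steps above can be combined into a script that also catches the mistake docker would otherwise reject a step later: an --ip that does not lie inside the network's --subnet. This shell script is an added example, not code from the original page. ip_in_subnet is a plain IPv4 CIDR check; create_network wraps docker network create with the bridge-name option the page uses plus enable_icc=false, an option the page does not use, added so that containers on the network cannot talk to each other unless you allow it; run_static wraps docker run with the --ip check in front. The docker commands assume a Docker host and are not exercised by the stand-alone check at the bottom.

```shell
#!/bin/sh
# Custom Docker network with a readable bridge name and static container IPs.

# ip_to_int: dotted-quad IPv4 address -> unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_subnet <ip> <cidr>: succeed when <ip> lies inside <cidr>
ip_in_subnet() {
    net=${2%/*}; bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shifting left and masking builds the netmask
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# create_network <name> <subnet> <bridge-if>: user-defined bridge with a fixed
# subnet, a readable interface name and inter-container traffic disabled.
# Docker host only.
create_network() {
    docker network create \
        --subnet="$2" \
        --opt "com.docker.network.bridge.name"="$3" \
        --opt "com.docker.network.bridge.enable_icc"=false \
        "$1"
}

# run_static <name> <network> <subnet> <ip> <image>: refuse to start when the
# requested IP is outside the subnet; otherwise run the container with --ip.
# Docker host only.
run_static() {
    if ! ip_in_subnet "$4" "$3"; then
        echo "refusing to start $1: $4 is not inside $3" >&2
        return 1
    fi
    docker run -itd --name "$1" --net "$2" --ip "$4" "$5" /bin/bash
}

# Stand-alone check mirroring the page's values; on a Docker host follow it with:
#   create_network mynetwork 172.18.0.0/16 docker1
#   run_static test4 mynetwork 172.18.0.0/16 172.18.0.10 centos
ip_in_subnet 172.18.0.10 172.18.0.0/16 && echo "172.18.0.10 is inside 172.18.0.0/16"
```

With enable_icc=false the containers on mynetwork still reach the outside world through the bridge but cannot reach each other by container IP, which is the least-privilege default for services that only need to be reached through their published ports.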

Keywords: Docker

Added by Topshed on Fri, 14 Jan 2022 00:11:55 +0200