The network in Docker mainly solves the problem of mutual communication between containers, between containers and external networks, and between external networks and containers.
Docker communication mode
By default, Docker uses a bridge + NAT communication model.
When the Docker daemon starts, it automatically creates the bridge device docker0 and assigns it an address.
When Docker starts a container, it creates a pair of veth virtual network devices. One end of the pair is attached to the docker0 bridge; the other end is moved into the container's network namespace and renamed eth0. In this way, containers on the same host can communicate with each other through docker0.
Solving communication between containers on the same host is not enough; containers must also reach, and be reachable from, external networks. For this, NAT is introduced.
- Container access to the external network
To let containers reach the external network, Docker creates the following MASQUERADE rule:
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
This rule rewrites the source address of every packet that leaves the container subnet 172.17.0.0/16 through an interface other than docker0 to the host's IP address, so the traffic appears to be sent by the host.
- External network access to a container
The services a container provides need to be exposed to the external network. When Docker starts a container with a published port, it creates DNAT (destination NAT) rules. For example:
docker run -d -p 80:80 apache
The following DNAT rules are created:
iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
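As an added check (not part of the original article): the DNAT rules above are also the ground truth for which container ports the outside world can reach, so it is worth parsing them. The rule text below is a constructed sample in the format of `iptables -t nat -S DOCKER`; the second rule shows the extra `-d` match that a mapping bound to 127.0.0.1 carries.

```python
from dataclasses import dataclass

# Constructed sample in the format of `iptables -t nat -S DOCKER`; on a real host,
# replace it with that command's output. The first DNAT rule is what
# `docker run -p 80:80 ...` creates; the second is what `-p 127.0.0.1:5432:5432`
# creates (the -d match restricts it to the loopback address).
SAMPLE_RULES = """\
-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
"""

@dataclass
class PublishedPort:
    proto: str
    host_port: int
    destination: str  # container_ip:port taken from --to-destination
    bind_addr: str    # address from -d, or "0.0.0.0" when the rule has no -d match

def _value_after(tokens, flag):
    """Return the argument that follows an iptables flag, or None if absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except ValueError:
        return None

def parse_docker_dnat(rules_text):
    """Turn every DNAT rule of the DOCKER chain into a PublishedPort."""
    ports = []
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "DOCKER"] or "DNAT" not in tokens:
            continue  # the -N line and the RETURN rule are not port mappings
        bind = _value_after(tokens, "-d")
        ports.append(PublishedPort(
            proto=_value_after(tokens, "-p"),
            host_port=int(_value_after(tokens, "--dport")),
            destination=_value_after(tokens, "--to-destination"),
            bind_addr=bind.split("/")[0] if bind else "0.0.0.0",
        ))
    return ports

def reachable_from_network(ports):
    """Mappings without a -d match answer on every host interface. Because the
    DNAT is applied in PREROUTING, that traffic is forwarded to the container
    and never traverses the host's INPUT chain, so INPUT-chain firewall rules
    on the host do not protect these ports."""
    return [p for p in ports if p.bind_addr == "0.0.0.0"]
```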
Docker network parameters
Network configuration parameters
Network configuration of Docker process
- -b / --bridge: specifies the bridge device Docker uses. By default, Docker creates the docker0 bridge device; this parameter tells Docker to use an existing bridge device instead.
- --bip: specifies the IP address and mask of the docker0 bridge device, in standard CIDR notation.
- --dns: configures the DNS server used by containers.
Network configuration of container
- --net: specifies the network mode used by the container.
  - bridge: the default mode of Docker.
  - none: the container has no network stack and cannot communicate with the outside.
  - container: Docker adds the container to the network namespace of the specified container.
  - host: the container uses the host's network and does not have its own independent network stack.
Docker data management
Once a container is deleted, the rootfs belonging to that container is deleted, and with it all data inside the container. Sometimes we have data, such as logs, that must be persisted and must not disappear when the container is deleted. Sometimes we also want to share data between containers on the same host. For this, Docker provides data volumes, which persist data and can also be used to share data between containers.
Create data volume
[root@localhost ~]# docker run -it --rm -v /volume1 --name test1 ubuntu /bin/bash
root@816b0ee1b911:/# df -lh
Filesystem               Size  Used Avail Use% Mounted on
overlay                   37G   19G   19G  51% /
tmpfs                     64M     0   64M   0% /dev
tmpfs                    1.1G     0  1.1G   0% /sys/fs/cgroup
shm                       64M     0   64M   0% /dev/shm
/dev/mapper/centos-root   37G   19G   19G  51% /volume1
tmpfs                    1.1G     0  1.1G   0% /proc/asound
tmpfs                    1.1G     0  1.1G   0% /proc/acpi
tmpfs                    1.1G     0  1.1G   0% /proc/scsi
tmpfs                    1.1G     0  1.1G   0% /sys/firmware
root@816b0ee1b911:/# ls v
var/     volume1/
root@816b0ee1b911:/# ls volume1/
root@816b0ee1b911:/# echo "hello" > /volume1/test.txt
root@816b0ee1b911:/# ls volume1/
test.txt
root@816b0ee1b911:/#
For a data volume created this way, when the container is deleted and no other container references the volume, the corresponding directory on the host is deleted as well. If you do not want the host directory to be deleted, you must specify the host directory explicitly.
Mount the directory of host as a data volume
In addition to creating the data volume, we can also mount the directory of the host to the container as the data volume of the container.
[root@localhost /]# docker run -it --rm -v /data/vulume1:/volueme1 ubuntu /bin/bash
root@0f9510ac0f90:/# df -lh
Filesystem               Size  Used Avail Use% Mounted on
overlay                   37G   19G   19G  51% /
tmpfs                     64M     0   64M   0% /dev
tmpfs                    1.1G     0  1.1G   0% /sys/fs/cgroup
shm                       64M     0   64M   0% /dev/shm
/dev/mapper/centos-root   37G   19G   19G  51% /volueme1
tmpfs                    1.1G     0  1.1G   0% /proc/asound
tmpfs                    1.1G     0  1.1G   0% /proc/acpi
tmpfs                    1.1G     0  1.1G   0% /proc/scsi
tmpfs                    1.1G     0  1.1G   0% /sys/firmware
root@0f9510ac0f90:/# echo "hello" > /v
var/      volueme1/
root@0f9510ac0f90:/# echo "hello" > /volueme1/hello.txt
root@0f9510ac0f90:/#
root@0f9510ac0f90:/# exit
exit
[root@localhost /]# ls /data/vulume1/
hello.txt
[root@localhost /]# cat /data/vulume1/hello.txt
hello
[root@localhost /]#
Here we mount the host directory /data/volume1 at /volume1 inside the container (the session above uses the spellings /data/vulume1 and /volueme1). In this way, data is exchanged between the host and the container. For example, an application in the container can write its logs and important data to /volume1, and even if the container is deleted, the data remains on the host.
The host directory must be an absolute path. If the directory does not exist, docker will automatically create the directory.
By default, the container has read and write access to the mounted data. We can also mount it read-only.
Mount the host file as a data volume
[root@localhost /]# docker run -it --rm -v /etc/hosts:/etc/hosts ubuntu /bin/bash
root@2f2dd6a7a834:/# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
root@2f2dd6a7a834:/#
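An added audit for the host directory and host file mounts described above (this is example code, not part of the original article): it reads the Mounts list that `docker inspect` reports and flags bind mounts of host paths that are writable from inside the container, which is where the `:ro` suffix belongs. The mount list is a constructed sample, and the list of sensitive host paths is an assumption to adjust per host.

```python
import json

# Constructed sample shaped like `docker inspect --format '{{json .Mounts}}' CONTAINER`:
# an anonymous volume (-v /volume1), the host file mount from the session above
# (-v /etc/hosts:/etc/hosts), a read-only host directory (-v /data/volume1:/data:ro)
# and a writable host directory used for logs (-v /srv/applog:/var/log/app).
SAMPLE_MOUNTS = json.dumps([
    {"Type": "volume", "Name": "constructed_vol", "Driver": "local", "Mode": "",
     "Source": "/var/lib/docker/volumes/constructed_vol/_data", "Destination": "/volume1",
     "RW": True, "Propagation": ""},
    {"Type": "bind", "Source": "/etc/hosts", "Destination": "/etc/hosts", "Mode": "",
     "RW": True, "Propagation": "rprivate"},
    {"Type": "bind", "Source": "/data/volume1", "Destination": "/data", "Mode": "ro",
     "RW": False, "Propagation": "rprivate"},
    {"Type": "bind", "Source": "/srv/applog", "Destination": "/var/log/app", "Mode": "",
     "RW": True, "Propagation": "rprivate"},
])

# Host paths a container should never be able to write to (assumption; tune per host).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/lib/docker", "/var/run/docker.sock")

def is_sensitive(host_path):
    """True for the host root or for anything at or below a sensitive path."""
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def audit_mounts(mounts_json):
    """Return one finding per bind mount that needs attention. Volumes that Docker
    manages under /var/lib/docker are skipped: they expose no pre-existing host data."""
    findings = []
    for m in json.loads(mounts_json):
        if m.get("Type") != "bind":
            continue
        src, dst, rw = m["Source"], m["Destination"], m.get("RW", True)
        if rw and is_sensitive(src):
            findings.append(f"HIGH: writable bind mount of {src} at {dst}; add :ro or remove it")
        elif rw:
            findings.append(f"INFO: writable bind mount {src} -> {dst}; use :ro unless writes are needed")
    return findings
```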
Data volume container
Create and mount data volume containers
Data can be shared between containers: create a data volume container, then mount its volumes from other containers.
[root@localhost /]# docker run -d -v /dbdata --name dbdata training/postgres echo Data-only container for postgres
Unable to find image 'training/postgres:latest' locally
latest: Pulling from training/postgres
Image docker.io/training/postgres:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
a3ed95caeb02: Pull complete
6e71c809542e: Pull complete
2978d9af87ba: Pull complete
e1bca35b062f: Pull complete
500b6decf741: Pull complete
74b14ef2151f: Pull complete
7afd5ed3826e: Pull complete
3c69bb244f5e: Pull complete
d86f9ec5aedf: Pull complete
010fabf20157: Pull complete
Digest: sha256:a945dc6dcfbc8d009c3d972931608344b76c2870ce796da00a827bd50791907e
Status: Downloaded newer image for training/postgres:latest
f91c945472b8a6af306df362bf373c577ae58392f76c2edd08263867e20b444b
[root@localhost /]#
You can mount the /dbdata data volume in other containers via --volumes-from:
[root@localhost /]# docker run -d --volumes-from dbdata --name db1 training/postgres
1a97206a0b9cf2081a0a6ab0317923b974bf8aaf91696e062eedadc4c9aea89e
[root@localhost /]# docker run -d --volumes-from dbdata --name db2 training/postgres
e9ab2d1faab5be87988f060540a46b2f548bbe6621eb3fc829f975d0f68c5cbd
[root@localhost /]#
In this way, db1 and db2 see all data volumes of dbdata.
You can also pass --volumes-from several times to mount data volumes from multiple containers, and you can mount data volumes from a container that has itself mounted them from another container:
[root@localhost /]# docker run -d --name db3 --volumes-from db1 training/postgres
c4ed9125ead1160a60309f6f1758962708fb02029ff29316447f6568b50cfaed
[root@localhost /]#
Application of data volume container
Many applications log through the system's syslog. We can install the application and rsyslog into the same image and then run the application and rsyslog in the same container.
- Build an rsyslog image
- Run the rsyslog container
- Write logs to the log container from other containers
Backup, restore, and migrate data volumes
Backup data volume
[root@localhost /]# docker run --volumes-from dbdata -v $(pwd):/backup ubuntu tar cvf /backup/backup.tar /dbdata
tar: Removing leading `/' from member names
/dbdata/
[root@localhost /]# ls
backup.tar  bin  boot  data  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  some  srv  sys  tmp  usr  var  www
[root@localhost /]#
Recover data volume
[root@localhost /]# docker run -v /dbdata --name dbdata2 ubuntu /bin/bash
[root@localhost /]# docker run --volumes-from dbdata2 -v $(pwd):/backup busybox tar xvf /backup/backup.tar
dbdata/
[root@localhost /]#