1, docker network
1. docker network principle
Docker uses Linux bridging. A virtual bridge for containers is created on the host; the default one is docker0. When Docker starts a container it assigns the container an IP address from the bridge's subnet; that address is the container IP. The bridge is also the default gateway of every container attached to it, because all containers on one host are connected to the same bridge by default. Each container is connected to the bridge through a veth pair (one end inside the container's network namespace, the other end attached to the bridge), and containers on the same bridge communicate with each other through those veth pairs.
Additional bridges can be created, and a container can be attached to a specific one.
The Docker bridge is a virtual device on the host, not a real network interface, and its subnet is not routable from outside the host: an external machine cannot reach a container by its container IP. If a container needs to be reachable from outside, publish its port to the host when creating the container with -p or -P; traffic to the published host port is then forwarded (NATed) into the container.
2, docker network mode
1. Four commonly used docker network modes
| docker network mode | Mode introduction |
|---|---|
| host | The container shares the host's network namespace, that is, the host's interfaces, IP addresses and ports (every container shares the host kernel in any mode; host mode additionally shares the network stack) |
| bridge | The default mode: the container gets its own network namespace attached to a virtual bridge (docker0 by default), as described above |
| none | Isolated network: the container gets its own network namespace with no interface other than loopback, so it cannot reach other containers or the outside |
| container | Several containers share one container's network namespace, that is, the other containers use that container's interfaces, IP address and ports |
2. Detailed explanation of the four common modes
2.1. host mode
In this mode the container does not get its own virtual network card, IP address and so on; it uses the host's IP addresses and ports directly. A container started in host mode does not receive an independent network namespace but shares the host's network namespace.
Only the network namespace is shared in this mode; the file system, processes and so on are still isolated from the host.
A container in host mode talks to the outside world with the host's IP address directly. Services inside the container listen on the host's ports, so no NAT or port mapping is needed.
Host mode gives the best network performance, but a port already in use on the Docker host cannot be used by the container (and the reverse), and there is no network isolation: a process in the container can bind any free host port and sees all of the host's interfaces, which is why host mode is not appropriate for untrusted workloads.
Advantage of host mode: the container uses the host's IP address, so the container's IP address is fixed.
2.2 bridge mode
Bridge mode is the bridge mode described above, and it is the default when creating containers. By default Docker creates a virtual bridge named docker0, and the connection between containers and the host (and onwards to the outside) is configured through this bridge together with iptables rules in the nat table.
When the Docker daemon starts it creates the docker0 virtual bridge on the host, and containers started on that host are connected to this bridge by default.
In short, bridge mode provides a shared segment that connects containers to one another, and traffic between containers and the outside passes through this segment and the host. If other bridges exist, Docker's iptables isolation rules block direct traffic between different bridges; containers on different bridges can still reach each other through ports published on the host, or a container can be connected to more than one network with docker network connect.
Advantage of bridge mode: Docker allocates each container an IP address from the bridge's subnet automatically and writes the iptables nat rules (masquerading for outbound traffic, DNAT for published ports), so the container has network connectivity without manual configuration.
2.3. none mode
There is little to say about this mode: the container is completely sealed off. It has its own network namespace, but no network configuration is applied to it: no network card other than loopback, no IP address, no routes. It therefore cannot communicate with other containers or the outside unless the host deliberately attaches it to a network later (for example with docker network connect) or configures it by hand.
Advantage of none mode: it suits containers that need no network at all. Such a container can serve as an isolated store for resources, with the host reaching in through a narrow interface (docker exec or shared volumes) when needed. It is generally used purely for local storage or processing.
2.4. container mode
This mode resembles host mode, but the namespace shared is another container's rather than the host's. Within a group of containers, one container provides the network namespace (interfaces, IP address, ports), and the other containers, started with --network container:<name>, join it and use that container's IP address to communicate with the outside. As with host mode, only the network is shared; the file system, processes and so on remain isolated.
Processes in the two containers can reach each other over the shared loopback interface (localhost), since they live in the same network namespace.
3, Custom network build container
1. View network list
```
docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
19863407e148   bridge    bridge    local
1aed4a7df0d1   host      host      local
9999064ae519   lnmp      bridge    local
```
The output above shows my current networks. The first two are created by default, and the third is a network I created myself, also with the bridge driver.
2. Customize a network IP
```
docker network create test
e1b000d5288db1b86c7c5b4c0c5d5dd590895e463cf14a385413be38d6b263ff
docker network ls
e1b000d5288d   test      bridge    local
```
This creates a network named test; the driver defaults to bridge. The long hash printed after creation is the ID of the new network.
3. Create container
```
docker run -itd --name test --net test nginx:1.12 /bin/bash
955c2466a3ef06321b2b8a4c420dba6d928e679b0d355758b2deb9481baf9d87
docker ps -a
955c2466a3ef   nginx:1.12   "/bin/bash"   28 seconds ago   Up 27 seconds   80/tcp   test
```
The 80/tcp in the PORTS column is only the port the image exposes with EXPOSE; nothing is published to the host yet. Note also that passing /bin/bash as the command replaces the image's default nginx command, so nginx is not actually running in this container and nothing listens on port 80; the same applies to the containers created later in this article.
4. View the network information of the created container
```
docker inspect test | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "",
                    "IPAddress": "172.20.0.2",
```
The empty "IPAddress" is the deprecated top-level field; the address under NetworkSettings.Networks is the one that matters. A cleaner query is docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test.
Bridge networks: docker0 is created with 172.17.0.0/16 by default, and each further bridge network takes the next /16. I had already created 172.18.0.0/16 and 172.19.0.0/16, so this third bridge received 172.20.0.0/16. If you do not want the automatically chosen subnet, specify the bridge's subnet yourself.
5. Custom bridge segment
```
docker network create --subnet=177.16.0.0/16 test1
```
--subnet=<cidr> sets the subnet for the new network. Note that 177.16.0.0/16 is not private address space (RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); routing a public range to a Docker bridge makes the real Internet hosts in that range unreachable from the containers and from the host, so in practice choose a private range such as 172.16.0.0/16.
After creating the network, create a container on it and view its details:
```
docker run -itd --name test1 --net test1 --ip 177.16.123.21 -p 8808:80 nginx:1.12 /bin/bash
```
--ip assigns the fixed address 177.16.123.21 (a fixed --ip is only accepted on a user-defined network created with an explicit --subnet), and -p 8808:80 publishes host port 8808 to container port 80.
```
docker inspect test1 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "",
                    "IPAddress": "177.16.123.21",
```
The address is the one we configured above.
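Before handing a subnet to docker network create --subnet, it is worth checking that it really is private space, since 177.16.0.0/16 above is not. The script below is an added example and not part of the original article: is_private_subnet does the RFC 1918 check with plain POSIX shell arithmetic, and create_private_network (a hypothetical wrapper name, not a Docker command) refuses to create the network otherwise.

```shell
#!/bin/sh
# Added example, not from the original article: refuse to create a Docker
# network whose --subnet is outside RFC 1918 private space (10.0.0.0/8,
# 172.16.0.0/12, 192.168.0.0/16), so the bridge cannot shadow public addresses
# the way 177.16.0.0/16 above would.

# ip_to_int a.b.c.d: pack a dotted quad into a 32-bit integer.
ip_to_int() {
    # Word-splitting on the dots is intended here.
    # shellcheck disable=SC2046
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_block <ip-int> <base-ip> <prefix-len>: succeed if ip-int lies in base/len.
in_block() {
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $1 & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# is_private_subnet a.b.c.d/len: succeed only if the whole block sits inside
# one RFC 1918 range (the prefix must be at least as long as that range's,
# so 172.0.0.0/8 is rejected even though it overlaps 172.16.0.0/12).
is_private_subnet() {
    net=${1%/*}
    len=${1#*/}
    n=$(ip_to_int "$net")
    for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        base=${blk%/*}
        plen=${blk#*/}
        if [ "$len" -ge "$plen" ] && in_block "$n" "$base" "$plen"; then
            return 0
        fi
    done
    return 1
}

# create_private_network <name> <cidr>: hypothetical wrapper around
# `docker network create` that applies the check first.
create_private_network() {
    if ! is_private_subnet "$2"; then
        echo "refusing to create $1: $2 is not RFC 1918 private space" >&2
        return 1
    fi
    docker network create --subnet="$2" "$1"
}

# Demonstration on the two subnets discussed in this section.
for s in 177.16.0.0/16 172.16.0.0/16; do
    if is_private_subnet "$s"; then echo "$s: private, OK"; else echo "$s: NOT private"; fi
done
```

Run with create_private_network test1 172.16.0.0/16 to create the network, or with 177.16.0.0/16 to see it refused. The check is deliberately stricter than "does the first address fall in a private range": a short prefix such as 172.0.0.0/8 would also route public addresses to the bridge, so the prefix length is compared as well.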
6. Exposed port
Publishing ports was already shown in the custom subnet step above. These are the two options:
-p: publish a specific port. Format: -p 8808:80 maps host port 8808 to container port 80.
Clients connect to port 8808 on the host; the container's own port 80 is not reachable directly. Without an explicit address the host side binds to 0.0.0.0 (and :: for IPv6), that is, every interface on the host, and Docker's own iptables rules let that traffic through regardless of host firewall INPUT rules such as those managed by ufw. To keep a service local to the host, bind it to loopback: -p 127.0.0.1:8808:80.
-P: publish every port the image exposes to a host port chosen by Docker. You cannot pick the port yourself. In fact the allocation is not really random: on my installation it counts up from 49153 (the range depends on the Docker version and host settings). Let's just look at the results.
```
docker run -itd --name test1 --net test1 --ip 177.16.123.21 -p 8808:80 nginx:1.12 /bin/bash
docker run -itd --name test2 --net test1 --ip 177.16.123.22 -P nginx:1.12 /bin/bash
```
The two containers as shown by docker ps -a:
```
a47427ad180c   nginx:1.12   "/bin/bash"   3 seconds ago   Up 1 second    0.0.0.0:49153->80/tcp, :::49153->80/tcp   test2
500090d20e61   nginx:1.12   "/bin/bash"   6 minutes ago   Up 6 minutes   0.0.0.0:8808->80/tcp, :::8808->80/tcp     test1
```
test2 was created with -P and, as said above, received 49153. Note that if the container holding 49153 is deleted and another one is created with -P, 49153 is not handed out again until the allocator has worked its way up to 65535 (unless you request it explicitly with -p). test1 was created with -p and received the specified port 8808.
```
docker rm -f test2
docker run -itd --name test2 --net test1 --ip 177.16.123.22 -P nginx:1.12 /bin/bash
docker ps -a
d6826a9d3c95   nginx:1.12   "/bin/bash"   6 seconds ago   Up 4 seconds   0.0.0.0:49154->80/tcp, :::49154->80/tcp   test2
```
Delete the container that held port 49153 and create it again with exactly the same -P command. The new container is created the same way as before, but it is given 49154, which confirms the statement above.
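Because -p and -P bind to 0.0.0.0 and :: unless told otherwise, the PORTS column of docker ps is a quick way to audit what a host exposes. The script below is an added example, not code from the original article: it parses the text format of docker ps --format '{{.Names}} {{.Ports}}' (the sample lines are constructed to mirror the containers above, plus one container bound to loopback and one whose port is exposed but not published) and reports every mapping bound to all interfaces.

```shell
#!/bin/sh
# Added example, not from the original article: audit published ports that are
# reachable on every host interface. Input is the text produced by
#   docker ps --format '{{.Names}} {{.Ports}}'
# The sample below is constructed to mirror the containers above, plus one
# container bound to loopback and one whose port is exposed but not published.
SAMPLE_PS='test1 0.0.0.0:8808->80/tcp, :::8808->80/tcp
test2 0.0.0.0:49153->80/tcp, :::49153->80/tcp
test3 127.0.0.1:9000->80/tcp
test4 80/tcp'

# wide_open_ports <ps-text>: print "<container> <mapping>" for every published
# port whose host side is a wildcard address (0.0.0.0 for IPv4, :: for IPv6).
wide_open_ports() {
    printf '%s\n' "$1" | while read -r name ports; do
        # Mappings are comma separated. "80/tcp" with no "->" is only EXPOSEd
        # by the image, not published, so it is skipped.
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r m; do
            case "$m" in *'->'*) ;; *) continue ;; esac
            hostpart=${m%%->*}      # 0.0.0.0:8808  or  :::8808  or  127.0.0.1:9000
            hostaddr=${hostpart%:*} # 0.0.0.0       or  ::       or  127.0.0.1
            case "$hostaddr" in
                0.0.0.0|::) printf '%s %s\n' "$name" "$m" ;;
            esac
        done
    done
}

# On a live host, feed the real output through the same function:
#   wide_open_ports "$(docker ps --format '{{.Names}} {{.Ports}}')"
wide_open_ports "$SAMPLE_PS"
```

For each flagged container the fix is to recreate it with an explicit bind address, for example -p 127.0.0.1:8808:80, or to set "ip": "127.0.0.1" in /etc/docker/daemon.json so that every published port defaults to loopback unless an address is given.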
These are some basics of Docker networking. I need to fill in the remaining points gradually; this is a first pass at sorting them out.