Contents
View container information (including configuration, environment, gateway, mounts, cmd, etc.)
Specify the IP address of a container
Execute a command in a container from the host
Docker's four network modes
Host mode
The container shares the host's network namespace and protocol stack, and therefore the host's IP address and port range. No virtual network card is created for the container and no IP is configured for it; it uses the host's IP and ports directly.
If a container is started in host mode it does not get an independent Network Namespace but shares the host's. The container does not get a virtual network card or its own IP address; it uses the host's IP and ports. Other aspects of the container, such as the file system and the process list, remain isolated from the host.
A host-mode container talks to the outside world with the host's IP address, and a service inside the container listens directly on a host port, with no NAT. The main advantage of host mode is network performance, but a port already in use on the Docker host cannot be reused by the container, and network isolation is poor: a process in the container sees all of the host's interfaces (including loopback, and so any service the host binds only to 127.0.0.1) and can bind any free host port. Reserve host mode for containers that genuinely need it.
Container mode
The new container does not get its own network card or IP address; it shares the IP address and port range of a specified existing container.
This mode makes the newly created container share a network namespace with an existing container rather than with the host. The new container does not get a virtual network card or its own IP; it shares the IP, port range and so on of the specified container. Everything else, such as the file system and process list, remains isolated between the two containers. Because they share one namespace, processes in the two containers can talk to each other over the lo loopback device, and a process in either container can see, and bind, ports in the shared namespace.
None mode
This mode turns off the container's network.
In this mode the container has only the lo loopback interface and no other network card. It is selected with --network none when the container is created.
A container in none mode cannot reach the network at all; such a closed network is a good way to contain a workload that has no reason to talk to anything else.
Bridge mode
This mode assigns and configures an IP address for each container, connects the container to the docker0 virtual bridge, and configures the nat table in iptables so that the container can communicate with the host and the outside world.
When the Docker daemon starts it creates a virtual bridge named docker0 on the host, and containers started on the host are connected to it. The virtual bridge works like a physical switch, so all containers on the host sit on one layer-2 network behind that switch. (Containers on the same bridge can therefore reach each other directly unless inter-container communication is disabled on the daemon.)
Docker assigns the container an IP from the docker0 subnet and sets the docker0 address as the container's default gateway. It creates a veth pair on the host, places one end in the new container as eth0 (the container's network card), leaves the other end on the host with a name like vethxxx, and attaches that end to the docker0 bridge. You can see this with brctl show.
Bridge mode is Docker's default: if no --net/--network option is given, the container starts in bridge mode. When you use docker run -p, Docker adds DNAT rules to iptables to implement port forwarding; you can inspect them with iptables -t nat -vnL.
Docker custom networks
List the networks
[root@localhost ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
ae257e2de599   bridge    bridge    local
7139a3eda38f   host      host      local
2df381358ab3   none      null      local
View container information (including configuration, environment, gateway, mounts, cmd, etc.)
docker inspect <container ID>
From a security standpoint the fields worth reading are HostConfig.Privileged, CapAdd/CapDrop, SecurityOpt, NetworkMode, Binds/Mounts, MaskedPaths/ReadonlyPaths, and NetworkSettings.Ports (a HostIp of 0.0.0.0 or :: means the port is reachable on every host interface).
[root@localhost ~]# docker ps -a
CONTAINER ID   IMAGE     COMMAND                    CREATED        STATUS        PORTS                                         NAMES
8cf6de64a6b3   php:v1    "./sbin/php-fpm -c /..."   43 hours ago   Up 43 hours   0.0.0.0:49153->9000/tcp, :::49153->9000/tcp   funny_rosalind
[root@localhost ~]# docker inspect 8cf6de64a6b3
[
  {
    "Id": "8cf6de64a6b3dc5f1fd017d122da81fef48d445cc25f67a7a3534f243c1a6624",
    "Created": "2022-01-14T12:23:14.846582753Z",
    "Path": "./sbin/php-fpm",
    "Args": [
      "-c",
      "/usr/local/php/etc/php-fpm.conf"
    ],
    "State": {
      "Status": "running",
      "Running": true,
      "Paused": false,
      "Restarting": false,
      "OOMKilled": false,
      "Dead": false,
      "Pid": 32820,
      "ExitCode": 0,
      "Error": "",
      "StartedAt": "2022-01-14T12:23:15.17019772Z",
      "FinishedAt": "0001-01-01T00:00:00Z"
    },
    "Image": "sha256:7fa269790e889e2f1d0ae636b99a2f8840952eec09e329825b5033268ef7da3e",
    "ResolvConfPath": "/var/lib/docker/containers/8cf6de64a6b3dc5f1fd017d122da81fef48d445cc25f67a7a3534f243c1a6624/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/8cf6de64a6b3dc5f1fd017d122da81fef48d445cc25f67a7a3534f243c1a6624/hostname",
    "HostsPath": "/var/lib/docker/containers/8cf6de64a6b3dc5f1fd017d122da81fef48d445cc25f67a7a3534f243c1a6624/hosts",
    "LogPath": "/var/lib/docker/containers/8cf6de64a6b3dc5f1fd017d122da81fef48d445cc25f67a7a3534f243c1a6624/8cf6de64a6b3dc5f1fd017d122da81fef48d445cc25f67a7a3534f243c1a6624-json.log",
    "Name": "/funny_rosalind",
    "RestartCount": 0,
    "Driver": "overlay2",
    "Platform": "linux",
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "",
    "ExecIDs": null,
    "HostConfig": {
      "Binds": null,
      "ContainerIDFile": "",
      "LogConfig": {
        "Type": "json-file",
        "Config": {}
      },
      "NetworkMode": "default",
      "PortBindings": {},
      "RestartPolicy": {
        "Name": "no",
        "MaximumRetryCount": 0
      },
      "AutoRemove": false,
      "VolumeDriver": "",
      "VolumesFrom": null,
      "CapAdd": null,
      "CapDrop": null,
      "CgroupnsMode": "host",
      "Dns": [],
      "DnsOptions": [],
      "DnsSearch": [],
      "ExtraHosts": null,
      "GroupAdd": null,
      "IpcMode": "private",
      "Cgroup": "",
      "Links": null,
      "OomScoreAdj": 0,
      "PidMode": "",
      "Privileged": false,
      "PublishAllPorts": true,
      "ReadonlyRootfs": false,
      "SecurityOpt": null,
      "UTSMode": "",
      "UsernsMode": "",
      "ShmSize": 67108864,
      "Runtime": "runc",
      "ConsoleSize": [
        0,
        0
      ],
      "Isolation": "",
      "CpuShares": 0,
      "Memory": 0,
      "NanoCpus": 0,
      "CgroupParent": "",
      "BlkioWeight": 0,
      "BlkioWeightDevice": [],
      "BlkioDeviceReadBps": null,
      "BlkioDeviceWriteBps": null,
      "BlkioDeviceReadIOps": null,
      "BlkioDeviceWriteIOps": null,
      "CpuPeriod": 0,
      "CpuQuota": 0,
      "CpuRealtimePeriod": 0,
      "CpuRealtimeRuntime": 0,
      "CpusetCpus": "",
      "CpusetMems": "",
      "Devices": [],
      "DeviceCgroupRules": null,
      "DeviceRequests": null,
      "KernelMemory": 0,
      "KernelMemoryTCP": 0,
      "MemoryReservation": 0,
      "MemorySwap": 0,
      "MemorySwappiness": null,
      "OomKillDisable": false,
      "PidsLimit": null,
      "Ulimits": null,
      "CpuCount": 0,
      "CpuPercent": 0,
      "IOMaximumIOps": 0,
      "IOMaximumBandwidth": 0,
      "MaskedPaths": [
        "/proc/asound",
        "/proc/acpi",
        "/proc/kcore",
        "/proc/keys",
        "/proc/latency_stats",
        "/proc/timer_list",
        "/proc/timer_stats",
        "/proc/sched_debug",
        "/proc/scsi",
        "/sys/firmware"
      ],
      "ReadonlyPaths": [
        "/proc/bus",
        "/proc/fs",
        "/proc/irq",
        "/proc/sys",
        "/proc/sysrq-trigger"
      ]
    },
    "GraphDriver": {
      "Data": {
        "LowerDir": "/var/lib/docker/overlay2/ab2ca8054c8b0d6561f7a9025bedf1b511be4e4e0bf681e98fb76fb2fb4e6e75-init/diff:/var/lib/docker/overlay2/97bc9178426c019232698efa14f23a6922b989af17b5957b064084ac14a6080a/diff:/var/lib/docker/overlay2/8a45ccd13ce9b7c1d1ff6306b7cd57116b9ebd7650adb111205c7b1dcba602f6/diff:/var/lib/docker/overlay2/56a412a6cb9dc1d51ed1fefe713414dbbcbf3812456db60ae42e3990c969f777/diff:/var/lib/docker/overlay2/0346a1489ea29c73cc823d868ca2ecf3d2eecba37e526d3be487962a31799d8b/diff:/var/lib/docker/overlay2/e5570432f6efca48c9349b39348e9d7270c0039825bc765661ebe3d642d0d881/diff",
        "MergedDir": "/var/lib/docker/overlay2/ab2ca8054c8b0d6561f7a9025bedf1b511be4e4e0bf681e98fb76fb2fb4e6e75/merged",
        "UpperDir": "/var/lib/docker/overlay2/ab2ca8054c8b0d6561f7a9025bedf1b511be4e4e0bf681e98fb76fb2fb4e6e75/diff",
        "WorkDir": "/var/lib/docker/overlay2/ab2ca8054c8b0d6561f7a9025bedf1b511be4e4e0bf681e98fb76fb2fb4e6e75/work"
      },
      "Name": "overlay2"
    },
    "Mounts": [],
    "Config": {
      "Hostname": "8cf6de64a6b3",
      "Domainname": "",
      "User": "",
      "AttachStdin": false,
      "AttachStdout": false,
      "AttachStderr": false,
      "ExposedPorts": {
        "9000/tcp": {}
      },
      "Tty": false,
      "OpenStdin": false,
      "StdinOnce": false,
      "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
      ],
      "Cmd": [
        "./sbin/php-fpm",
        "-c",
        "/usr/local/php/etc/php-fpm.conf"
      ],
      "Image": "php:v1",
      "Volumes": null,
      "WorkingDir": "/usr/local/php",
      "Entrypoint": null,
      "OnBuild": null,
      "Labels": {
        "org.label-schema.build-date": "20201113",
        "org.label-schema.license": "GPLv2",
        "org.label-schema.name": "CentOS Base Image",
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.vendor": "CentOS",
        "org.opencontainers.image.created": "2020-11-13 00:00:00+00:00",
        "org.opencontainers.image.licenses": "GPL-2.0-only",
        "org.opencontainers.image.title": "CentOS Base Image",
        "org.opencontainers.image.vendor": "CentOS"
      }
    },
    "NetworkSettings": {
      "Bridge": "",
      "SandboxID": "8489906f3513ae2b56f596af061a01e863a511854f4018dc53f6d78fe77bccce",
      "HairpinMode": false,
      "LinkLocalIPv6Address": "",
      "LinkLocalIPv6PrefixLen": 0,
      "Ports": {
        "9000/tcp": [
          {
            "HostIp": "0.0.0.0",
            "HostPort": "49153"
          },
          {
            "HostIp": "::",
            "HostPort": "49153"
          }
        ]
      },
      "SandboxKey": "/var/run/docker/netns/8489906f3513",
      "SecondaryIPAddresses": null,
      "SecondaryIPv6Addresses": null,
      "EndpointID": "21b59d7d982195c35a042e573ad32e97c4a816747cc3028517c69c54ed57b60a",
      "Gateway": "172.17.0.1",
      "GlobalIPv6Address": "",
      "GlobalIPv6PrefixLen": 0,
      "IPAddress": "172.17.0.2",
      "IPPrefixLen": 16,
      "IPv6Gateway": "",
      "MacAddress": "02:42:ac:11:00:02",
      "Networks": {
        "bridge": {
          "IPAMConfig": null,
          "Links": null,
          "Aliases": null,
          "NetworkID": "ae257e2de59963aa1a52fbe90feef0ab8ce7523c36afe95f5c4bdd1dea6dee74",
          "EndpointID": "21b59d7d982195c35a042e573ad32e97c4a816747cc3028517c69c54ed57b60a",
          "Gateway": "172.17.0.1",
          "IPAddress": "172.17.0.2",
          "IPPrefixLen": 16,
          "IPv6Gateway": "",
          "GlobalIPv6Address": "",
          "GlobalIPv6PrefixLen": 0,
          "MacAddress": "02:42:ac:11:00:02",
          "DriverOpts": null
        }
      }
    }
  }
]
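The JSON that docker inspect prints is what a reviewer reads to check how a container was started, and it is easier to check with a script than by eye. The following is an added example, not code from the original page: it parses a constructed, trimmed copy of docker inspect output (the first entry mirrors the php:v1 container above; the second is a hypothetical container named admin-agent started with --network host, --privileged, --cap-add SYS_ADMIN and a writable bind mount of /var/run/docker.sock) and reports the settings a reviewer would question. The list of sensitive host paths is an assumption of the example.

```python
from __future__ import annotations
import json

# Constructed, trimmed `docker inspect` output (example data, not captured from the
# page's host). Entry 1 mirrors the php:v1 container shown above; entry 2 is a
# hypothetical container started with --network host, --privileged, --cap-add and a
# writable bind mount of the Docker socket, to show what the checks flag.
SAMPLE_INSPECT = json.loads("""
[
  {
    "Name": "/funny_rosalind",
    "HostConfig": {"Binds": null, "NetworkMode": "default", "CapAdd": null,
                   "Privileged": false, "PublishAllPorts": true},
    "Mounts": [],
    "NetworkSettings": {"Ports": {"9000/tcp": [
        {"HostIp": "0.0.0.0", "HostPort": "49153"},
        {"HostIp": "::", "HostPort": "49153"}]}}
  },
  {
    "Name": "/admin-agent",
    "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/var/www:/data1:ro"],
                   "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"],
                   "Privileged": true, "PublishAllPorts": false},
    "Mounts": [
      {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true},
      {"Type": "bind", "Source": "/var/www", "Destination": "/data1", "RW": false}
    ],
    "NetworkSettings": {"Ports": {}}
  }
]
""")

# Host paths that hand the container control of the host when mounted writable
# (assumed list for this example; extend it for your environment).
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/var/run/docker.sock", "/var/lib/docker")
WILDCARD_HOST_IPS = {"0.0.0.0", "::", ""}


def is_sensitive_host_path(src: str) -> bool:
    """True for the host root or any path at or below a sensitive prefix."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(c: dict) -> list[str]:
    """Return one finding per setting a reviewer would question."""
    findings = []
    name = c.get("Name", "?").lstrip("/")
    hc = c.get("HostConfig") or {}

    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: shares the host network namespace (--network host)")
    if hc.get("Privileged"):
        findings.append(f"{name}: runs with --privileged")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"{name}: added capability {cap}")

    # NetworkSettings.Ports is the effective mapping; HostIp 0.0.0.0 or :: means the
    # port is published on every host interface, not just the one you expected.
    ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
    for spec, bindings in ports.items():
        for b in bindings or []:
            if b.get("HostIp") in WILDCARD_HOST_IPS:
                findings.append(f"{name}: {spec} published on all interfaces "
                                f"({b['HostIp']}:{b['HostPort']})")

    # Mounts carries the resolved bind mounts with an explicit RW flag, which is
    # simpler to check than parsing the ":ro" suffix out of Binds.
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("RW", True) and is_sensitive_host_path(m.get("Source", "")):
            findings.append(f"{name}: writable bind mount of sensitive host path {m['Source']}")
    return findings


def audit_all(containers: list[dict]) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "->", "clean" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample; the read-only /var/www mount in the second entry is deliberately not reported, which is the shape a bind mount of web content should have.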
Specify the IP address of a container
docker run -itd --name test1 --network bridge --ip 172.17.0.10 centos:latest /bin/bash
This fails on the default bridge network, because a user-specified IP address is only supported on user-defined networks:
[root@localhost ~]# docker run -itd --name test1 --network bridge --ip 172.17.0.10 centos:latest /bin/bash
Unable to find image 'centos:latest' locally
latest: Pulling from library/centos
a1d0c7532777: Pull complete
Digest: sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177
Status: Downloaded newer image for centos:latest
e7ac622660ffdd8c0da45e1c147abc5d5360546dc7438a952cf8d2bda6c8e81d
docker: Error response from daemon: user specified IP address is supported on user defined networks only.
Note that the container was created (its ID is printed) before the start failed, so it is left behind in the Created state and shows up in docker ps -a until it is removed.
Fixed IP on a custom network
docker network create [--driver bridge] --subnet=172.18.0.0/16 mynetwork
docker run -itd --name test2 --net mynetwork --ip 172.18.0.100 centos:latest /bin/bash
[root@localhost ~]# docker network create --subnet=172.18.0.0/16 mynetwork
73927b376e17d92af084b5d009434595bc85ccc10fd968a767a1cbd21fb7e114
[root@localhost ~]# docker run -itd --name test2 --net mynetwork --ip 172.18.0.100 centos:latest /bin/bash
14e3fe4f8984173f2f7ac8d8e7d2b651271cab092db4c95b87662a253a5a2e34
This time the container starts without error (bridge is the default driver, so --driver bridge may be omitted).
Port mapping
If no port is published when the container is started, the service inside it cannot be reached from outside the container over the network. Docker's port-mapping mechanism exposes a service in the container to the outside network: a port on the host is mapped to a port in the container, so that the service can be reached by connecting to the host port.
To publish a port, use the -p (lowercase) option of docker run and specify the mapping.
The -P (uppercase) option publishes ports randomly: for each port the image exposes, Docker picks a free host port from its dynamic range (starting at 49153 in the examples on this page).
-p user-defined port (host port:container port)
-P random port (allocated from 49153 upwards; the php:v1 container above got 49153)
docker run -itd -p 333:80 nginx        (on the docker0 bridge; host port 333 is forwarded to port 80 in the container)
docker run -itd -P nginx
Do not append /bin/bash to these commands: it replaces the image's default nginx command, so nothing would be listening on port 80. Also note that without a host address, -p 333:80 binds 0.0.0.0:333, and the DNAT rule matches on every host interface, so the service is reachable from the network regardless of INPUT-chain firewall rules. Use -p 127.0.0.1:333:80 when the service should only be reachable from the host itself.
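The bridge-mode section above and the port-mapping commands here both come down to the DNAT rules in the DOCKER chain of the nat table. As an added example (not from the original page), the following Python script parses `iptables -t nat -vnL DOCKER` output, reports each published port and the container ip:port it forwards to, and flags rules that match on every host address. The sample output is constructed: the 49153 rule corresponds to the php:v1 container shown earlier, the 333 rule to docker run -p 333:80 nginx, and the 127.0.0.1 rule to a hypothetical -p 127.0.0.1:8080:80 mapping that the page does not itself show.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -vnL DOCKER` output (example data, not
# captured from the page's host). 49153 -> 172.17.0.2:9000 matches the php:v1
# container (-P), 333 -> 172.17.0.3:80 matches `docker run -p 333:80 nginx`, and the
# 127.0.0.1 rule is what a hypothetical `-p 127.0.0.1:8080:80` would produce.
SAMPLE_NAT_DOCKER_CHAIN = """\
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  br-73927b376e17 *       0.0.0.0/0            0.0.0.0/0
   12   720 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:49153 to:172.17.0.2:9000
    3   180 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:333 to:172.17.0.3:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:8080 to:172.17.0.4:80
"""

# Matches the DNAT rules docker run -p/-P writes: protocol, in-interface, out-interface,
# source, destination, then "tcp dpt:<host port> to:<container ip>:<container port>".
DNAT_RE = re.compile(
    r"\bDNAT\s+(?P<proto>tcp|udp)\s+--\s+(?P<in_if>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+(?P=proto)\s+dpt:(?P<host_port>\d+)\s+to:(?P<ctr_ip>[\d.]+):(?P<ctr_port>\d+)"
)


@dataclass(frozen=True)
class PublishedPort:
    proto: str
    host_addr: str        # "0.0.0.0/0" = the rule matches traffic to any host address
    host_port: int
    container_ip: str
    container_port: int

    @property
    def reachable_from_network(self) -> bool:
        # Published traffic is DNATed in PREROUTING and then forwarded to the container,
        # so the host's INPUT-chain rules never see it. A rule with no destination
        # restriction is therefore reachable from any network the host is attached to.
        return self.host_addr == "0.0.0.0/0"


def parse_docker_nat_chain(text: str) -> list[PublishedPort]:
    """Extract the port-forwarding rules from `iptables -t nat -vnL DOCKER` output."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            rules.append(PublishedPort(
                proto=m["proto"], host_addr=m["dst"], host_port=int(m["host_port"]),
                container_ip=m["ctr_ip"], container_port=int(m["ctr_port"]),
            ))
    return rules


def network_reachable(rules: list[PublishedPort]) -> list[PublishedPort]:
    """The subset of rules that expose a container port beyond the host itself."""
    return [r for r in rules if r.reachable_from_network]


if __name__ == "__main__":
    for r in parse_docker_nat_chain(SAMPLE_NAT_DOCKER_CHAIN):
        scope = "ALL host addresses" if r.reachable_from_network else f"only {r.host_addr}"
        print(f"{r.proto}/{r.host_port} -> {r.container_ip}:{r.container_port}  ({scope})")
```

On a live host pipe the real chain in (`iptables -t nat -vnL DOCKER | python3 this_script.py` after replacing the constant with sys.stdin.read()); comparing its output with `docker ps` is a quick way to spot a published port that nobody remembers opening.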
Execute a command in a container from the host
docker exec -it <container ID> /bin/bash -c ls
docker exec <container ID or name> <command>
[root@localhost ~]# docker exec -it 57d0cb8e7608 /bin/bash -c ls
bin   docker-entrypoint.d   home   media  proc  sbin  tmp
boot  docker-entrypoint.sh  lib    mnt    root  srv   usr
dev   etc                   lib64  opt    run   sys   var
Docker data management
To inspect the data a container generates, or to share data between several containers, Docker provides data management for containers.
There are two main ways to manage data in Docker containers: data volumes and data volume containers.
Data volume
A data volume is a special directory used by the container. It appears inside the container, and a host directory can be mounted onto it. Changes to the data volume are visible immediately, and updates to the data do not affect the image, which is how data is moved between the host and the container. Using a data volume is similar to mounting a directory under Linux. Keep in mind that a bind-mounted host directory is shared at the file-system level: a root process in the container has the same access to it as root on the host, so mount only the directory that is needed, and mount it read-only (:ro) where the container only needs to read it.
Create a data volume
Use the -v option of docker run to create a data volume in the container. Repeat -v to create several volumes. The --name option gives the container a friendly custom name.
Mount the host directory /var/www at /data1 in the container:
[root@localhost /data]# docker run -itd -v /var/www:/data1/ --name web1 centos /bin/bash
7ef37e79816ae729b22b7e5aa5920a10643346efa2518955b42e1fbdedbafccc
Enter the web1 container
[root@localhost /data]# docker exec -it web1 /bin/bash
[root@7ef37e79816a /]# ls
bin  data1  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@7ef37e79816a /]# cd /var/
[root@7ef37e79816a var]# ls
adm  cache  crash  db  empty  ftp  games  gopher  kerberos  lib  local  lock  log  mail  nis  opt  preserve  run  spool  tmp  yp
[root@7ef37e79816a var]# cd /data1/
[root@7ef37e79816a data1]# ls
[root@7ef37e79816a data1]# touch test111
[root@7ef37e79816a data1]# touch index.html
[root@7ef37e79816a data1]# ls
index.html  test111
[root@7ef37e79816a data1]# exit
exit
Back on the host, the files created inside the container are present in /var/www:
[root@localhost /data]# cd /var/
[root@localhost /var]# ls
account  adm  cache  crash  db  empty  games  gopher  kerberos  lib  local  lock  log  mail  nis  opt  preserve  run  spool  target  tmp  www  yp
[root@localhost /var]# cd www/
[root@localhost /var/www]# ls
index.html  test111
Data volume container
To share data between containers, the simplest way is a data volume container: an ordinary container whose data volumes other containers mount and use. Create one container to act as the data volume container, then pass --volumes-from when creating the other containers; they then use that container's data volumes.
First create a container with two data volumes
[root@localhost /var/www]# docker run --name web100 -v /data3 -v /data4 -itd centos /bin/bash
ebe7ac343ee9b6f0af47f25922d317ee22cf968254163a06edb697b2339d6339
Mount the volumes of web100 in a new container
[root@localhost /var/www]# docker run -itd --volumes-from web100 --name db1 centos /bin/bash
a27c0c385031e37147f4a5db913042ce1ebe56db8ef246985365e869734015ba
Create a file in the db1 container and view it in the web100 container
[root@localhost /var/www]# docker exec -it db1 /bin/bash
[root@a27c0c385031 /]# cd /data1
bash: cd: /data1: No such file or directory
[root@a27c0c385031 /]# cd /data3/
[root@a27c0c385031 data3]# ls
[root@a27c0c385031 data3]# touch file
[root@a27c0c385031 data3]# ls
file
[root@a27c0c385031 data3]# exit
exit
[root@localhost /var/www]# docker exec -it web100 /bin/bash
[root@ebe7ac343ee9 /]# ls
bin  data3  data4  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
[root@ebe7ac343ee9 /]# cd data3/
[root@ebe7ac343ee9 data3]# ls
file
Principle: both containers mount the same volume, so a write in one is immediately visible in the other. (/data1 does not exist in db1 because it was a bind mount of web1, not a volume of web100.)
Summary
1. Docker's four network modes and how they work
2. There are two ways to manage data in a container: data volumes and data volume containers.
3. Docker maps container ports to host ports to make container services reachable over the network.