Docker默認使用bridge模式, 通過網橋連接到宿主機, 而容器內部的IP則從網橋所在的IP段中取未使用的IP。這樣做不方便的地方在於容器內部的IP不是固定的, 想要連接容器時只能通過映射到宿主機的端口, 於是有不少項目使用overlay來爲docker提供網絡配置, 比如Pipework、Flannel、Kubernetes、Weave、opencontrail等。docker的網絡模式中只有--net=none才能夠爲docker分配固定ip。
1. 建立br0網卡並綁定eth0網卡
[root@docker ~]# cd /etc/sysconfig/network-scripts/
[root@docker network-scripts]# vim ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:7E:AA:ED
TYPE=Ethernet
UUID=77ea2b6a-a0fe-4300-98fc-fb62a64fed4e
ONBOOT=yes
NM_CONTROLLED=yes
#BOOTPROTO=static
#IPADDR=192.168.15.15
#NETMASK=255.255.255.0
#GATEWAY=192.168.15.2
#DNS1=114.114.114.114
BRIDGE=br0 //綁定br0網卡
[root@docker network-scripts]# cp ifcfg-eth0 ifcfg-br0 //複製一塊br0網卡
[root@docker network-scripts]# vim ifcfg-br0
DEVICE=br0
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=static
IPADDR=192.168.15.15
NETMASK=255.255.255.0
GATEWAY=192.168.15.2
DNS1=114.114.114.114
MTU=1500
TYPE=Bridge
USERCTL=no
[root@docker network-scripts]# /etc/init.d/network restart //重啓網絡服務
2. 建立容器
[root@docker network-scripts]# cd /usr/local/src/
[root@docker src]# yum -y install gcc gcc-c++ flex bison
[root@docker src]# wget https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.0.0.tar.gz
[root@docker src]# tar -zxvf iproute2-4.0.0.tar.gz
[root@docker src]# cd iproute2-4.0.0
[root@docker iproute2-4.0.0]# sed -i '/^TARGETS/s@arpd@@g' misc/Makefile
[root@docker iproute2-4.0.0]# ./configure
[root@docker iproute2-4.0.0]# make SBINDIR=/sbin/
[root@docker iproute2-4.0.0]# make SBINDIR=/sbin install
//建立容器腳本
[root@docker iproute2-4.0.0]# cd /root/docker
[root@docker docker]# vim docker_create.sh
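#!/bin/sh
# Start a container with no Docker-managed network (--net=none) and wire it
# to the host bridge by hand, so that it gets a fixed address on the bridge's
# LAN. Run as root: the script creates veth devices, changes bridge
# membership and writes under /var/run/netns and /root/docker.
#
# Stop at the first failing step or unset variable; continuing after a failed
# `docker run` would run the ip/brctl commands below with an empty pid.
set -eu

# Host bridge the container is attached to
brName='br0'
vmName='docker-1'
# Container IP address (CIDR) and default gateway
fixed_ip='192.168.15.41/24'
gateway='192.168.15.2'

# start new container
# NOTE(review): the image is referenced without a tag or digest, so what runs
# depends on what the registry serves at pull time; pin a digest if the image
# content matters.
cid=$(docker run -d -i -h "$vmName" --name="$vmName" --net=none -t jdeathe/centos-ssh)
pid=$(docker inspect -f '{{.State.Pid}}' "$cid")

# docker reports Pid 0 for a container that is not running. The pid is used
# below to build paths and interface names, so accept only a positive integer.
case "$pid" in
  '' | 0 | *[!0-9]*)
    echo "container $vmName is not running (pid='$pid')" >&2
    exit 1
    ;;
esac

## Expose the container's network namespace to `ip netns` and give it a fixed IP
# set up netns
mkdir -p /var/run/netns
# -f/-n: replace a stale link left behind by an earlier process with this pid
ln -sfn "/proc/$pid/ns/net" "/var/run/netns/$pid"

# set up bridge: q<pid> stays on the host, r<pid> goes into the container
ip link add "q$pid" type veth peer name "r$pid"
brctl addif "$brName" "q$pid"
ip link set "q$pid" up

# set up docker interface
ip link set "r$pid" netns "$pid"
ip netns exec "$pid" ip link set dev "r$pid" name eth0
ip netns exec "$pid" ip link set eth0 up
ip netns exec "$pid" ip addr add "$fixed_ip" dev eth0
# use the configured gateway instead of repeating the literal address
ip netns exec "$pid" ip route add default via "$gateway"

# Record the container id and the command that enters its namespaces
echo "container $vmName cid: $cid" >> /root/docker/container_cid.txt
echo "Enter $vmName command: nsenter --target $pid --mount --uts --ipc --net --pid" >> /root/docker/enter_container_command.txt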
[root@docker sbin]# chmod +x docker_create.sh
//運行建立容器腳本
[root@docker docker]# sh docker_create.sh
[root@docker docker]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
82a1dedff146 jdeathe/centos-ssh:latest "/usr/bin/supervisor 54 seconds ago Up 3 seconds docker-42
//此時容器已經啓動,連接容器命令如下
[root@docker docker]# PID=$(docker inspect --format "{{ .State.Pid }}" 82a1dedff146)
[root@docker docker]# nsenter --target $PID --mount --uts --ipc --net --pid
[root@docker /]# ip a|grep eth0
12: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.15.41/24 scope global eth0
[root@docker /]# ping 90root.com
PING 90root.com (112.74.113.61) 56(84) bytes of data.
64 bytes from 112.74.113.61: icmp_seq=1 ttl=128 time=45.9 ms
3. 配置容器
//爲容器eth0網卡配置靜態IP地址(防止容器內部執行/etc/init.d/network restart後不分配IP地址從而斷網)。接着上面的操作繼續
[root@docker /]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
ONBOOT=static
IPADDR=192.168.15.41
NETMASK=255.255.255.0
GATEWAY=192.168.15.2
DNS1=114.114.114.114
//爲容器設置root密碼
[root@docker /]# passwd
Changing password for user root.
New password:
/usr/share/cracklib/pw_dict.pwd: No such file or directory
PWOpen: No such file or directory
解決辦法如下:
[root@docker /]# vi /etc/ssh/sshd_config
PermitRootLogin yes //no改成yes
[root@docker /]# /etc/init.d/sshd restart
[root@docker /]# yum -y reinstall cracklib-dicts
從其它服務器登入容器服務器報錯:
[root@docker .ssh]# ssh root@192.168.15.42
The authenticity of host '192.168.15.42 (192.168.15.42)' can't be established.
RSA key fingerprint is 21:4c:52:ab:18:e2:d5:ef:56:e6:a6:e6:34:6d:b5:7d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.15.42' (RSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
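修改容器服務器的sshd配置(容器橋接在br0上, sshd對整個192.168.15.0/24網段可達, 開啓PasswordAuthentication和PermitRootLogin後root密碼就是唯一的防線, 條件允許時改用密鑰登錄更穩妥):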
[root@docker ~]# vi /etc/ssh/sshd_config
PasswordAuthentication yes //no改成yes
PermitRootLogin yes //no改成yes
[root@docker ~]# /etc/init.d/sshd restart
4. 收尾工作
//當重啓容器或服務器後,容器網卡會被刪除, 此時需要重新創建網卡並配置網絡。
[root@docker ~]# cd /root/docker/start-docker
[root@docker start-docker]# vim start_docker-41.sh
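#!/bin/sh
# Restart an existing --net=none container and rebuild its veth pair, bridge
# membership and fixed IP, which are lost when the container or the host
# restarts. Run as root (the page invokes it from /etc/rc.local).
#
# Stop at the first failing step or unset variable; continuing after a failed
# `docker start` would run the ip/brctl commands below with an empty pid.
set -eu

# Name of the host bridge
BrName=br0
# Container to start. The original never set vmName, so the log line at the
# end was written with an empty container name.
vmName='docker-42'

# Start the container
#docker start f354aacd4052
docker start "$vmName"

# Inspect the container that was just started, by name, instead of a container
# ID copied from `docker ps`: a copied ID goes stale once the container is
# recreated.
cid=$vmName
pid=$(docker inspect -f '{{.State.Pid}}' "$cid")

# docker reports Pid 0 for a container that is not running. The pid is used
# below to build paths and interface names, so accept only a positive integer.
case "$pid" in
  '' | 0 | *[!0-9]*)
    echo "container $vmName is not running (pid='$pid')" >&2
    exit 1
    ;;
esac

## Expose the container's network namespace to `ip netns` and give it a fixed IP
# set up netns
mkdir -p /var/run/netns
# -f/-n: replace a stale link left behind by an earlier process with this pid
ln -sfn "/proc/$pid/ns/net" "/var/run/netns/$pid"

# set up bridge: q<pid> stays on the host, r<pid> goes into the container
ip link add "q$pid" type veth peer name "r$pid"
brctl addif "$BrName" "q$pid"
ip link set "q$pid" up

# set up docker interface
fixed_ip='192.168.15.42/24'
gateway='192.168.15.2'
ip link set "r$pid" netns "$pid"
ip netns exec "$pid" ip link set dev "r$pid" name eth0
ip netns exec "$pid" ip link set eth0 up
ip netns exec "$pid" ip addr add "$fixed_ip" dev eth0
# use the configured gateway instead of repeating the literal address
ip netns exec "$pid" ip route add default via "$gateway"

# Record the command that enters the container's namespaces
echo "Enter $vmName command: nsenter --target $pid --mount --uts --ipc --net --pid" >> /root/docker/enter_container_command.txt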
//將腳本加入到開機啓動項
[root@docker docker]# cat /etc/rc.local
/bin/sh /root/docker/start-docker/start_docker-41.sh
重啓物理機後, 進入docker容器IP地址仍然還在。
//腳本登陸docker容器
[root@docker docker]# docker images
[root@docker docker]# sh -vx enter-docker.sh docker-42
docker啓動、建立容器、登陸容器腳本見附件.