爲docker配置固定ip

docker默認使用bridge模式，經過網橋鏈接到宿主機，而容器內部的ip則從網橋所在的ip段取未用的ip。這樣作一個不方便的地方在於容器內部的ip不是固定的，想要鏈接容器時只能經過映射到宿主機的端口，於是有不少項目使用overlay來爲docker提供網絡的配置，好比Pipework、Flannel、Kubernetes、Weave、opencontrail等。

想要使用overlay來爲docker配置網絡，須要首先了解下docker的網絡模式：

1. --net=bridge — The default action, that connects the container to the Docker bridge as described above.

2. --net=host — Tells Docker to skip placing the container inside of a separate network stack. In essence, this choice tells Docker to not containerize the container's networking! While container processes will still be confined to their own filesystem and process list and resource limits, a quick ip addr command will show you that, network-wise, they live 「outside」 in the main Docker host and have full access to its network interfaces. Note that this doesnot let the container reconfigure the host network stack — that would require --privileged=true — but it does let container processes open low-numbered ports like any other root process. It also allows the container to access local network services like D-bus. This can lead to processes in the container being able to do unexpected things like restart your computer. You should use this option with caution.

3. --net=container:NAME_or_ID — Tells Docker to put this container's processes inside of the network stack that has already been created inside of another container. The new container's processes will be confined to their own filesystem and process list and resource limits, but will share the same IP address and port numbers as the first container, and processes on the two containers will be able to connect to each other over the loopback interface.

4. --net=none — Tells Docker to put the container inside of its own network stack but not to take any steps to configure its network, leaving you free to build any of the custom configurations explored in the last few sections of this document.

上面這幾種方式只有--net=none才能夠爲docker分配固定ip，來看看如何操做。

首先，配置一個用於建立container interface的網橋，能夠使用ovs，也能夠使用Linux bridge，以Linux bridge爲例：

br_name=docker
brctl addbr $br_name
ip addr add 192.168.33.2/24 dev $br_name ip addr del 192.168.33.2/24 dev em1 ip link set $br_name up brctl addif $br_name eth0

接着，能夠啓動容器了，注意用--net=none方式啓動：

# start new container
hostname='docker.test.com' cid=$(docker run -d -i -h $hostname --net=none -t centos) pid=$(docker inspect -f '{{.State.Pid}}' $cid)

下面，爲該容器配置網絡namespace，並設置固定ip：

# set up netns
mkdir -p /var/run/netns
ln -s /proc/$pid/ns/net /var/run/netns/$pid # set up bridge ip link add q$pid type veth peer name r$pid brctl addif $br_name q$pid ip link set q$pid up # set up docker interface fixed_ip='192.168.33.3/24' gateway='192.168.33.1' ip link set r$pid netns $pid ip netns exec $pid ip link set dev r$pid name eth0 ip netns exec $pid ip link set eth0 up ip netns exec $pid ip addr add $fixed_ip dev eth0 ip netns exec $pid ip route add default via 192.168.33.1

這樣，容器的網絡就配置好了，若是容器內部開啓了sshd服務，經過192.168.33.3就能夠直接ssh鏈接到容器，很是方便。上面的步驟比較長，能夠藉助pipework來爲容器設置固定ip（除了設置IP，還封裝了配置網關、macvlan、vlan、dhcp等功能）：

pipework docker0 be8365e3b2834 10.88.88.8/24

那麼，當容器須要刪除的時候，怎麼清理網絡呢，其實也很簡單：

# stop and delete container
docker stop $cid docker rm $cid # delete docker's net namespace (also delete veth pair) ip netns delete $pid

更多docker網絡的配置，能夠參考官方手冊