Docker Network Types and Fixed IP Configuration

Docker's Networking Mechanism

Docker has three network types (drivers): bridge, host and null.

  • bridge: works like a bridged switch/hub. A container on a bridge network is assigned an IP from the subnet configured for that bridge; it can be specified with --ip when the container is created with run.
  • host: specified with the --network=host parameter. The container uses the host's network stack, so the two are directly connected. For example, if a service in the container listens on port 8080, the host's port 8080 is automatically mapped to it.
  • none: specified with the --network=none parameter. No LAN IP is assigned.

The networks can be listed and inspected with docker network ls and docker network inspect [name]:

$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
771ed6aaa9f8        bridge              bridge              local
243e4b881761        host                host                local
1c2c6b04e22c        none                null                local

$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
      ...
    }
]

On the host, ifconfig shows the bridge's gateway IP, but the container IPs are not directly visible.

Creating a Custom Network

When starting a Docker container, the default network does not support assigning a fixed IP:

docker run -itd --net bridge --ip 172.17.0.10 centos:latest /bin/bash
6eb1f228cf308d1c60db30093c126acbfd0cb21d76cb448c678bab0f1a7c0df6
docker: Error response from daemon: User specified IP address is supported on user defined networks only.

A user-defined network is required. After it is created, the new bridge's gateway IP is visible on the host:

$ docker network create --subnet=192.168.250.1/24 mybridge
760fb4aec8aef1eacece34d3a28aee1eabde7c47ce8ef9ec646c7c320a4da195

$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
771ed6aaa9f8        bridge              bridge              local
243e4b881761        host                host                local
760fb4aec8ae        mybridge            bridge              local
1c2c6b04e22c        none                null                local

Creating a Container with a Fixed IP

$ docker run --name eureka -itd --net mybridge --ip 192.168.250.3 scot-eureka:latest /bin/bash
ba7f9fcb4178c5181d3ea85eca5d03a132b8f32727c1ca0ee13bfd1ec15e4cc8

$ ping 192.168.250.3
PING 192.168.250.3 (192.168.250.3) 56(84) bytes of data.
64 bytes from 192.168.250.3: icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from 192.168.250.3: icmp_seq=2 ttl=64 time=0.102 ms

Start the official redis 4.0.11 with a fixed IP (when starting the latest = 5.0.0 redis, port 6379 could not be connected to; the specific cause has not been checked yet, 4.0.11 works fine):

$ docker run   -d --name redis2 --net mybridge --ip 192.168.250.2 redis:4.0.11

Docker's Macvlan Network

Creating a macvlan network binds Docker's virtual NIC directly to the host's physical NIC, so containers communicate directly on the network the host is on. In this mode, the host and the Docker containers cannot talk to each other, but containers can reach one another and any other machine on the host's subnet.

Reference: https://docs.docker.com/v17.09/engine/userguide/networking/get-started-macvlan/ which specifically notes that this is a deliberate security isolation; if communication between the host and containers is needed, a sub-interface must be added:

Communication with the Docker host over macvlan

When using macvlan, you cannot ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host's eth0, it will not work. That traffic is explicitly filtered by the kernel modules themselves to offer additional provider isolation and security.

A macvlan subinterface can be added to the Docker host, to allow traffic between the Docker host and containers. The IP address needs to be set on this subinterface and removed from the parent address.

Commands to create the macvlan network:

# Disconnect the container from the old network
$ docker network disconnect bridge-local redis
# Remove the network
$ docker network rm bridge-local
# Create the macvlan network; --aux-address reserves the host's own IP so it is never handed to a container
$ docker network create -d macvlan --subnet=192.168.252.0/24 --gateway=192.168.252.1 --aux-address="parent_host=192.168.252.151" -o parent=enp2s0f0 bridge-local
# Connect the running container to bridge-local with a fixed IP
$ docker network connect bridge-local redis --ip 192.168.252.10
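As an added example (not code from the original post), a Python preflight check over `docker network inspect` output that covers both the fixed-IP rule from the custom-network section (Docker only honours --ip on user-defined networks) and the --aux-address reservation used in the macvlan command above: it reports an --ip that targets a predefined network, lies outside the subnet, equals the gateway, is reserved by an aux-address, or is already held by another container. The inspect JSON is constructed inline; the subnets and the eureka container's address come from the post, the container ID is a placeholder, and the parent_host aux-address is placed on mybridge purely for the sample.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker network inspect bridge mybridge` output.
# Subnets and the eureka address come from the post; the ID and aux-address are sample values.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Containers": {}},
    {"Name": "mybridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "192.168.250.1/24", "Gateway": "192.168.250.1",
                          "AuxiliaryAddresses": {"parent_host": "192.168.250.151"}}]},
     "Containers": {"ba7f9fcb4178": {"Name": "eureka",
                                     "IPv4Address": "192.168.250.3/24"}}},
])

PREDEFINED = {"bridge", "host", "none"}  # Docker rejects --ip on these networks


def check_static_ip(inspect_json: str, network: str, ip: str) -> list:
    """Return the reasons `--ip ip` would fail or collide on `network`; [] means it is safe."""
    nets = {n["Name"]: n for n in json.loads(inspect_json)}
    net = nets.get(network)
    if net is None:
        return [f"network {network!r} not found"]
    problems = []
    if network in PREDEFINED or net.get("Driver") in ("host", "null"):
        problems.append("user-specified IP is supported on user-defined networks only")
    addr = ipaddress.ip_address(ip)
    configs = net.get("IPAM", {}).get("Config") or []
    # strict=False accepts subnets written with host bits set, e.g. 192.168.250.1/24 as in the post
    subnets = [ipaddress.ip_network(c["Subnet"], strict=False) for c in configs]
    if not any(addr in s for s in subnets):
        problems.append(f"{ip} is outside {[str(s) for s in subnets]}")
    for c in configs:
        if c.get("Gateway") == ip:
            problems.append(f"{ip} is the gateway")
        for name, aux in (c.get("AuxiliaryAddresses") or {}).items():
            if aux == ip:
                problems.append(f"{ip} is reserved by --aux-address {name}")
    for ep in (net.get("Containers") or {}).values():
        if ep.get("IPv4Address", "").split("/")[0] == ip:
            problems.append(f"{ip} is already used by container {ep.get('Name')}")
    return problems


if __name__ == "__main__":
    for net, ip in [("bridge", "172.17.0.10"), ("mybridge", "192.168.250.2"),
                    ("mybridge", "192.168.250.3")]:
        print(net, ip, check_static_ip(SAMPLE_INSPECT, net, ip) or "ok")
```

On a live host, feed it the output of `docker network inspect <name>` instead of the sample to catch a clashing --ip before the container is started.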

Reference: http://networkstatic.net/configuring-macvlan-ipvlan-linux-networking/

And how to configure a subinterface on Ubuntu 18.04: https://askubuntu.com/questions/971126/17-10-netplan-config-with-bridge
