On the same host, containers can by default talk to each other directly by IP address (provided the Docker daemon was started with icc=true), but a container's IP address is not fixed, so relying purely on IP addresses for communication is very limiting. Under the traditional Docker network model, the link feature can be used to let containers reach each other's services.
Linking is done by passing the --link option when starting a container, naming the container that needs to be reached. Once linked, the two can communicate regardless of whether icc=true is set:
```
[root@docker1 ~]# docker run -it --link mynginx:myningx1 busybox
```
After this command runs, Docker actually does the following:
- adds a name-resolution record for the linked container to the /etc/hosts file of the newly started container
- imports the linked container's environment variables (those set in its Dockerfile or added through the run command) into the newly started container
```
/ # more /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 myningx1 170cf34abb53 mynginx
172.17.0.5 42256d1f3171
/ # env
MYNINGX1_PORT_80_TCP_PORT=80
MYNINGX1_PORT_80_TCP_PROTO=tcp
HOSTNAME=42256d1f3171
SHLVL=1
HOME=/root
MYNINGX1_PORT_80_TCP=tcp://172.17.0.3:80
MYNINGX1_ENV_NGINX_VERSION=1.13.0-1~stretch
MYNINGX1_ENV_NJS_VERSION=1.13.0.0.1.10-1~stretch
TERM=xterm
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MYNINGX1_PORT=tcp://172.17.0.3:80   <-- the port EXPOSEd in the Dockerfile or via run -p (if -p is given it takes precedence over the Dockerfile EXPOSE)
PWD=/
MYNINGX1_NAME=/admiring_mahavira/myningx1
MYNINGX1_PORT_80_TCP_ADDR=172.17.0.3
```
The environment-variable import is a one-time operation: if the linked container's environment variables change later they are not re-imported, and restarting the linked container does not affect the variables already imported. A change of the linked container's IP address, however, is propagated automatically.
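As an added example (not part of the original post), here is a small Python parser that turns a container's `env` output into a per-link inventory, so you can see exactly what a linked container has handed over: its address, its ports and every `<ALIAS>_ENV_*` variable it exported. The sample text is constructed from the output shown above.

```python
import re
from typing import Any, Dict

# Constructed sample of `env` inside a container started with --link; the
# HOSTNAME line is the container's own variable and must not be attributed
# to the link.
SAMPLE_ENV = """\
MYNINGX1_PORT_80_TCP_PORT=80
MYNINGX1_PORT_80_TCP_PROTO=tcp
HOSTNAME=42256d1f3171
MYNINGX1_PORT_80_TCP=tcp://172.17.0.3:80
MYNINGX1_ENV_NGINX_VERSION=1.13.0-1~stretch
MYNINGX1_ENV_NJS_VERSION=1.13.0.0.1.10-1~stretch
MYNINGX1_PORT=tcp://172.17.0.3:80
MYNINGX1_NAME=/admiring_mahavira/myningx1
MYNINGX1_PORT_80_TCP_ADDR=172.17.0.3
"""

PORT_RE = re.compile(r"^PORT_(\d+)_(TCP|UDP)(?:_(ADDR|PORT|PROTO))?$")


def parse_link_env(env_text: str) -> Dict[str, Dict[str, Any]]:
    """Group link-injected variables by alias.

    Aliases are discovered from the <ALIAS>_NAME variable Docker sets for
    every link; other variables with that prefix are classified as the
    default port, a per-port entry, or an imported environment variable.
    """
    pairs = [line.split("=", 1) for line in env_text.splitlines() if "=" in line]
    aliases = [k[: -len("_NAME")] for k, _ in pairs if k.endswith("_NAME")]
    links = {a: {"name": None, "default_port": None, "ports": {}, "env": {}} for a in aliases}
    for key, value in pairs:
        # Longest alias prefix wins, so MY_DB_PORT is not misread as MY's DB_PORT.
        matches = [a for a in aliases if key.startswith(a + "_")]
        if not matches:
            continue
        alias = max(matches, key=len)
        rest = key[len(alias) + 1:]
        link = links[alias]
        if rest == "NAME":
            link["name"] = value
        elif rest == "PORT":
            link["default_port"] = value
        elif rest.startswith("ENV_"):
            link["env"][rest[len("ENV_"):]] = value
        else:
            m = PORT_RE.match(rest)
            if m:
                port, proto, field = m.groups()
                entry = link["ports"].setdefault(f"{port}/{proto.lower()}", {})
                entry[field.lower() if field else "url"] = value
    return links
```

Every key under `env` is a value the linked container exported to this one, which is the list to review before linking anything that carries credentials.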
Containers on different hosts cannot be linked directly, but there is a link-proxy project called ambassador; see http://www.tuicool.com/articles/RfQRny. It does not seem very useful, though.
The default docker0 bridge network does not support embedded DNS service discovery. A user-defined network can make use of the embedded DNS server (which listens on 127.0.0.11), but when a container is connected to a user-defined network no environment variables are injected. The embedded DNS supports setting search domains, options and so on (through the relevant flags when starting a container), and can automatically forward queries it cannot answer itself to specified external DNS servers (again passed to the embedded DNS through docker run options; if none is specified, the host's DNS servers are used as the fallback). See https://docs.docker.com/engine/userguide/networking/configure-dns/ for details.
```
[root@docker1 ~]# docker network create -d bridge --subnet 172.19.0.0/16 --ip-range 172.19.19.0/24 --gateway 172.19.0.1 mybridgenetwork
2aeddaf04b596e071fcb38f6b7b974a42548ada427e4eebf6387e895614f1356
[root@docker1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
734c4df7548e        bridge              bridge              local
e7f32fd414b9        host                host                local
2aeddaf04b59        mybridgenetwork     bridge              local
206ea33a6608        none                null                local
```
```
[root@docker1 ~]# docker network inspect 2aeddaf04b59
[
    {
        "Name": "mybridgenetwork",
        "Id": "2aeddaf04b596e071fcb38f6b7b974a42548ada427e4eebf6387e895614f1356",
        "Created": "2017-05-11T16:21:19.46774305+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "IPRange": "172.19.19.0/24",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
```
```
[root@docker1 ~]# docker network connect mybridgenetwork busybox-1
[root@docker1 ~]# docker network connect --ip 172.19.100.100 mybridgenetwork busybox-2
```
Above, busybox-1 is connected to the user-defined network without specifying an IP (Docker allocates one automatically), while busybox-2 is given a fixed IP. The result is shown below; note the oddity that Docker handed busybox-1 the network address of the IP range (172.19.19.0):
```
[root@docker1 ~]# docker inspect mybridgenetwork
[
    {
        "Name": "mybridgenetwork",
        "Id": "2aeddaf04b596e071fcb38f6b7b974a42548ada427e4eebf6387e895614f1356",
        "Created": "2017-05-11T16:21:19.46774305+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "IPRange": "172.19.19.0/24",
                    "Gateway": "172.19.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "Containers": {
            "b6d52eeea39291187603380dcc92f1265841c553ac8bbf6a1a78f93f4a84fc47": {
                "Name": "busybox-1",
                "EndpointID": "cf3ff6eb4afa147438ca8fe2bb6c2f2f58918e3b68be4d390903df9c5aa6ae9d",
                "MacAddress": "02:42:ac:13:13:00",
                "IPv4Address": "172.19.19.0/16",
                "IPv6Address": ""
            },
            "e7264ac0da1f303c769bfba470565660c946bc6e4f322a0e3ac95b3e02bf9348": {
                "Name": "busybox-2",
                "EndpointID": "a59c1a2d767cca3659e70fce92f5227ade3743dc523b922196c93d311bdb62a0",
                "MacAddress": "02:42:ac:13:64:64",
                "IPv4Address": "172.19.100.100/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
```
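An added example, not from the post or from Docker: a Python check that reads `docker network inspect` JSON and flags endpoint addresses worth a second look, such as the ip-range network address handed to busybox-1, or an address that sits outside the ip-range because it was set by hand. The sample JSON is constructed from the inspect output above, trimmed to the fields the check reads.

```python
import ipaddress
import json
from typing import List

# Constructed from the `docker network inspect` output above, trimmed to the
# fields this check uses.
SAMPLE_INSPECT = json.dumps([{
    "Name": "mybridgenetwork",
    "IPAM": {"Config": [{"Subnet": "172.19.0.0/16",
                         "IPRange": "172.19.19.0/24",
                         "Gateway": "172.19.0.1"}]},
    "Containers": {
        "b6d52eeea392": {"Name": "busybox-1", "IPv4Address": "172.19.19.0/16"},
        "e7264ac0da1f": {"Name": "busybox-2", "IPv4Address": "172.19.100.100/16"},
    },
}])


def audit_network(inspect_json: str) -> List[str]:
    """Return one finding per endpoint address that deserves review.

    An address in the ip-range's network or broadcast slot is still a valid
    host address of the enclosing /16 subnet, so it is reported as odd
    rather than as broken.
    """
    findings = []
    for net in json.loads(inspect_json):
        for cfg in net["IPAM"]["Config"]:
            subnet = ipaddress.ip_network(cfg["Subnet"])
            ip_range = ipaddress.ip_network(cfg.get("IPRange", cfg["Subnet"]))
            gateway = ipaddress.ip_address(cfg["Gateway"])
            for ep in net.get("Containers", {}).values():
                addr = ipaddress.ip_interface(ep["IPv4Address"]).ip
                if addr not in subnet:
                    continue  # belongs to another IPAM config entry (e.g. IPv6)
                who = f"{net['Name']}/{ep['Name']} {addr}"
                if addr in (subnet.network_address, subnet.broadcast_address):
                    findings.append(f"{who}: not a usable host address in {subnet}")
                elif addr == gateway:
                    findings.append(f"{who}: collides with gateway {gateway}")
                elif addr not in ip_range:
                    findings.append(f"{who}: outside ip-range {ip_range}, probably set with --ip")
                elif addr in (ip_range.network_address, ip_range.broadcast_address):
                    findings.append(f"{who}: network/broadcast slot of ip-range {ip_range}")
    return findings


if __name__ == "__main__":
    for finding in audit_network(SAMPLE_INSPECT):
        print(finding)
```

Run against the page's network it reports both busybox-1 (ip-range network slot) and busybox-2 (manually assigned outside the ip-range).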
Inside busybox-1:
```
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:171 errors:0 dropped:0 overruns:0 frame:0
          TX packets:144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13108 (12.8 KiB)  TX bytes:10449 (10.2 KiB)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:13:13:00
          inet addr:172.19.19.0  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1296 (1.2 KiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```
Inside busybox-2:
```
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:04
          inet addr:172.17.0.4  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:36 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2396 (2.3 KiB)  TX bytes:689 (689.0 B)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:13:64:64
          inet addr:172.19.100.100  Bcast:0.0.0.0  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```
Ping busybox-2 by name from inside busybox-1:
```
/ # ping -c 2 busybox-2
PING busybox-2 (172.19.100.100): 56 data bytes
64 bytes from 172.19.100.100: seq=0 ttl=64 time=2.263 ms
64 bytes from 172.19.100.100: seq=1 ttl=64 time=0.160 ms

--- busybox-2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.160/1.211/2.263 ms
```
The resolv.conf inside the container points at the embedded DNS:
```
/ # more /etc/resolv.conf
search lan f5lab.com
nameserver 127.0.0.11
options ndots:0
```
Meanwhile, docker0 and the later-created network are isolated from each other by iptables:
```
Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in              out             source               destination
    0     0 DROP       all  --  docker0         br-2aeddaf04b59 0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br-2aeddaf04b59 docker0         0.0.0.0/0            0.0.0.0/0
```
https://docs.docker.com/engine/userguide/networking/work-with-networks/
https://docs.docker.com/engine/userguide/networking/
A host-type network lets a container see the host's entire network stack and share the host's network configuration directly (meaning it really behaves like an ordinary process on the host, sharing the host's network ports). Note that if such a container is to serve its application on the host's own address, the relevant iptables entries must be opened.