docker容器網絡配置

Linux內核實訓名稱空間的創建

ip netns命令

可以使用 ip netns 命令來完成對 Network Namespace 的各種操作。ipnetns 命令來自于 iproute，一般系統會默認，如果沒有的話，請自行安裝安裝。

注意：ip netns命令修改網絡配置時需要sudo權限。

可以通過 ip netns 命令完成對 Network Namespace 的相關操作，可以通過 ip netns help 查看命令幫助信息：

[root@localhost ~]# ip netns help Usage: ip netns listip netns add NAMEip netns attach NAME PIDip netns set NAME NETNSIDip [-all] netns delete [NAME]ip netns identify [PID]ip netns pids NAMEip [-all] netns exec [NAME] cmd ...ip netns monitorip netns list-id [target-nsid POSITIVE-INT] [nsid POSITIVE-INT] NETNSID := auto | POSITIVE-INT

在這種情況下，Linux 系統中是沒有任何網絡命名空間的，所以 ip netns list 命令不會默認返回任何信息。

創建網絡命名空間

通過命令創建一個名為ns0的命名空間：

[root@localhost ~]# ip netns list [root@localhost ~]# ip netns add nn0 [root@localhost ~]# ip netns list nn0 nn0

新創建的網絡命名空間會出現在/var/run/netns/下。如果名字相同的命名空間已經存在，命令報Cannot create namespace file “/var/run/netns/ns0”: File exists的錯誤。

[root@localhost ~]# ls /var/run/netns nn0 [root@localhost ~]# ip netns add nn0 Cannot create namespace file "/var/run/netns/nn0": File exists

對于每個 Network Namespace 而言，它都有自己獨立的網卡、路由表、ARP 表、iptables 等和網絡相關的資源。

網絡操作網絡命名空間

ip命令提供了ip netns exec子命令可以在網絡命名空間中執行命令。

查看新創建 Network Namespace 的網卡信息

[root@localhost ~]# ip netns exec nn0 ip a 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

可以看到，創建命名空間中會默認創建一個卡，此時網卡環回網訪問網卡環網關閉狀態。此時，新嘗試會提示網絡無法訪問

[root@localhost ~]# ip netns exec nn0 ping 127.0.0.1 connect: Network is unreachable

通過下面的命令啟用lo回環網卡：

[root@localhost ~]# ip netns exec nn0 ip link set lo up [root@localhost ~]# ip netns exec nn0 ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever [root@localhost ~]# ip netns exec nn0 ping 127.0.0.1 PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.066 ms 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.074 ms 64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.038 ms 64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.042 ms 64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.037 ms 64 bytes from 127.0.0.1: icmp_seq=6 ttl=64 time=0.044 ms 64 bytes from 127.0.0.1: icmp_seq=7 ttl=64 time=0.036 ms 64 bytes from 127.0.0.1: icmp_seq=8 ttl=64 time=0.035 ms 64 bytes from 127.0.0.1: icmp_seq=9 ttl=64 time=0.039 ms ^C --- 127.0.0.1 ping statistics --- 9 packets transmitted, 9 received, 0% packet loss, time 8184ms rtt min/avg/max/mdev = 0.035/0.045/0.074/0.015 ms

轉移設備

我們可以在不同的網絡命名空間之間轉移設備（如veth）。由于一個設備只能屬于一個網絡命名空間，所以之后在這個網絡命名空間內就看不到這個設備了。

其中，veth設備屬于可轉移設備，而很多其他設備（如lo、vxlan、ppp、bridge等）是不可以轉移的。

veth 對

veth pair是Virtual Ethernet Pair，是一個成對的所有端口，所有從這對一個端口進入的數據包都指向另一端，另一端出來的另一端的數據包都直接呼叫另一個端口
。 ，利用它可以直接將兩個 Network Namespace 連接起來。

創建第 veth 對

[root@localhost ~]# ip link add type veth [root@localhost ~]# ip a 5: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000link/ether 9a:4a:a7:db:34:20 brd ff:ff:ff:ff:ff:ff 6: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000link/ether 02:30:3e:4e:30:b4 brd ff:ff:ff:ff:ff:ff

看到，此時系統中新增了兩個 veth pair，將 veth0 和 veth1 兩個虛擬機連接起來，此時 veth pair 可以對“未啟用”狀態。

Network Namespace間通信實現

下面利用第 veth 對的兩個不同的 Network Namespace 之間的通信。剛才我們已經實現了一個名為我們 ns0 的 Network Namespace，下面再創建一個信息 Network Namespace，命名為 ns1

[root@localhost ~]# ip netns add ns1 [root@localhost ~]# ip netns list ns1 nn0

然后我們將 veth0 加入到 ns0，將 veth1 加入到 ns1

[root@localhost ~]# ip link set veth0 netns nn0 [root@localhost ~]# ip link set veth1 netns ns1

然后我們分別為這對配置上的ip地址，并啟用了它們

[root@localhost ~]# ip netns exec ns0 ip link set veth0 up [root@localhost ~]# ip netns exec ns0 ip addr add 10.0.0.1/24 dev veth0 [root@localhost ~]# ip netns exec ns1 ip link set lo up [root@localhost ~]# ip netns exec ns1 ip link set veth1 up [root@localhost ~]# ip netns exec ns1 ip addr add 10.0.0.2/24 dev veth1

查看這對veth對的狀態

[root@localhost ~]# ip netns exec ns0 ip a 5: veth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000link/ether 72:bf:69:5a:d3:65 brd ff:ff:ff:ff:ff:ff link-netns ns1inet 10.0.0.1/24 scope global veth0valid_lft forever preferred_lft foreverinet6 fe80::70bf:69ff:fe5a:d365/64 scope link valid_lft forever preferred_lft forever [root@localhost ~]# ip netns exec ns1 ip a 6: veth1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000link/ether ae:b1:b8:29:e2:96 brd ff:ff:ff:ff:ff:ff link-netns ns0inet 10.0.0.2/24 scope global veth1valid_lft forever preferred_lft foreverinet6 fe80::acb1:b8ff:fe29:e296/64 scope link valid_lft forever preferred_lft forever

從上面可以，我們已經成功啟用了這個 veth 對，并為每個 veth 設備配置了 IP 地址。我們嘗試在 ns1 中訪問 ns0 中的 ip 地址：

[root@localhost ~]# ip netns exec ns1 ping 10.0.0.1 PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=20.8 ms 64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=105 ms 64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.043 ms 64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.062 ms 64 bytes from 10.0.0.1: icmp_seq=5 ttl=64 time=0.053 ms ^X64 bytes from 10.0.0.1: icmp_seq=6 ttl=64 time=0.051 ms 64 bytes from 10.0.0.1: icmp_seq=7 ttl=64 time=0.053 ms 64 bytes from 10.0.0.1: icmp_seq=8 ttl=64 time=0.050 ms ^C --- 10.0.0.1 ping statistics --- 8 packets transmitted, 8 received, 0% packet loss, time 7120ms rtt min/avg/max/mdev = 0.043/15.742/104.790/34.337 ms

veth設備重命名

[root@localhost ~]# [root@localhost ~]# ip netns exec ns0 ip link set eth0 up [root@localhost ~]# ip netns exec ns0 ip link set veth0 down [root@localhost ~]# ip netns exec ns0 ip link set dev veth0 name eth0 [root@localhost ~]# ip netns exec ns0 ifconfig -a eth0: flags=4098<BROADCAST,MULTICAST> mtu 1500inet 10.0.0.1 netmask 255.255.255.0 broadcast 0.0.0.0ether 72:bf:69:5a:d3:65 txqueuelen 1000 (Ethernet)RX packets 24 bytes 1944 (1.8 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 24 bytes 1944 (1.8 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536inet 127.0.0.1 netmask 255.0.0.0inet6 ::1 prefixlen 128 scopeid 0x10<host>loop txqueuelen 1000 (Local Loopback)RX packets 22 bytes 1848 (1.8 KiB)RX errors 0 dropped 0 overruns 0 frame 0TX packets 22 bytes 1848 (1.8 KiB)TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

四種網絡模式配置

橋接模式配置

[root@localhost ~]# docker run -it --name t1 --rm busybox Unable to find image 'busybox:latest' locally latest: Pulling from library/busybox 5cc84ad355aa: Pull complete Digest: sha256:5acba83a746c7608ed544dc1533b87c737a0b0fb730301639a0179f9344b1678 Status: Downloaded newer image for busybox:latest / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02 inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:15 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:1242 (1.2 KiB) TX bytes:0 (0.0 B)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0UP LOOPBACK RUNNING MTU:65536 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)/ # ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft forever 7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ffinet 172.17.0.2/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever

無模式配置

[root@localhost ~]# docker run -it --name t1 --network none --rm busybox / # ifconfig -a lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0UP LOOPBACK RUNNING MTU:65536 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

啟動第一個容器

[root@localhost ~]# docker run -it --name b1 --rm busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02 inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:10 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:836 (836.0 B) TX bytes:0 (0.0 B)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0UP LOOPBACK RUNNING MTU:65536 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

啟動第二個容器

[root@localhost ~]# docker run -it --name b2 --rm busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02 inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:11 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:906 (906.0 B) TX bytes:0 (0.0 B)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0UP LOOPBACK RUNNING MTU:65536 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

可以看到名為10.0.0的容器的IP地址是10.0.0.b2，第一個容器的IP地址不是一樣的b2，如果我們沒有與容器共享網絡，此時將第二個容器的啟動方式改變，容器就可以使名為b2的IP與B1的IP容器一致，也即共享IP，但不共享文件系統。

[root@localhost ~]# docker run -it --name b2 --rm --network container:b1 busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:0A:00:00:02 inet addr:10.0.0.2 Bcast:10.0.255.255 Mask:255.255.0.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:8 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)

此時在b1容器上創建一個我們的目錄

/ # mkdir /tmp/data / # ls /tmp data

到b2容納上會并并，因為文件系統是沒有這個目錄/保存目錄顯示的，發現共識了。

在 b2 容器上部署一個站點

/ # echo 'hello world' > /tmp/index.html / # ls /tmp index.html / # httpd -h /tmp / # netstat -antl Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 :::80 :::* LISTEN

在 b1 容器上用本地地址訪問此站點

/ # wget -O - -q 127.0.0.1:80 hello world

可見，包含相同模式下的包含間關系就同一主機上的兩個不同進程

主機模式配置

啟動容器時直接指定模式為主機

[root@localhost ~]# docker run -it --name b2 --rm --network host busybox / # ifconfig docker0 Link encap:Ethernet HWaddr 02:42:06:25:98:91 inet addr:10.0.0.1 Bcast:10.0.255.255 Mask:255.255.0.0inet6 addr: fe80::42:6ff:fe25:9891/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:55 errors:0 dropped:0 overruns:0 frame:0TX packets:82 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:8339 (8.1 KiB) TX bytes:7577 (7.3 KiB)ens33 Link encap:Ethernet HWaddr 00:0C:29:01:78:90 inet addr:192.168.10.144 Bcast:192.168.10.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe01:7890/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:55301 errors:0 dropped:0 overruns:0 frame:0TX packets:26269 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000 RX bytes:63769938 (60.8 MiB) TX bytes:2672449 (2.5 MiB)lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0inet6 addr: ::1/128 Scope:HostUP LOOPBACK RUNNING MTU:65536 Metric:1RX packets:42 errors:0 dropped:0 overruns:0 frame:0TX packets:42 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000 RX bytes:4249 (4.1 KiB) TX bytes:4249 (4.1 KiB)vethffa4d46 Link encap:Ethernet HWaddr 06:4F:68:16:6E:B0 inet6 addr: fe80::44f:68ff:fe16:6eb0/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:8 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:648 (648.0 B)

這時如果我們啟動一個http站點，我們就可以直接在這個容器中的容器中訪問我們的IP地址。

容器的常用操作

查看容器的主機名

[root@localhost ~]# docker run -it --name t1 --network bridge --rm busybox / # hostname 306cba8fac72

在容器啟動時注入主機名

/ # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 172.17.0.2 306cba8fac72 / # cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 192.168.207.2 nameserver 172.16.0.1 / # ping www.baidu.com PING www.baidu.com (36.152.44.95): 56 data bytes 64 bytes from 36.152.44.95: seq=0 ttl=127 time=25.140 ms 64 bytes from 36.152.44.95: seq=1 ttl=127 time=28.121 ms 64 bytes from 36.152.44.95: seq=2 ttl=127 time=25.812 ms 64 bytes from 36.152.44.95: seq=3 ttl=127 time=27.584 ms 64 bytes from 36.152.44.95: seq=4 ttl=127 time=31.692 ms 64 bytes from 36.152.44.95: seq=5 ttl=127 time=39.867 ms 64 bytes from 36.152.44.95: seq=6 ttl=127 time=41.282 ms

手動指定容器要使用的DNS

/ # docker run -it --name t1 --network bridge --hostname ljl --dns sh: docker: not found / # cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 192.168.207.2 nameserver 172.16.0.1 / # nslookup -type=a www.baidu.com Server: 192.168.207.2 Address: 192.168.207.2:53Non-authoritative answer: Name: www.baidu.com Address: 36.152.44.95

手動往/etc/hosts文件中注入主機名到IP地址的映射

[root@localhost ~]# docker run -it --name t1 --network bridge --hostname ljl --add-host www.a.com:1.1.1.1 --rm busybox / # cat /etc/hosts 127.0.0.1 localhost ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 1.1.1.1 www.a.com 172.17.0.3 ljl

開放容器端口

執行docker run的時候有個-p選項，可以將容器中的應用端口映射到宿主機中，從而實現讓外部主機可以通過訪問宿主機的某端口來訪問容器內應用的目的。

-p選項能夠使用多次，其所能夠暴露的端口必須是容器確實在監聽的端口。

-p選項的使用格式：

• -p containerPort
• 將指定的容器端口映射至主機所有地址的一個動態端口
• -p hostPort : containerPort
• 將容器端口 containerPort 映射至指定的主機端口 hostPort
• -p ip :: containerPort
• 將指定的容器端口 containerPort 映射至主機指定 ip 的動態端口
• -p ip : hostPort : containerPort
• 將指定的容器端口 containerPort 映射至主機指定 ip 的端口 hostPort

動態端口指的是隨機端口，具體的映射結果可使用docker port命令查看。

[root@localhost ~]# docker run -dit --name web1 -p 192.168.203.138::80 httpd e97bc1774e40132659990090f0e98a308a7f83986610ca89037713e9af8a6b9f [root@localhost ~]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e97bc1774e40 httpd "httpd-foreground" 6 seconds ago Up 5 seconds 192.168.203.138:49153->80/tcp web1 af5ba32f990e busybox "sh" 48 minutes ago Up 48 minutes b3 [root@localhost ~]# ss -antl State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 192.168.203.138:49153 0.0.0.0:* LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 [::]:22 [::]:*

以上命令執行后會一直占用著前端，我們新開一個終端連接來看一下容器的80端口被映射到了宿主機的什么端口上

[root@localhost ~]# docker port web1 80/tcp -> 192.168.203.138:49153

由此可見，容器的80端口被暴露到了宿主機的49153端口上，此時我們在宿主機上訪問一下這個端口看是否能訪問到容器內的站點

[root@localhost ~]# curl http://192.168.203.138:49153 <html><body><h1>It works!</h1></body></html>

iptables防火墻規則將隨容器的創建自動生成，隨容器的刪除自動刪除規則。

[root@localhost ~]# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 3 164 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCALChain INPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 4 261 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0 0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:80Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)pkts bytes target prot opt in out source destination 2 120 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCALChain DOCKER (2 references)pkts bytes target prot opt in out source destination 1 60 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0 1 60 DNAT tcp -- !docker0 * 0.0.0.0/0 192.168.203.138 tcp dpt:49153 to:172.17.0.3:80

將容器端口映射到指定IP的隨機端口

[root@localhost ~]# docker run -dit --name web1 -p 192.168.203.138::80 httpd

在另一個終端上查看端口映射情況

[root@localhost ~]# docker port web1 80/tcp -> 192.168.203.138:49153

自定義docker0橋的網絡屬性信息

自定義docker0橋的網絡屬性信息需要修改/etc/docker/daemon.json配置文件

[root@localhost ~]# cd /etc/docker/ [root@localhost docker]# vim daemon.json [root@localhost docker]# systemctl daemon-reload [root@localhost docker]# systemctl restart docker{"registry-mirrors": ["https://4hygggbu.mirror.aliyuncs.com/"],"bip": "192.168.1.5/24" } EOF [root@localhost ~]# vim /lib/systemd/system/docker.service ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock [root@localhost ~]# systemctl daemon-reload [root@localhost ~]# systemctl restart docker

在客戶端上向dockerd直接傳遞“-H|–host”選項指定要控制哪臺主機上的docker容器

[root@localhost ~]# docker -H 192.168.203.138:2375 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES e97bc1774e40 httpd "httpd-foreground" 30 minutes ago Up 11 seconds 192.168.203.138:49153->80/tcp web1 af5ba32f990e busybox "sh" About an hour ago Up 14 seconds b3

創建新網絡

[root@localhost ~]# docker network create ljl -d bridge 883eda50812bb214c04986ca110dbbcb7600eba8b033f2084cd4d750b0436e12 [root@localhost ~]# docker network ls NETWORK ID NAME DRIVER SCOPE 0c5f4f114c27 bridge bridge local 8c2d14f1fb82 host host local 883eda50812b ljl bridge local 85ed12d38815 none null local

創建一個額外的自定義橋，區別于docker0

[root@localhost ~]# docker network create -d bridge --subnet "192.168.2.0/24" --gateway "192.168.2.1" br0 af9ba80deb619de3167939ec5b6d6136a45dce90907695a5bc5ed4608d188b99 [root@localhost ~]# docker network ls NETWORK ID NAME DRIVER SCOPE af9ba80deb61 br0 bridge local 0c5f4f114c27 bridge bridge local 8c2d14f1fb82 host host local 883eda50812b ljl bridge local 85ed12d38815 none null local

使用新創建的自定義橋來創建容器：

[root@localhost ~]# docker run -it --name b1 --network br0 busybox / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:02:02 inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:11 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:962 (962.0 B) TX bytes:0 (0.0 B)

再創建一個容器，使用默認的bridge橋：

[root@localhost ~]# docker run --name b2 -it busybox / # ls bin dev etc home proc root sys tmp usr var / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:01:03 inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:6 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:516 (516.0 B) TX bytes:0 (0.0 B) RX bytes:962 (962.0 B) TX bytes:0 (0.0 B) 再創建一個容器，使用默認的bridge橋：```ruby [root@localhost ~]# docker run --name b2 -it busybox / # ls bin dev etc home proc root sys tmp usr var / # ifconfig eth0 Link encap:Ethernet HWaddr 02:42:C0:A8:01:03 inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:6 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0 RX bytes:516 (516.0 B) TX bytes:0 (0.0 B)

總結

以上是生活随笔為你收集整理的2022.08.09-docker容器网络配置-左冕的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。