Network connectivity of Docker containers
2016-01-31 00:00
Networking basics of Docker containers

```
root@yys-docker:~# ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:a8:be:57:5c
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:a8ff:febe:575c/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:13451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1038500 (1.0 MB)  TX bytes:38444159 (38.4 MB)
```

docker0 is a Linux virtual bridge. It can be assigned an IP address and behaves like a hidden virtual network interface.

Customizing docker0

Modifying docker0:

```
root@yys-docker:~# ifconfig docker0 10.10.3.1 netmask 255.255.255.0
```

Custom virtual bridge:

```
root@yys-docker:~# brctl addbr br0
root@yys-docker:~# ifconfig docker0 192.168.100.1 netmask 255.255.255.0
```

Change the Docker daemon's startup configuration: in /etc/default/docker add `-b=br0` to the DOCKER_OPTS value, then restart the Docker daemon.

```
ps aux|grep docker
root     25262  0.4  0.8 534344 35776 ?        Ssl  01:37   0:00 /usr/bin/docker daemon -b=br0
root@yys-docker:~# docker run -it --name nwt4 ubuntu1204-base /bin/bash
root@078adcb9d30a:/# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:c0:a8:c8:02
          inet addr:192.168.200.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::42:c0ff:fea8:c802/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:418 (418.0 B)  TX bytes:508 (508.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```

Environment setup

```
root@yys-docker:~/dockerfile# vim Dockerfile
FROM centos66-bash
RUN yum install -y httpd
RUN yum install -y curl
EXPOSE 80
CMD /bin/bash
root@yys-docker:~/dockerfile# docker build -t eddy/cct .
Sending build context to Docker daemon 2.048 kB
Step 1 : FROM centos66-bash
 ---> 1e5e32e3c2d7
Step 2 : RUN yum install -y httpd
 ---> 1aea53d33104
Removing intermediate container 28b0565672a2
Step 3 : RUN yum install -y curl
 ---> 5c04d5101003
Removing intermediate container b0384d2ea73b
Step 4 : EXPOSE 80
 ---> Running in 359232590d22
 ---> 3336283cf423
Removing intermediate container 359232590d22
Step 5 : CMD /bin/bash
 ---> Running in 2c576393dfed
 ---> 61199613c3c1
Removing intermediate container 2c576393dfed
Successfully built 61199613c3c1
```

The test image is built.

Allowing all containers to communicate: icc=true

Run a container:

```
root@yys-docker:~/dockerfile# docker run -it --name cct1 eddy/cct
bash-4.1# /etc/init.d/httpd start
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.200.2 for ServerName
                                                           [  OK  ]
bash-4.1# ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:C8:02
          inet addr:192.168.200.2  Bcast:0.0.0.0  Mask:255.255.255.0
```

Start a second container, cct2:

```
root@yys-docker:~/dockerfile# docker run -it --name cct2 eddy/cct
bash-4.1# curl 192.168.200.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<head>
<title>Apache HTTP Server Test Page powered by CentOS</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; }
```

By default, communication between the two containers is allowed.

Because a container's IP address changes after it restarts, you can use the --link option when starting a container:

```
docker run --link=[container_name]:[alias] [image] [command]
```

```
root@yys-docker:~# docker run -it --name cct3 --link=cct1:webtest eddy/cct
bash-4.1# ping webtest
PING webtest (192.168.200.2) 56(84) bytes of data.
64 bytes from webtest (192.168.200.2): icmp_seq=1 ttl=64 time=0.189 ms
64 bytes from webtest (192.168.200.2): icmp_seq=2 ttl=64 time=0.132 ms
```

This avoids the connectivity problem caused by container IPs changing after a restart. The link is exposed to cct3 through environment variables and /etc/hosts:

```
bash-4.1# env
HOSTNAME=49a07569ff5e
TERM=xterm
WEBTEST_NAME=/cct3/webtest
WEBTEST_PORT_80_TCP_ADDR=192.168.200.2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
WEBTEST_PORT_80_TCP=tcp://192.168.200.2:80
WEBTEST_PORT=tcp://192.168.200.2:80
WEBTEST_PORT_80_TCP_PROTO=tcp
HOME=/root
SHLVL=2
WEBTEST_PORT_80_TCP_PORT=80
_=/usr/bin/env
bash-4.1# cat /etc/hosts
192.168.200.4   49a07569ff5e
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.200.2   webtest 43809fcd0317 cct1
```

Restart the Docker service:

```
root@yys-docker:~# service docker restart
```

Restart the containers:

```
root@yys-docker:~# docker restart cct1 cct2 cct3
cct1
cct2
cct3
```

Enter the cct3 container:

```
root@yys-docker:~# docker attach cct3
bash-4.1# ping webtest
PING webtest (192.168.200.2) 56(84) bytes of data.
64 bytes from webtest (192.168.200.2): icmp_seq=1 ttl=64 time=0.173 ms
64 bytes from webtest (192.168.200.2): icmp_seq=2 ttl=64 time=0.122 ms
```

webtest can still be pinged.

Denying communication between containers

Docker daemon option: -icc=false

```
DOCKER_OPTS="-icc=false"
service docker restart
docker restart cct1 cct2 cct3
docker attach cct3
bash-4.1# ping webtest
PING webtest (10.10.3.2) 56(84) bytes of data.
^C
--- webtest ping statistics ---
14 packets transmitted, 0 received, 100% packet loss, time 13432ms
```

Change back to allowing access:

```
DOCKER_OPTS="-icc=true"
root@yys-docker:~# service docker restart
stop: Unknown instance:
docker start/running, process 28535
root@yys-docker:~# !ps
ps aux|grep docker
root     28535  8.3  0.7 172796 31608 ?        Ssl  02:18   0:00 /usr/bin/docker daemon -icc=true
root     28579  0.0  0.0  10468  2104 pts/4    S+   02:18   0:00 grep --color=auto docker
root@yys-docker:~# docker restart cct1 cct2 cct3
cct1
cct2
cct3
root@yys-docker:~# docker attach cct3
bash-4.1# ping webtest
PING webtest (10.10.3.2) 56(84) bytes of data.
64 bytes from webtest (10.10.3.2): icmp_seq=1 ttl=64 time=0.175 ms
64 bytes from webtest (10.10.3.2): icmp_seq=2 ttl=64 time=0.110 ms
```

As you can see, after the bridge IP was changed and access was allowed again, the containers can still reach each other.

Allowing only specific containers to communicate: --icc=false --iptables=true --link

```
root@yys-docker:~# iptables -F
root@yys-docker:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (0 references)
target     prot opt source               destination
root@yys-docker:~# !ps
ps aux|grep docker
root     29346  9.3  0.7 311896 31876 ?        Ssl  02:30   0:00 /usr/bin/docker daemon -icc=false -iptables=true
root@yys-docker:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
root@yys-docker:~# docker restart cct1 cct2 cct3 cct4
cct1
cct2
cct3
cct4
root@yys-docker:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp spt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp spt:80
ACCEPT     tcp  --  10.10.3.4            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.4            tcp spt:80
ACCEPT     tcp  --  10.10.3.5            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.5            tcp spt:80
```

Inside cct3 (linked to cct1), ping fails but curl works, because the link rules only allow TCP port 80:

```
bash-4.1# ping webtest
PING webtest (10.10.3.2) 56(84) bytes of data
```

Doesn't work.

```
bash-4.1# curl webtest
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<head>
<title>Apache HTTP Server Test Page powered by CentOS</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
body {
```

curl is OK.

```
root@yys-docker:~# docker attach cct2
bash-4.1# curl 10.10.3.2
^C
bash-4.1# ping 10.10.3.2
PING 10.10.3.2 (10.10.3.2) 56(84) bytes of data.
^C
--- 10.10.3.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1576ms
```

Neither works, because cct2 was started without the --link option.

Add a rule:

```
root@yys-docker:~/dockerfile# iptables -A DOCKER -p icmp -j ACCEPT
bash-4.1# ping 10.10.3.2
PING 10.10.3.2 (10.10.3.2) 56(84) bytes of data.
64 bytes from 10.10.3.2: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.10.3.2: icmp_seq=2 ttl=64 time=0.107 ms
bash-4.1# curl 10.10.3.2
^C
```

curl still fails. Add another rule:

```
root@yys-docker:~/dockerfile# iptables -A DOCKER -p tcp --src 10.10.3.3 --dst 10.10.3.2 --dport 80 -j ACCEPT
root@yys-docker:~/dockerfile# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp spt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp spt:80
ACCEPT     tcp  --  10.10.3.4            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.4            tcp spt:80
ACCEPT     tcp  --  10.10.3.5            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.5            tcp spt:80
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  10.10.3.3            10.10.3.2            tcp dpt:80
bash-4.1# curl 10.10.3.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<head>
<title>Apache HTTP Server Test Page powered by CentOS</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
body { background-color: #fff; color: #000; font-size: 0.9em; font-family: sans-serif,helvetica; margin: 0; padding: 0; }
```

Access succeeds.

Without adding any firewall rules of your own, when Docker runs with icc=false and iptables=true only containers started with --link can reach each other, because the rules for a link are added to iptables automatically when the container starts.

Connecting Docker containers to external networks

ip_forward:

```
root@yys-docker:~/dockerfile# sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1
```

iptables:

```
root@yys-docker:~# docker run -it -p 80 --name cct5 eddy/cct
bash-4.1# /etc/init.d/nginx start
/etc/init.d/nginx: line 17: /etc/sysconfig/network: No such file or directory
bash-4.1# nginx
bash-4.1#
root@yys-docker:~# docker port cct5
80/tcp -> 0.0.0.0:32768
root@yys-docker:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp spt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.2            tcp spt:80
ACCEPT     tcp  --  10.10.3.4            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.4            tcp spt:80
ACCEPT     tcp  --  10.10.3.5            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.5            tcp spt:80
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  10.10.3.3            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            10.10.3.6            tcp dpt:80
root@yys-docker:~# curl 192.168.6.154:32768
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Test Page for the Nginx HTTP Server on EPEL</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
/*<![CDATA[*/
body {
```

Publishing the port added a rule to iptables (the ACCEPT for 10.10.3.6 port 80 from any source). Rules can also be added by hand in the same chain, for example:

```
iptables -I DOCKER -s x.x.x.x -d x.x.x.x -p TCP --dport 80 -j DROP
```

This denies source address x.x.x.x access to port 80 of destination address x.x.x.x. Docker relies on iptables to control network access to containers.
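As an added example (not code from the original post), here is a small Python audit of the DOCKER chain. It parses an `iptables -L -n` listing built from the rule shapes shown above (a constructed sample), evaluates whether a given container-to-container flow would be accepted, and flags ACCEPT rules wider than a single --link pair, such as the any-to-any ICMP rule added by hand above. It assumes the daemon is running with --icc=false, so a flow that matches no DOCKER rule returns to FORWARD and hits the DROP rule.

```python
import ipaddress
import re

# Constructed sample listing, modelled on the rules shown in the post.
SAMPLE = """Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.10.3.4            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  10.10.3.2            10.10.3.4            tcp spt:80
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  10.10.3.3            10.10.3.2            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            10.10.3.6            tcp dpt:80
"""

# Columns of `iptables -L -n`: target prot opt source destination [extra]
RULE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_docker_chain(listing):
    """Return the DOCKER chain's rules, in iptables order, as dicts."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain DOCKER ")
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        target, proto, src, dst, extra = RULE.match(line).groups()
        ports = dict(re.findall(r"(spt|dpt):(\d+)", extra or ""))
        rules.append({"target": target, "proto": proto,
                      "src": ipaddress.ip_network(src),
                      "dst": ipaddress.ip_network(dst),
                      "sport": int(ports["spt"]) if "spt" in ports else None,
                      "dport": int(ports["dpt"]) if "dpt" in ports else None})
    return rules


def flow_allowed(rules, src, dst, proto, sport=None, dport=None):
    """First match wins, as in iptables. With --icc=false a flow that matches
    no DOCKER rule falls back to the FORWARD chain and is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("all", proto) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] not in (None, sport) or r["dport"] not in (None, dport):
            continue
        return r["target"] == "ACCEPT"
    return False


def overly_broad(rules):
    """ACCEPT rules whose source is wider than one host: these re-open
    traffic that --icc=false was meant to block (e.g. a blanket ICMP rule)."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["src"].num_addresses > 1]
```

Run `overly_broad(parse_docker_chain(SAMPLE))` to list the blanket ICMP rule and the published-port rule; `flow_allowed` answers the same question the ping and curl tests above answer by hand.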