容器中网络使用

在默认网络上启动一个容器

Docker通过使用网络驱动程序支持网络容器。默认情况下，Docker为您提供了两个网络驱动程序，bridge和overlay.查看默认：

[root@aniu-k8s ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
83b13d1a6851        bridge              bridge              local
bb75b5a2446b        host                host                local
350704680a43        none                null                local

名为bridge的网络是一个特殊的网络。除非另有说明，否则Docker将始终在此网络中启动您的容器。现在试试这个：

[root@aniu-k8s ~]# docker run -itd --name=networktest ubuntu
dfe98e91cc6e3a1766819a94e7c16ed186668fc92e2cfe5988094b8c3f327647

笔者的em1为：192.168.10.10

检查网络是查找容器的IP地址的简单方法

[root@aniu-k8s ~]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "83b13d1a6851e0a564b82363ef95c0122608f37d6f70a9191440be9802893e01",
"Created": "2017-11-29T14:12:09.651104078+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"dfe98e91cc6e3a1766819a94e7c16ed186668fc92e2cfe5988094b8c3f327647": {
"Name": "networktest",
"EndpointID": "2fb0b8cac57a8ce1cf5f8de06f365451d6f987e526000c2277c036c97fa79d37",
"MacAddress": "02:42:ac:11:00:02",
"IPv4Address": "172.17.0.2/16",
"IPv6Address": ""
}
},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]

可以通过断开容器从网络中移除容器。为此，提供网络名称和容器名称。可以使用容器ID。在这个例子中，名字更快。

[root@aniu-k8s ~]# docker network disconnect bridge networktest
[root@aniu-k8s ~]# docker network inspect bridge
[
{
"Name": "bridge",
"Id": "83b13d1a6851e0a564b82363ef95c0122608f37d6f70a9191440be9802893e01",
"Created": "2017-11-29T14:12:09.651104078+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
}
]

虽然可以从网络断开容器，但不能删除名为网桥的内置网桥网络。网络是将容器与其他容器或其他网络隔离的自然方式。所以，当你对Docker有更多的经验时，你会想创建自己的网络。

创建自己的bridge网络

Docker引擎本身支持桥接网络和覆盖网络。桥接网络仅限于运行Docker Engine的单个主机。覆盖网络可以包括多个主机，并且是更高级的主题。对于这个例子，你将创建一个桥梁网络:

参考：https://docs.docker.com/engine/reference/commandline/network_create/

[root@aniu-k8s ~]# docker network create -d bridge my_bridge
31b20c144a8468d0128e738f4032dfba799b5260fcc4fd19124a432fa2b2ede2

-d参数告诉Docker为新网络使用网桥驱动程序。您可以将此标志关闭，因为桥是此标志的默认值。继续并在您的机器上列出网络：

[root@aniu-k8s ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
83b13d1a6851        bridge              bridge              local
bb75b5a2446b        host                host                local
31b20c144a84        my_bridge           bridge              local
350704680a43        none                null                local

如果你检查网络，你会发现它没有任何东西

[root@aniu-k8s ~]# docker network inspect my_bridge
[
{
"Name": "my_bridge",
"Id": "31b20c144a8468d0128e738f4032dfba799b5260fcc4fd19124a432fa2b2ede2",
"Created": "2017-11-29T16:39:30.869809937+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16", # 仔细看，ip地址已经变化，可以通过指定--subnet=192.168.0.0/16 br0参数，自定义ip
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]

将容器添加到网络

启动一个运行PostgreSQL数据库的容器，并传递 –net=my_bridge 标志将其连接到你的新网络：

$ docker run -d --net=my_bridge --name db training/postgres

如果你检查你的my_bridge，你会看到它有一个容器连接。您也可以检查您的容器，以查看它连接的位置：

[root@aniu-k8s ~]# docker inspect --format='{{json .NetworkSettings.Networks}}' db
{"my_bridge":{"IPAMConfig":null,"Links":null,"Aliases":["0f6ce012b967"],"NetworkID":"31b20c144a8468d0128e738f4032dfba799b5260fcc4fd19124a432fa2b2ede2","EndpointID":"dde2f9d3463088873bfd086cecc37eb006824826df9be0eb951410e7752bf7e5","Gateway":"172.18.0.1","IPAddress":"172.18.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:12:00:02","DriverOpts":null}}

继续启动自己熟悉的web应用程序，使用默认网络

docker run -d --name web training/webapp python app.py

您的Web应用程序在哪个网络下运行？检查应用程序，你会发现它运行在默认的桥梁网络。

[root@aniu-k8s ~]# docker inspect --format='{{json .NetworkSettings.Networks}}'  web
{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"83b13d1a6851e0a564b82363ef95c0122608f37d6f70a9191440be9802893e01","EndpointID":"22025b98fa050359d6e7dd2a716f2b265e5df7f6ca2c13210aef4b73c63f795c","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null}}

然后，获取您的网站的IP地址

[root@aniu-k8s ~]# docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' web
172.17.0.2

现在，打开一个shell连接到正在运行的db容器中：

[root@aniu-k8s ~]# docker exec -it db bash
root@0f6ce012b967:/# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
^C
--- 172.17.0.2 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 5999ms

root@0f6ce012b967:/# exit
exit

稍后，使用CTRL-C结束ping，您将发现ping失败。这是因为两个容器在不同的网络上运行。你可以解决这个问题。然后，使用exit命令关闭容器。

Docker网络允许您将容器连接到尽可能多的网络。您也可以附加一个已经运行的容器。继续并将正在运行的Web应用程序附加到my_bridge。

$ docker network connect my_bridge web
[root@aniu-k8s ~]# docker network inspect my_bridge
[
{
"Name": "my_bridge",
"Id": "31b20c144a8468d0128e738f4032dfba799b5260fcc4fd19124a432fa2b2ede2",
"Created": "2017-11-29T16:39:30.869809937+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": {},
"Config": [
{
"Subnet": "172.18.0.0/16",
"Gateway": "172.18.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Ingress": false,
"ConfigFrom": {
"Network": ""
},
"ConfigOnly": false,
"Containers": {
"0f6ce012b96798d29d2363199c289315f7f52a06d01aa0702e727f8355a48190": {
"Name": "db",
"EndpointID": "dde2f9d3463088873bfd086cecc37eb006824826df9be0eb951410e7752bf7e5",
"MacAddress": "02:42:ac:12:00:02",
"IPv4Address": "172.18.0.2/16",
"IPv6Address": ""
},
"e7e11e1c094ba9b16456677ebe4658d4f6ea1cc3757debaccbdb049e7b769e50": {
"Name": "web",
"EndpointID": "2d88e9122ee58212261ea635041c3daf22a6098c9dad8c6a61468e05b28a01b2",
"MacAddress": "02:42:ac:12:00:03",
"IPv4Address": "172.18.0.3/16",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
}
]

再次打开一个shell到数据库应用程序，并尝试ping命令。这次只需使用容器名称而不是IP地址。

[root@aniu-k8s ~]# docker exec -it db bash
root@0f6ce012b967:/# ping web
PING web (172.18.0.3) 56(84) bytes of data.
64 bytes from web.my_bridge (172.18.0.3): icmp_seq=1 ttl=64 time=0.134 ms
64 bytes from web.my_bridge (172.18.0.3): icmp_seq=2 ttl=64 time=0.047 ms
64 bytes from web.my_bridge (172.18.0.3): icmp_seq=3 ttl=64 time=0.047 ms
64 bytes from web.my_bridge (172.18.0.3): icmp_seq=4 ttl=64 time=0.047 ms
64 bytes from web.my_bridge (172.18.0.3): icmp_seq=5 ttl=64 time=0.043 ms
^C
--- web ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.043/0.063/0.134/0.036 ms

ping显示它正在联系不同的IP地址，my_bridge上的地址与桥接网络上的地址不同。