Docker has three network types (drivers): bridge, host and null.
They can be inspected with docker network ls and docker network inspect [name]:
$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
771ed6aaa9f8        bridge              bridge              local
243e4b881761        host                host                local
1c2c6b04e22c        none                null                local
$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        ...
    }
]
On the host, ifconfig shows the bridge's gateway IP, but the container IPs are not directly visible.
When starting a Docker container on the default network, assigning a fixed IP is not supported:
$ docker run -itd --net bridge --ip 172.17.0.10 centos:latest /bin/bash
6eb1f228cf308d1c60db30093c126acbfd0cb21d76cb448c678bab0f1a7c0df6
docker: Error response from daemon: User specified IP address is supported on user defined networks only.
A user-defined network is required. Once it has been created, the new bridge's gateway IP is visible on the host:
$ docker network create --subnet=192.168.250.1/24 mybridge
760fb4aec8aef1eacece34d3a28aee1eabde7c47ce8ef9ec646c7c320a4da195
$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
771ed6aaa9f8        bridge              bridge              local
243e4b881761        host                host                local
760fb4aec8ae        mybridge            bridge              local
1c2c6b04e22c        none                null                local

$ docker run --name eureka -itd --net mybridge --ip 192.168.250.3 scot-eureka:latest /bin/bash
ba7f9fcb4178c5181d3ea85eca5d03a132b8f32727c1ca0ee13bfd1ec15e4cc8
$ ping 192.168.250.3
PING 192.168.250.3 (192.168.250.3) 56(84) bytes of data.
64 bytes from 192.168.250.3: icmp_seq=1 ttl=64 time=0.102 ms
64 bytes from 192.168.250.3: icmp_seq=2 ttl=64 time=0.102 ms
Start the official Redis 4.0.11 with a fixed IP (when starting the latest = 5.0.0 Redis, port 6379 could not be connected to; I have not checked the exact cause yet, 4.0.11 works fine):
$ docker run -d --name redis2 --net mybridge --ip 192.168.250.2 redis:4.0.11
Creating a macvlan network binds the Docker virtual NIC directly to the host's physical NIC, so the container communicates directly on the network the host is attached to. In this mode, apart from the host and the Docker containers being unable to talk to each other, containers can reach one another, and containers can reach the other machines on the host's subnet.
Reference: https://docs.docker.com/v17.09/engine/userguide/networking/get-started-macvlan/ It specifically points out that this is a consequence of security isolation; if communication between the host and the containers is needed, a sub-interface has to be added.
Communication with the Docker host over macvlan
When using macvlan, you cannot ping or communicate with the default namespace IP address. For example, if you create a container and try to ping the Docker host’s eth0, it will not work. That traffic is explicitly filtered by the kernel modules themselves to offer additional provider isolation and security.
A macvlan subinterface can be added to the Docker host, to allow traffic between the Docker host and containers. The IP address needs to be set on this subinterface and removed from the parent address.
Commands for creating the macvlan network:
# disconnect the container
$ docker network disconnect bridge-local redis
# remove the network
$ docker network rm bridge-local
# create the network
$ docker network create -d macvlan --subnet=192.168.252.0/24 --gateway=192.168.252.1 --aux-address="parent_host=192.168.252.151" -o parent=enp2s0f0 bridge-local
# connect the running container to bridge-local
$ docker network connect bridge-local redis --ip 192.168.252.10
Reference: http://networkstatic.net/configuring-macvlan-ipvlan-linux-networking/
And how to configure a subinterface on Ubuntu 18.04: https://askubuntu.com/questions/971126/17-10-netplan-config-with-bridge
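The host-side sub-interface ("shim") that the Docker documentation quoted above calls for, as an added example that is not part of the original post or of Docker's own docs. It assumes the parent NIC enp2s0f0 and the container address 192.168.252.10 from the post; the sub-interface name and SHIM_IP are my own choices, and SHIM_IP must be an address Docker will never hand out (reserve it with --aux-address, the way the post reserves parent_host). Run it as root with "up" or "down", or with DRY_RUN=1 to only print the commands.

```shell
#!/bin/sh
# Added example: a macvlan shim sub-interface so the Docker host can reach
# containers on the bridge-local macvlan network.
# Assumed from the post: parent NIC enp2s0f0, container 192.168.252.10.
# Constructed here: the shim name and SHIM_IP (reserve it via --aux-address).

PARENT="${PARENT:-enp2s0f0}"
SHIM="${SHIM:-macvlan-shim}"
SHIM_IP="${SHIM_IP:-192.168.252.150}"   # constructed, not from the post

# run_cmd executes its arguments, or only prints them when DRY_RUN is set.
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_shim creates the sub-interface in bridge mode: a macvlan child can
# exchange frames with the containers' macvlan children on the same parent,
# which the parent interface itself is not allowed to do.
setup_shim() {
    run_cmd ip link add "$SHIM" link "$PARENT" type macvlan mode bridge
    # A /32 leaves the parent's own LAN address and routes untouched.
    run_cmd ip addr add "$SHIM_IP/32" dev "$SHIM"
    run_cmd ip link set "$SHIM" up
}

# route_container adds a host route for one container IP via the shim.
# Per-container /32 routes avoid clashing with the parent's existing
# connected route for 192.168.252.0/24.
route_container() {
    run_cmd ip route add "$1/32" dev "$SHIM"
}

# teardown_shim deletes the sub-interface; its routes go with it.
teardown_shim() {
    run_cmd ip link del "$SHIM"
}

case "${1:-}" in
    up)   setup_shim; route_container "${2:-192.168.252.10}" ;;
    down) teardown_shim ;;
esac
```

Containers still cannot reach the parent's own address on enp2s0f0; only SHIM_IP is reachable from them, which keeps the kernel's macvlan isolation for everything except the one address you chose to expose.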