Docker

来源：互联网发布：java语言程序设计一编辑：程序博客网时间：2024/06/10 23:28

本文是在原文基础上的实际操作验证记录和细节补充。

默认情况下,容器连接到虚拟网桥docker0提供的虚拟子网中,容器之间通过默认网关（虚拟网桥docker0接口地址）建立连接。
如果不使用虚拟网桥，用户也可以通过创建两个容器间的点到点链路，将一对peer接口分别放到两个容器，来实现容器直连。
容器的直连链路不需要子网和子网掩码。

1 - 启动容器

[root@CentOS-7 ~]# docker run -it -d --net=none --name node-A centos /bin/bash2c5683fbdf0880271013357e9a40b7549ad1c570c855bf591341ad7e7ac3f64e[root@CentOS-7 ~]# [root@CentOS-7 ~]# docker run -it -d --net=none --name node-B centos /bin/bash33c209f70d0b5d48963793873088006349133652190d86444417b408830fd20d[root@CentOS-7 ~]#[root@CentOS-7 ~]# docker psCONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES33c209f70d0b        centos              "/bin/bash"         2 minutes ago       Up 2 minutes                            node-B2c5683fbdf08        centos              "/bin/bash"         2 minutes ago       Up 2 minutes                            node-A[root@CentOS-7 ~]#[root@CentOS-7 ~]# docker network lsNETWORK ID          NAME                DRIVER              SCOPE1d732a1c4f67        bridge              bridge              local               2e217e480705        host                host                local               c31d9a1acfc0        none                null                local               [root@CentOS-7 ~]# docker network inspect none[    {        "Name": "none",        "Id": "c31d9a1acfc0b2ef806bef75c492b77189c32ae21bdca4eeef709b015ba95923",        "Scope": "local",        "Driver": "null",        "EnableIPv6": false,        "IPAM": {            "Driver": "default",            "Options": null,            "Config": []        },        "Internal": false,        "Containers": {            "2c5683fbdf0880271013357e9a40b7549ad1c570c855bf591341ad7e7ac3f64e": {                "Name": "node-A",                "EndpointID": "73131ca12a7f7c1e036f7dcb26eb7d6d50f315767db1eddd829a89d45f4b17a3",                "MacAddress": "",                "IPv4Address": "",                "IPv6Address": ""            },            "33c209f70d0b5d48963793873088006349133652190d86444417b408830fd20d": {                "Name": "node-B",                "EndpointID": "0be67083bf14916b3accfbf9641c9099a69f8b7597a53eeeb88659315e193117",                "MacAddress": "",                "IPv4Address": "",                "IPv6Address": ""            }        },        "Options": {},        "Labels": {}    }][root@CentOS-7 ~]#

如果不指定"--net=none", 容器可以使用默认bridge网络通信。

2 - 根据进程ID创建网络名称空间跟踪文件

[root@CentOS-7 ~]# pid_A=`docker inspect -f '{{.State.Pid}}' node-A`[root@CentOS-7 ~]# pid_B=`docker inspect -f '{{.State.Pid}}' node-B`[root@CentOS-7 ~]# [root@CentOS-7 ~]# mkdir -p /var/run/netns[root@CentOS-7 ~]# ln -s /proc/$pid_A/ns/net /var/run/netns/$pid_A[root@CentOS-7 ~]# ln -s /proc/$pid_B/ns/net /var/run/netns/$pid_B[root@CentOS-7 ~]#

3 - 创建peer接口并配置路由

[root@CentOS-7 ~]# ip link add node-A type veth peer name node-B[root@CentOS-7 ~]# [root@CentOS-7 ~]# ip link set node-A netns $pid_A[root@CentOS-7 ~]# ip netns exec $pid_A ip addr add 10.1.1.1/32 dev node-A[root@CentOS-7 ~]# ip netns exec $pid_A ip link set node-A up[root@CentOS-7 ~]# ip netns exec $pid_A ip route add 10.1.1.2/32 dev node-A[root@CentOS-7 ~]# [root@CentOS-7 ~]# ip link set node-B netns $pid_B[root@CentOS-7 ~]# ip netns exec $pid_B ip addr add 10.1.1.2/32 dev node-B[root@CentOS-7 ~]# ip netns exec $pid_B ip link set node-B up[root@CentOS-7 ~]# ip netns exec $pid_B ip route add 10.1.1.1/32 dev node-B[root@CentOS-7 ~]#

4 - 验证

容器可以相互ping通和建立连接。

[root@CentOS-7 ~]# docker attach node-A[root@2c5683fbdf08 /]#[root@2c5683fbdf08 /]# ip addr show |grep node-A83: node-A@if82: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000    inet 10.1.1.1/32 scope global node-A[root@2c5683fbdf08 /]#[root@2c5683fbdf08 /]# ping 10.1.1.1PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.113 ms64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=0.106 ms^C--- 10.1.1.1 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1000msrtt min/avg/max/mdev = 0.106/0.109/0.113/0.011 ms[root@2c5683fbdf08 /]# ping 10.1.1.2PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.180 ms64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.110 ms^C--- 10.1.1.2 ping statistics ---3 packets transmitted, 3 received, 0% packet loss, time 2000msrtt min/avg/max/mdev = 0.110/0.133/0.180/0.034 ms[root@2c5683fbdf08 /]# [root@CentOS-7 ~]# [root@CentOS-7 ~]# [root@CentOS-7 ~]# [root@CentOS-7 ~]# docker attach node-B[root@33c209f70d0b /]# [root@33c209f70d0b /]# ip addr show |grep node-B82: node-B@if83: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000    inet 10.1.1.2/32 scope global node-B[root@33c209f70d0b /]# [root@33c209f70d0b /]# ping 10.1.1.2PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.084 ms^C--- 10.1.1.2 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 999msrtt min/avg/max/mdev = 0.084/0.098/0.113/0.017 ms[root@33c209f70d0b /]# [root@33c209f70d0b /]# ping 10.1.1.1PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.189 ms64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=0.122 ms^C--- 10.1.1.1 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1000msrtt min/avg/max/mdev = 0.122/0.155/0.189/0.035 ms[root@33c209f70d0b /]# [root@CentOS-7 ~]# [root@CentOS-7 ~]#