五、docker的网络模式
5.1 Docker的四种网络模式
当你安装docker时,它会自动创建三个网络,可使用如下命令查看:
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
7390284b02d6 bridge bridge local
d6f8e8de2c03 host host local
ec6c758e2ed2 none null local
Bridge:此模式会为每一个容器分配、设置IP等。使用 --net=bridge 指定,默认设置。
host:容器将不会虚拟出自己的网卡,配置自己的IP等,而是使用宿主机的IP和端口。使用--net=host 指定。
None:该模式关闭了容器的网络功能。使用 --net=none 指定。
Container:创建的容器不会创建自己的网卡,配置自己的IP,而是和一个指定的容器共享IP、端口范围。使用 --net=container:NAMEorID 指定。
5.2 None网络模式
使用none模式,Docker容器拥有自己的Network Namespace,但是,并不为Docker容器进行任何网络配置。也就是说,这个Docker容器没有网卡、IP、路由等信息,只有lo 网络接口。需要我们自己为Docker容器添加网卡、配置IP等。
不参与网络通信,运行于此类容器中的进程仅能访问本地回环接口;仅适用于进程无须网络通信的场景中,例如:备份、进程诊断及各种离线任务等。None模式示意图如下所示:
[root@localhost ~]# docker run -it --network none --rm busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
/ # exit
5.3 Host网络模式
如果启动容器的时候使用host模式,那么这个容器将不会获得一个独立的Network Namespace,而是和宿主机共用一个Network Namespace。容器将不会虚拟出自己的网卡,配置自己的IP等,而是使用宿主机的IP和端口。但是,容器的其他方面,如文件系统、进程列表等还是和宿主机隔离的。Host模式示意图如下所示:
[root@localhost ~]# ip a show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:fb:63:04 brd ff:ff:ff:ff:ff:ff
altname enp2s1
inet 192.168.168.101/24 brd 192.168.168.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fefb:6304/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@localhost ~]# docker run --name busybox --rm -it --network host busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel qlen 1000
link/ether 00:0c:29:fb:63:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.168.101/24 brd 192.168.168.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fefb:6304/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
link/ether 02:42:1e:0f:2f:31 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1eff:fe0f:2f31/64 scope link
valid_lft forever preferred_lft forever
37: veth0a9f628@if36: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0
link/ether ea:67:63:ea:8d:5a brd ff:ff:ff:ff:ff:ff
inet6 fe80::e867:63ff:feea:8d5a/64 scope link
valid_lft forever preferred_lft forever
38: br-f65f09f8a274: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 02:42:40:d3:87:29 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-f65f09f8a274
valid_lft forever preferred_lft forever
inet6 fe80::42:40ff:fed3:8729/64 scope link
valid_lft forever preferred_lft forever
/ # exit
5.4 container网络模式
这个模式指定新创建的容器和已经存在的一个容器共享一个 Network Namespace,而不是和宿主机共享。新创建的容器不会创建自己的网卡,配置自己的 IP,而是和一个指定的容器共享 IP、端口范围等。同样,两个容器除了网络方面,其他的如文件系统、进程列表等还是隔离的。两个容器的进程可以通过 lo 网卡设备通信。Container模式示意图如下:
(1)先用bridge网络模式启动容器1
[root@localhost ~]# docker run -d --name web4 nginx:1.27.2-alpine
e5c5ae64f304fd37af4952659b4139f0d478bee732bc784ede8c36c93f638f76
[root@localhost ~]# docker inspect web4 | grep -i ipaddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.3",
"IPAddress": "172.17.0.3",
(2)再使用Container 网络模式创建容器2
[root@localhost ~]# docker run --name busybox --rm -it --network container:web4 busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#web1上启动的nginx服务在该容器中可以直接访问
/ # wget -O - -q 172.17.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
#注意文件系统并不共享
/ # ls /usr/share
ls: /usr/share: No such file or directory
5.5 Bridge网络模式
安装docker时会自动创建一个docker0网桥,运行容器时,你可以使用docker run --network=<NETWORK>选项指定容器应连接到哪个网络,否则Docker守护程序默认将容器连接到docker0虚拟网桥,通过docker0网桥以及Iptables nat表配置与宿主机通信。
Docker 随机分配一个本地未占用的私有网段( 在 RFC1918 中定义) 中的一个地址给docker0 接口。 此后启动的容器内的网口也会自动分配一个同一网段的地址。docker0的IP地址则为容器的默认网关。在主机上创建一对虚拟网卡veth pair设备,Docker将veth pair设备的一端放在新创建的容器中,并命名为eth0(容器的网卡),另一端放在主机中,以vethxxx这样类似的名字命名,并将这个网络设备加入到docker0网桥中(bridge模式示意图如下图所示)。可以通过brctl show命令查看。
[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02421e0f2f31 no
[root@localhost ~]# ip a show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1e:0f:2f:31 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1eff:fe0f:2f31/64 scope link
valid_lft forever preferred_lft forever
通过这种方式, 主机可以跟容器通信, 容器之间也可以相互通信。 Docker 就创建了在主机和所有容器之间一个虚拟共享网络。
注:bridge模式是docker的默认网络模式,不写–net参数,就是bridge模式。使用docker run -p时,docker实际是在iptables做了DNAT规则,实现端口转发功能。可以使用iptables -t nat -vnL查看。
5.5.1 使用默认的网桥
#未指定网络模式则默认为bridge模式
[root@localhost ~]# docker run -d -P --name web3 nginx:1.14-alpine
009f12f2142c6a297cd8cf3d0fb078037a03e2a8388c581016df9015ecaecd66
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
009f12f2142c nginx:1.14-alpine "nginx -g 'daemon of…" 4 seconds ago Up 3 seconds 0.0.0.0:32775->80/tcp, [::]:32775->80/tcp web3
[root@localhost ~]#
[root@localhost ~]# iptables -t nat -vnL DOCKER
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32775 to:172.17.0.2:80
[root@localhost ~]# docker exec -it web3 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
36: eth0@if37: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
#尝试ping宿主机
/ # ping -c2 192.168.168.101
PING 192.168.168.101 (192.168.168.101): 56 data bytes
64 bytes from 192.168.168.101: seq=0 ttl=64 time=0.062 ms
64 bytes from 192.168.168.101: seq=1 ttl=64 time=0.043 ms
5.5.2 自定义网桥
#也可以在创建网桥时指定网段docker network create -d bridge --subnet 10.100.0.0/24 --gateway 10.100.0.1 my-bridge
[root@localhost ~]# docker network create -d bridge my-bridge
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
7390284b02d6 bridge bridge local
d6f8e8de2c03 host host local
f65f09f8a274 my-bridge bridge local
ec6c758e2ed2 none null local
[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
br-f65f09f8a274 8000.024240d38729 no
docker0 8000.02421e0f2f31 no veth0a9f628
[root@localhost ~]# ip a show br-f65f09f8a274
38: br-f65f09f8a274: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:40:d3:87:29 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-f65f09f8a274
valid_lft forever preferred_lft forever
[root@localhost ~]# docker run --name busybox --rm -it --network my-bridge busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
41: eth0@if42: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.18.0.1 0.0.0.0 UG 0 0 0 eth0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
/ # ping 192.168.168.101
PING 192.168.168.101 (192.168.168.101): 56 data bytes
64 bytes from 192.168.168.101: seq=0 ttl=64 time=0.278 ms
64 bytes from 192.168.168.101: seq=1 ttl=64 time=0.060 ms
5.6 容器间的通信
5.6.1 同一台主机上的容器间的通信
(1)容器都使用默认的Bridge网络模式
- 两个容器使用ip地址互相访问
#运行第一个容器
[root@localhost ~]# docker run --rm -it busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#运行第二个容器
[root@localhost ~]# docker run -it --rm busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#第一个容器ping第二个容器
/ # ping -c2 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.056 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.066 ms
#第二个容器ping第一个容器
/ # ping -c2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.032 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.062 ms
- 容器间使用名字互相访问
[root@localhost ~]# docker run --rm -it --name test-name busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
19: eth0@if20: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@localhost ~]# docker run -it --rm --link test-name:server1 busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
21: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 server1 d9a9e6278e9f test-name
172.17.0.4 9e6943af3424
/ # ping -c 2 server1
PING server1 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.073 ms
--- server1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.054/0.073 ms
/ # ping -c 2 test-name
PING test-name (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.062 ms
--- test-name ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.048/0.062 ms
/ #
(2)容器使用不同的bridge模式
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
9d160e040474 bridge bridge local
d6f8e8de2c03 host host local
f65f09f8a274 my-bridge bridge local
ec6c758e2ed2 none null local
#查看新添加的网桥
[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
br-f65f09f8a274 8000.02427ef21b98 no vethf8467c8
docker0 8000.0242c16db1ae no vethcde7c3a
#运行第一个容器使用bridge模式
[root@localhost ~]# docker run --rm --network bridge -it busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#在另外一个终端窗口运行第二个容器使用my-bridge模式
[root@localhost ~]# docker run -it --rm --network my-bridge busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
#两个容器互相访问,访问失败
#第一个容器ping第二个容器
/ # ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes
#第二个容器ping第一个容器
/ # ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
查看防火墙规则
#重新配置iptables规则
#(1)先将旧的iptables规则保存至iptables.sh文件中
[root@localhost ~]# iptables-save > /root/iptables.sh
#(2)修改iptables.sh文件,注释下面两行
#-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
#-A DOCKER-ISOLATION-STAGE-2 -o br-f65f09f8a274 -j DROP
#(3)导入新的iptables规则
[root@localhost ~]# iptables-restore < /root/iptables.sh
#两个容器互相测试
#第一个容器访问第二个容器
/ # ping -c2 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=63 time=0.066 ms
64 bytes from 172.18.0.2: seq=1 ttl=63 time=0.093 ms
#第二个容器访问第一个容器
/ # ping -c3 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=63 time=0.067 ms
64 bytes from 172.17.0.2: seq=1 ttl=63 time=0.095 ms
64 bytes from 172.17.0.2: seq=2 ttl=63 time=0.095 ms
5.6.2 不同主机上的容器间的通信
两个主机上的容器之间的通信前提是宿主机之间的网络是可以互相通信的,然后个容器才可以通过宿主机访问到对方的容器,实现原理是在宿主机做一个网络路由就可以实现宿主机A的容器访问宿主机容器B的目的。
由于docker默认网段是172.17.0.X/24,如果要做路由每个宿主机的docker使用的默认网段不能一致。
#服务器A使用默认网段
#服务器B修改默认网段为10.10.0.X/24
[root@node02 yum.repos.d]# vim /usr/lib/systemd/system/docker.service
#修改该行信息
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --bip=10.10.0.1/24
[root@node02 yum.repos.d]# systemctl daemon-reload
[root@node02 yum.repos.d]# systemctl start docker
[root@node02 yum.repos.d]# ip a show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:bb:a0:47:ca brd ff:ff:ff:ff:ff:ff
inet 10.10.0.1/24 brd 10.10.0.255 scope global docker0
valid_lft forever preferred_lft forever
#服务器A启动容器
[root@localhost ~]# docker run -it --rm busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
#服务器B启动容器
[root@node02 ~]# docker run -it --rm busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:0a:0a:00:02 brd ff:ff:ff:ff:ff:ff
inet 10.10.0.2/24 brd 10.10.0.255 scope global eth0
valid_lft forever preferred_lft forever
#容器间互相访问测试,无法访问
/ # ping -c2 10.10.0.2
PING 10.10.0.2 (10.10.0.2): 56 data bytes
--- 10.10.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # ping -c 2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
#给serverA添加静态路由,当本机要访问10.10.0.0/24网段的主机的时候,网关指定为serverB宿主机的地址
[root@localhost ~]# route add -net 10.10.0.0/24 gw 192.168.168.102
#设置防火墙规则
[root@localhost ~]# iptables -A FORWARD -s 192.168.168.0/24 -j ACCEPT
#给serverB添加静态路由,网关地址为serverA的地址
[root@node02 ~]# route add -net 172.17.0.0/24 gw 192.168.168.101
#设置防火墙规则
[root@localhost ~]# iptables -A FORWARD -s 192.168.168.0/24 -j ACCEPT
#测试
#宿主机A容器访问宿主机B容器
/ # ping -c2 10.10.0.2
PING 10.10.0.2 (10.10.0.2): 56 data bytes
64 bytes from 10.10.0.2: seq=0 ttl=62 time=0.461 ms
64 bytes from 10.10.0.2: seq=1 ttl=62 time=0.556 ms
--- 10.10.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.461/0.508/0.556 ms
#宿主机B容器访问宿主机A容器
/ # ping -c 2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=62 time=0.491 ms
64 bytes from 172.17.0.2: seq=1 ttl=62 time=0.575 ms
