Docker Quick Start 4: Docker Networking

On a host with the Docker engine installed, an extra virtual network device named docker0 appears with the IP address 172.17.0.1. Think of it as a virtual switch (bridge). When a container is created (the default network mode is bridge), a virtual network link is created along with it: one end sits inside the container, the other is attached to the docker0 virtual switch. The container's virtual NIC is assigned an address from the 172.17.0.0/16 range by default.

root@node01:~# docker container ls
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS               NAMES
f705f6f4779a        busybox:latest       "sh"                     7 minutes ago       Up 7 minutes                            bbox01
83436ed405c7        busybox-httpd:v0.2   "/bin/httpd -f -h /d…"   45 minutes ago      Up 45 minutes                           httpd-01
# install the bridge management tools
root@node01:~# apt-get install bridge-utils
root@node01:~# brctl show  # show bridges
bridge name bridge id       STP enabled interfaces
docker0     8000.02425749873b   no      veth9cb81f9
                                                                    veth9f1b4f7

root@node01:~# ip link show
...
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:57:49:87:3b brd ff:ff:ff:ff:ff:ff
13: veth9f1b4f7@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 26:8d:9e:92:aa:a6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
21: veth9cb81f9@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether 1a:94:6b:46:8a:8c brd ff:ff:ff:ff:ff:ff link-netnsid 1

When a container wants to reach resources outside the host, its source address is masqueraded; by default this is implemented with iptables.

root@node01:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 21 packets, 2248 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   256 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 18 packets, 2046 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1545 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1545 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   202 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0

Of these, the rule

Chain POSTROUTING (policy ACCEPT 1545 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   202 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

means that traffic from any source address in the 172.17.0.0/16 network whose destination is not reached through the docker0 device, that is, anything outside the host, gets MASQUERADE applied.

Docker's network models

Type 1: Closed container. A closed container only has a loopback address and cannot make any network requests.

Type 2: Bridged container. Bridged networking, the default when a container is created.

Type 3: Joined container. Several containers share the UTS, IPC and NET namespaces, so they have the same hostname and the same network devices.

Type 4: Open container. Open networking, sharing the host's network namespace.

Exploring network namespaces

To avoid disturbing the environment on node01, use a second host, node02. First create two network namespaces:

root@node02:~# ip netns add ns01
root@node02:~# ip netns add ns02
root@node02:~# ip netns list
ns02
ns01

Create a pair of virtual network devices:

root@node02:~# ip link add name veth1.1 type veth peer name veth1.2
root@node02:~# ip link show type veth
3: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 4a:1c:b7:38:0f:5e brd ff:ff:ff:ff:ff:ff
4: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 36:72:d3:88:4c:5d brd ff:ff:ff:ff:ff:ff

Move one of the virtual NICs into the ns01 namespace:

root@node02:~# ip link set dev veth1.2 netns ns01
root@node02:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:aa:9b:4f brd ff:ff:ff:ff:ff:ff
4: veth1.1@if3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 36:72:d3:88:4c:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
# list the network devices in the ns01 namespace
root@node02:~# ip netns exec ns01 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth1.2: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 4a:1c:b7:38:0f:5e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@node02:~# ip netns exec ns01 ip link set dev veth1.2 name eth0  # the device can also be renamed
root@node02:~# ip netns exec ns01 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 4a:1c:b7:38:0f:5e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now only veth1.1 remains on the host; veth1.2 has been moved into the ns01 namespace.

Assign IP addresses to both virtual devices and bring them up:

root@node02:~# ifconfig veth1.1 10.0.0.1/24 up
root@node02:~# ip netns exec ns01 ifconfig eth0 10.0.0.2/24 up
root@node02:~# ip netns exec ns01 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.2  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::481c:b7ff:fe38:f5e  prefixlen 64  scopeid 0x20<link>
        ether 4a:1c:b7:38:0f:5e  txqueuelen 1000  (Ethernet)
        RX packets 9  bytes 726 (726.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 656 (656.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@node02:~# ifconfig veth1.1
veth1.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::3472:d3ff:fe88:4c5d  prefixlen 64  scopeid 0x20<link>
        ether 36:72:d3:88:4c:5d  txqueuelen 1000  (Ethernet)
        RX packets 10  bytes 796 (796.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 796 (796.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Test connectivity between the virtual NICs in the different namespaces:

root@node02:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.059 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.059 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.091 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.058 ms
^C
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4031ms
rtt min/avg/max/mdev = 0.043/0.062/0.091/0.015 ms
root@node02:~# ip netns exec ns01 ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.087 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.084 ms
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3040ms
rtt min/avg/max/mdev = 0.020/0.059/0.087/0.029 ms

The host's veth1.1 can also be moved into the ns02 namespace:

root@node02:~# ip link set dev veth1.1 netns ns02
root@node02:~# ip netns exec ns02 ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth1.1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 36:72:d3:88:4c:5d  txqueuelen 1000  (Ethernet)
        RX packets 23  bytes 1874 (1.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23  bytes 1874 (1.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# the IP configuration is lost after the move and has to be set again
root@node02:~# ip netns exec ns02 ifconfig veth1.1 10.0.0.3/24 up
root@node02:~# ip netns exec ns02 ifconfig
veth1.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.3  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::3472:d3ff:fe88:4c5d  prefixlen 64  scopeid 0x20<link>
        ether 36:72:d3:88:4c:5d  txqueuelen 1000  (Ethernet)
        RX packets 25  bytes 2054 (2.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 42  bytes 3048 (3.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@node02:~# ip netns exec ns02 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.132 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.060 ms
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.060/0.084/0.132/0.034 ms
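The namespace walkthrough above, gathered into one script as an added example (not code from the original post). It keeps the post's names ns01, ns02, veth1.1, veth1.2, eth0 and the 10.0.0.0/24 addresses, but uses `ip addr`/`ip link` instead of ifconfig. The privileged part only runs when RUN_NETNS_DEMO=1 is set and the script runs as root; the two helpers, veth_peer_index (reads the peer ifindex out of an `ip -o link` line, like the `veth1.1@if3` field shown earlier) and ping_summary_ok, are this example's own and run without privileges.

```shell
#!/bin/sh
# Added example (not from the original post): the veth/netns walkthrough as a
# script. Names follow the post; the helpers and the RUN_NETNS_DEMO guard are
# this example's own assumptions.
set -eu

# Pure helper: given one line of `ip -o link show` output, print the peer
# ifindex from the "name@ifN" field (e.g. "4: veth1.1@if3: <...>" -> 3).
# Returns 1 when the line carries no peer reference (a plain NIC such as ens33).
veth_peer_index() {
    # $1: one line of `ip -o link` output
    _name=$(printf '%s\n' "$1" | awk -F': ' '{print $2}')
    case "$_name" in
        *@if*) printf '%s\n' "${_name##*@if}" ;;
        *) return 1 ;;
    esac
}

# Pure helper: turn the summary line of `ping -c N` into "ok" / "loss".
ping_summary_ok() {
    # $1: e.g. "5 packets transmitted, 5 received, 0% packet loss, time 4031ms"
    case "$1" in
        *" 0% packet loss"*) echo ok ;;
        *) echo loss; return 1 ;;
    esac
}

# Root-only part: builds the post's topology. ns01 gets veth1.2 renamed to
# eth0 (10.0.0.2); the host keeps veth1.1 (10.0.0.1).
setup_netns_demo() {
    ip netns add ns01
    ip netns add ns02
    ip link add name veth1.1 type veth peer name veth1.2
    ip link set dev veth1.2 netns ns01
    ip netns exec ns01 ip link set dev veth1.2 name eth0
    ip netns exec ns01 ip addr add 10.0.0.2/24 dev eth0
    ip netns exec ns01 ip link set dev eth0 up
    ip netns exec ns01 ip link set dev lo up
    ip addr add 10.0.0.1/24 dev veth1.1
    ip link set dev veth1.1 up
    # connectivity check from inside the namespace, as in the post
    _summary=$(ip netns exec ns01 ping -c 3 10.0.0.1 | grep 'packets transmitted')
    ping_summary_ok "$_summary"
}

teardown_netns_demo() {
    # deleting a namespace removes the veth end inside it, which also
    # destroys its peer on the host
    ip netns del ns01 2>/dev/null || true
    ip netns del ns02 2>/dev/null || true
}

# Only run the privileged part when explicitly requested and running as root.
if [ "${RUN_NETNS_DEMO:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    trap teardown_netns_demo EXIT
    setup_netns_demo
fi
```

Run it as `RUN_NETNS_DEMO=1 sh netns-demo.sh` on a throwaway host; the trap tears the namespaces down again on exit so the host is left as it was found.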

Exposing services

First, a summary of some options used when running a container:

root@node01:~# docker container run \
--name bbox-03 \
-i \
-t \
--network bridge \
--hostname bbox03.learn.io \
--add-host b.163.com:1.1.1.1 \
--add-host c.163.com:2.2.2.2 \
--dns 114.114.114.114 \
--dns 8.8.8.8 \
--rm \
busybox:latest
--network   the network model the container uses: none, host or bridge; the default is bridge
--hostname  the container's hostname; defaults to the container ID if not given
--add-host  add an entry to the container's /etc/hosts; may be given more than once
--dns       set the container's DNS servers; may be given more than once
--rm        remove the container automatically when it exits

There are four ways to expose a service:

docker container run -p <containerPort> maps the given container port to a dynamic port on all host addresses

docker container run -p <hostPort>:<containerPort> maps the container port to the given port on all host addresses

docker container run -p <ip>::<containerPort> maps the container port to a dynamic port on the given host IP

docker container run -p <ip>:<hostPort>:<containerPort> maps the container port to the given port on the given host IP

To expose several ports, -p can be given more than once.

root@node01:~# docker container run -i -t --name httpd-01 --rm -p 80 busybox-httpd:v0.2

root@node01:~# docker container ls
CONTAINER ID        IMAGE                COMMAND                  CREATED             STATUS              PORTS                   NAMES
3708cbbc6a99        busybox-httpd:v0.2   "/bin/httpd -f -h /d…"   10 seconds ago      Up 9 seconds        0.0.0.0:32768->80/tcp   httpd-01
root@node01:~# docker port httpd-01  # show the port mappings
80/tcp -> 0.0.0.0:32768

-p 80:80

root@node01:~# docker port httpd-01
80/tcp -> 0.0.0.0:80

-p 192.168.101.40::80

root@node01:~# docker port httpd-01
80/tcp -> 192.168.101.40:32768

-p 192.168.101.40:8080:80

root@node01:~# docker port httpd-01
80/tcp -> 192.168.101.40:8080
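The first two -p forms bind the host side to 0.0.0.0, so the service is reachable on every host interface, while the <ip> forms limit it to one address. As an added example (not from the original post), the script below classifies `docker port` output by how widely each mapping is exposed; the sample lines are constructed from the four mappings shown above plus one loopback-only mapping, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify `docker port` mappings
# by how widely the host side is bound. Sample lines are constructed.
set -eu

# Classify one "<containerPort>/<proto> -> <hostAddr>:<hostPort>" line:
#   wildcard   bound to 0.0.0.0 or [::] (every host interface)
#   loopback   bound to 127.x or [::1] (clients on the host only)
#   specific   bound to one concrete host address
classify_port_mapping() {
    _host=${1##*-> }          # "0.0.0.0:32768", "[::]:80", "192.168.101.40:8080"
    _addr=${_host%:*}         # strip the host port
    case "$_addr" in
        0.0.0.0|'[::]'|'::') echo wildcard ;;
        127.*|'[::1]'|'::1') echo loopback ;;
        *) echo specific ;;
    esac
}

# Run the classifier over a whole `docker port` listing on stdin and print
# "<class> <line>" per mapping. Exit status is 1 when any mapping is
# wildcard-bound, so the function can gate a deployment check.
audit_port_mappings() {
    _rc=0
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        _class=$(classify_port_mapping "$_line")
        printf '%s %s\n' "$_class" "$_line"
        [ "$_class" != wildcard ] || _rc=1
    done
    return $_rc
}

# Number of wildcard-bound mappings in the listing on stdin.
count_wildcard_mappings() {
    audit_port_mappings | grep -c '^wildcard ' || true
}

# Constructed sample: the four -p forms from the post and one loopback binding.
SAMPLE_PORTS='80/tcp -> 0.0.0.0:32768
80/tcp -> 0.0.0.0:80
80/tcp -> 192.168.101.40:32768
80/tcp -> 192.168.101.40:8080
443/tcp -> 127.0.0.1:8443'

printf '%s\n' "$SAMPLE_PORTS" | audit_port_mappings \
    || echo "wildcard-bound mappings found; consider -p 127.0.0.1:<hostPort>:<containerPort> for local-only services"
```

On a live host, pipe `docker port <container>` into audit_port_mappings instead of the sample. Binding to 127.0.0.1 is the usual way to expose a container port only to a reverse proxy on the same machine.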

Joined mode and the host network

Several Docker containers can share one network namespace, that is, share the same network devices.

First run a container from the busybox:latest image:

root@node01:~# docker container run -i -t --rm --hostname b1 --name bbox-01 busybox:latest
/ # hostname
b1
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1116 (1.0 KiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

In another terminal run a second container, adding the --network container:bbox-01 option:

root@node01:~# docker container run -i -t --rm --hostname b2 --name bbox-02 --network container:bbox-01  busybox:latest
docker: Error response from daemon: conflicting options: hostname and the network mode.
See 'docker run --help'.
root@node01:~# docker container run -i -t --rm  --name bbox-02 --network container:bbox-01  busybox:latest
/ # hostname
b1
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1116 (1.0 KiB)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The two containers bbox-01 and bbox-02 have exactly the same network addresses. Also, once --network container:bbox-01 is used it conflicts with --hostname, and both containers have the same hostname: they share the network namespace and the hostname (UTS) namespace.

To further verify that the two containers share a network namespace, start an httpd service in the container running in the first terminal:

/ # echo "Hello Word." > /tmp/index.html
/ # httpd -h /tmp
/ # netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 :::80                   :::*                    LISTEN

Then check the listening sockets from the container in the second terminal:

/ # netstat -tanl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 :::80                   :::*                    LISTEN
/ # wget -O - -q http://localhost
Hello Word.
/ #

It also shows port 80 being listened on.

Since two containers can share a network namespace, a container can also share the host's network:

root@node01:~# docker container run -i -t --rm --name bbox-04 --network host busybox:latest
/ # hostname
node01
/ # ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:57:49:87:3B
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:57ff:fe49:873b/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:927 (927.0 B)  TX bytes:3376 (3.2 KiB)

ens33     Link encap:Ethernet  HWaddr 00:0C:29:96:48:2C
          inet addr:192.168.101.40  Bcast:192.168.101.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe96:482c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34294 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:22539440 (21.4 MiB)  TX bytes:1727705 (1.6 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:290 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28034 (27.3 KiB)  TX bytes:28034 (27.3 KiB)

The hostname and network devices obtained are the host's. So if a service inside the container listens on a port, the outside world can reach it through the host's network address. The benefit is that the program is packaged in the container while the networking is the host's: if the host fails or several instances need to be deployed, just copy the image to another host running the Docker engine and run it, which makes deployment simple.

Customizing docker0 and the daemon's listening address

Defining docker0's properties

By default the virtual device docker0 has the address 172.17.0.1, containers are allocated addresses from the 172.17.0.0/16 subnet, a container's default nameserver is the one the host uses, and the default gateway points at docker0's IP address. All of this can be customized.

# customize the docker0 bridge's network properties in the /etc/docker/daemon.json file
{
    "bip": "10.1.0.1/16",
    "fixed-cidr": "10.1.0.0/16",
    "fixed-cidr-v6": "",
    "mtu": 1500,
    "default-gateway": "",
    "default-gateway-v6": "",
    "dns": ["",""]
}

The essential key is bip, the bridge IP; most of the others can be derived from it. To change docker0's network address and the addresses allocated to containers, change only bip and then restart the Docker daemon.

Making dockerd listen on a network socket

Method 1

The dockerd daemon follows a C/S model and by default listens on a Unix socket at /var/run/docker.sock. To use a TCP socket as well, add the hosts key to /etc/docker/daemon.json:

"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
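Two of the points above fit one worked example: the container subnet is derived from bip by masking the bridge address with its prefix length, and the MASQUERADE rule in the nat POSTROUTING chain (the `-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE` rule discussed earlier) should cover exactly that subnet. The script below is an added example, not code from the original post: it reads bip out of a daemon.json, computes the network address in plain POSIX arithmetic, and checks the masquerade rule against it. It parses the `iptables -t nat -S POSTROUTING` output format rather than the `-vnL` listing shown in the post, and the sample rule text and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the container subnet from
# "bip" and verify that POSTROUTING masquerades that subnet for traffic leaving
# through anything but the bridge. Sample rule text is constructed in
# `iptables -t nat -S POSTROUTING` format.
set -eu

# Network address of an a.b.c.d/len CIDR, e.g. 10.1.0.1/16 -> 10.1.0.0/16
cidr_network() {
    _ip=${1%/*}; _len=${1#*/}
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
    _n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # prefix mask, kept to 32 bits because shell arithmetic is 64-bit
    _mask=$(( (4294967295 << (32 - _len)) & 4294967295 ))
    _net=$(( _n & _mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (_net >> 24) & 255 )) $(( (_net >> 16) & 255 )) \
        $(( (_net >> 8) & 255 )) $(( _net & 255 )) "$_len"
}

# Read the "bip" value out of a daemon.json (flat key, as in the post); prints
# nothing when the file or key is absent.
bip_from_daemon_json() {
    [ -f "$1" ] || return 0
    sed -n 's/.*"bip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# From `iptables -t nat -S POSTROUTING` text on stdin, print the source subnets
# that are masqueraded when leaving via an interface other than the given bridge.
masqueraded_subnets() {
    # $1: bridge name
    awk -v br="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; notout = ""; masq = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i+1)
                if ($i == "!" && $(i+1) == "-o") notout = $(i+2)
                if ($i == "-j" && $(i+1) == "MASQUERADE") masq = 1
            }
            if (masq && notout == br && src != "") print src
        }'
}

# Exit 0 when the masquerade rule covers the subnet implied by bip.
check_masquerade() {
    # $1: bip (e.g. 172.17.0.1/16), $2: bridge name, stdin: rule lines
    _want=$(cidr_network "$1")
    masqueraded_subnets "$2" | grep -qx "$_want"
}

# Constructed sample: the POSTROUTING rule from the post's node01 in -S format.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

if printf '%s\n' "$SAMPLE_RULES" | check_masquerade 172.17.0.1/16 docker0; then
    echo "masquerade rule covers $(cidr_network 172.17.0.1/16)"
fi
```

On a live host, replace the sample with `iptables -t nat -S POSTROUTING | check_masquerade "$(bip_from_daemon_json /etc/docker/daemon.json)" docker0`; a mismatch after changing bip usually means dockerd was not restarted, and the containers will have no path off the host.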
root@node01:~# vim /etc/docker/daemon.json
{
        "registry-mirrors": [
                "https://1nj0zren.mirror.aliyuncs.com",
                "https://docker.mirrors.ustc.edu.cn",
                "http://registry.docker-cn.com"
        ],
        "insecure-registries": [
                "docker.mirrors.ustc.edu.cn"
        ],
        "debug": true,
        "experimental": true,
        "hosts": ["unix:///var/run/docker.sock","tcp://0.0.0.0:2375"]
}

Stop dockerd:

root@node01:/lib/systemd/system# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket

There is a warning, and the subsequent start fails:

root@node01:/lib/systemd/system# systemctl start docker
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.

Edit the /lib/systemd/system/docker.service file:

[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
change to
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
root@node01:/lib/systemd/system# systemctl daemon-reload  # docker.service changed, so the unit must be reloaded
root@node01:/lib/systemd/system# systemctl start docker
root@node01:/lib/systemd/system# ss -tanl
State              Recv-Q              Send-Q                            Local Address:Port                            Peer Address:Port
LISTEN             0                   128                               127.0.0.53%lo:53                                   0.0.0.0:*
LISTEN             0                   128                                     0.0.0.0:22                                   0.0.0.0:*
LISTEN             0                   128                                           *:2375                                       *:*
LISTEN             0                   128                                        [::]:22                                      [::]:*

Port 2375 is now listening. Stopping docker may still print the warning; it is unclear what effect this has.

root@node01:/lib/systemd/system# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
  docker.socket
root@node01:/lib/systemd/system# systemctl start docker
root@node01:/lib/systemd/system# ss -tanl | grep 2375
LISTEN   0         128                       *:2375                   *:*

Use the docker command on node02 to operate on node01's resources:

root@node02:~# docker -H 192.168.101.40:2375 image ls
REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE
busybox-httpd            v0.2                985f056d206d        12 hours ago        1.22MB
zhaochj/httpd            v0.1                985f056d206d        12 hours ago        1.22MB
busybox-httpd            v0.1                806601ab5565        12 hours ago        1.22MB
nginx                    stable-alpine       8c1bfa967ebf        7 days ago          21.5MB
busybox                  latest              c7c37e472d31        2 weeks ago         1.22MB
quay.io/coreos/flannel   v0.12.0-amd64       4e9f801d2217        4 months ago        52.8MB

Method 2

For more information see: https://docs.docker.com/engine/reference/commandline/dockerd/

Edit the /lib/systemd/system/docker.service file directly, without touching /etc/docker/daemon.json:

[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
change to
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock
root@node01:/lib/systemd/system# systemctl daemon-reload
root@node01:/lib/systemd/system# systemctl stop docker
root@node01:/lib/systemd/system# systemctl start docker
root@node01:/lib/systemd/system# ss -tanl | grep 2375
LISTEN   0         128                       *:2375                   *:*

Docker considers listening on a network socket a potential risk; it is insecure and not recommended.

Reposted from blog.51cto.com/zhaochj/2536320
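A plain tcp://0.0.0.0:2375 listener such as the one configured by both methods above accepts commands from anyone who can reach the port, and a Docker API client can start privileged containers, so that amounts to root on the host. As an added example (not code from the original post or from Docker), the script below audits the two places the post edits, /etc/docker/daemon.json and docker.service, and reports any tcp:// listener that is not paired with TLS client verification (the --tlsverify flag or the "tlsverify" daemon.json key, both real dockerd options). The sample files are constructed in a temporary directory to mirror the post's configuration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): flag dockerd tcp:// listeners
# that have no TLS client verification. Sample config files are constructed.
set -eu

# Print each listener in the "hosts" array of a daemon.json, one per line.
# A sed pipeline is enough for the flat array shown in the post; it is not a
# general JSON parser.
hosts_from_daemon_json() {
    [ -f "$1" ] || return 0
    { tr -d '\n' < "$1"; echo; } \
        | sed -n 's/.*"hosts"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
        | tr ',' '\n' | sed 's/[[:space:]"]//g' | sed '/^$/d'
}

# Print each -H / --host argument from the ExecStart= line of a unit file.
hosts_from_unit() {
    [ -f "$1" ] || return 0
    sed -n 's/^ExecStart=//p' "$1" | tr ' ' '\n' | awk '
        $0 == "-H" || $0 == "--host" { want = 1; next }
        want { print; want = 0; next }
        /^(-H|--host)=/ { sub(/^(-H|--host)=/, ""); print }'
}

# True when either file turns on TLS client verification.
tls_verify_enabled() {
    # $1: daemon.json path, $2: unit path
    { [ -f "$1" ] && grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; } && return 0
    { [ -f "$2" ] && grep -q -- '--tlsverify' "$2"; } && return 0
    return 1
}

# Print one line per listener and exit 1 if any tcp:// listener lacks TLS
# verification; unix:// and fd:// listeners are reported as local.
audit_dockerd_listeners() {
    _json=$1; _unit=$2; _bad=0
    for _h in $(hosts_from_daemon_json "$_json") $(hosts_from_unit "$_unit"); do
        case "$_h" in
            tcp://*)
                if tls_verify_enabled "$_json" "$_unit"; then
                    echo "tls-verified $_h"
                else
                    echo "UNPROTECTED $_h"; _bad=1
                fi ;;
            *) echo "local $_h" ;;
        esac
    done
    return $_bad
}

# Constructed samples mirroring the post's method 1.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/daemon.json" <<'EOF'
{
    "debug": true,
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF
cat > "$DEMO_DIR/docker.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
EOF

audit_dockerd_listeners "$DEMO_DIR/daemon.json" "$DEMO_DIR/docker.service" \
    || echo "dockerd is reachable over plain TCP: anyone who can connect controls the host"
rm -rf "$DEMO_DIR"
```

On a real host call `audit_dockerd_listeners /etc/docker/daemon.json /lib/systemd/system/docker.service`. If remote access is genuinely needed, the supported arrangement is TLS with client certificates (dockerd --tlsverify with --tlscacert/--tlscert/--tlskey, conventionally on port 2376) or SSH to the host, with the port itself restricted by a firewall.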