Docker networking in one article (bridge, host, none)

Table of contents

1. docker network
2. none network
3. host network
4. bridge network
5. Custom network
   1. docker network create
   2. docker network inspect
   3. docker network connect
   4. docker network rm
6. Real environment practice


1. docker network

When a project uses Docker at scale, the question of how containers communicate comes up quickly, and answering it requires a fair amount of networking knowledge. Docker is the most popular lightweight container technology and has many commendable features, such as image management, but it also has rough edges, and networking is one of its weaker areas. It is therefore worth understanding Docker's networking model in depth in order to meet more demanding network requirements.

Default networks

After Docker is installed, three networks are created by default; they can be listed with docker network ls.

[root@localhost ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
b2d0689a7644   bridge    bridge    local
c598e7da9321   host      host      local
36391f761fe6   none      null      local
Network mode     Introduction
none             The container has its own network namespace but no network configuration at all.
host             The container gets no virtual NIC or IP of its own; it uses the host's IP and ports directly.
bridge           Each container gets its own IP and is attached to the docker0 virtual bridge; this is the default mode.
custom network   A network you create according to your own requirements.

2. none network

The none network mode disables networking entirely; only the lo interface (the local loopback, 127.0.0.1, i.e. localhost) remains. It is selected by passing --net none or --network none when the container is created.

The none network is a network with nothing in it. A container attached to it has no interface other than lo; it is a closed space.

[root@localhost ~]# docker run -it --network=none busybox
/ # ls
bin   dev   etc   home  proc  root  sys   tmp   usr   var
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

In terms of usage scenarios, the none network suits applications that need strong isolation and no network access at all. For example, a container whose only job is to generate random passwords can be placed on the none network so that the passwords cannot be stolen over the network.

3. host network

A container in host network mode uses the host's IP address directly to communicate with the outside world. If the host's eth0 carries a public IP, the container has that public IP as well. Services in the container bind the host's ports directly, with no additional NAT translation.

[root@localhost ~]# docker run -it --network host busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:10:b7:cb brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe10:b7cb/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 02:42:48:47:28:8a brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:48ff:fe47:288a/64 scope link
       valid_lft forever preferred_lft forever

Inside the container you can see all of the host's network interfaces, and even the hostname is the host's. When is the host network useful? Its biggest advantage is performance: if a container has high demands on network throughput, the host network is a good choice. The price is flexibility. Port conflicts become a concern, for example, because a port already in use on the Docker host cannot be used by the container.

Another use of the host network is to let a container configure the host's networking directly. Some cross-host networking solutions run as containers, and they need to manipulate the host network stack, for example by managing iptables rules.

Let me take nginx as an example to look at some characteristics of the host network.

[root@localhost ~]# docker run -it --network=host nginx

Port 80 can be reached from outside without any port mapping.

Of course, the firewall must be turned off, or port 80 opened.
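The host-mode trade-offs above (no isolation from the host's interfaces, port conflicts with other containers) are easy to miss on a busy host. As an added example, not from the original article, the following Python parses the JSON that docker inspect prints for several containers and reports the network mode of each one plus any host port claimed twice. The sample is constructed here to mimic that output; the ExposedPorts heuristic for host-mode containers is an assumption, since Docker publishes nothing for them.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `docker inspect web api pwgen`, trimmed to the
# fields used below (container names, modes and ports are made up for this example).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
     "Config": {"ExposedPorts": {"80/tcp": {}}},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Name": "/api", "HostConfig": {"NetworkMode": "default",
                                    "PortBindings": {"8000/tcp": [{"HostIp": "", "HostPort": "80"}]}},
     "Config": {"ExposedPorts": {"8000/tcp": {}}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/pwgen", "HostConfig": {"NetworkMode": "none", "PortBindings": {}},
     "Config": {"ExposedPorts": {}},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
])


def audit(inspect_json):
    """Return ({container: network mode}, [findings]) for a `docker inspect` JSON list."""
    modes = {}
    host_port_users = defaultdict(list)  # "port/proto" on the host -> containers claiming it
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        mode = c["HostConfig"]["NetworkMode"]
        modes[name] = mode
        if mode == "host":
            findings.append(f"{name}: host network, shares every host interface (no isolation, no NAT)")
            # Docker publishes nothing in host mode; the image's EXPOSE ports are the
            # best static hint of what the service will bind directly on the host.
            for port in c["Config"].get("ExposedPorts") or {}:
                host_port_users[port].append(name)
        elif mode == "none":
            findings.append(f"{name}: none network, only lo is present")
        else:
            # Bridge-style modes: only the published (-p) host ports matter.
            for cport, binds in (c["HostConfig"].get("PortBindings") or {}).items():
                proto = cport.split("/")[1]
                for b in binds:
                    host_port_users[f"{b['HostPort']}/{proto}"].append(name)
    for port, users in sorted(host_port_users.items()):
        if len(users) > 1:
            findings.append(f"port {port} on the host is claimed by {', '.join(users)}")
    return modes, findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INSPECT)[1]:
        print(line)
```

On a real host, feed it the output of docker inspect $(docker ps -q) instead of the constructed sample.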

4. bridge network

In this mode the Docker daemon creates a virtual Ethernet bridge, docker0. Newly created containers are attached to it automatically, and packets are forwarded between all interfaces attached to the bridge.

When Docker is installed, a Linux bridge named docker0 is created. If --network is not specified, a new container is attached to docker0 by default.

[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02424847288a       no

At the moment no other network devices are attached to docker0. Let's create a container and see what changes.

[root@localhost ~]# docker run -itd busybox
0fee2a50ff1136c302604c13b5b51a2b72d904268ff8d69df07a8d01a1c2c6a9
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02424847288a       no              vethe833331

A new interface, vethe833331, is now attached to docker0; it is the host-side end of the virtual network card of the newly created container.

View the network configuration of the container just created:

[root@localhost ~]# docker exec -it 0fee2a50ff11 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

The subnet of the default bridge network is 172.17.0.0/16 and the gateway is 172.17.0.1. That gateway is docker0 itself.

[root@localhost ~]# ifconfig docker0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:48ff:fe47:288a  prefixlen 64  scopeid 0x20<link>
        ether 02:42:48:47:28:8a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 438 (438.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

5. Custom network

In addition to the three automatically created networks (none, host and bridge), users can create user-defined networks to suit their own needs.

1.docker network create

Format:

docker network create [OPTIONS] NETWORK

options:

--driver,-d: the driver that manages the network, i.e. the network type
--gateway: IPv4 or IPv6 gateway for the main subnet
--subnet: subnet in CIDR format, representing one network segment

Create a network on the 192.168.8.0/24 segment with gateway 192.168.8.254:

[root@localhost ~]# docker network create --driver bridge --gateway 192.168.8.254 --subnet 192.168.8.0/24 mynet1
37c8fcb1b7c93184f4efadac4cb849651b60738d1c3d667c3352a6e367a0a633
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br-37c8fcb1b7c9         8000.024213041d24       no
docker0         8000.02424847288a       no              vethe833331
[root@localhost ~]# docker run -it --network mynet1 busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:c0:a8:08:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/24 brd 192.168.8.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.8.254   0.0.0.0         UG    0      0        0 eth0
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

2.docker network inspect

Display detailed information for one or more networks.

Format:

docker network inspect [OPTIONS] NETWORK [NETWORK...]

options:

--format,-f: custom output format

View the details of the network just created:

[root@localhost ~]# docker network inspect mynet1
[
    {
        "Name": "mynet1",
        "Id": "37c8fcb1b7c93184f4efadac4cb849651b60738d1c3d667c3352a6e367a0a633",
        "Created": "2023-07-11T22:04:40.965301103+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.8.0/24",
                    "Gateway": "192.168.8.254"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
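The --subnet and --gateway values above end up in the IPAM block that docker network inspect shows, and a wrong value (a gateway outside its subnet, or a Docker subnet that overlaps another network or the host's own LAN) is easy to introduce by hand. As an added example, not part of the original article, this Python reads the inspect output for several networks and reports such IPAM problems; the JSON is constructed here to match the format above, and mynet02's values are deliberately wrong to show the checks firing.

```python
import ipaddress
import json

# Constructed sample shaped like `docker network inspect bridge mynet1 mynet02`,
# reduced to the IPAM fields used below. mynet02's subnet and gateway are made up
# here to demonstrate a misconfiguration.
SAMPLE_NETWORKS = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "mynet1", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "192.168.8.0/24", "Gateway": "192.168.8.254"}]}},
    {"Name": "mynet02", "Driver": "bridge",
     "IPAM": {"Config": [{"Subnet": "192.168.2.0/24", "Gateway": "192.168.8.1"}]}},
])

# The host's own addresses as `ip a` reports them (ens33 on the page); constructed list.
HOST_ADDRS = ["192.168.2.5/24"]


def check_networks(inspect_json, host_addrs):
    """Return a list of (network name, problem) tuples for IPAM misconfigurations."""
    problems = []
    seen = []  # (name, subnet) of networks already checked, for the overlap test
    host_nets = [ipaddress.ip_interface(a).network for a in host_addrs]
    for net in json.loads(inspect_json):
        for cfg in net["IPAM"].get("Config", []):
            subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
            gw = cfg.get("Gateway")
            # The gateway is the bridge's own address, so it must lie inside the subnet.
            if gw and ipaddress.ip_address(gw) not in subnet:
                problems.append((net["Name"], f"gateway {gw} outside {subnet}"))
            # Each bridge network is its own L2 segment; shared address space means
            # containers on one network get routes that point at the other.
            for other_name, other in seen:
                if subnet.overlaps(other):
                    problems.append((net["Name"], f"{subnet} overlaps {other_name} ({other})"))
            # A container subnet that collides with a real host LAN hijacks host routes.
            for hn in host_nets:
                if subnet.overlaps(hn):
                    problems.append((net["Name"], f"{subnet} overlaps host LAN {hn}"))
            seen.append((net["Name"], subnet))
    return problems


if __name__ == "__main__":
    for name, problem in check_networks(SAMPLE_NETWORKS, HOST_ADDRS):
        print(f"{name}: {problem}")
```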

3.docker network connect

Connect a container to a network.

Format:

docker network connect [OPTIONS] NETWORK CONTAINER

Connect a running container to a second network (here mynet02); the container receives an additional interface, eth1:

[root@localhost ~]# docker network connect mynet02 041b95cd171e
[root@localhost ~]# docker exec -it 041b95cd171e /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:c0:a8:08:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.1/24 brd 192.168.8.255 scope global eth0
       valid_lft forever preferred_lft forever
22: eth1@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.2/16 brd 172.18.255.255 scope global eth1
       valid_lft forever preferred_lft forever

4.docker network rm

Remove one or more networks.

Format:

docker network rm NETWORK [NETWORK...]

options:

--force,-f: force removal of the network

Delete the networks just created:

[root@localhost ~]# docker network rm -f mynet1
mynet1
[root@localhost ~]# docker network rm -f mynet02
mynet02
[root@localhost ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
b2d0689a7644   bridge    bridge    local
c598e7da9321   host      host      local
36391f761fe6   none      null      local

6. Real environment practice

1. External access to a container

Switch the container's network to host mode.

2. How to access containers on different network segments

Give the container two network interfaces (connect it to both networks).

Origin blog.csdn.net/weixin_53678904/article/details/131671180