[TOC]

> Official introduction: [Docker networking](https://docs.docker.com/network/)

# Docker's four network types

- [network-tutorial-standalone](https://docs.docker.com/network/network-tutorial-standalone/)
- [network-tutorial-host](https://docs.docker.com/network/network-tutorial-host/)
- [network-tutorial-overlay](https://docs.docker.com/network/network-tutorial-overlay/)
- [network-tutorial-macvlan](https://docs.docker.com/network/network-tutorial-macvlan/)

# Computer network models

![](https://github.com/taot168/pmdoc/blob/master/doc/image/docker/%E7%BD%91%E7%BB%9C.png?raw=true)

![](https://github.com/taot168/pmdoc/blob/master/doc/image/docker/TCPIP%20OSI7%E5%B1%82%E6%A8%A1%E5%9E%8B.png?raw=true)

# Network interfaces

## ip a

- State: UP/DOWN/UNKNOWN, etc.
- link/ether: MAC address
- inet: the IP address bound to the interface

Interface config file: `cat /etc/sysconfig/network-scripts/ifcfg-ens33`

## Adding and removing an IP on an interface

### Add

`ip addr add 192.168.0.200/24 dev ens33`

### Delete

`ip addr delete 192.168.0.200/24 dev ens33`

## Bringing an interface up or down

Via the network service: `service network start/restart`

Bring a specific interface up or down: `ip link set ens33 up/down` (recommended)

`ifup/ifdown ens33`

# Network Namespace

Linux isolates networking by placing interfaces in separate network namespaces.

## Commands

### List

`ip netns list`

### Add

`ip netns add ns1`

### Delete

`ip netns delete ns1`

### Show the interfaces in ns1

`ip netns exec ns1 ip a`

### Bring up lo in ns1

`ip netns exec ns1 ip link set lo up` or `ip netns exec ns1 ifup lo`

### Bring down lo in ns1

`ip netns exec ns1 ip link set lo down` or `ip netns exec ns1 ifdown lo`

## Connecting interfaces

Interfaces in different namespaces are connected with a Virtual Ethernet pair (veth).

Create a second namespace: `ip netns add ns2`

Then connect ns1 with ns2:

### Create the link

`ip link add veth-ns1 type veth peer name veth-ns2`

### Show the links

`ip link`

~~~
[root@localhost ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:79:df:91 brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:4f:9f:67:4e brd ff:ff:ff:ff:ff:ff
5: vetha01817f@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
    link/ether fe:b5:e0:38:e4:83 brd ff:ff:ff:ff:ff:ff link-netnsid 0
6: veth-ns2@veth-ns1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 82:a7:01:5b:e1:3a brd ff:ff:ff:ff:ff:ff
7: veth-ns1@veth-ns2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether a6:8b:29:76:9e:bf brd ff:ff:ff:ff:ff:ff
~~~

### Move each end of the link into its namespace

`ip link set veth-ns1 netns ns1`

`ip link set veth-ns2 netns ns2`

### Show the link info on the host, in ns1 and in ns2

```
ip link
ip netns exec ns1 ip link
ip netns exec ns2 ip link
```

### Assign IPs to veth-ns1 and veth-ns2

```
ip netns exec ns1 ip addr add 192.168.136.11/24 dev veth-ns1
ip netns exec ns2 ip addr add 192.168.136.12/24 dev veth-ns2
```

### Bring up veth-ns1 and veth-ns2

```
ip netns exec ns1 ip link set veth-ns1 up
ip netns exec ns2 ip link set veth-ns2 up
```

### Verify

```
ip netns exec ns1 ip a
ip netns exec ns2 ip a
ip netns exec ns1 ping 192.168.136.12
ip netns exec ns2 ping 192.168.136.11
```

# Networking between containers

## Create the containers

```
docker run -d --name tomcat01 -p 8081:8080 tomcat
docker run -d --name tomcat02 -p 8082:8080 tomcat
```

## Show the container IPs

`docker exec -it tomcat01 ip a`

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
```

`docker exec -it tomcat02 ip a`

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
```

## Containers pinging each other

```
docker exec -it tomcat01 ping 172.17.0.4
docker exec -it tomcat02 ping 172.17.0.3
```

Every container has its own network namespace; different containers communicate with each other through the bridge.

## Show the bridge interfaces

Install bridge-utils and list the bridges:

```
yum install bridge-utils
brctl show
```

```
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.02424f9f674e	no		vetha01817f
							vethd93c2a7
							vethed64910
```

`ip a`

```
[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:79:df:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.136.200/24 brd 192.168.136.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::8510:a675:844e:6602/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:4f:9f:67:4e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:4fff:fe9f:674e/64 scope link
       valid_lft forever preferred_lft forever
5: vetha01817f@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether fe:b5:e0:38:e4:83 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::fcb5:e0ff:fe38:e483/64 scope link
       valid_lft forever preferred_lft forever
9: vethed64910@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ba:80:2d:96:08:2d brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::b880:2dff:fe96:82d/64 scope link
       valid_lft forever preferred_lft forever
11: vethd93c2a7@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 6a:f0:73:88:fa:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 4
    inet6 fe80::68f0:73ff:fe88:fab7/64 scope link
       valid_lft forever preferred_lft forever
```

## Bridge details

`docker network inspect bridge`

```
[root@localhost ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "ba3815ba7f71806a2bcce01bf75caf5fd6872f70711703d8a7cb9e93780429b3",
        "Created": "2019-12-19T06:45:57.074925444+05:30",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "378d9007df186d2ab40851ff208d48469c640ed74ea1a40bb737b4f6d6d1cffe": {
                "Name": "my-mysql",
                "EndpointID": "895ff12e03961ae9814b3f4db24edaa528659500af34df492650ef79cf58cf6e",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "d6b020a87c6462c4f88fe7813b581dfa4880ff780cb1b7217f83af7d4d7810b4": {
                "Name": "tomcat02",
                "EndpointID": "b311ca2594fd9fd1d4f2099a47d16457d0f91ccea995c829e1fa9223dfcc2e4a",
                "MacAddress": "02:42:ac:11:00:04",
                "IPv4Address": "172.17.0.4/16",
                "IPv6Address": ""
            },
            "f4f84050ad9bae40e8b9abe64b1b37ff3c4fbd4a4222707e8223213d6e4423ae": {
                "Name": "tomcat01",
                "EndpointID": "7232c4a2c9ae5c0364f3b22fcd82fa86a76c8f4053b52752a1777c414f80f4c0",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
```

## Network diagram for containers tomcat01 and tomcat02

![](https://github.com/taot168/pmdoc/blob/master/doc/image/docker/%E5%90%8C%E6%9C%BA%E5%99%A8container%20%E7%BD%91%E7%BB%9C.png?raw=true)

## Containers accessing the internet

![](https://github.com/taot168/pmdoc/blob/master/doc/image/docker/container%E8%AE%BF%E9%97%AE%E4%BA%92%E8%81%94%E7%BD%91.png?raw=true)

## Putting a container on a specific network

```
docker network create tomcat-net
# or, with an explicit subnet:
docker network create --subnet=172.18.0.0/24 tomcat-net
docker network inspect tomcat-net
docker run -d --name custom-net-tomcat --network tomcat-net tomcat
docker exec -it custom-net-tomcat ip a
brctl show
```

```
[root@localhost ~]# brctl show
bridge name	bridge id		STP enabled	interfaces
br-dd4d6a260972		8000.0242b277b462	no		veth4bb70db
docker0		8000.02424f9f674e	no		vetha01817f
							vethd93c2a7
							vethed64910
```

Connect tomcat01 to tomcat-net so that custom-net-tomcat and tomcat01 can reach each other:

`docker network connect tomcat-net tomcat01`
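As an added example (not part of the original notes), the following Python check parses `docker network inspect` output and answers the question the ping tests above settle by hand: which containers can reach which. It assumes the trimmed sample below, in which the `bridge` entry is taken from the output shown earlier and the `tomcat-net` entry is constructed to reflect the state after `docker network connect tomcat-net tomcat01`; it also shows that every container on the default `docker0` bridge (here including my-mysql) can reach every other, which is why a user-defined network is the usual way to segment containers.

```python
import json
from collections import defaultdict

# Sample `docker network inspect` output trimmed to the fields used here. The
# "bridge" entry is taken from the output shown above (IDs in Docker's short
# form); the "tomcat-net" entry is constructed to mirror the --subnet=172.18.0.0/24
# network after `docker network connect tomcat-net tomcat01`.
INSPECT_OUTPUT = """[
 {"Name": "bridge", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
  "Containers": {
   "378d9007df18": {"Name": "my-mysql", "IPv4Address": "172.17.0.2/16"},
   "d6b020a87c64": {"Name": "tomcat02", "IPv4Address": "172.17.0.4/16"},
   "f4f84050ad9b": {"Name": "tomcat01", "IPv4Address": "172.17.0.3/16"}},
  "Options": {"com.docker.network.bridge.enable_icc": "true",
              "com.docker.network.bridge.enable_ip_masquerade": "true"}},
 {"Name": "tomcat-net", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.18.0.0/24", "Gateway": "172.18.0.1"}]},
  "Containers": {
   "0123456789ab": {"Name": "custom-net-tomcat", "IPv4Address": "172.18.0.2/24"},
   "f4f84050ad9b": {"Name": "tomcat01", "IPv4Address": "172.18.0.3/24"}},
  "Options": {}}
]"""


def audit_networks(inspect_json):
    """Return (open_icc, multi_homed): networks whose members can all reach
    each other, and containers attached to more than one network."""
    attachments = defaultdict(set)
    open_icc = []
    for net in json.loads(inspect_json):
        # The bridge driver keeps inter-container communication on unless the
        # option is explicitly "false", so an empty Options block means ICC on.
        opts = net.get("Options") or {}
        icc = opts.get("com.docker.network.bridge.enable_icc", "true") != "false"
        members = sorted(c["Name"] for c in net.get("Containers", {}).values())
        if icc and len(members) > 1:
            open_icc.append((net["Name"], members))
        for name in members:
            attachments[name].add(net["Name"])
    multi_homed = {c: sorted(n) for c, n in attachments.items() if len(n) > 1}
    return open_icc, multi_homed


def can_reach(inspect_json, src, dst):
    """True when src and dst share an ICC-enabled network, which is what the
    page verifies by hand with `docker exec ... ping`."""
    open_icc, _ = audit_networks(inspect_json)
    return any(src in m and dst in m for _, m in open_icc)
```

Run it against the real output of `docker network inspect $(docker network ls -q)` to see which containers share a segment and which, like tomcat01 after the `connect` step, straddle two of them.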