Docker

本文是在原文基础上的实际操作验证记录和细节补充。

默认情况下,容器连接到虚拟网桥docker0提供的虚拟子网中,容器之间通过默认网关（虚拟网桥docker0接口地址）建立连接。
如果不使用虚拟网桥，用户也可以通过创建两个容器间的点到点链路，将一对peer接口分别放到两个容器，来实现容器直连。
容器的直连链路不需要子网和子网掩码。

1 - 启动容器

[root@CentOS-7 ~]# docker run -it -d --net=none --name node-A centos /bin/bash
2c5683fbdf0880271013357e9a40b7549ad1c570c855bf591341ad7e7ac3f64e
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# docker run -it -d --net=none --name node-B centos /bin/bash
33c209f70d0b5d48963793873088006349133652190d86444417b408830fd20d
[root@CentOS-7 ~]#
[root@CentOS-7 ~]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
33c209f70d0b        centos              "/bin/bash"         2 minutes ago       Up 2 minutes                            node-B
2c5683fbdf08        centos              "/bin/bash"         2 minutes ago       Up 2 minutes                            node-A
[root@CentOS-7 ~]#
[root@CentOS-7 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
1d732a1c4f67        bridge              bridge              local               
2e217e480705        host                host                local               
c31d9a1acfc0        none                null                local               
[root@CentOS-7 ~]# docker network inspect none
[
    {
        "Name": "none",
        "Id": "c31d9a1acfc0b2ef806bef75c492b77189c32ae21bdca4eeef709b015ba95923",
        "Scope": "local",
        "Driver": "null",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": []
        },
        "Internal": false,
        "Containers": {
            "2c5683fbdf0880271013357e9a40b7549ad1c570c855bf591341ad7e7ac3f64e": {
                "Name": "node-A",
                "EndpointID": "73131ca12a7f7c1e036f7dcb26eb7d6d50f315767db1eddd829a89d45f4b17a3",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            },
            "33c209f70d0b5d48963793873088006349133652190d86444417b408830fd20d": {
                "Name": "node-B",
                "EndpointID": "0be67083bf14916b3accfbf9641c9099a69f8b7597a53eeeb88659315e193117",
                "MacAddress": "",
                "IPv4Address": "",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]
[root@CentOS-7 ~]#

如果不指定"--net=none", 容器可以使用默认bridge网络通信。

2 - 根据进程ID创建网络名称空间跟踪文件

[root@CentOS-7 ~]# pid_A=`docker inspect -f '{{.State.Pid}}' node-A`
[root@CentOS-7 ~]# pid_B=`docker inspect -f '{{.State.Pid}}' node-B`
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# mkdir -p /var/run/netns
[root@CentOS-7 ~]# ln -s /proc/$pid_A/ns/net /var/run/netns/$pid_A
[root@CentOS-7 ~]# ln -s /proc/$pid_B/ns/net /var/run/netns/$pid_B
[root@CentOS-7 ~]# 

3 - 创建peer接口并配置路由

[root@CentOS-7 ~]# ip link add node-A type veth peer name node-B
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# ip link set node-A netns $pid_A
[root@CentOS-7 ~]# ip netns exec $pid_A ip addr add 10.1.1.1/32 dev node-A
[root@CentOS-7 ~]# ip netns exec $pid_A ip link set node-A up
[root@CentOS-7 ~]# ip netns exec $pid_A ip route add 10.1.1.2/32 dev node-A
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# ip link set node-B netns $pid_B
[root@CentOS-7 ~]# ip netns exec $pid_B ip addr add 10.1.1.2/32 dev node-B
[root@CentOS-7 ~]# ip netns exec $pid_B ip link set node-B up
[root@CentOS-7 ~]# ip netns exec $pid_B ip route add 10.1.1.1/32 dev node-B
[root@CentOS-7 ~]# 

4 - 验证

容器可以相互ping通和建立连接。

[root@CentOS-7 ~]# docker attach node-A
[root@2c5683fbdf08 /]#
[root@2c5683fbdf08 /]# ip addr show |grep node-A
83: node-A@if82: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.1.1.1/32 scope global node-A
[root@2c5683fbdf08 /]#
[root@2c5683fbdf08 /]# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=0.106 ms
^C
--- 10.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.106/0.109/0.113/0.011 ms
[root@2c5683fbdf08 /]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.180 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.110 ms
^C
--- 10.1.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.110/0.133/0.180/0.034 ms
[root@2c5683fbdf08 /]# [root@CentOS-7 ~]# 
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# 
[root@CentOS-7 ~]# docker attach node-B
[root@33c209f70d0b /]# 
[root@33c209f70d0b /]# ip addr show |grep node-B
82: node-B@if83: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.1.1.2/32 scope global node-B
[root@33c209f70d0b /]# 
[root@33c209f70d0b /]# ping 10.1.1.2
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=0.113 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=0.084 ms
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.084/0.098/0.113/0.017 ms
[root@33c209f70d0b /]# 
[root@33c209f70d0b /]# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.189 ms
64 bytes from 10.1.1.1: icmp_seq=2 ttl=64 time=0.122 ms
^C
--- 10.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.122/0.155/0.189/0.035 ms
[root@33c209f70d0b /]# [root@CentOS-7 ~]# 
[root@CentOS-7 ~]#