溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
1、在純Docker的環境,Docker支持4類網絡模式:
● host模式:使用宿主機的IP和端口
● container模式:和已存在的容器共享網絡
● none模式: 不進行網絡配置
● bridge模式: 默認模式,使用橋接網絡,Kubernetes使用此模式。
2、Docker 網絡模型
通過上圖,可以清楚的表示容器的網絡結構,其中容器中的網卡eth0和綁定在Docker0網橋上的vethxxx設備是一對veth設備對。其中vethxxx由于綁定到docker0網橋,所以沒有IP地址,容器中的eth0分配了和docker0同一網段的地址,這樣就實現了容器的互聯。
3、查看運行兩個容器的宿主:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:15:c2:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.20.17/24 brd 192.168.20.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe15:c212/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:fa:6f:13:18 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:faff:fe6f:1318/64 scope link
valid_lft forever preferred_lft forever
7: veth47e9040@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
link/ether f2:4e:50:a5:fb:b8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::f04e:50ff:fea5:fbb8/64 scope link
valid_lft forever preferred_lft forever
19: veth46fb1f6@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
link/ether 7a:96:bc:c7:03:d8 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::7896:bcff:fec7:3d8/64 scope link
valid_lft forever preferred_lft forever4、通過查看橋接網卡信息,可以驗證這兩個veth綁定在docker0上:
# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242fa6f1318 no veth46fb1f6
veth47e90405、查看容器的network namespace
# docker inspect 506a694d09fb|grep Pid
"Pid": 2737,
"PidMode": "",
"PidsLimit": 0,
# mkdir /var/run/netns
# ln -s /proc/2737/ns/net /var/run/netns/506a694d09fb
# ip netns list
506a694d09fb (id: 0)
6d9742fb3c2d (id: 1)分別查看兩個容器的IP:
# ip netns exec 506a694d09fb ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 scope global eth0
valid_lft forever preferred_lft foreve
# ip netns exec 6d9742fb3c2d ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
18: eth0@if19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 scope global eth0
valid_lft forever preferred_lft forever可以發現這兩個容器屬于不同網絡命名空間,但是在同一網段,通過veth設備對,綁定docker0互聯。
通過ethtool -S veth-name 可以查看到對應的peer端,這里就不再演示,其實通過veth的名稱(vethxxx@ifNO)也可以發現所指的接口信息。
6、如果執行ip netns exec命令報錯,說明docker把網絡netns又隱藏了一層,可以先進入docker守護進程的mount命名空間,在進入對應的網絡命名空間,執行下面的nsenter命令。
[root@jumpserver ~]# nsenter -t 6807 -m nsenter --net=/var/run/docker/netns/a4fdba0d4cd4 ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
46: eth0@if47: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:2/64 scope link
valid_lft forever preferred_lft forever6807為docker主進程pid,可以通過pstree -p命令獲取。
參考文章:
https://blog.51cto.com/tryingstuff/2165805
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
