Copyright belongs to the author. For any form of reprint, please contact the author for authorization and indicate the source.
Starting from the Linux network namespace, this article explains Docker's built-in host and bridge networks in detail to show how network isolation and communication between containers are achieved.
Network Basics review
- Network Base Reference
- Conceptual reference for routing
- IP address and route reference
- Public IP address and private IP address reference
- Network address translation NAT reference
- ping: command to verify IP reachability on the network
- telnet: command to verify the availability of a network service
- Linux network namespace
- Docker network reference
Docker bridge
How does a container on Docker's bridge network reach the Internet through the host's IP address? The container's eth0@if14 lives in the container's own independent network namespace; its veth peer, veth26d281@if13, is an interface on the host side that is attached to the docker0 bridge. The interface names come from the following commands.
Inside the container:
docker exec test1 ip a
eth0@if14
On the host, the peer end of the same veth pair:
veth26d281@if13
Bridge membership on the host:
brctl show
docker0
veth26d281
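The pairing described above (container eth0@if14 on one side, host veth26d281@if13 attached to docker0 on the other) can be checked mechanically from `ip link` and `brctl show` output. The following is an added example, not code from the original article: it matches the `@ifN` peer index printed by `ip link` across the two namespaces and looks the host end up in the bridge table. The sample outputs are constructed to match the article's interface names, not captured from a real host.

```python
"""Match a container's eth0 to its host-side veth and to the bridge it hangs off.

Added example, not code from the original article. It parses the text printed
by `ip link` inside and outside the container and by `brctl show` on the host.
The sample outputs are constructed to match the article's names
(eth0@if14, veth26d281@if13, docker0) and are not captured from a real host.
"""
import re
from typing import Dict, List, Optional

# Constructed `ip link` output as seen inside the container (docker exec test1 ip link).
CONTAINER_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
"""

# Constructed `ip link` output on the host; two veths are attached to docker0.
HOST_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    link/ether 00:0c:29:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:1c:3d:4e:5f brd ff:ff:ff:ff:ff:ff
14: veth26d281@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 7a:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
16: veth9ab0cd@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 9e:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff
"""

# Constructed `brctl show` output; the second member sits on a continuation line.
BRCTL_SHOW = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
docker0\t\t8000.02421c3d4e5f\tno\t\tveth26d281
\t\t\t\t\t\t\tveth9ab0cd
"""

# "14: veth26d281@if13: <...>" -> ifindex 14, name veth26d281, peer ifindex 13
LINK_RE = re.compile(r"^(\d+):\s+([^:@\s]+)(?:@if(\d+))?:")


def parse_links(ip_link_output: str) -> Dict[int, dict]:
    """Map ifindex -> {"name", "peer"}; peer is the @ifN value or None."""
    links: Dict[int, dict] = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            idx, name, peer = m.groups()
            links[int(idx)] = {"name": name, "peer": int(peer) if peer else None}
    return links


def host_peer_of(container_links: str, host_links: str, ifname: str = "eth0") -> Optional[str]:
    """Name of the host interface that is the veth peer of `ifname` in the container.

    The @ifN suffix is the peer's ifindex in the *other* namespace, so the
    container's eth0@if14 points at host ifindex 14, and that interface must
    point back at the container's own ifindex (13) for the pairing to hold.
    """
    container = parse_links(container_links)
    host = parse_links(host_links)
    for idx, entry in container.items():
        if entry["name"] != ifname or entry["peer"] is None:
            continue
        peer = host.get(entry["peer"])
        if peer is not None and peer["peer"] == idx:
            return peer["name"]
    return None


def parse_bridges(brctl_output: str) -> Dict[str, List[str]]:
    """Parse `brctl show` into {bridge: [member interfaces]}."""
    bridges: Dict[str, List[str]] = {}
    current = None
    for line in brctl_output.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()                # name, id, stp, [first member]
            current = parts[0]
            bridges[current] = parts[3:]
        elif current is not None:
            bridges[current].extend(line.split())   # further members, one per line
    return bridges


def bridge_of(iface: str, brctl_output: str) -> Optional[str]:
    """Which bridge (if any) the given host interface is enslaved to."""
    for bridge, members in parse_bridges(brctl_output).items():
        if iface in members:
            return bridge
    return None


if __name__ == "__main__":
    peer = host_peer_of(CONTAINER_IP_LINK, HOST_IP_LINK)
    print(f"container eth0 <-> host {peer} on bridge {bridge_of(peer, BRCTL_SHOW)}")
```

The two-way check in `host_peer_of` matters on a busy host: several containers each have an `eth0` with a small ifindex, so only the host-side `@ifN` pointing back at the container's own index confirms which veth carries that container's traffic.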
Link between containers
When we use Docker, we often need one container to connect to another; for example, a web service needs to connect to a database. Normally you start the database container, map out its port, and then configure the client container to access it. For this scenario, Docker provides the --link parameter.
docker run -d --name test2 --link test1 busybox
More on --link: reference
Port mapping of containers
If no port mapping between the host and the container is configured when the container is started, external programs cannot access the container, because no host port leads to it. The port mapping statement is:
docker run -d --name redis -p [hostPort]:[containerPort] redis:latest
The -p parameter maps a container port to a host port: hostPort is the port on the host, and containerPort is the port inside the container.
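The -p syntax is the place where a mapping becomes reachable from outside the host, so it is worth parsing precisely. The following added example (not code from the original article) parses every form Docker's -p/--publish accepts, including the ip:[hostPort]:[containerPort] form used later on this page, and reports whether each mapping is bound on all interfaces, on loopback only, or on one specific address. The command lines it inspects are constructed for the example.

```python
"""Parse `docker run -p` specs and report where each published port is reachable from.

Added example, not from the original article. It covers the forms Docker's
-p/--publish accepts ([host_ip:][host_port:]container_port[/proto]) and derives
the exposure of each mapping: without a host IP, Docker binds the port on all
interfaces (0.0.0.0), so the service is reachable from outside the host.
The argument lists below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_RE = re.compile(r"^\d+(-\d+)?$")   # a port or a port range such as 8000-8010


@dataclass
class PublishedPort:
    host_ip: Optional[str]      # None: Docker binds 0.0.0.0 (all IPv4 interfaces)
    host_port: Optional[str]    # None: Docker picks an ephemeral host port
    container_port: str
    proto: str = "tcp"


def parse_publish(spec: str) -> PublishedPort:
    """Parse one -p value: [host_ip:][host_port:]container_port[/proto]."""
    body, _, proto = spec.partition("/")
    host_ip: Optional[str] = None
    if body.startswith("["):                          # bracketed IPv6 literal, e.g. [::1]:80:80
        end = body.index("]")
        host_ip, body = body[1:end], body[end + 2:]   # drop "]:"
        parts = body.split(":")
        if len(parts) != 2:
            raise ValueError(f"bad publish spec: {spec!r}")
        host_port, container_port = parts
    else:
        parts = body.split(":")
        if len(parts) == 1:
            host_port, container_port = "", parts[0]
        elif len(parts) == 2:
            host_port, container_port = parts
        elif len(parts) == 3:
            host_ip, host_port, container_port = parts
        else:
            raise ValueError(f"bad publish spec: {spec!r}")
    if not PORT_RE.match(container_port) or (host_port and not PORT_RE.match(host_port)):
        raise ValueError(f"bad port in publish spec: {spec!r}")
    return PublishedPort(host_ip or None, host_port or None, container_port, proto or "tcp")


def exposure(p: PublishedPort) -> str:
    """Who can reach the host side of this mapping."""
    if p.host_ip in (None, "0.0.0.0", "::"):
        return "all interfaces"
    if p.host_ip.startswith("127.") or p.host_ip == "::1":
        return "loopback only"
    return f"only {p.host_ip}"


def publish_args(argv: List[str]) -> List[str]:
    """Collect every -p / --publish value from a `docker run` argument list."""
    specs: List[str] = []
    it = iter(argv)
    for arg in it:
        if arg in ("-p", "--publish"):
            specs.append(next(it))
        elif arg.startswith("--publish="):
            specs.append(arg[len("--publish="):])
        elif arg.startswith("-p") and not arg.startswith("--"):
            specs.append(arg[2:])                     # attached form, e.g. -p80:80
    return specs


def review_run_command(argv: List[str]) -> List[Tuple[str, str]]:
    """(spec, exposure) for each published port of a docker run command line."""
    return [(spec, exposure(parse_publish(spec))) for spec in publish_args(argv)]


# Constructed command line: one port bound on all interfaces, one on loopback only.
SAMPLE_ARGV = ["run", "--name", "nginx", "-d", "-p", "80:80",
               "--publish=127.0.0.1:8443:443", "nginx"]

if __name__ == "__main__":
    for spec, who in review_run_command(SAMPLE_ARGV):
        print(f"{spec:<28} reachable from: {who}")
```

Running it on the page's own `-p 80:80` reports "all interfaces", which is the default Docker applies whenever the host address is left out; `127.0.0.1:6379:6379` keeps a Redis port reachable only from the host itself.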
Four network modes for containers
When we create a Docker container with docker run, the --net option selects the container's network mode. Docker has the following four network modes:
- Host mode, specified with --net=host.
- Container mode, specified with --net=container:[containerName]/[containerId].
- None mode, specified with --net=none.
- Bridge mode, specified with --net=bridge; this is the default.
Here are the network modes of Docker in detail:
- Host mode
As we all know, Docker uses Linux namespaces to isolate resources: the PID namespace isolates processes, the mount namespace isolates the file system, and the network namespace isolates the network. A network namespace provides an independent network environment; its network interfaces, routes and iptables rules are isolated from other network namespaces. A Docker container is normally assigned its own network namespace. If the container is started in host mode, however, it does not get a separate network namespace but shares the host's. The container does not virtualize its own network card or configure its own IP address; it uses the host's IP address and ports.
For example, suppose we start a container running a web application in host mode on a machine with address 10.10.101.105/24, listening on TCP port 80. Running a command such as ifconfig inside the container shows the host's network configuration. External applications can reach the container at 10.10.101.105:80 without any NAT, as if it were running directly on the host. Other aspects of the container, such as its file system and process list, remain isolated from the host.
- Container mode
Container mode is easy to understand once host mode is clear. It makes a newly created container share a network namespace with an existing container rather than with the host. The new container does not create its own network adapter or configure its own IP address; it shares the IP address and ports of the specified container. Apart from the network, the two containers remain isolated from each other in file system, process list and so on. Processes in the two containers can communicate over the lo loopback device.
- None mode
None mode differs from the first two. The container gets its own network namespace, but Docker performs no network configuration for it: there is no network card, no IP address and no routes. Network cards and IP addresses must be added and configured by hand.
- Bridge mode
Bridge mode is Docker's default network setting. It assigns each container its own network namespace, sets an IP address, and connects the containers on a host to a virtual bridge. This is the mode the rest of this article focuses on.
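The four modes above leave very different isolation boundaries: host and container mode give the container no network namespace of its own, none mode gives it an empty one, and bridge mode gives it one with an address on a bridge. The following added example (not code from the original article) reads the JSON that `docker inspect` prints for a set of containers and classifies each one accordingly, so a defender can list which containers share a namespace with the host or with another container. The inspect output is constructed by hand and trimmed to the fields used; real output shows `container:<id>` rather than a name in NetworkMode.

```python
"""Audit which Docker network mode each container runs in.

Added example, not part of the original article. It reads the JSON that
`docker inspect <container...>` prints and reports, per container, which of the
four modes it is in and whose network namespace it shares. INSPECT_JSON is a
constructed, trimmed sample; real `docker inspect` output has many more fields
and shows the full container id after "container:".
"""
import json
from typing import Dict, List

# Constructed, trimmed `docker inspect` output for five containers.
INSPECT_JSON = json.dumps([
    {"Name": "/web-host", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Name": "/sidecar", "HostConfig": {"NetworkMode": "container:test1"},
     "NetworkSettings": {"Networks": {}}},
    {"Name": "/isolated", "HostConfig": {"NetworkMode": "none"},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
    {"Name": "/test1", "HostConfig": {"NetworkMode": "default"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2", "Gateway": "172.17.0.1"}}}},
    {"Name": "/test3", "HostConfig": {"NetworkMode": "my-bridge"},
     "NetworkSettings": {"Networks": {"my-bridge": {"IPAddress": "172.18.0.2", "Gateway": "172.18.0.1"}}}},
])


def classify(entry: dict) -> Dict[str, object]:
    """Reduce one inspect record to its network mode and namespace ownership."""
    name = entry["Name"].lstrip("/")
    mode = entry["HostConfig"]["NetworkMode"]
    nets = entry["NetworkSettings"]["Networks"]
    if mode == "host":
        # No namespace of its own: binds straight onto the host's interfaces and ports.
        return {"container": name, "mode": "host", "own_netns": False,
                "shares_with": "host", "addresses": {}}
    if mode.startswith("container:"):
        # Shares another container's namespace, including its lo device.
        return {"container": name, "mode": "container", "own_netns": False,
                "shares_with": mode.split(":", 1)[1], "addresses": {}}
    if mode == "none":
        # Own namespace, but Docker configured nothing inside it.
        return {"container": name, "mode": "none", "own_netns": True,
                "shares_with": None, "addresses": {}}
    # "default", "bridge" or the name of a user-defined network: the container
    # has its own namespace and one address per attached network.
    return {"container": name, "mode": "bridge", "own_netns": True, "shares_with": None,
            "addresses": {n: cfg["IPAddress"] for n, cfg in nets.items()}}


def audit(inspect_json: str) -> List[Dict[str, object]]:
    """Classify every container in a `docker inspect` JSON array."""
    return [classify(e) for e in json.loads(inspect_json)]


def namespace_sharers(inspect_json: str) -> List[str]:
    """Containers that do not get a network namespace of their own (host or container mode)."""
    return [r["container"] for r in audit(inspect_json) if not r["own_netns"]]


if __name__ == "__main__":
    for r in audit(INSPECT_JSON):
        shared = f" (shares with {r['shares_with']})" if r["shares_with"] else ""
        print(f"{r['container']:<10} {r['mode']:<9}{shared} {r['addresses']}")
```

On a real host the input comes from `docker inspect $(docker ps -q)`; the `namespace_sharers` list is the short one to review, since those containers see the host's (or another container's) interfaces, ports and iptables rules.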
Common explanations of overlay and underlay
- Cross-host networking means that containers on different hosts are joined to the same virtual network. The topology of that virtual network and the technology that implements it make up the network model.
- Docker overlay is an overlay network: it establishes VXLAN tunnels between hosts. Original packets are encapsulated into VXLAN packets at the sending end and unpacked at the receiving end after arriving at the destination.
- Macvlan connects containers through VLANs at Layer 2 and relies on an external gateway to route between different macvlan networks at Layer 3. Packets are sent directly without encapsulation, so macvlan belongs to the underlay category.
- Two kinds of backend were discussed: VXLAN and host-gw. VXLAN is similar to Docker overlay and is an overlay network. host-gw uses the host as a gateway and relies on Layer 3 IP forwarding; it needs no packet encapsulation like VXLAN and belongs to the underlay category.
- Weave is a VXLAN implementation and therefore an overlay network.
More details can be found here
Docker overlay network with etcd for multi-host container communication
Detailed steps for the sample diagram can be found here
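The "encapsulate at the sender, unpack at the receiver" step that separates overlay from underlay networks above is concrete enough to show on the wire. The following added example (not code from the original article or from Docker, Flannel or Weave) builds the outer IPv4 and UDP headers and the 8-byte VXLAN header that carry a container's Ethernet frame between two hosts, then unpacks them again. The inner frame and host addresses are constructed for the example; the header layout follows RFC 7348.

```python
"""Build and unpack a VXLAN-encapsulated frame the way an overlay network does.

Added example, not from the original article or any Docker/overlay project.
It shows what "encapsulate at the sender, unpack at the receiver" means on the
wire: outer IPv4 + UDP (destination port 4789) + 8-byte VXLAN header carrying
the VNI, followed by the original Ethernet frame unchanged. The inner frame and
the host addresses are constructed for the example.
"""
import socket
import struct
from typing import Tuple

VXLAN_PORT = 4789          # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_I = 0x08        # "I" flag: a valid VNI is present

# Constructed inner frame: dst MAC, src MAC, EtherType 0x0800, then a placeholder
# payload standing in for the real IPv4 packet exchanged between two containers.
INNER_FRAME = (bytes.fromhex("02420a0a0a02") + bytes.fromhex("02420a0a0a01")
               + struct.pack("!H", 0x0800) + b"hello from container")


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def encapsulate(inner_frame: bytes, vni: int, src_ip: str, dst_ip: str,
                src_port: int = 49152) -> bytes:
    """Wrap an Ethernet frame in IPv4/UDP/VXLAN for transport between hosts."""
    payload = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum 0 means "none", which IPv4 permits and VXLAN senders commonly use.
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + udp_len,        # v4, IHL 5, DSCP 0, total length
                         0, 0x4000,                    # id, flags DF
                         64, socket.IPPROTO_UDP, 0,    # TTL, protocol, checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp + payload


def decapsulate(packet: bytes) -> Tuple[int, bytes]:
    """Validate the outer headers and return (vni, original inner frame)."""
    if packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_PORT:
        raise ValueError("not VXLAN (UDP dst port != 4789)")
    flags, vni_and_reserved = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set, VNI invalid")
    return vni_and_reserved >> 8, packet[ihl + 16:ihl + udp_len]


def carries_cleartext(packet: bytes, inner_frame: bytes) -> bool:
    """VXLAN adds no encryption or authentication: the inner frame is present verbatim."""
    return inner_frame in packet


if __name__ == "__main__":
    pkt = encapsulate(INNER_FRAME, 42, "10.0.0.1", "10.0.0.2")
    vni, inner = decapsulate(pkt)
    print(f"VNI {vni}, inner frame restored: {inner == INNER_FRAME}, "
          f"cleartext on the wire: {carries_cleartext(pkt, INNER_FRAME)}")
```

The 24-bit VNI is the only thing that separates one overlay from another on the shared underlay, and `carries_cleartext` makes the other property visible: the original frame travels between hosts unchanged, so confidentiality between hosts, where it is needed, has to come from a layer below (such as IPsec on the host links) rather than from VXLAN itself.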
Further reading
- Overlay networks
- Docker network: single-host network
Commands covered in this article
List the network modes available on the current machine:
docker network ls
View the details of a given network:
docker network inspect [networkName]
docker network inspect bridge
Create the test2 container and link it to test1 so the two can communicate:
docker run -d --name test2 --link test1 busybox
Create a bridge-type network named my-bridge:
docker network create -d bridge my-bridge
Create an overlay-type network named demo:
docker network create -d overlay demo
# --network specifies the network mode of the container
docker run -d --name test3 --network my-bridge busybox
Connect the existing test2 container to the my-bridge network:
docker network connect my-bridge test2
Start an nginx container named web without publishing a port:
docker run --name web -d nginx
Start an nginx container named nginx and publish container port 80 on host port 80:
docker run --name nginx -d -p 80:80 nginx
Publish a port on one specific host address only:
docker run -p ip:[hostPort]:[containerPort] redis
# -e sets an environment variable
docker run -d --link redis --name flask-redis -e REDIS_HOST=redis [image]
Follow a container's log with timestamps; --tail specifies the number of lines:
docker logs -f -t --tail [number of lines] [container name]
Follow the last 10 lines of the container named s12 in real time:
docker logs -f -t --tail 10 s12