How does Docker networking work?


Question

There is something that I don't understand about the process of IP allocation in the Docker network mechanism.

Suppose I run a few containers. Each gets its own IP address - where do these IP addresses come from?

If one of the containers listens on a port, and I go to the browser and write <IP>:<PORT> and see the webpage - how does my computer know to resolve that (that this is a local IP address)?

Answer

A full discussion of Docker networking is out of scope here, so I'll just assume from your question you're talking about bridge networking (which is the default).

When you start the Docker daemon (dockerd) it creates an ethernet bridge network interface on your local machine called docker0.

 ~ > ifconfig
 docker0   Link encap:Ethernet  HWaddr 12:42:09:64:a9:dd  
           inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
           inet6 addr: fe80::42:9ff:fe64:a9da/64 Scope:Link
           UP BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:0 (0.0 B)  TX bytes:11923 (11.9 KB)

This can be customized if necessary but usually defaults are fine.

This is represented in Docker as a network called bridge:

~ > docker network inspect bridge
[
{
    "Name": "bridge",
    "Id": "25191b73563206a321498c0fac55a897de6ba0333d19f0bdc32c78d290b9fedc",
    "Created": "2018-05-07T18:31:08.680222396-07:00",
    "Scope": "local",
    "Driver": "bridge",
    "EnableIPv6": false,
    "IPAM": {
        "Driver": "default",
        "Options": null,
        "Config": [
            {
                "Subnet": "172.17.0.0/16",
                "Gateway": "172.17.0.1"
            }
        ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
        "Network": ""
    },
    "ConfigOnly": false,
    "Containers": {},
    "Options": {
        "com.docker.network.bridge.default_bridge": "true",
        "com.docker.network.bridge.enable_icc": "true",
        "com.docker.network.bridge.enable_ip_masquerade": "true",
        "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
        "com.docker.network.bridge.name": "docker0",
        "com.docker.network.driver.mtu": "1500"
    },
    "Labels": {}
}
]

Notice the inet addr / Gateway are the same. Also notice:

"com.docker.network.bridge.name": "docker0"

To answer one part of your question, your container IP addresses are allocated from this subnet (172.17.0.0/16) that Docker creates. Now we know some networking stuff has been set up, let's run a container and see what happens.

~ > docker run -d -p 7000:5000 johnharris85/simple-hostname-reporter:2
eeba0f9d23bbd3c10ddf61120ce5d7d1ded6db1515fc37725b68eae12ab6c9b5


We can see that this container has an IP address on my bridge network:

~ > docker container inspect eeb --format "{{ .NetworkSettings.Networks.bridge.IPAddress }}"
172.17.0.2

In fact, I can use that IP address and the container port to hit my app (try 172.17.0.2:5000 in your browser!). However, this is not very scalable / dynamic as this IP address could change when my container is restarted. Also I had to do a bunch of stuff to find it.

Instead of having to do that, I am mapping port 7000 on my host machine to port 5000 in my container (this is the port my application is listening on), so I can visit localhost:7000 in my browser and hit my app (try that too!).

OK, great, so what makes the traffic to port 7000 on my machine magically route to port 5000 in my container?

Let's look at iptables!

~ > sudo iptables -t nat -S
# ... some stuff
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7000 -j DNAT --to-destination 172.17.0.2:5000

The (most) important line as far as we're concerned here is the one I've left in above. It says "for all traffic not coming from the docker0 interface (! -i docker0), using the TCP protocol (-p tcp), destined for port 7000 (--dport 7000), actually route it to 172.17.0.2:5000 (--to-destination 172.17.0.2:5000)". That is a little simplified of course, but essentially what's going on.

Now if you start another container (this time let's bind to host port 9999):

~ > docker run -d -p 9999:5000 johnharris85/simple-hostname-reporter:2
ac4df2bd0a961bfa08735d64fa7f6e69f171e7e499fb86d2ecac6cfba350a5d4

And do a quick check of its IP:

~ > docker container inspect ac4 --format "{{ .NetworkSettings.Networks.bridge.IPAddress }}"
172.17.0.3

Now iptables again:

~ > sudo iptables -t nat -S
# ... some stuff
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7000 -j DNAT --to-destination 172.17.0.2:5000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9999 -j DNAT --to-destination 172.17.0.3:5000

Notice we now have another rule, same structure, this time saying for all traffic to port 9999, send to our new container IP (--to-destination 172.17.0.3:5000).

Stop the containers and you'll notice these rules disappear!

IANA networking expert, so some stuff might be a little simplified but hope it helps!
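As an added example (not part of the original answer, and not Docker's own code), here is a small Python script that does by program what the answer does by eye: it parses `iptables -t nat -S` output in the rule shape shown above, lists the host-port to container mappings in the DOCKER chain, and checks each DNAT target against the IPAM subnet reported by `docker network inspect bridge`. The sample rules are constructed from the answer's listings.

```python
import ipaddress
import re

# Constructed sample of `sudo iptables -t nat -S` output: the two DOCKER
# rules quoted in the answer, plus the MASQUERADE rule it elided.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 7000 -j DNAT --to-destination 172.17.0.2:5000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9999 -j DNAT --to-destination 172.17.0.3:5000
"""

# The rule shape shown in the answer: "! -i <bridge> -p tcp ... --dport <host>
# -j DNAT --to-destination <container ip>:<container port>".
DNAT_RULE = re.compile(
    r"^-A DOCKER ! -i (?P<bridge>\S+) -p (?P<proto>tcp|udp) -m (?P=proto)"
    r" --dport (?P<host_port>\d+) -j DNAT"
    r" --to-destination (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)$"
)


def parse_dnat_rules(nat_output):
    """Return one dict per DNAT rule in the DOCKER chain, in listing order."""
    rules = []
    for line in nat_output.splitlines():
        m = DNAT_RULE.match(line.strip())
        if m:
            rules.append({"bridge": m["bridge"], "proto": m["proto"],
                          "host_port": int(m["host_port"]),
                          "container_ip": m["ip"],
                          "container_port": int(m["port"])})
    return rules


def audit_mappings(rules, subnet_cidr):
    """Findings for targets outside the bridge subnet or host ports DNATed twice."""
    subnet = ipaddress.ip_network(subnet_cidr)
    findings, seen = [], set()
    for r in rules:
        key = (r["proto"], r["host_port"])
        if key in seen:
            findings.append(f"host {r['proto']}/{r['host_port']} is DNATed twice")
        seen.add(key)
        if ipaddress.ip_address(r["container_ip"]) not in subnet:
            findings.append(f"host {r['proto']}/{r['host_port']} -> "
                            f"{r['container_ip']} lies outside {subnet}")
    return findings
```

Feed it the real output of `sudo iptables -t nat -S` and the "Subnet" value from `docker network inspect bridge` to get the same host-port to container picture the answer builds by hand, plus a flag on any rule that no longer points into the bridge subnet.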
