CentOS 上的 Docker 与 LAN 网络的桥接 [英] Docker on CentOS with bridge to LAN network
问题描述
我的服务器 VLAN 为 10.101.10.0/24,我的 Docker 主机为 10.101.10.31.如何在我的 Docker 主机 (VM) 上配置桥接网络,以便所有容器都可以直接连接到我的 LAN 网络,而无需在默认 172.17.0.0/16 上重定向端口?我尝试搜索,但到目前为止我发现的所有方法都导致 SSH 会话丢失,我必须从控制台进入 VM 才能恢复我所做的步骤.
有多种方法可以做到这一点.我最成功的两个方法是将子网路由到 docker 网桥并在主机 LAN 上使用自定义网桥.
Docker Bridge,路由网络
这样做的好处是只需要本地 docker 工具来配置 docker.它的缺点是需要向您的网络添加路由,该路由不在 docker 权限范围内,通常是手动的(或依赖于网络人员").
启用 IP 转发
/etc/sysctl.conf: net.ipv4.ip_forward = 1sysctl -p/etc/sysctl.conf在您的 VM 网络上创建一个具有新子网的 docker 网桥,例如
10.101.11.0/24docker network create routed0 --subnet 10.101.11.0/24告诉网络的其余部分
10.101.11.0/24应该通过10.101.10.X路由,其中 X 是您的 docker 主机的 IP.这是外部路由器/网关/网络人"配置.在 linux 网关上,您可以添加一条路由:ip route add 10.101.11.0/24 via 10.101.10.31在网桥上创建具有 10.101.11.0/24 地址的容器.
docker run --net routed0 busybox ping 10.101.10.31docker run --net routed0 busybox ping 8.8.8.8
那么你就完成了.容器具有可路由的 IP 地址.如果您对网络方面没问题,或者在网络上运行类似 RIP/OSPF 或
使用虚拟机会使这变得有点复杂,因为您在主虚拟机的接口上运行具有额外 MAC 地址的额外接口,首先需要额外的Promiscuous"配置才能使其工作.
桥接接口的永久网络配置因发行版而异.以下命令概述了如何设置界面,并在重启后消失.当您更改主网络接口配置时,您将需要控制台访问权限或进入 VM 的单独路由.
在主机上创建一个网桥.
ip link add name shared0 type bridgeip link set shared0 up在
/etc/sysconfig/network-scripts/ifcfg-br0DEVICE=shared0类型=桥BOOTPROTO=静态DNS1=8.8.8.8网关=10.101.10.1IPADDR=10.101.10.31网罩=255.255.255.0开机=是将主接口附加到网桥,通常是
eth0ip 链接设置 eth0ip 链接设置 eth0 主共享 0在
/etc/sysconfig/network-scripts/ifcfg-eth0DEVICE=eth0开机=是类型=以太网IPV6INIT=否USERCTL=否桥=共享0重新配置您的网桥以使用
eth0的 ip 配置.ip addr add dev shared0 10.101.10.31/24ip route 通过 10.101.10.1 添加默认值使用
10.101.10.0/24地址连接容器.CONTAINERID=$(docker run -d --net=none busybox sleep 600)管道共享 1 $CONTAINERID 10.101.10.43/24@10.101.10.Y或者在容器内使用 DHCP 客户端
pipework shared1 $CONTAINERID dhclient
Docker macvlan 网络
Docker 已经添加了一个名为 macvlan 的网络驱动程序,它可以使容器看起来直接连接到主机所在的物理网络.容器附加到主机上的 parent 接口.
docker network create -d macvlan --subnet=10.101.10.0/24 --gateway=10.101.10.1 -o parent=eth0 pub_net这将遇到相同的虚拟机/软交换问题,其中网络和接口需要 mac 地址混杂.
I have a server VLAN of 10.101.10.0/24 and my Docker host is 10.101.10.31. How do I configure a bridge network on my Docker host (VM) so that all the containers can connect directly to my LAN network without having to redirect ports around on the default 172.17.0.0/16? I tried searching but all the howtos I've found so far have resulted in losing SSH session which I had to go into the VM from a console to revert the steps I did.
There's multiple ways this can be done. The two I've had most success with are routing a subnet to a docker bridge and using a custom bridge on the host LAN.
Docker Bridge, Routed Network
This has the benefit of only needing native docker tools to configure docker. It has the down side of needing to add a route to your network, which is outside of dockers remit and usually manual (or relies on the "networking guy").
Enable IP forwarding
/etc/sysctl.conf: net.ipv4.ip_forward = 1 sysctl -p /etc/sysctl.confCreate a docker bridge with new subnet on your VM network, say
10.101.11.0/24docker network create routed0 --subnet 10.101.11.0/24Tell the rest of the network that
10.101.11.0/24should be routed via10.101.10.Xwhere X is IP of your docker host. This is the external router/gateway/"network guy" config. On a linux gateway you could add a route with:ip route add 10.101.11.0/24 via 10.101.10.31Create containers on the bridge with 10.101.11.0/24 addresses.
docker run --net routed0 busybox ping 10.101.10.31 docker run --net routed0 busybox ping 8.8.8.8
Then your done. Containers have routable IP addresses. If you're ok with the network side, or run something like RIP/OSPF on the network or Calico that takes care of routing then this is the cleanest solution.
Custom Bridge, Existing Network (and interface)
This has the benefit of not requiring any external network setup. The downside is the setup on the docker host is more complex. The main interface requires this bridge at boot time so it's not a native docker network setup. Pipework or manual container setup is required.
Using a VM can make this a little more complicated as you are running extra interfaces with extra MAC addresses over the main VM's interface which will need additional "Promiscuous" config first to allow this to work.
The permanent network config for bridged interfaces varies by distro. The following commands outline how to set the interface up and will disappear after reboot. You are going to need console access or a seperate route into your VM as you are changing the main network interface config.
Create a bridge on the host.
ip link add name shared0 type bridge ip link set shared0 upIn
/etc/sysconfig/network-scripts/ifcfg-br0DEVICE=shared0 TYPE=Bridge BOOTPROTO=static DNS1=8.8.8.8 GATEWAY=10.101.10.1 IPADDR=10.101.10.31 NETMASK=255.255.255.0 ONBOOT=yesAttach the primary interface to the bridge, usually
eth0ip link set eth0 up ip link set eth0 master shared0In
/etc/sysconfig/network-scripts/ifcfg-eth0DEVICE=eth0 ONBOOT=yes TYPE=Ethernet IPV6INIT=no USERCTL=no BRIDGE=shared0Reconfigure your bridge to have
eth0's ip config.ip addr add dev shared0 10.101.10.31/24 ip route add default via 10.101.10.1Attach containers to bridge with
10.101.10.0/24addresses.CONTAINERID=$(docker run -d --net=none busybox sleep 600) pipework shared1 $CONTAINERID 10.101.10.43/24@10.101.10.YOr use a DHCP client inside the container
pipework shared1 $CONTAINERID dhclient
Docker macvlan network
Docker has since added a network driver called macvlan that can make a container appear to be directly connected to the physical network the host is on. The container is attached to a parent interface on the host.
docker network create -d macvlan
--subnet=10.101.10.0/24
--gateway=10.101.10.1
-o parent=eth0 pub_net
This will suffer from the same VM/softswitch problems where the network and interface will need be promiscuous with regard mac addresses.
这篇关于CentOS 上的 Docker 与 LAN 网络的桥接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
