CentOS上的Docker与LAN网络的桥接 [英] Docker on CentOS with bridge to LAN network

问题描述

我的服务器VLAN为10.101.10.0/24，我的Docker主机为10.101.10.31.如何在Docker主机(VM)上配置桥接网络，以便所有容器都可以直接连接到LAN网络，而不必在默认的172.17.0.0/16上重定向端口?我尝试搜索，但是到目前为止我发现的所有方法都导致SSH会话丢失，我不得不从控制台进入VM来还原我执行的步骤.

I have a server VLAN of 10.101.10.0/24 and my Docker host is 10.101.10.31. How do I configure a bridge network on my Docker host (VM) so that all the containers can connect directly to my LAN network without having to redirect ports around on the default 172.17.0.0/16? I tried searching but all the howtos I've found so far have resulted in losing SSH session which I had to go into the VM from a console to revert the steps I did.

推荐答案

有多种方法可以完成此操作.我最成功的两个是将子网路由到docker网桥，并在主机LAN上使用自定义网桥.

There's multiple ways this can be done. The two I've had most success with are routing a subnet to a docker bridge and using a custom bridge on the host LAN.

这的好处是仅需要本地docker工具来配置docker.它的缺点是需要添加到网络的路由，这不在dockers权限范围内，通常是手动的(或依赖于网络专家").

This has the benefit of only needing native docker tools to configure docker. It has the down side of needing to add a route to your network, which is outside of dockers remit and usually manual (or relies on the "networking guy").

1. 启用IP转发

1. Enable IP forwarding

/etc/sysctl.conf: net.ipv4.ip_forward = 1
sysctl -p /etc/sysctl.conf

在您的VM网络上使用新子网创建一个docker bridge，例如10.101.11.0/24

Create a docker bridge with new subnet on your VM network, say 10.101.11.0/24

docker network create routed0 --subnet 10.101.11.0/24

告诉网络的其余部分，应该通过10.101.10.X路由10.101.11.0/24，其中X是您的Docker主机的IP.这是外部路由器/网关/网络人"配置.在Linux网关上，您可以使用以下命令添加路由:

Tell the rest of the network that 10.101.11.0/24 should be routed via 10.101.10.X where X is IP of your docker host. This is the external router/gateway/"network guy" config. On a linux gateway you could add a route with:

ip route add 10.101.11.0/24 via 10.101.10.31

在具有10.101.11.0/24地址的网桥上创建容器.

Create containers on the bridge with 10.101.11.0/24 addresses.

docker run --net routed0 busybox ping 10.101.10.31
docker run --net routed0 busybox ping 8.8.8.8

然后完成.容器具有可路由的IP地址. 如果您可以接受网络方面的服务，或者在网络上运行RIP/OSPF之类的程序，或者运行 Calico 关心路由，那么这是最干净的解决方案.

Then your done. Containers have routable IP addresses. If you're ok with the network side, or run something like RIP/OSPF on the network or Calico that takes care of routing then this is the cleanest solution.

这样做的好处是不需要任何外部网络设置.不利的一面是docker主机上的设置更加复杂.主界面在启动时需要此网桥，因此它不是本机docker network设置. 管道或手动设置容器是必需的.

This has the benefit of not requiring any external network setup. The downside is the setup on the docker host is more complex. The main interface requires this bridge at boot time so it's not a native docker network setup. Pipework or manual container setup is required.

使用VM会使情况变得更加复杂，因为您正在主VM接口上运行带有额外MAC地址的额外接口，该接口首先需要其他混杂"配置，以使其正常工作.

Using a VM can make this a little more complicated as you are running extra interfaces with extra MAC addresses over the main VM's interface which will need additional "Promiscuous" config first to allow this to work.

桥接接口的永久网络配置因发行版而异.以下命令概述了如何设置接口，重新启动后将消失.更改主网络接口配置时，您将需要控制台访问权限或进入VM的单独路由.

The permanent network config for bridged interfaces varies by distro. The following commands outline how to set the interface up and will disappear after reboot. You are going to need console access or a seperate route into your VM as you are changing the main network interface config.

1. 在主机上创建网桥.

1. Create a bridge on the host.

ip link add name shared0 type bridge
ip link set shared0 up

在/etc/sysconfig/network-scripts/ifcfg-br0

DEVICE=shared0
TYPE=Bridge
BOOTPROTO=static
DNS1=8.8.8.8
GATEWAY=10.101.10.1
IPADDR=10.101.10.31
NETMASK=255.255.255.0
ONBOOT=yes

将主要接口附加到网桥，通常为eth0

ip link set eth0 up
ip link set eth0 master shared0

在/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
USERCTL=no
BRIDGE=shared0

将网桥重新配置为具有eth0的ip配置.

Reconfigure your bridge to have eth0's ip config.

ip addr add dev shared0 10.101.10.31/24
ip route add default via 10.101.10.1

附加容器以使用10.101.10.0/24地址进行桥接.

Attach containers to bridge with 10.101.10.0/24 addresses.

CONTAINERID=$(docker run -d --net=none busybox sleep 600)
pipework shared1 $CONTAINERID 10.101.10.43/24@10.101.10.Y

或在容器内使用DHCP客户端

Or use a DHCP client inside the container

pipework shared1 $CONTAINERID dhclient

Docker macvlan网络

此后，Docker添加了一个名为macvlan的网络驱动程序，该驱动程序可以使容器看起来直接连接到主机所在的物理网络.容器已附加到主机上的parent接口.

Docker macvlan network

Docker has since added a network driver called macvlan that can make a container appear to be directly connected to the physical network the host is on. The container is attached to a parent interface on the host.

docker network create -d macvlan \
  --subnet=10.101.10.0/24 \
  --gateway=10.101.10.1  \
  -o parent=eth0 pub_net

这将遇到相同的VM/softswitch问题，其中需要网络和接口关于mac地址，是不正确的.

This will suffer from the same VM/softswitch problems where the network and interface will need be promiscuous with regard mac addresses.

这篇关于CentOS上的Docker与LAN网络的桥接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！