docker0和eth0有什么关系？ [英] What is the relation between docker0 and eth0?

问题描述

我知道默认情况下docker创建一个虚拟网桥 docker0 ，并且所有容器网络都链接到 docker0 。

I know by default docker creates a virtual bridge docker0, and all container network are linked to docker0.

如上所示：

• 容器 eth0 与 vethXXX


• vethXXX 链接到 docker0 与链接到交换机的计算机相同

• container eth0 is paired with vethXXX
• vethXXX is linked to docker0 same as a machine linked to switch

但是 docker0 与主机 eth0 之间是什么关系？
更具体地说：

But what is the relation between docker0 and host eth0? More specifically:

1. 当数据包从容器流到docker0时，如何知道将其转发到eth0，然后再到外部世界？


2. 当外部数据包到达eth0时，为什么将其转发到docker0然后再转发到容器？而不是处理它还是将其丢弃？

1. When a packet flows from container to docker0, how does it know it will be forwarded to eth0, and then to the outside world?
2. When an external packet arrives to eth0, why it is forwarded to docker0 then container? instead of processing it or drop it?

问题2可能有点令人困惑，我会把它保留在那里并解释一下多一点：

Question 2 can be a little confusing, I will keep it there and explained a little more:

• 这是一个由容器（问题1）初始化的返回包：由于外部不知道容器网络，数据包将发送到主机 eth0 。如何将其转发到容器？我的意思是，必须有一些存储信息的地方，我该如何检查呢？

• It is a return packet that initialed by container(in question 1): since the outside does not know container network, the packet is sent to host eth0. How it is forwarded to container? I mean, there must be some place to store the information, how can I check it?

预先感谢！

阅读答案和官方网络文章后，我发现下图更准确地表示为 docker0 和 eth0 没有直接链接，而是可以转发数据包：

After reading the answer and official network articles, I find the following diagram more accurate that docker0 and eth0 has no direct link,instead they can forward packets:

http://dockerone.com/uploads/article/20150527/e84946a8e9df0ac6d109c35786ac4833.png

推荐答案

默认 docker0 网桥与主机以太网设备之间没有直接链接。如果对容器使用-net = host 选项，则主机网络堆栈将在容器中可用。

There is no direct link between the default docker0 bridge and the hosts ethernet devices. If you use the --net=host option for a container then the hosts network stack will be available in the container.

当数据包从容器流到docker0时，如何知道将其转发到eth0，然后再转发给外界？

When a packet flows from container to docker0, how does it know it will be forwarded to eth0, and then to the outside world?

docker0 桥具有分配给它的Docker网络的 .1 地址，通常在172.17或172.18。

The docker0 bridge has the .1 address of the Docker network assigned to it, this is usually something around a 172.17 or 172.18.

$ ip address show dev docker0
8: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:03:47:33:c1 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever

为容器分配了一个veth接口，该接口连接到 docker0 网桥。

Containers are assigned a veth interface which is attached to the docker0 bridge.

$ bridge link
10: vethcece7e5 state UP @(null): <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2

在默认Docker网络上创建的容器会收到 .1 地址作为其默认路由。

Containers created on the default Docker network receive the .1 address as their default route.

$ docker run busybox ip route show
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0  src 172.17.0.3 

Docker使用NAT MASQUERADE进行出站流量从那里开始，它将遵循主机上的标准出站路由，这可能会或可能不会涉及 eth0 。

Docker uses NAT MASQUERADE for outbound traffic from there and it will follow the standard outbound routing on the host, which may or may not involve eth0.

$ iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0  

iptables处理连接跟踪并返回流量。

iptables handles the connection tracking and return traffic.

当外部数据包到达eth0时，为什么是f到达docker0然后是容器？而不是处理它还是丢弃它？

When an external packet arrives to eth0, why it is forwarded to docker0 then container? instead of processing it or drop it?

如果您询问容器出站流量的返回路径，请参见上面的iptables作为 MASQUERADE 将映射回连接。

If you are asking about the return path for outbound traffic from the container, see iptables above as the MASQUERADE will map the connection back through.

如果您是指新的入站流量，则默认情况下不会将数据包转发到容器中。实现此目的的标准方法是设置端口映射。 Docker启动了一个守护程序，该守护程序侦听端口X上的主机，然后转发到端口Y上的容器。

If you mean new inbound traffic, Packets are not forwarded into a container by default. The standard way to achieve this is to setup a port mapping. Docker launches a daemon that listens on the host on port X and forwards to the container on port Y.

我不确定为什么也没有将NAT用于入站流量。我遇到了一些问题，试图将大量端口映射到容器中，从而导致将真实世界的界面完全映射到容器中。

I'm not sure why NAT wasn't used for inbound traffic as well. I've run into some issues trying to map large numbers of ports into containers which led to mapping real world interfaces completely into containers.

这篇关于docker0和eth0有什么关系？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！