在同一主机上的不同网络中的 Docker 容器之间进行通信 [英] Communicating between Docker containers in different networks on the same host

问题描述

是否有可能使同一主机内不同网络中的容器进行通信?请注意，我目前没有使用 docker-compose.

以下是我所做的总结.我使用以下命令创建了两个网络

The following is a summary of what I did. I created two networks using the following commands

docker network create --driver bridge mynetwork1   
docker network create --driver bridge mynetwork2

然后我使用以下命令在每个创建的网络上运行两个容器:

Then I ran two containers on each of these created networks using the commands:

docker run --net=mynetwork1 -it name=mynet1container1 mycontainerimage
docker run --net=mynetwork1 -it name=mynet1container2 mycontainerimage
docker run --net=mynetwork2 -it name=mynet2container1 mycontainerimage
docker run --net=mynetwork2 -it name=mynet2container2 mycontainerimage

然后我从使用创建的网络中识别出每个容器的 IP 地址

I then identified the IP Addresses of each of the containers from the networks created using

docker network inspect mynetwork1
docker network inspect mynetwork2

使用那些我能够在同一网络中的容器之间进行通信，但我无法跨网络的容器之间进行通信.只有将容器添加到同一网络才能进行通信.

Using those I was able to communicate between the containers in the same network, but I could not communicate between the containers across the networks. Communication was possible only by adding the containers to the same network.

非常感谢...

推荐答案

不同网络中的容器无法相互通信，因为 iptables 会丢弃此类数据包.这显示在过滤器表中的 DOCKER-ISOLATION-STAGE-1 和 DOCKER-ISOLATION-STAGE-2 链中.

Containers in different networks can not communicate with each other because iptables drop such packets. This is shown in the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains in the filter table.

    sudo iptables -t filter -vL

可以将规则添加到 DOCKER-USER 链中，以允许不同网络之间的通信.在上述场景中，以下命令将允许 mynetwork1 中的任何容器与 mynetwork2 中的任何容器进行通信.

Rules can be added to DOCKER-USER chain to allow communication between different networks. In the above scenario, the following commands will allow ANY container in mynetwork1 to communicate with ANY containers in mynetwork2.

需要先找到网络的网桥接口名称(mynetwork1 和 mynetwork2).它们的名称通常看起来像 br-07d0d51191df 或 br-85f51d1cfbf6，可以使用命令ifconfig"或ip link show"找到它们.由于有多个网桥接口，要为感兴趣的网络识别正确的网桥接口，网桥接口的 inet 地址(显示在 ifconfig 中)应与命令 'docker network inspect mynetwork1' 中显示的子网地址匹配

The bridge interface names of the network (mynetwork1 and mynetwork2) need to be found first. Their names are usually look like br-07d0d51191df or br-85f51d1cfbf6 and they can be found using command "ifconfig" or "ip link show". Since there are multiple bridge interfaces, to identify the correct ones for the networks of interest, the inet address of the bridge interface (shown in ifconfig) should match the subnet address shown in command 'docker network inspect mynetwork1'

    sudo iptables -I DOCKER-USER -i br-########1 -o br-########2 -j ACCEPT
    sudo iptables -I DOCKER-USER -i br-########2 -o br-########1 -j ACCEPT

可以微调规则以仅允许特定 IP 之间的通信.例如，

The rules can be fine tuned to allow only communications between specific IPs. E.g,

    sudo iptables -I DOCKER-USER -i br-########1 -o br-########2 -s 172.17.0.2 -d 172.19.0.2 -j ACCEPT
    sudo iptables -I DOCKER-USER -i br-########2 -o br-########1 -s 172.19.0.2 -d 172.17.0.2 -j ACCEPT

这篇关于在同一主机上的不同网络中的 Docker 容器之间进行通信的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！