3. docker容器网络管理

docker容器网络管理

• 一、docker网络的工作模式
• • 1、bridge模式
  • 2、host模式
  • 3、container模式
  • 4、none模式
• 二、flannel+etcd网络
• • 1、flannel工作原理介绍
  • 2、flannel网络部署
  • [2.1 环境描述](#2.1 环境描述)
  • [2.2 两台物理机安装docker](#2.2 两台物理机安装docker)
  • [2.3 安装配置etcd数据库](#2.3 安装配置etcd数据库)
  • [2.4 安装配置flannel](#2.4 安装配置flannel)
  • • [2.4.1 安装配置flannel](#2.4.1 安装配置flannel)
    • [2.4.2 在etcd数据库中写入flannel网络信息](#2.4.2 在etcd数据库中写入flannel网络信息)
    • [2.4.3 启动flannel](#2.4.3 启动flannel)
    • [2.4.4 配置flannel接管docker0](#2.4.4 配置flannel接管docker0)
  • [2.5 测试容器通信](#2.5 测试容器通信)

一、docker网络的工作模式

支持的网络模式：bridge, host, container, none

[root@martin-host ~]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
4a6c8a41e530   bridge    bridge    local
8911ee674667   host      host      local
171e827698d3   none      null      local
[root@martin-host ~]# 

1、bridge模式

实际就是NAT模式

SNAT：网关、路由转发、SNAT规则

DNAT：-p, -P；注意端口冲突

2、host模式

• 容器会和物理机共享同一个网络命名空间

[root@martin-host ~]# docker run -tid --name=test1 --net=host  centos:7 
9c2f91bc45c00bc4f43d679a670f008b220a9890ea86d00b79846e1f7f220daa

[root@martin-host ~]# docker ps -a
CONTAINER ID   IMAGE      COMMAND       CREATED         STATUS         PORTS     NAMES
9c2f91bc45c0   centos:7   "/bin/bash"   3 seconds ago   Up 3 seconds             test1

[root@martin-host ~]# docker run -tid --net=host --name=test2 nginx:1.18
1af0a7132848773ee43045ecbbba58c00ef37af9342504df425fc0d197a92da6
[root@martin-host ~]# 

容易出现端口冲突

3、container模式

新建的容器会与一个已有的容器(bridge模式)共享同一个网络命名空间

减少通信时的网络消耗的

[root@martin-host ~]# docker run -tid --name=test4 centos:7 
10ebb4a937142a36424f522a6b3e88e12c2462820b40504136eae826ab8c15dc

[root@martin-host ~]# docker run -tid --name=test5 --net=container:test4 centos:7 
10ebb4a937142a36424f522a6b3e88e12c2462820b40504136eae826ab8c15dc

4、none模式

容器没有自己的网络命名空间

[root@martin-host ~]# docker run -tid --name=test8 --net=none centos:7 
a3111d29310a162819dc84e4d7352b21f3482bbf1be4c618bf5c1d8d267892b6

二、flannel+etcd网络

1、flannel工作原理介绍

解决跨物理机容器间通信的问题：

1、改变容器的IP分配方式

2、特殊线路连接容器网络

2、flannel网络部署

2.1 环境描述

192.168.140.10 docker/flannel/etcd

192.168.140.11 docker/flannel

2.2 两台物理机安装docker

2.3 安装配置etcd数据库

[root@martin-host ~]# yum install -y etcd

[root@martin-host ~]# vim /etc/etcd/etcd.conf 
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
ETCD_ADVERTISE_CLIENT_URLS="http://0.0.0.0:2379"

[root@martin-host ~]# systemctl enable --now etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
[root@martin-host ~]# 
[root@martin-host ~]# netstat -tunlp | grep etcd
tcp        0      0 127.0.0.1:2380          0.0.0.0:*               LISTEN      20101/etcd          
tcp6       0      0 :::2379                 :::*                    LISTEN      20101/etcd    

[root@martin-host ~]# etcdctl set file01/name martin
martin
[root@martin-host ~]# etcdctl get file01/name
martin

2.4 安装配置flannel

2.4.1 安装配置flannel

[root@martin-host ~]# yum install -y flannel 

[root@martin-host ~]# vim /etc/sysconfig/flanneld 
FLANNEL_ETCD_ENDPOINTS="http://192.168.140.10:2379"

# etcd config key.  This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/atomic.io/network"

2.4.2 在etcd数据库中写入flannel网络信息

[root@martin-host ~]# etcdctl mk /atomic.io/network/config '{"Network":"10.88.0.0/16"}'
{"Network":"10.88.0.0/16"}
[root@martin-host ~]# 

2.4.3 启动flannel

[root@martin-host ~]# systemctl enable --now flanneld.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
Created symlink from /etc/systemd/system/docker.service.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
[root@martin-host ~]#

[root@martin-host ~]# ifconfig flannel0
flannel0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1472
        inet 10.88.54.0  netmask 255.255.0.0  destination 10.88.54.0
        inet6 fe80::64e:b3fe:833f:bbd3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.4.4 配置flannel接管docker0

[root@martin-host ~]# vim /usr/lib/systemd/system/docker.service 
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $DOCKER_NETWORK_OPTIONS

[root@martin-host ~]# systemctl daemon-reload
[root@martin-host ~]# systemctl restart docker
[root@martin-host ~]# 
[root@martin-host ~]# ifconfig docker0
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1472
        inet 10.88.54.1  netmask 255.255.255.0  broadcast 10.88.54.255
        inet6 fe80::42:4bff:fed0:c4a  prefixlen 64  scopeid 0x20<link>
        ether 02:42:4b:d0:0c:4a  txqueuelen 0  (Ethernet)
        RX packets 23132  bytes 3492875 (3.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35113  bytes 38048558 (36.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


[root@martin-host ~]# ls /run/flannel/
docker  subnet.env
[root@martin-host ~]# cat /run/flannel/docker 
DOCKER_OPT_BIP="--bip=10.88.54.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=true"
DOCKER_OPT_MTU="--mtu=1472"
DOCKER_NETWORK_OPTIONS=" --bip=10.88.54.1/24 --ip-masq=true --mtu=1472"

另外一个物理主机参考上述flannel配置 

2.5 测试容器通信

修改iptables防火墙数据转发链的默认策略

[root@martin-host ~]# iptables -P FORWARD ACCEPT

[root@martin-host ~]# docker exec -ti test1 bash
[root@fc0cdb7e5dcd /]# 
[root@fc0cdb7e5dcd /]# ping 10.88.86.2
PING 10.88.86.2 (10.88.86.2) 56(84) bytes of data.
64 bytes from 10.88.86.2: icmp_seq=18 ttl=60 time=0.643 ms
64 bytes from 10.88.86.2: icmp_seq=19 ttl=60 time=1.04 ms