Docker Advanced: Networking in Depth (the core of cloud native)

The previous article, Docker Basics, covered the fundamentals of Docker. This series now covers the advanced topics systematically: the networking core, Docker in practice, Docker Compose, Harbor and Swarm. Feel free to follow and bookmark.

Introduction to Docker networking

Docker packages Linux kernel technologies such as namespaces, cgroups and union file systems into a container format of its own, and in doing so provides a virtualized runtime environment.

namespace: provides isolation, for example the pid, net and mnt namespaces

CGroups (Control Groups): resource limits, for example on memory and CPU

Union file systems: layering of images and containers

1. Computer network models

Docker networking documentation: https://docs.docker.com/network/.

OSI: the Open System Interconnect reference model

TCP/IP: Transmission Control Protocol / Internet Protocol, a protocol suite that lets information be transmitted across multiple different networks. TCP/IP does not refer only to the two protocols TCP and IP; it is a suite made up of FTP, SMTP, TCP, UDP, IP and others, and it is called TCP/IP simply because TCP and IP are its most representative protocols.

Layering: the basic idea is that each layer provides higher-level, value-added services on top of the services of the layer below it, with the top layer providing the services on which distributed applications run.

[diagram]

Client sending a request: [diagram]

Server receiving the request:

[diagram]

2 Network interfaces in Linux

2.1 Viewing interface information

Command to list the interfaces: ip a

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 85987sec preferred_lft 85987sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6e:3145/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever


ip a shows that this CentOS machine has four interfaces; their roles are:

Name      Role
lo        local loopback interface
eth0      interface connected to the network
eth1      interface used to communicate with the host machine (the VM host)
docker0   Docker's interface (the docker0 bridge)

ip link show:

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff

The interfaces can also be listed as files: ls /sys/class/net

$ ls /sys/class/net
docker0  eth0  eth1  lo

2.2 Configuration files

In Linux each interface corresponds to a configuration file (ifcfg-<name>), so you only need to find the matching file. They are stored in:

$ cd /etc/sysconfig/network-scripts/
$ ls
ifcfg-eth0   ifdown-eth   ifdown-ppp       ifdown-tunnel  ifup-ippp     ifup-post    ifup-TeamPort  network-functions-ipv6
ifcfg-eth1   ifdown-ippp  ifdown-routes    ifup           ifup-ipv6     ifup-ppp     ifup-tunnel
ifcfg-lo     ifdown-ipv6  ifdown-sit       ifup-aliases   ifup-isdn     ifup-routes  ifup-wireless
ifdown       ifdown-isdn  ifdown-Team      ifup-bnep      ifup-plip     ifup-sit     init.ipv6-global
ifdown-bnep  ifdown-post  ifdown-TeamPort  ifup-eth       ifup-plusb    ifup-Team    network-functions

2.3 Interface operations

Add an IP address to an interface (the counterpart of the delete command shown next):

$ ip addr add 192.168.100.120/24 dev eth0
$ ip a
(lo, eth1 and docker0 unchanged; eth0 now carries two addresses)
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 84918sec preferred_lft 84918sec
    inet 192.168.100.120/24 scope global eth0        # the newly added IP address
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever


Delete the IP address: ip addr delete 192.168.100.120/24 dev eth0

$ ip a
(lo, eth1 and docker0 unchanged; eth0 is back to a single address)
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 84847sec preferred_lft 84847sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever

2.4 Reading the interface output

State: UP / DOWN / UNKNOWN, etc.

link/ether: the MAC address

inet: the IP address bound to the interface
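As an added example (not from the original article), here is a small Python parser for the ip a format just described, plus a drift check that flags interfaces or addresses absent from a known-good baseline, which is how a defender would notice the extra address from section 2.3 or an unexpected veth device. The sample input is assembled from this page's own outputs and the baseline is constructed.

```python
# Constructed sample built from this page's own `ip a` output: eth0 after the
# extra address from section 2.3 was added, docker0, and one container veth.
SAMPLE_IP_A = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 84918sec preferred_lft 84918sec
    inet 192.168.100.120/24 scope global eth0
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
24: veth78a90d0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 7e:6b:8c:bf:7e:30 brd ff:ff:ff:ff:ff:ff link-netnsid 2
"""

# Known-good inventory for this host (constructed): interface -> IPv4 addresses.
BASELINE = {"lo": ["127.0.0.1/8"], "eth0": ["10.0.2.15/24"],
            "eth1": ["192.168.56.10/24"], "docker0": ["172.17.0.1/16"]}


def parse_ip_a(text):
    """Return {name: {"state", "mac", "inet": [...]}} for each interface."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line[:1].isdigit():          # "N: name[@peer]: <FLAGS> ... state S ..."
            name = line.split(": ")[1].split("@")[0]
            state = line.split(" state ")[1].split()[0]
            cur = ifaces[name] = {"state": state, "mac": None, "inet": []}
            continue
        tok = line.split()
        if cur is None or not tok:
            continue
        if tok[0].startswith("link/"):  # link/ether or link/loopback: MAC
            cur["mac"] = tok[1]
        elif tok[0] == "inet":          # bound IPv4 address with prefix length
            cur["inet"].append(tok[1])
    return ifaces


def drift(ifaces, baseline):
    """List interfaces and IPv4 addresses the baseline does not know about."""
    findings = []
    for name, info in ifaces.items():
        if name not in baseline:
            findings.append("unexpected interface " + name)
            continue
        for addr in info["inet"]:
            if addr not in baseline[name]:
                findings.append("unexpected address %s on %s" % (addr, name))
    return findings
```

Feed it the live output with parse_ip_a(subprocess.check_output(["ip", "a"], text=True)) and alert on a non-empty drift list.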

3 Network Namespace

Network namespaces are a key building block of network virtualization: they create multiple isolated network spaces, each with its own network stack. Whether it is a virtual machine or a container, the workload runs as though it were on a network of its own.

3.1 Network namespace hands-on

Add a namespace:

ip netns add ns1

List the existing namespaces:

$ ip netns list
ns1

Delete a namespace:

ip netns delete ns1

$ ip netns list
ns1
$ ip netns delete ns1
$ ip netns list

Inside a freshly added namespace (ip netns add ns1 again) the only device is the loopback interface, and it is down:

$ ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

[diagram]

Bring the interface up:


$ ip netns exec ns1 ifup lo

Take it down again:

$ ip netns exec ns1 ifdown lo
$ ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

The state can also be set with ip link. Note the difference in the two outputs below: after ip link set lo down the 127.0.0.1 address stays bound to lo, whereas ifdown removed it:

$ ip netns exec ns1 ip link set lo up
$ ip netns exec ns1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
$ ip netns exec ns1 ip link set lo down
$ ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

Add a second namespace and connect the two with a veth pair, one end in each namespace (veth-ns1 in ns1, veth-ns2 in ns2). ns1 then shows its end of the pair, which can be brought up:

$ ip netns add ns2
$ ip netns exec ns1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: veth-ns1@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 7e:bb:ee:13:a2:9a brd ff:ff:ff:ff:ff:ff link-netnsid 1
$ ip netns exec ns1 ip link set veth-ns1 up

4 Deep dive into container networking: Bridge

Back on the host, ip a now shows docker0 in state UP, with one veth device attached to it (master docker0) for each running container (tomcat01 and tomcat02, which the docker network inspect bridge output further down lists):

$ ip a
(lo, eth0 and eth1 as in section 2.1)
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:52:d4:0a:9f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:52ff:fed4:a9f/64 scope link
       valid_lft forever preferred_lft forever
24: veth78a90d0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 7e:6b:8c:bf:7e:30 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::7c6b:8cff:febf:7e30/64 scope link
       valid_lft forever preferred_lft forever
26: vetha2bfbf4@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:2f:ed:e5:61:32 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::cc2f:edff:fee5:6132/64 scope link
       valid_lft forever preferred_lft forever


Next, look at the network inside tomcat01 with docker exec -it tomcat01 ip a. From the CentOS host, tomcat01's address 172.17.0.2 can be pinged:

$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.038 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms

The ping succeeds even though the CentOS host and tomcat01 live in two different network namespaces. How are they connected? See the diagram:

[diagram]

tomcat01's eth0 and one of the veth devices on the host's docker0 form a pair, just like veth-ns1 and veth-ns2 in the earlier hands-on. This is easy to confirm:

yum install bridge-utils
brctl show

Run:

$ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
92242fc0f805   bridge    bridge    local
96b999d7fcc2   host      host      local
17b86f9caa33   none      null      local

Now inspect the bridge network: docker network inspect bridge

"Containers": {
    "4b3500fed6b99c00b3ed1ae46bd6bc33040c77efdab343175363f32fbcf42e63": {
        "Name": "tomcat01",
        "EndpointID": "40fc0925fcb59c9bb002779580107ab9601640188bf157fa57b1c2de9478053a",
        "MacAddress": "02:42:ac:11:00:02",
        "IPv4Address": "172.17.0.2/16",
        "IPv6Address": ""
    },
    "92d2ff3e9be523099ac4b45058c5bf4652a77a27b7053a9115ea565ab43f9ab0": {
        "Name": "tomcat02",
        "EndpointID": "1d6c3bd73e3727dd368edf3cc74d2f01b5c458223f844d6188486cb26ea255bc",
        "MacAddress": "02:42:ac:11:00:03",
        "IPv4Address": "172.17.0.3/16",
        "IPv6Address": ""
    }
}

The tomcat01 container can also reach the Internet; the diagram below shows how. The NAT is implemented with iptables:

[diagram]

4.2 Custom networks

Create a network of type bridge:

docker network create tomcat-net

or, with an explicit subnet:

docker network create --subnet=172.18.0.0/24 tomcat-net

List the existing networks: docker network ls

$ docker network ls
NETWORK ID     NAME         DRIVER    SCOPE
b5c9cfbc0410   bridge       bridge    local
96b999d7fcc2   host         host      local
17b86f9caa33   none         null      local
43915cba1f92   tomcat-net   bridge    local


View the details of tomcat-net: docker network inspect tomcat-net

Then start a container on that network:

$ docker run -d --name custom-net-tomcat --network tomcat-net tomcat-ip:1.0
264b3901f8f12fd7f4cc69810be6a24de48f82402b1e5b0df364bd1ee72d8f0e

Network information for custom-net-tomcat (only the relevant part of the host's ip a output is shown):

12: br-43915cba1f92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:71:a6:67:c7 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-43915cba1f92
       valid_lft forever preferred_lft forever
    inet6 fe80::42:71ff:fea6:67c7/64 scope link
       valid_lft forever preferred_lft forever
14: veth282a555@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-43915cba1f92 state UP group default
    link/ether 3a:3d:83:15:3f:ed brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::383d:83ff:fe15:3fed/64 scope link
       valid_lft forever preferred_lft forever

Now check connectivity: from custom-net-tomcat, ping tomcat01 (172.17.0.2) on the default bridge. The two bridge networks are isolated from each other, so it fails:

$ docker exec -it custom-net-tomcat ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
^C
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

If tomcat01 is also connected to tomcat-net, it should work:

docker network connect tomcat-net tomcat01

$ docker exec -it custom-net-tomcat ping tomcat01
PING tomcat01 (172.18.0.3) 56(84) bytes of data.
64 bytes from tomcat01.tomcat-net (172.18.0.3): icmp_seq=1 ttl=64 time=0.031 ms

Note that on the user-defined network the container is reachable by name: tomcat01 resolves to 172.18.0.3 through Docker's embedded DNS.

5 Deep dive into container networking: Host & None

5.1 Host

In host mode the container shares the host's network stack, and all of the host's interfaces are available to the container. The container's hostname matches the hostname of the host system.

Create a container and set its network to host:

docker run -d --name my-tomcat-host --network host tomcat-ip:1.0

View its IP addresses:

docker exec -it my-tomcat-host ip a

Inspect the host network (docker network inspect host); the Containers section shows no address of its own for the container:

"Containers": {
    "f495a6892d422e61daab01e3fcfa4abb515753e5f9390af44c93cae376ca7464": {
        "Name": "my-tomcat-host",
        "EndpointID": "77012b1ac5d15bde3105d2eb2fe0e58a5ef78fb44a88dc8b655d373d36cde5da",
        "MacAddress": "",
        "IPv4Address": "",
        "IPv6Address": ""
    }
}

5.2 None

None mode configures no IP address for the container at all; it cannot reach external networks or other containers. It only has a loopback address and can be used for running batch jobs.

Create a tomcat container and set its network to none:

docker run -d --name my-tomcat-none --network none tomcat-ip:1.0

View its IP addresses:

docker exec -it my-tomcat-none ip a

Inspect the none network (docker network inspect none); the Containers section shows:

"Containers": {
    "c957b61dae93fbb9275acf73c370e5df1aaf44a986579ee43ab751f790220807": {
        "Name": "my-tomcat-none",
        "EndpointID": "16bf30fb7328ceb433b55574dc071bf346efa58e2eb92b6f40d7a902ddc94293",
        "MacAddress": "",
        "IPv4Address": "",
        "IPv6Address": ""
    }
}
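An added example, not from the original article: an audit over docker network inspect output that flags the two setups this page has just produced, a container on the host network (section 5.1, which sees every host interface) and a container attached to more than one bridge network (tomcat01 after docker network connect in section 4.2, which can relay traffic between bridges Docker otherwise keeps isolated). The sample inspect data is constructed in the shape of the real output, abridged to the fields used, with the container IDs shortened.

```python
import json

# Constructed sample in the shape of `docker network inspect bridge host none
# tomcat-net`, abridged to Name/Driver/Containers with shortened IDs. It reflects
# the state this page reaches: tomcat01 was added to tomcat-net with
# `docker network connect` while staying on the default bridge, and
# my-tomcat-host was started with --network host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Containers": {
        "4b3500fed6b9": {"Name": "tomcat01"},
        "92d2ff3e9be5": {"Name": "tomcat02"}}},
    {"Name": "host", "Driver": "host", "Containers": {
        "f495a6892d42": {"Name": "my-tomcat-host"}}},
    {"Name": "none", "Driver": "null", "Containers": {
        "c957b61dae93": {"Name": "my-tomcat-none"}}},
    {"Name": "tomcat-net", "Driver": "bridge", "Containers": {
        "264b3901f8f1": {"Name": "custom-net-tomcat"},
        "4b3500fed6b9": {"Name": "tomcat01"}}},
])


def audit_networks(inspect_json):
    """Return sorted findings for containers that weaken per-network isolation.

    Flags containers on the host network (they share the host's stack and see
    every host interface) and containers attached to more than one bridge
    network (they can forward traffic between otherwise isolated bridges).
    """
    membership = {}                  # container name -> [(network, driver), ...]
    findings = []
    for net in json.loads(inspect_json):
        for c in net["Containers"].values():
            membership.setdefault(c["Name"], []).append((net["Name"], net["Driver"]))
            if net["Driver"] == "host":
                findings.append("%s shares the host network stack" % c["Name"])
    for name, nets in membership.items():
        bridges = [n for n, driver in nets if driver == "bridge"]
        if len(bridges) > 1:
            findings.append("%s bridges networks %s" % (name, ", ".join(bridges)))
    return sorted(findings)
```

On a live host, feed it the output of docker network inspect $(docker network ls -q).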

6 Port mapping

Create a tomcat container named port-tomcat:

docker run -d --name port-tomcat tomcat-ip:1.0

How do we reach the Tomcat service? From inside the container:

docker exec -it port-tomcat bash
curl localhost:8080

What if we want to reach it from the CentOS 7 host? Use the container's IP address (found with ip a inside the container):

docker exec -it port-tomcat ip a
curl 172.17.0.4:8080

What if we want to reach it through localhost on CentOS? Then port 8080 of port-tomcat has to be mapped to a port on CentOS. Note that -p 8090:8080 publishes the port on all of the host's interfaces; to expose it locally only, bind it explicitly with -p 127.0.0.1:8090:8080.

docker rm -f port-tomcat
docker run -d --name port-tomcat -p 8090:8080 tomcat-ip:1.0
curl localhost:8090

CentOS 7 here is a virtual machine running on Windows 10. What if we want to reach the service from Windows 10 by ip:port?

This uses a Vagrant public network, which is equivalent to bridged networking. You can also specify which physical NIC of the host machine the network should use, for example:

# config.vm.network "public_network", :bridge => 'en1: Wi-Fi (AirPort)'
config.vm.network "public_network"

CentOS 7: ip a  --->  192.168.8.118

Windows 10: open 192.168.8.118:9080 in a browser

[diagram]

7 Communication between machines

A detailed treatment follows in the Docker Swarm article; this section is only a brief introduction.

On a single CentOS 7 machine we can always find a way to make two containers communicate. What about containers on two different CentOS 7 machines? Diagram:

[diagram]

This is implemented with VXLAN (Virtual Extensible LAN):

[diagram]

PS: once you have mastered Docker networking, you have mastered the core of the whole technology. If this article helped, feel free to follow, like and bookmark.
