1.ip netns命令
ip netns(ip network namespace)命令可以用来对网络名称空间进行各种操作,该命令由iproute包提供,默认已安装。
ip netns帮助文档
[root@docker ~]# ip netns help
Usage: ip netns list
ip netns add NAME
ip netns attach NAME PID
ip netns set NAME NETNSID
ip [-all] netns delete [NAME] #删除
ip netns identify [PID] #识别
ip netns pids NAME
ip [-all] netns exec [NAME] cmd .. #进行相应操作
ip netns monitor #监控
ip netns list-id [target-nsid POSITIVE-INT] [nsid POSITIVE-INT]
NETNSID := auto | POSITIVE-INT
添加网络名称空间
[root@docker ~]# ip netns add oppo
[root@docker ~]# ip netns list
oppo
[root@docker ~]# ll /var/run/netns/ #创建的名称空间在/var/run/netns下
总用量 0
-r--r--r--. 1 root root 0 8月 13 20:16 oppo
#注意
在此目录下mkdir创建的名称空间是不能使用的
2.操作网络名称空间
2.1查看创建的名称空间网卡信息
[root@docker ~]# ip netns exec oppo ip addr
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
#新建的oppo名称空间内只有lo一个设备,且默认处于DOWN状态
2.2启动名称空间lo回环口
[root@docker ~]# ip netns exec oppo ip link set lo up
[root@docker ~]# ip netns exec oppo ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
[root@docker ~]# ip netns exec oppo ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.026 ms
2.3网络名称设备veth
一个设备只能属于一个网络名称空间,veth(virtual ethernet) pair属于可转移设备,其它设备(lo,vxlan,ppp,bridge等)是不可以转移的
2.4实现俩名称空间通信
#添加veth类型的网卡设备,默认会创建一对
[root@docker ~]# ip link add type veth
[root@docker ~]# ip a
4: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 56:7c:54:55:81:73 brd ff:ff:ff:ff:ff:ff
5: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 56:17:2f:ca:62:62 brd ff:ff:ff:ff:ff:ff
#添加俩个名称空间
[root@docker ~]# ip netns add vtest01
[root@docker ~]# ip netns add vtest02
#veth0添加到vtest01 veth1添加到vtest02 绑定
[root@docker ~]# ip link set veth0 netns vtest01
[root@docker ~]# ip link set veth1 netns vtest02
#再次查看,显示veth设备全部没有了,而是转移到名称空间内了
[root@docker ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:90:1f:fa brd ff:ff:ff:ff:ff:ff
inet 192.168.136.233/24 brd 192.168.136.255 scope global dynamic noprefixroute ens33
valid_lft 1181sec preferred_lft 1181sec
inet6 fe80::314b:11d8:7c1b:d9bb/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:05:9e:a7:70 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
#查看veth设备bind的情况
[root@docker ~]# ip netns exec vtest01 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: veth0@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 56:7c:54:55:81:73 brd ff:ff:ff:ff:ff:ff link-netns vtest02
[root@docker ~]# ip netns exec vtest02 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loo
#分别对veth进行开启和创建ip
[root@docker ~]# ip netns exec vtest01 ip link set veth0 up
[root@docker ~]# ip netns exec vtest02 ip link set veth1 up
[root@docker ~]# ip netns exec vtest01 ip addr add 10.0.0.1/24 dev veth0
[root@docker ~]# ip netns exec vtest02 ip addr add 10.0.0.2/24 dev veth1
2.5重命名网卡设备
重命名网卡可以实现规范化
ip netns exec vtest01 ip link set veth0 down
ip netns exec vtest02 ip link set veth1 down
ip netns exec vtest01 ip link set dev veth0 name eth0
ip netns exec vtest02 ip link set dev veth1 name eth1
3.容器常用操作
3.1修改容器主机名
容器的host默认是容器的ID
#运行一个基于busybox镜像取名叫test04的容器,该网络类型是bridge模式,
交互并且退出自动删除容器的模式,容器主机名设置为tom
[root@docker ~]# docker run -it --name test04 --network bridge --hostname tom --rm busybox
/ # hostname
tom
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3 tom #主机名与ip成映射关系
~ # cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.136.2 #DNS也会自动配置为宿主机的DNS
~ # ping www.baidu.com
PING www.baidu.com (36.152.44.96): 56 data bytes
64 bytes from 36.152.44.96: seq=0 ttl=127 time=21.226 ms
64 bytes from 36.152.44.96: seq=1 ttl=127 time=20.096 ms
3.2手动生成DNS
[root@docker ~]# docker run -it --name test04 --network bridge --hostname tom --dns 114.114.114.114 --rm busybox
/ # cat /etc/resolv.conf
search localdomain
nameserver 114.114.114.114
/ # ping baidu.com #能够通信
PING baidu.com (220.181.38.148): 56 data bytes
64 bytes from 220.181.38.148: seq=0 ttl=127 time=27.561 ms
64 bytes from 220.181.38.148: seq=1 ttl=127 time=27.523 ms
/ # nslookup www.baidu.com #查看baidu服务信息
Server: 114.114.114.114
Address: 114.114.114.114:53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com #容器内查看的别名信息
Name: www.a.shifen.com
Address: 36.152.44.96
Name: www.a.shifen.com
Address: 36.152.44.95
3.3添加域名ip
[root@docker ~]# docker run -it --name t1 --network bridge --add-host www.a.com:1.2.3.4 --rm busybox
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
1.2.3.4 www.a.com #添加成功
4.容器端口
-p :80(随机端口)
只指定容器端口,宿主机会在本机所有地址(0.0.0.0和::)上分配一个随机端口映射过去
[root@docker ~]# docker run -it --name web --rm -p 80 nginx
#另一终端查看随机端口情况
[root@docker ~]# docker port web
80/tcp -> 0.0.0.0:49153
80/tcp -> :::49153
查看访问到的内容:
[root@docker ~]# curl 192.168.136.233:49153
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
-p 8080:80(指定端口)
通过宿主机ip加上指定的端口号8080访问
[root@docker ~]# docker run --name web --rm -p 8080:80 nginx
[root@docker ~]# docker port web
80/tcp -> 0.0.0.0:8080
80/tcp -> :::8080
curl 192.168.136.233:8080 #进行访问
-p 指定ip::容器端口号
只能通过指定的ip和端口号访问
[root@docker ~]# docker run --name web --rm -p 192.168.136.233::80 nginx
[root@docker ~]# docker port web
80/tcp -> 192.168.136.233:49154
5.自定义Docker0网桥的网络属性信息
Docker官网文档:https://docs.docker.com/get-started/overview/
5.1Docker0网络配置修改
修改docker0的网络信息需要修改/etc/docker/daemon.json配置文件
#该json模板中前面几行均为"x": "x"的形式,以逗号分隔,最后一行不需要逗号
{ "bip": "192.168.1.5/24", #(bridge ip)指定docker0桥自身的ip地址,本行最重要,其它可以通过计算得到
"fixed-cidr": "192.168.1.5/25",
"fixed-cidr-v6": "2001:db8::/64",
"mtu": 1500,
"default-gateway": "10.20.1.1",
"default-gateway-v6": "2001:db8:abcd::89",
"dns": ["10.20.1.2","10.20.1.3"]
}
具体实例:
[root@docker ~]# cat /etc/docker/daemon.json
{
"bip": "192.168.1.5/24"
}
[root@docker ~]# systemctl daemon-reload
[root@docker ~]# systemctl restart docker
[root@docker ~]# ip a
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:7a:f3:b8:3a brd ff:ff:ff:ff:ff:ff
inet 192.168.1.5/24 brd 192.168.1.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:7aff:fef3:b83a/64 scope link
valid_lft forever preferred_lft forever
5.2Docker远程连接(这个比较捞,了解即可)
docker远程连接是客户端连接到服务端设备,查看修改服务端容器的过程。
dockerd默认监听unix socket的地址(/var/run/docker.sock),使用TCP套接字的话,则需要修改/etc/docker/daemon.json配置文件
服务端:
"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
#注意:这个TCP监听本身不带任何认证,凡能连到2375端口的主机都可以完全控制dockerd;正式环境应只绑定受信任的内网地址,或按官方文档启用TLS(TLS默认使用2376端口)。
客户端:
docker客户端通过-H host指定要控制哪台主机上的docker容器
docker -H host:port ps
远程连接具体实例: 环境:
系统 | ip | 角色
---|---|---
centos8 | 192.168.136.233 | 服务端
centos8 | 192.168.136.234 | 客户端
相应操作:
1.修改/etc/docker/daemon.json文件
[root@docker ~]# cat /etc/docker/daemon.json
{
"bip": "192.168.1.5/24",
"hosts": ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
}
2.重新加载系统文件
[root@docker ~]# systemctl daemon-reload
#重启docker会出现错误,该错误一定会出现!!配置docker.conf即可
[root@docker ~]# systemctl restart docker
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
3.查看官网文档解决问题
请新建文件/etc/systemd/system/docker.service.d/docker.conf,内容如下,
用于去掉systemd单元默认启动守护进程时所带的-H参数(否则会与daemon.json中的hosts配置冲突)。
[root@docker docker.service.d]# pwd
/etc/systemd/system/docker.service.d
[root@docker docker.service]# cat docker.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
[root@docker ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:2375
#2375端口已起
4.服务端启动一个容器
[root@docker ~]# docker run --name web --rm -p 8080:80 nginx
[root@docker ~]# docker port web
80/tcp -> 0.0.0.0:8080
80/tcp -> :::8080
#(客户端)查看到服务端的容器信息
[root@192 ~]# docker -H 192.168.136.233:2375 ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
09e9ffd0cafa nginx "/docker-entrypoint.…" About a minute ago Up About a minute 0.0.0.0:8080->80/tcp, :::8080->80/tcp web
6.自定义Docker网桥
系统默认的3种桥模式
[root@docker ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
126834ad50ad bridge bridge local
1ee1539d1299 host host local
4b16e7092184 none null local
自定义一个br0的网桥
--subnet:子网 --gateway:网关 -d:网络驱动(driver),这里为bridge
[root@docker ~]# docker network create -d bridge --subnet "10.0.0.0/24" --gateway "10.0.0.1" br0
aba825bc95dff2aca307dcd27229f6432ca735b9736d92492bf97f868e12c34d
使用一个自定义br0网桥的容器
[root@docker ~]# docker run -it --name web --rm --network br0 busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
78: eth0@if79: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:0a:00:00:02 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.2/24 brd 10.0.0.255 scope global eth0
valid_lft forever preferred_lft forever
现在使用一个默认bridge的容器
[root@docker ~]# docker run -it --name web1 --rm --network bridge busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
80: eth0@if81: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:c0:a8:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
俩容器能通信吗??
/ # ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
/ # ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
#很明显不能!!怎样才能通信呢?
很简单,只需要用docker network connect把bridge模式下的容器再接入br0网络即可
[root@docker ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a4b1081abd2b busybox "sh" 20 seconds ago Up 19 seconds web1 #bridge
118c11274699 busybox "sh" 42 seconds ago Up 41 seconds web #br0
#将bridge模式下的容器web1接入自定义网络br0
[root@docker ~]# docker network connect br0 a4b1081abd2b
#bridge模式下的容器查看ip
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
86: eth0@if87: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:c0:a8:01:01 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
88: eth1@if89: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:0a:00:00:03 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.3/24 brd 10.0.0.255 scope global eth1
valid_lft forever preferred_lft forever #多了一个网段
#测试通信
/ # ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: seq=0 ttl=64 time=0.165 ms
64 bytes from 10.0.0.2: seq=1 ttl=64 time=0.086 ms
64 bytes from 10.0.0.2: seq=2 ttl=64 time=0.064 ms
#依次类推,各个模式网段均可以加入到其它网络模式内,实现通信!!