Docker容器单机网络架构全攻略:深入探索内外网互访的奥秘
三 docker网络基础-内外互访
3.1 docker容器互访
docker容器的默认网关位于宿主机网桥docker0的虚拟接口上:下面容器内 route -n 看到的网关 172.17.0.1,正是宿主机 ip add list 中 docker0 的地址。
[superman@docker ~]$ docker attach superman01
/ #
/ # route -n
/ # exit
[superman@docker ~]$
[superman@docker ~]$ ip add list
示例:
[superman@docker ~]$ docker attach superman01
/ #
/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
/ #
/ # exit
[superman@docker ~]$
[superman@docker ~]$ ip add list
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:ae:f5:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.121/24 brd 192.168.0.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::bf89:d5fb:2136:8e25/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:2b:e7:4a brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:2b:e7:4a brd ff:ff:ff:ff:ff:ff
5: docker0: mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:c3:e7:1d:ce brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:c3ff:fee7:1dce/64 scope link
valid_lft forever preferred_lft forever
[superman@docker ~]$
3.2 docker容器访问外网
容器内部网络访问外部网络时,使用动态NAPT(动态网络地址端口转换):默认只能由内部网络主动访问外部网络,外部网络无法主动访问内部网络。只有通过 -p 显式发布端口(见3.3)后,外部才能访问该端口;此时端口默认绑定在宿主机的所有地址(0.0.0.0 和 ::)上,而不只是某一块网卡。
查看网络端口地址转换
[root@docker ~]# iptables -t nat -nL
示例:
[root@docker ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@docker ~]#
MASQUERADE 可以进行源地址转换,并且会动态查找出接口网卡的地址,因此规则中不需要写死宿主机的IP。
3.3 容器外部网络访问内部网络
[superman@docker ~]$ docker run -d -p 12001:80 --name superman111 httpd_superman:1.0
示例:
[superman@docker ~]$ docker run -d -p 12001:80 --name superman111 httpd_superman:1.0
217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b
[superman@docker ~]$
[superman@docker ~]$
[superman@docker ~]$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
217082e68dc0 httpd_superman:1.0 "httpd-foreground" 5 seconds ago Up 5 seconds 0.0.0.0:12001->80/tcp, :::12001->80/tcp superman111
52c743b3f9d3 alpine "/bin/sh" 32 minutes ago Up 22 minutes superman01
[superman@docker ~]$
[superman@docker ~]$ curl 192.168.0.121:12001
lang=en>
charset=UTF-8>
Welcome to Apache
[superman@docker ~]$
3.4 查看容器详细信息
[superman@docker ~]$ docker inspect superman111
示例:
[superman@docker ~]$ docker inspect superman111
[
{
"Id": "217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b",
"Created": "2024-06-22T10:21:28.169951515Z",
"Path": "httpd-foreground",
"Args": [],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 12176,
"ExitCode": 0,
"Error": "",
"StartedAt": "2024-06-22T10:21:28.424480637Z",
"FinishedAt": "0001-01-01T00:00:00Z"
},
"Image": "sha256:f0d394fd69d57ec39fc080860e39d5da4c4f9b6702f477d7b033b6e1ed997b10",
"ResolvConfPath": "/var/lib/docker/containers/217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b/hostname",
"HostsPath": "/var/lib/docker/containers/217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b/hosts",
"LogPath": "/var/lib/docker/containers/217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b/217082e68dc0ef37e3423f3ae4d828c8ce0f0d774fa7e9bdec0d6004ba81ca6b-json.log",
"Name": "/superman111",
"RestartCount": 0,
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": null,
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "default",
"PortBindings": {
"80/tcp": [
{
"HostIp": "",
"HostPort": "12001"
}
]
},
"RestartPolicy": {
"Name": "no",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"ConsoleSize": [
32,
123
],
"CapAdd": null,
"CapDrop": null,
"CgroupnsMode": "host",
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "private",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": [],
"BlkioDeviceReadBps": [],
"BlkioDeviceWriteBps": [],
"BlkioDeviceReadIOps": [],
"BlkioDeviceWriteIOps": [],
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DeviceCgroupRules": null,
"DeviceRequests": null,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": null,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/747e4eb58808925896353d9e312f3a76a122f61a91a0d82cd76dfe3678999cc8-init/diff:/var/lib/docker/overlay2/e26e6dc0229910dde680df7d4e999253f6ae6af4287515e543fd2e27c51c78a6/diff:/var/lib/docker/overlay2/03b49278fced73e9848efec6f17c5c3aa87536c7dc7537385435fab596ad37b1/diff:/var/lib/docker/overlay2/0f922151522c8625825b82ae897c679f4156553c28de64ffd6dc24cbacb87b10/diff:/var/lib/docker/overlay2/0d10ddaad447420608a991bf9d1eeb2eab43aa94d357b11e27cbebecb266a397/diff:/var/lib/docker/overlay2/bed8bb10a171b8d67d7c17b9f3b790c155566c9fc74d1ccd569579ffd5b0c832/diff:/var/lib/docker/overlay2/db81c66aaafe71538fea4043788a774bd5bebb0b2c9efe9caa2005aa428fc8a6/diff",
"MergedDir": "/var/lib/docker/overlay2/747e4eb58808925896353d9e312f3a76a122f61a91a0d82cd76dfe3678999cc8/merged",
"UpperDir": "/var/lib/docker/overlay2/747e4eb58808925896353d9e312f3a76a122f61a91a0d82cd76dfe3678999cc8/diff",
"WorkDir": "/var/lib/docker/overlay2/747e4eb58808925896353d9e312f3a76a122f61a91a0d82cd76dfe3678999cc8/work"
},
"Name": "overlay2"
},
"Mounts": [],
"Config": {
"Hostname": "217082e68dc0",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/apache2/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"HTTPD_PREFIX=/usr/local/apache2",
"HTTPD_VERSION=2.4.52",
"HTTPD_SHA256=0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9",
"HTTPD_PATCHES="
],
"Cmd": [
"httpd-foreground"
],
"Image": "httpd_superman:1.0",
"Volumes": null,
"WorkingDir": "/usr/local/apache2",
"Entrypoint": null,
"OnBuild": null,
"Labels": {},
"StopSignal": "SIGWINCH"
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "068ab2ed2e4269b0610e5b84f6b53b9ca1bf83408c7286f602cdefe761d6ed4e",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"80/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "12001"
},
{
"HostIp": "::",
"HostPort": "12001"
}
]
},
"SandboxKey": "/var/run/docker/netns/068ab2ed2e42",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "d44fa4f0b0d4316370ecaa6c62f7c19f564c95fa932784c7d46731dd1c4e4bdb",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:03",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "0ac9369f53ff7623c5df0b738afc319120253041213f4d162346847179bb185d",
"EndpointID": "d44fa4f0b0d4316370ecaa6c62f7c19f564c95fa932784c7d46731dd1c4e4bdb",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.3",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "02:42:ac:11:00:03",
"DriverOpts": null
}
}
}
}
]
[superman@docker ~]$
3.5 查看容器ip地址
[superman@docker ~]$ docker inspect superman111 | grep -i ipaddress
示例:
[superman@docker ~]$ docker inspect superman111 | grep -i ipaddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.3",
"IPAddress": "172.17.0.3",
[superman@docker ~]$
3.6 查看网络端口地址转换
[root@docker ~]# iptables -t nat -nL
示例(与3.2对比,发布端口后 nat 表多出了 POSTROUTING 链中的 MASQUERADE 规则和 DOCKER 链中的 DNAT 规则):
[root@docker ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
RETURN all -- 192.168.122.0/24 224.0.0.0/24
RETURN all -- 192.168.122.0/24 255.255.255.255
MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
MASQUERADE tcp -- 172.17.0.3 172.17.0.3 tcp dpt:80
Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:12001 to:172.17.0.3:80
[root@docker ~]#
