Coding With Fun

Docker Network


May 22, 2021 Docker From entry to practice



Docker's network implementation is built on Linux network namespaces and virtual network devices (in particular veth pairs). It is recommended that you familiarize yourself with the basic concepts of these two parts before reading this chapter.

Basic principle

First, to implement network communication, the machine needs at least one network interface (physical or virtual) to send and receive packets.

The network interfaces in Docker are virtual by default. One advantage of virtual interfaces is that forwarding is more efficient. Linux implements data forwarding between virtual interfaces by copying data inside the kernel: packets in the send buffer of the sending interface are copied directly into the receive buffer of the receiving interface. To the local system and to the system inside the container it looks like a normal Ethernet card, but it never has to talk to an external network device, so it is much faster.

The Docker container network leverages this technology. It creates a virtual interface on the local host and another inside the container and connects the two to each other (such a pair of interfaces is called a veth pair).

Network creation parameters

When Docker creates a container, it does the following:

  • Create a pair of virtual interfaces, one placed on the local host and one in the new container.
  • The local host end is bridged to the default docker0 (or the specified bridge) and given a unique name, such as veth65f9;
  • The other end is placed in the new container and renamed eth0; this interface is visible only inside the container's network namespace;
  • An idle address is taken from the bridge's available address segment and assigned to the container's eth0, and the default route is configured to go through the bridge network card veth65f9.

Once this is done, the container can use its eth0 virtual network card to connect to other containers and to other networks.

The network configuration of the container can be specified with the --net parameter of docker run, which has four optional values:

  • --net=bridge is the default and connects the container to the default bridge.
  • --net=host tells Docker not to put the container's network in an isolated namespace, that is, not to containerize the network at all. In this case the container uses the local host's network and has full access to the local host's interfaces. Container processes can open low-numbered ports just like other root processes on the host, access local network services such as D-Bus, and do things that affect the entire host system, such as restarting the host. So be very careful when using this option. If --privileged=true is also used, the container is allowed to configure the host's network stack directly.
  • --net=container:NAME_or_ID tells Docker to put the processes of the new container into the network stack of an existing container. The new container has its own file system, process list, and resource limits, but shares network resources such as the IP address, ports, and the lo loopback interface with the existing container.
  • --net=none tells Docker to put the new container in an isolated network stack but not to configure the network. After that, the user can configure it themselves.
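The four --net modes above are visible in each container's HostConfig, so the risky ones can be audited from the host. The script below is an added example (not the article's own code): collect_net_modes and classify_net_modes are names chosen here, the inspect template fields .HostConfig.NetworkMode and .HostConfig.Privileged are real Docker fields, and the sample container list is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: flag running containers that use
# --net=host (and --net=host together with --privileged=true, which the text says can
# reconfigure the host's network stack), or share another container's stack.

# collect_net_modes: one line per running container: "<name> <netmode> <privileged>".
# Needs the Docker daemon and GNU xargs (-r); not used by the offline sample below.
collect_net_modes() {
    docker ps -q | xargs -r docker inspect \
        -f '{{.Name}} {{.HostConfig.NetworkMode}} {{.HostConfig.Privileged}}'
}

# classify_net_modes: read those lines on stdin and print one verdict per container.
#   host             -> HOST, or HOST+PRIVILEGED when Privileged is true
#   container:<id>   -> SHARED (shares IP, ports and lo with that container)
#   none             -> NONE (isolated stack, nothing configured)
#   anything else    -> ok (default bridge or a user-defined network)
classify_net_modes() {
    while read -r name mode priv; do
        case "$mode" in
            host)
                if [ "$priv" = "true" ]; then echo "$name HOST+PRIVILEGED"
                else echo "$name HOST"; fi ;;
            container:*) echo "$name SHARED($mode)" ;;
            none)        echo "$name NONE" ;;
            *)           echo "$name ok" ;;
        esac
    done
}

# Constructed sample standing in for collect_net_modes output on a real host
# (docker inspect prints names with a leading slash).
SAMPLE='/web bridge false
/agent host true
/debug host false
/sidecar container:63f36fc01b5f false
/batch none false'

audit_sample() { printf '%s\n' "$SAMPLE" | classify_net_modes; }

# Live use: collect_net_modes | classify_net_modes
```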

Network configuration details

After starting a container with --net=none, the user can configure the network themselves so that the container can access the network as usual. Walking through this process shows the details of how Docker configures the network.

First, start a /bin/bash container with the --net=none parameter.

$ sudo docker run -i -t --rm --net=none base /bin/bash
root@63f36fc01b5f:/#

Find the process ID of the container on the local host and make its network namespace visible to the ip netns tool.

$ sudo docker inspect -f '{{.State.Pid}}' 63f36fc01b5f
2778
$ pid=2778
$ sudo mkdir -p /var/run/netns
$ sudo ln -s /proc/$pid/ns/net /var/run/netns/$pid

Check the IP address and subnet mask of the bridge network card.

$ ip addr show docker0
21: docker0: ...
inet 172.17.42.1/16 scope global docker0
...

Create a pair of veth interfaces A and B, attach A to the bridge docker0 and bring it up.

$ sudo ip link add A type veth peer name B
$ sudo brctl addif docker0 A
$ sudo ip link set A up

Place B in the container's network namespace, rename it eth0, bring it up, and configure an available IP address (from the bridge's segment) and the default gateway.

$ sudo ip link set B netns $pid
$ sudo ip netns exec $pid ip link set dev B name eth0
$ sudo ip netns exec $pid ip link set eth0 up
$ sudo ip netns exec $pid ip addr add 172.17.42.99/16 dev eth0
$ sudo ip netns exec $pid ip route add default via 172.17.42.1

This is the specific process by which Docker configures the network.
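The manual wiring steps above, collected into one script as an added example (not the article's or Docker's own code). The function names, the DRY_RUN switch and the captured ip addr sample are assumptions made here; the interface names A/B, bridge docker0, pid 2778 and addresses 172.17.42.1/16 and 172.17.42.99 follow the text, and the gateway and prefix length are derived from the bridge instead of being typed by hand.

```shell
#!/bin/sh
# Added example, not from the original article: the --net=none wiring sequence above,
# parameterised by container pid and address. DRY_RUN=1 (default) prints each command
# instead of executing it, since the real run needs root and a live container.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# bridge_cidr: print the "addr/prefix" of a bridge from `ip addr show <bridge>` output
# read on stdin (so it can be checked against a captured sample).
bridge_cidr() { awk '$1 == "inet" { print $2; exit }'; }

# wire_container PID CONTAINER_IP BRIDGE_CIDR [BRIDGE]: the exact sequence from the text:
# expose the netns, create the veth pair, attach A to the bridge, move B in, rename it
# eth0, assign the address with the bridge's prefix length, route via the bridge address.
wire_container() {
    pid=$1; cip=$2; bcidr=$3; br=${4:-docker0}
    gw=${bcidr%/*}; plen=${bcidr#*/}
    run mkdir -p /var/run/netns
    run ln -sf /proc/"$pid"/ns/net /var/run/netns/"$pid"
    run ip link add A type veth peer name B
    run ip link set A master "$br"   # iproute2 equivalent of: brctl addif docker0 A
    run ip link set A up
    run ip link set B netns "$pid"
    run ip netns exec "$pid" ip link set dev B name eth0
    run ip netns exec "$pid" ip link set eth0 up
    run ip netns exec "$pid" ip addr add "$cip/$plen" dev eth0
    run ip netns exec "$pid" ip route add default via "$gw"
}

# Constructed sample of `ip addr show docker0`, using the article's values.
SAMPLE_IP_ADDR='21: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:aa:bb:cc:dd brd ff:ff:ff:ff:ff:ff
    inet 172.17.42.1/16 scope global docker0'

# plan_for_sample: the dry-run command plan for pid 2778, as in the text.
plan_for_sample() {
    wire_container 2778 172.17.42.99 "$(printf '%s\n' "$SAMPLE_IP_ADDR" | bridge_cidr)"
}

# Live use as root:
#   pid=$(docker inspect -f '{{.State.Pid}}' <container>)
#   DRY_RUN=0 wire_container "$pid" 172.17.42.99 "$(ip addr show docker0 | bridge_cidr)"
```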

When the container exits, Docker cleans it up: the eth0 inside the container is removed together with the network namespace, and the A interface is automatically removed from docker0.

In addition, users can use ip netns exec to configure the network inside the container by running commands in the specified network namespace.