Docker networking: cross-host container communication

it2022-05-05  131

1. Cross-host network solutions:
   (1) Docker-native: overlay and macvlan
   (2) Third-party: flannel, weave, calico

2. How the many network solutions integrate with Docker:
   (1) libnetwork, the Docker container networking library
   (2) CNM (Container Network Model), which abstracts container networking. CNM has three kinds of components:
       Sandbox: the container's network stack, including its interfaces, DNS and routing table
       Endpoint: attaches a sandbox to a network
       Network: a set of endpoints; endpoints on the same network can communicate with each other

3. Implementing the macvlan network scheme
   A NIC virtualisation technique provided by the Linux kernel
   No Linux bridge is needed; the physical interface is used directly, so performance is excellent
   Lab prerequisites: two virtual machines
   172.25.4.111 server1
   172.25.4.112 server2
   Each VM gets one additional physical NIC

[root@server1 ~]# ip addr show
6: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 52:54:00:70:4e:0d brd ff:ff:ff:ff:ff:ff
[root@server2 ~]# ip addr show
5: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 52:54:00:bf:79:b8 brd ff:ff:ff:ff:ff:ff

Enable promiscuous mode on the new NIC

[root@server1 ~]# ip link set up eth1          ## bring the interface up
[root@server1 ~]# ip link set eth1 promisc on  ## enable promiscuous mode
[root@server1 ~]# ip addr show eth1
7: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:42:36:bd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe42:36bd/64 scope link
       valid_lft forever preferred_lft forever
[root@server2 ~]# ip link set up eth1
[root@server2 ~]# ip link set eth1 promisc on
[root@server2 ~]# ip addr show eth1
8: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:ac:57:64 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:feac:5764/64 scope link
       valid_lft forever preferred_lft forever

Create a macvlan network and a container on each Docker host

[root@server1 ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 macvlan1   ## create a macvlan network with eth1 as its parent interface
04d229c2729c0be3ac2188dbe0f789fc3bb59db4c21e8e03476ef02edcbb1b00
[root@server1 ~]# docker run -it --name vm1 --network macvlan1 --ip 172.20.0.11 ubuntu
root@f6921a826dfa:/# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 02:42:ac:14:00:0b brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.11/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@f6921a826dfa:/# ping 172.20.0.12
PING 172.20.0.12 (172.20.0.12) 56(84) bytes of data.
64 bytes from 172.20.0.12: icmp_seq=1 ttl=64 time=0.678 ms

[root@server2 ~]# docker network create -d macvlan --subnet 172.20.0.0/24 --gateway 172.20.0.1 -o parent=eth1 macvlan1
8746407d7ed8263575c4ba572bdd8e66e47a147224bd799f10a850a3eef7b14c
[root@server2 ~]# docker run -it --name vm2 --network macvlan1 --ip 172.20.0.12 ubuntu
root@96d62389f2e5:/# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 02:42:ac:14:00:0c brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.12/24 brd 172.20.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@96d62389f2e5:/# ping 172.20.0.11
PING 172.20.0.11 (172.20.0.11) 56(84) bytes of data.
64 bytes from 172.20.0.11: icmp_seq=1 ttl=64 time=0.361 ms
64 bytes from 172.20.0.11: icmp_seq=2 ttl=64 time=0.313 ms

Check the bridges

[root@server1 ~]# brctl show   ## list Linux bridges
bridge name     bridge id               STP enabled     interfaces
docker0         8000.024252a51104       no
[root@server2 ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242978fae68       no

When the two containers on different hosts communicate, traffic does not pass through the bridge interface at all: the container interface is attached directly to the host's physical NIC, so no NAT and no port mapping are needed.

4. How macvlan works
   macvlan takes exclusive use of a host NIC, but VLAN sub-interfaces can be used to run several macvlan networks on the same NIC.
   A VLAN divides a physical layer-2 network into up to 4094 logical networks that are isolated from one another; VLAN IDs range from 1 to 4094.

[root@server1 ~]# docker network create -d macvlan --subnet 172.21.0.0/24 --gateway 172.21.0.1 -o parent=eth1.1 macvlan2
7c6f8b7878ea8977c8cf9ee78afc5e43a804864f7db4f7fb22c25b4889f5aa82
[root@server1 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
5d0d0f1a280e        bridge              bridge              local
66a8ce5625c5        host                host                local
04d229c2729c        macvlan1            macvlan             local
7c6f8b7878ea        macvlan2            macvlan             local
ebc2c1a28d75        none                null                local
[root@server1 ~]# docker run -it --name vm3 --network macvlan2 --ip 172.21.0.11 ubuntu
root@38d96425d74e:/# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
13: eth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/ether 02:42:ac:15:00:0b brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.11/24 brd 172.21.0.255 scope global eth0
       valid_lft forever preferred_lft forever
root@38d96425d74e:/# ping 172.20.0.11   ## cannot reach the container on macvlan1: the two macvlan networks are isolated from each other
PING 172.20.0.11 (172.20.0.11) 56(84) bytes of data.

[root@server2 ~]# docker network create -d macvlan --subnet 172.21.0.0/24 --gateway 172.21.0.1 -o parent=eth1.1 macvlan2
9ece6d57a653601f4040da4f0d9fa654b1f9f2329b92568761bfe742e930af28
[root@server2 ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
c5884a195193        bridge              bridge              local
89419321849d        host                host                local
8746407d7ed8        macvlan1            macvlan             local
9ece6d57a653        macvlan2            macvlan             local
6aeb7580bc0f        none                null                local
[root@server2 ~]# docker run -it --name vm4 --network macvlan2 --ip 172.21.0.12 ubuntu
root@8653253b460d:/# ping 172.21.0.11   ## containers on different hosts communicate through the hosts' NICs
PING 172.21.0.11 (172.21.0.11) 56(84) bytes of data.
64 bytes from 172.21.0.11: icmp_seq=1 ttl=64 time=0.446 ms
64 bytes from 172.21.0.11: icmp_seq=2 ttl=64 time=0.267 ms
64 bytes from 172.21.0.11: icmp_seq=3 ttl=64 time=0.255 ms
^C
--- 172.21.0.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.255/0.322/0.446/0.089 ms
root@8653253b460d:/# ping 172.20.0.12   ## different macvlan networks cannot talk to each other; if they must, route between them through a gateway
PING 172.20.0.12 (172.20.0.12) 56(84) bytes of data.

From this we can conclude:
   macvlan networks are isolated at layer 2, so containers on different macvlan networks cannot communicate directly.
   macvlan networks can be joined at layer 3 through a gateway.
   Docker itself imposes no restrictions here; the networks are managed just like traditional VLANs.
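The two-host setup above is easy to get subtly wrong: the gateway and any hand-picked --ip must lie inside --subnet, the VLAN id in a parent=eth1.N name must be within 1..4094, and because each Docker daemon runs its own IPAM for its local copy of macvlan1, server1 and server2 can hand the same address to two different containers unless each host is restricted to a disjoint --ip-range. The POSIX sh script below is an added example and not part of the original post; it validates those inputs and then prints (DRY_RUN=1, the default) or executes (DRY_RUN=0) the ip link and docker network create commands for one host. The per-host range split (the lower /25 of each subnet on server1, the upper /25 on server2), and the DRY_RUN, PARENT, IP_RANGE1 and IP_RANGE2 variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): validate the inputs of the
# macvlan lab and build the commands for one host.
# Assumptions: DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
PARENT="${PARENT:-eth1}"
# Per-host slice of each subnet so the two daemons' independent IPAM never
# overlap (assumption: server1 takes the lower /25, server2 the upper /25).
IP_RANGE1="${IP_RANGE1:-172.20.0.0/25}"
IP_RANGE2="${IP_RANGE2:-172.21.0.0/25}"

# Accept only a dotted quad with four octets in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Dotted quad -> 32-bit integer (only called on addresses valid_ipv4 accepted).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP: succeed when IP lies inside CIDR.
cidr_contains() {
    case "$1" in */[0-9]|*/[12][0-9]|*/3[0-2]) ;; *) return 1 ;; esac
    _net="${1%/*}"; _plen="${1#*/}"
    valid_ipv4 "$_net" && valid_ipv4 "$2" || return 1
    _mask=$(( (4294967295 << (32 - _plen)) & 4294967295 ))
    [ $(( $(ip2int "$_net") & _mask )) -eq $(( $(ip2int "$2") & _mask )) ]
}

# 802.1Q VLAN ids are 1..4094.
vlan_id_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# parent_iface BASE [VLAN_ID]: "eth1" untagged, "eth1.<id>" for a tagged
# sub-interface (Docker's macvlan driver creates eth1.<id> itself).
parent_iface() {
    if [ $# -ge 2 ] && [ -n "$2" ]; then
        vlan_id_ok "$2" || { echo "bad VLAN id: $2" >&2; return 1; }
        echo "$1.$2"
    else
        echo "$1"
    fi
}

# macvlan_create_cmd NAME SUBNET GATEWAY PARENT IP_RANGE: print the
# docker network create command after checking gateway and range against subnet.
macvlan_create_cmd() {
    cidr_contains "$2" "$3" || { echo "gateway $3 not in $2" >&2; return 1; }
    cidr_contains "$2" "${5%/*}" || { echo "ip-range $5 not in $2" >&2; return 1; }
    echo "docker network create -d macvlan --subnet $2 --gateway $3 --ip-range $5 -o parent=$4 $1"
}

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Host preparation exactly as on the page: parent up and in promiscuous mode.
run ip link set up "$PARENT"
run ip link set "$PARENT" promisc on
# macvlan1 on the untagged parent, macvlan2 on VLAN 1 (eth1.1, as on the page).
cmd=$(macvlan_create_cmd macvlan1 172.20.0.0/24 172.20.0.1 "$(parent_iface "$PARENT")" "$IP_RANGE1")
run $cmd
cmd=$(macvlan_create_cmd macvlan2 172.21.0.0/24 172.21.0.1 "$(parent_iface "$PARENT" 1)" "$IP_RANGE2")
run $cmd
```

On server2 run it with IP_RANGE1=172.20.0.128/25 IP_RANGE2=172.21.0.128/25 so both hosts allocate from the same subnets without collisions. Two things worth keeping in mind when reviewing such a setup: because macvlan traffic never touches docker0, the host's iptables chains that Docker programs for bridged containers do not see it, so the containers are reachable from any device on that physical segment or VLAN exactly as a bare host would be; and the parent NIC must stay in promiscuous mode, which is why the page enables it first.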

docker network subcommands
   connect: connect a container to the specified network
   create: create a network
   disconnect: disconnect a container from the specified network
   inspect: show detailed information about the specified network
   ls: list all networks
   rm: delete a network

