Understanding Docker networking

This chapter briefly describes networking in Docker. The CNM and libnetwork are beyond the author's own expertise and are not covered.

Four network modes of Docker

Docker has four network modes: bridge, none, host and container. Between them they provide network isolation, port mapping and connectivity between containers. The four modes are introduced directly below.

The mode is chosen when the container is started, with the --net parameter (--network in current Docker; --net is still accepted):

Network mode     Parameter                    Explanation
host mode        --net=host                   The container shares the host's network namespace.
container mode   --net=container:<name|id>    The container shares the network namespace of another, already running container. A Kubernetes pod works the same way: several containers in one network namespace.
none mode        --net=none                   The container gets its own network namespace but no network configuration: no veth pair, no bridge attachment, no IP address.
bridge mode      --net=bridge                 The default. Ports are mapped to the host with -p.

The four modes describe how Docker virtualizes the network for a container, and how far that container is isolated from, or shares a network with, the host and other containers.

bridge mode

Use Docker to create a container in bridge mode. The command format is as follows:

docker run -itd -p 8080:80 nginx:latest

In bridge mode Docker first creates a virtual bridge named docker0 on the host. It works at the data link layer (layer 2 of the OSI model), like a physical switch. For each new container Docker creates a veth pair: one end appears inside the container as eth0, the other end is attached to docker0. Through docker0 the container reaches the host and, with outbound traffic NATed by the host, the outside world.

Every bridge-mode container therefore has a virtual interface named eth0 inside, and containers on the same bridge can reach each other at their 172.17.x.x addresses.

By default the bridge's address range is 172.17.0.0/16. Running ifconfig (or ip addr) on the host lists all interfaces, including docker0 and the host end of each container's veth pair; docker inspect shows the IP assigned to a container. Inside the container, ifconfig shows its own address:

root@cda6958393cb:/var# ./ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 347  bytes 9507996 (9.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 278  bytes 22384 (22.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

As you can see, the ip address of this container is 172.17.0.2.

A container created in bridge mode has its own network stack, isolated from the host and from other containers: its interfaces, ports, routing table and DNS configuration are all independent, so each container looks like a separate host. That is what the bridge provides. Because every such container is attached to docker0, however, containers can still reach each other by IP, and by default nothing restricts that traffic (the daemon's --icc setting defaults to true).

If a second container was assigned 172.17.0.3, container 1 can reach its services at that address, and so can the host. Other machines cannot; from outside the host only the ports published with -p are reachable.

Note

Bridge mode is the default: a container started with plain   docker run -itd nginx:latest   and no --net option is also attached to docker0 and receives an IP address.

none mode

In this mode the container has only the lo loopback interface and no other network card. It cannot reach anything over the network and nothing can reach it over the network, which makes it a sound choice for jobs that need no connectivity. Keep in mind that only the network namespace is closed off: the container can still be entered with docker exec and still shares whatever volumes it was given.

Create a container for the none network:

docker run -itd --net=none nginx:latest

root@5a67da130f62:/var# ./ifconfig 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

host mode

In host mode the container has no network namespace of its own: it uses the host's network stack directly. Services in the container listen on the host's interfaces, so -p is not needed (Docker ignores it), and a port the container binds can conflict with one already used by the host or by another host-mode container. The rest of the container (file system, process tree, etc.) is still isolated. The security caveat is that the container also sees the host's loopback interface, so anything the host exposes only on 127.0.0.1 becomes reachable from inside the container.

container mode

In container mode a container joins the network namespace of an existing container instead of getting its own, so the two share one network.

Start container A first (normally in bridge mode), then start B with   --net=container:<A's name or id>  . B has no eth0 of its own; it uses A's interface and IP address, and the two share one port space and one loopback, so a service in A is reachable from B at 127.0.0.1 and they cannot both bind the same port. Further containers C and D can join A's namespace the same way. A must be running when the others are started.
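The table of modes above and the bridge, host and container sections describe what each mode means for a running container. The following script, an added example that is not part of the original article, turns that into an audit: it reads the JSON array printed by `docker inspect` (for example `docker inspect $(docker ps -q) > inspect.json`), classifies each container into one of the four modes, resolves container-mode references to the container whose namespace is really in use, and flags host-mode containers and shared namespaces. The inspect output below is constructed (IDs shortened to 12 hex characters, container names and the `agent`/`sidecar` containers invented) so that the script runs offline; on a real host, pass the file contents to `audit()` instead.

```python
"""Audit Docker network modes from `docker inspect` output.

Added example (not from the original article). Parses the JSON array that
`docker inspect` prints and reports, per container, which of the four modes
it uses, whose network namespace it actually lives in, and where its
published ports land. A constructed sample replaces the live daemon.
"""
import json
from collections import defaultdict

# Constructed sample (IDs shortened to 12 hex chars, only the fields read
# below are kept). One container per mode plus a container-mode sidecar.
SAMPLE_INSPECT = json.dumps([
    {   # docker run -itd -p 8080:80 nginx:latest  (no --net: NetworkMode "default")
        "Id": "cda6958393cb", "Name": "/web",
        "HostConfig": {"NetworkMode": "default",
                       "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
        "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}},
    },
    {   # docker run -itd --net=none nginx:latest
        "Id": "5a67da130f62", "Name": "/batch",
        "HostConfig": {"NetworkMode": "none", "PortBindings": {}},
        "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}},
    },
    {   # docker run -itd --net=host agent-image   (hypothetical container)
        "Id": "9f0e1d2c3b4a", "Name": "/agent",
        "HostConfig": {"NetworkMode": "host", "PortBindings": {}},
        "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}},
    },
    {   # docker run -itd --net=container:web sidecar-image   (hypothetical)
        "Id": "7a8b9c0d1e2f", "Name": "/sidecar",
        "HostConfig": {"NetworkMode": "container:web", "PortBindings": {}},
        "NetworkSettings": {"Networks": {}},
    },
])


def parse_mode(network_mode):
    """Return (mode, target) for a HostConfig.NetworkMode string.

    Docker records the four modes as "bridge" (or "default" when --net was
    omitted), "none", "host" and "container:<name-or-id>". Any other value is
    the name of a user-defined network, which behaves like bridge mode on a
    bridge of its own.
    """
    if network_mode.startswith("container:"):
        return "container", network_mode.split(":", 1)[1]
    if network_mode in ("bridge", "default"):
        return "bridge", None
    if network_mode in ("none", "host"):
        return network_mode, None
    return "user-defined", network_mode


def _lookup(containers, ref):
    """Resolve a container name, full ID or unambiguous ID prefix."""
    hits = [c for c in containers
            if c["Name"].lstrip("/") == ref or c["Id"].startswith(ref)]
    if len(hits) != 1:
        raise LookupError(f"cannot resolve container reference {ref!r}")
    return hits[0]


def namespace_owner(containers, container):
    """Follow container:<ref> links to the container whose namespace is used."""
    seen, cur = set(), container
    while True:
        mode, target = parse_mode(cur["HostConfig"]["NetworkMode"])
        if mode != "container":
            return cur
        if cur["Id"] in seen:            # cannot happen on a real daemon; guard bad input
            raise ValueError("cycle in container: references")
        seen.add(cur["Id"])
        cur = _lookup(containers, target)


def container_ip(container):
    """First IPv4 address Docker assigned; empty for none/host/container mode."""
    for net in container["NetworkSettings"]["Networks"].values():
        if net.get("IPAddress"):
            return net["IPAddress"]
    return ""


def audit(inspect_json):
    """Return {name: {mode, namespace, ip, published, findings}} for every container."""
    containers = json.loads(inspect_json)
    owner_of = {c["Id"]: namespace_owner(containers, c) for c in containers}
    members = defaultdict(list)          # owner Id -> names sharing that namespace
    for c in containers:
        members[owner_of[c["Id"]]["Id"]].append(c["Name"].lstrip("/"))

    report = {}
    for c in containers:
        name = c["Name"].lstrip("/")
        mode, _ = parse_mode(c["HostConfig"]["NetworkMode"])
        owner = owner_of[c["Id"]]
        owner_mode, _ = parse_mode(owner["HostConfig"]["NetworkMode"])
        ip = container_ip(owner)
        published, findings = {}, []
        if owner_mode in ("bridge", "user-defined"):
            # -p maps a host port onto the container's veth IP; only meaningful here
            for cport, binds in (c["HostConfig"].get("PortBindings") or {}).items():
                for b in binds or []:
                    published[f"{b.get('HostIp') or '0.0.0.0'}:{b['HostPort']}"] = f"{ip}:{cport}"
            if owner_mode == "bridge":
                findings.append("default bridge: reachable by IP from the host and from "
                                "every other container on docker0")
        elif owner_mode == "host":
            findings.append("HOST NETWORK: shares the host's interfaces and port space, "
                            "including services bound to 127.0.0.1; -p is ignored")
        else:
            findings.append("no network interface besides lo")
        others = [n for n in members[owner["Id"]] if n != name]
        if others:
            findings.append("namespace shared with " + ", ".join(others)
                            + ": one IP, one port space, one 127.0.0.1")
        report[name] = {"mode": mode, "namespace": owner["Name"].lstrip("/"),
                        "ip": ip, "published": published, "findings": findings}
    return report


if __name__ == "__main__":
    for name, row in audit(SAMPLE_INSPECT).items():
        ip = row["ip"] or "-"
        print(f"{name:8} {row['mode']:10} ns={row['namespace']:8} ip={ip:12} "
              f"published={row['published'] or '-'}")
        for finding in row["findings"]:
            print(f"         - {finding}")
```

Running it against the sample reports `web` and `sidecar` as one namespace with one address (172.17.0.2), `agent` as a host-network finding, and `batch` as loopback-only. Resolving the namespace owner first matters in practice: a sidecar started with `--net=container:web` inherits whatever `web` publishes or exposes, even though its own `PortBindings` are empty.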

Posted on Mon, 22 Nov 2021 03:35:33 -0500 by takeiteasy