Learning Notes that Docker Container Network Beginners Have to Read

  Container technology, docker

[Technology Salon 002] Data Center: Construction Practice of Yixin Agile Data Center | Yixin Technology Salon will be broadcast live online at 8: 00 pm on May 23. Click to sign up

I. Docker

Docker is an open source application container engine, based on Go language and open source in accordance with Apache2.0 protocol.

Docker allows developers to package their applications and dependencies into a lightweight, portable container, and then release it to any popular Linux machine. It can also implement virtualization. Containers use sandbox mechanism completely, and there will be no interface between them (similar to iPhone app), more importantly, the performance cost of containers is extremely low.

Compared with traditional virtual machines, they have absolute advantages such as fast start-up, improved performance, and operation and maintenance costs, and are more and more favored by development and operation and maintenance children’s shoes.

II. Classification of Docker Network Patterns

1. bridge Mode, –net=bridge (Default)

2. host mode, –net=host

3. container mode uses–-net =container: specify the container name

4. none mode, –net=none

5. User-defined mode

III. Detailed Explanation of Docker Network Mode

3.1 bridge model

The default mode of the Docker network is adopted by default if the –net parameter is not added when docker run starts the container. After installing docker, the system will automatically add a bridge docker 0 for Docker. The container obtains an IP address of the same network segment as docker0 through DHCP, and is connected to the docker0 bridge by default. The IP address of docker0 is used as a gateway to realize network intercommunication between the container and the host. In addition, the container using Bridge mode under the same host can communicate directly.

Experimental part

Environment: VMware installs Centos7 virtual machines.

First install the container in Centos virtual machine

yum -y install docker-io  ####安装docker

Start the container service and check the startup status systemctl startdoc

After starting the docker service, you will find that the host has an additional docker0 network card.
(PS: At present, this machine can directly access the Internet through the address

We started a centos container and entered bash. Since we don’t have a local image file without Centos, by default we download it directly from Docker’s website image warehouse.

[root@cesrc ~]# docker run -itd centos /bin/bash

View the container that started

[root@cesrc ~]# docker ps –a

Enter the container and check the IP configuration.

[root@cesrc ~]# docker attach b670

There is no ifconfig command by default, and net-tools is installed under yum.

yum install net-tools

Check the ip and routing configuration of the container. The container is assigned the same segment address as docker0 and the default route is pointed to docker0

This container can be directly connected to the Internet.

iptables -t nat –vnL, looking at iptables generated by docker, we can see that docker0 has SNAT on the container.

Start another container

docker run -itd --name centos2 centos /bin/bash

The containers on this host can communicate directly with each other.

The network operation mode of this mode is shown in the following figure

3.2 host mode

The container will not virtualize its own network card and configure its own IP, etc., but will directly use the IP and port of the host, but the file system is isolated from the host.

docker run -itd --net=host --name host-rq centos /bin/bash

Enter container

The process of the container is as follows, independent of the host.

3.3 Container mode

This mode specifies that the newly created container and the existing container share a Network, and that the existing specified container is independent of the network.

Create the original container s-centos

[root@cesrc ~]# docker run -itd --name s-centos centos /bin/bash


Create a new container d-centos and use the network of existing containers

[root@cesrc ~]# docker run -itd --net=container:s-centos --name d-centos centos /bin/bash


Enter the container separately to see if the IP configuration and file system are independent



3.4 None mode

The network will not be created when created in this mode, and there will not be only lo in the ip container. Users can customize the container network based on this. If they want to manually configure and specify the ip address of the docker container using pipework, they must be in none mode.

docker run -itd --net=none --name n-centos centos /bin/bash

Containers generated in None mode must be manually configured before accessing the Internet.

3.5 User-defined Mode

The user-defined mode mainly includes three network drivers: bridge, overlay and macvlan. Bridge drivers are used to create bridge networks similar to those mentioned earlier; Overlay and macvlan drivers are used to create a network across hosts. In this example, Flannel and etcd are used to implement docker communication across physical machines using overlay technology.

Flannel implements container cross-host communication through the following process:

Plan and configure the docker0 subnet range for all hosts in the etcd; Flanneld on each host allocates subnets for docker0 of the host according to the configuration in the etcd to ensure that docker0 network segments on all hosts are not duplicated, and stores the results (i.e., the corresponding relationship between docker0 subnet information on the host and the host IP) into the etcd library, thus the corresponding relationship between docker subnet information on all hosts and the host IP is saved in the etcd library; When communication with containers on other hosts is needed, the etcd database is searched, outip (IP of destination host) corresponding to the subnet of the destination container is found, the original data packet is encapsulated in VXLAN or UDP data packet, and the IP layer is encapsulated with outip as the destination IP; Since the destination IP is the host IP, the route is reachable. VXLAN or UDP packets arrive at the destination host to decapsulate, solve the original packets, and finally arrive at the destination container.

(The picture is taken from the Internet)

Experimental planning

The steps for Node1 node to install etcd are as follows

1. Install etcd program

yum install -y etcd

2. Modify the etcd configuration file. The configuration file is in/etc /etc/etcd/etcd.conf In this lab, etcd is deployed on a stand-alone basis. No strict changes have been made to the cluster configuration.The configuration is as follows:



ETCD_DATA_DIR="/var/lib/etcd/host129.etcd"  #etcd数据保存目录






ETCD_NAME="host129"    #etcd实例名称

3. Set up network segments to be distributed to docker containers in the later period.

etcdctl mk /network/config '{"Network":"", "SubnetMin": "", "SubnetMax": ""}'

4. Set up startup to start etcd service and start the service

systemctl enable etcd

systemctl start etcd

The steps to install etcd for Node2 nodes are as follows

1. Install Docker and Flannel Services

yum install -y docker flannel

2. Modify Flannel configuration file as follows

Flanneld configuration options

# etcd url location.  Point this to the server where etcd runs

FLANNEL_ETCD_ENDPOINTS="" ##设置etcd地址和端口信息

# etcd config key.  This is the configuration key that flannel queries

# For address range assignment


# Any additional options that you want to pass

FLANNEL_OPTIONS="-iface=ens33"     ##设置Flannel与etcd通讯网卡

3. Set startup parameters

cd /usr/libexec/flannel/ 
./mk-docker-opts.sh –i

4. Start Docker and Flannel Services

systemctl enable docker flanneld

systemctl start docker flannel

5. Turn on the forwarding function of the host computer (be sure to turn it on. Many online tutorials do not mention this, which makes it impossible to connect)


6. Create a container and enter the container to view IP

docker run -itd centos /bin/bash

docker ps –a

docker attach 6c

The operation on Node2 node is also performed on Node3, and finally the acquired IP of Node3 is shown in the figure:

Test container

Containers on Node2 and node3 are mutually accessible

The host computer generates routing entries to each node

The above-mentioned method can realize docker communication across hosts. In addition, there are two other methods:

  • Static routing method added to other host containers on the host machine
  • Bridging mode

Both methods are better understood, referring to the two pictures extracted from the network.

Original link:https://www.cnblogs.com/yy-cx …

Static routing method:

Bridging method:

IV. Summary of Common Concepts and Commands of Docker

4.1 Docker Mirror

As we all know, the operating system is divided into kernel and user space. For Linux, after the kernel starts, the root file system is mounted to provide user space support. The Docker Image is equivalent to a root file system. For example, the official image ubuntu:16.04 contains a complete set of root file system of Ubuntu 16.04 minimum system.

4.2 Docker container

The relationship between Image and Container is just like classes and instances in object-oriented programming. Image is a static definition, and container is an entity at runtime of image. Containers can be created, started, stopped, deleted, paused, etc.

4.3 Docker Registry

After the mirror image is built, it can be easily run on the current host computer. However, if the mirror image needs to be used on other servers, we need a centralized service for storing and distributing the mirror image, and Docker Registry is such a service.

Public and private.

Mirror management command

1) acquiring a mirror image

The command to get a mirror from the Docker Mirror Warehouse isdocker pull. The command format is:

docker pull [选项] [Docker Registry 地址[:端口号]/]仓库名[:标签]

The command refers to docker pull ubuntu:16.04

If you do not specify tag, you will download the latest by default.

docker pull mirrors.aliyun.com:ubuntuFrom ariyun warehouse

2) List Mirrors

docker image ls

The list contains the warehouse name, label, mirror ID, creation time, and space occupied.

3) Delete Mirror

docker rmiMirror Id delete mirror file

docker rmi -fMirror ID forces mirror removal

4) Container Management

docker createCreate does not start

docker startStart container

Docker stop container nameTermination container

Dockrestart container nameRestart container

docker rm idDelete container

docker run -it centos /bin/shAfter the container exit is created and started, the container will exit automatically. if you want to continue running as a daemon, you need to change todocker run -itd centos /bin/sh

docker psView running containers

docker ps –aView all containers, including stopped containers.

5) Entering the container

docker attchNames Enter Containers

docker exec -it``` 容器```id command | docker exec -it 7813e41ec005 /bin/sh

6) Export container to file

docker export -o test_for_run_tarContainer ID

OrDockexportcontainer ID >test_for_stop_tar

7) Import file becomes mirror image

docker import test_for_run_tar - test/ubuntu:v1.0

8) Data Management

A) a data volume is a special directory that can be used by a container, mapping the directory of the operating system to the container

docker run -d -P --name web -v /src/webapp:/opt/webapp centos /bin/sh

Mount the host’s /src/webapp to the container’s /opt/webapp directory, which is readable and writable by default

docker run -d -P --name web -v /src/webapp:/opt/webapp:ro centos /bin/sh


B) data volume containers, containers that can be shared by other containers

First create a data volume container

root@localhost /]# docker run -it -v /cunchu --name chuchurongqi centos

[root@90bd63b06074 /]# ls

bin cunchu dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var

[root@90bd63b06074 /]# cd cunchu/

[root@90bd63b06074 cunchu]# vi qiang.txt

Create a new container and use the name of the –volumes-from data volume container to mount the data volume in the container volume.

[root@localhost /]# docker run -it --volumes-from chuchurongqi --name db2 centos

Author: Network Security-Wang Zhiqiang

The original text started at: Yixin Security Emergency Response Center

Source:Yixin Institute of Technology