Docker 之桥接网络 (二)

参考：https://docs.docker.com/network/network-tutorial-standalone/

一、与独立容器联网

本系列教程讨论独立Docker容器的连网。要使用群集服务联网，请参阅使用群集服务联网。如果您需要了解更多关于Docker网络的内容，请参阅概述。

本主题包括三个不同的教程。您可以在Linux、Windows或Mac上运行它们，但是对于最后两个，您需要在其他地方运行第二个Docker主机。

使用默认网桥演示如何使用Docker为您自动设置的默认网桥。这个网络不是生产系统的最佳选择。
使用用户定义的桥接网络显示如何创建和使用您自己的自定义桥接网络，以连接运行在相同Docker主机上的容器。对于在生产环境中运行的独立容器，建议这样做。

虽然覆盖网络通常用于群服务，Docker 17.06和更高版本允许你使用一个覆盖网络用于独立容器。这是覆盖网络使用教程的一部分。

二、使用默认桥接网络

在本例中，您将在同一个Docker主机上启动两个不同的alpine容器，并进行一些测试，以了解它们之间如何通信。您需要安装并运行Docker。

1、打开终端窗口。在做任何其他事情之前，请先列出当前的网络。如果您从未在这个Docker守护进程上添加过网络或初始化过集群，那么应该看看以下内容。你可能会看到不同的网络，但你至少应该看到这些(网络id将是不同的):

$ docker network lsNETWORK ID          NAME                DRIVER              SCOPE
17e324f45964        bridge              bridge              local
6ed54d316334        host                host                local
7092879f2cc8        none                null                local

列出了默认的网桥网络，以及主机和非主机。后两个不是完全成熟的网络，但用于启动直接连接到Docker守护进程主机的网络堆栈的容器，或启动没有网络设备的容器。本教程将把两个容器连接到桥接网络。

2、启动两个运行ash的alpine容器，这是alpine的默认shell，而不是bash。-dit 标志意味着启动分离的容器(在后台)、交互的容器(可以输入)和TTY容器(可以看到输入和输出)。由于您正在启动它，所以不会立即连接到容器。相反，将打印容器的ID。因为没有指定任何--network 标志，所以容器连接到默认网桥网络。

$ docker run -dit --name alpine1 alpine ash$ docker run -dit --name alpine2 alpine ash

检查两个容器是否都已启动:

$ docker container lsCONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
602dbf1edc81        alpine              "ash"               4 seconds ago       Up 3 seconds                            alpine2
da33b7aa74b0        alpine              "ash"               17 seconds ago      Up 16 seconds

检查桥梁网络，看看有什么容器连接到它。

$ docker network inspect bridge[{"Name": "bridge","Id": "17e324f459648a9baaea32b248d3884da102dde19396c25b30ec800068ce6b10","Created": "2017-06-22T20:27:43.826654485Z","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": null,"Config": [{"Subnet": "172.17.0.0/16","Gateway": "172.17.0.1"}]},"Internal": false,"Attachable": false,"Containers": {"602dbf1edc81813304b6cf0a647e65333dc6fe6ee6ed572dc0f686a3307c6a2c": {"Name": "alpine2","EndpointID": "03b6aafb7ca4d7e531e292901b43719c0e34cc7eef565b38a6bf84acf50f38cd","MacAddress": "02:42:ac:11:00:03","IPv4Address": "172.17.0.3/16","IPv6Address": ""},"da33b7aa74b0bf3bda3ebd502d404320ca112a268aafe05b4851d1e3312ed168": {"Name": "alpine1","EndpointID": "46c044a645d6afc42ddd7857d19e9dcfb89ad790afb5c239a35ac0af5e8a5bc5","MacAddress": "02:42:ac:11:00:02","IPv4Address": "172.17.0.2/16","IPv6Address": ""}},"Options": {"com.docker.network.bridge.default_bridge": "true","com.docker.network.bridge.enable_icc": "true","com.docker.network.bridge.enable_ip_masquerade": "true","com.docker.network.bridge.host_binding_ipv4": "0.0.0.0","com.docker.network.bridge.name": "docker0","com.docker.network.driver.mtu": "1500"},"Labels": {}}
]

在顶部，列出了关于桥接网络的信息，包括Docker主机和桥接网络之间网关的IP地址(172.17.0.1)。在Containers键下，列出了每个连接的容器及其IP地址信息(alpine1为172.17.0.2,alpine2为172.17.0.3)。

4、容器在后台运行。使用docker attach命令连接到alpine1。

$ docker attach alpine1/ #

提示符变为#，表示您是容器中的根用户。使用ip addr show命令来显示alpine1的网络接口，因为他们从容器内查看:

# ip addr show1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
27: eth0@if28: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UPlink/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ffinet 172.17.0.2/16 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::42:acff:fe11:2/64 scope linkvalid_lft forever preferred_lft forever

第一个接口是环回设备。现在先忽略它。注意，第二个接口的IP地址是172.17.0.2，这与前面步骤中显示的alpine1的地址相同。

5、在alpine1内部，确保你可以通过点击google.com连接到互联网。- c2标志将该命令限制为两次ping尝试。

# ping -c 2 google.comPING google.com (172.217.3.174): 56 data bytes
64 bytes from 172.217.3.174: seq=0 ttl=41 time=9.841 ms
64 bytes from 172.217.3.174: seq=1 ttl=41 time=9.897 ms--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.841/9.869/9.897 ms

6、现在尝试ping第二个容器。首先，通过它的IP地址ping它，172.17.0.3:

# ping -c 2 172.17.0.3PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.086 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.094 ms--- 172.17.0.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.086/0.090/0.094 ms

这成功。接下来，尝试按容器名称ping alpine2容器。这将会失败。

# ping -c 2 alpine2ping: bad address 'alpine2'

7、使用分离序列，CTRL + p CTRL + q(按住CTRL并键入p后面跟q)从alpine1上分离，如果你愿意，连接到alpine2上，重复步骤4、5、 6，用alpine1替换alpine2。

8、停止并移除两个容器。

$ docker container stop alpine1 alpine2
$ docker container rm alpine1 alpine2

请记住，不建议在生产环境中使用缺省网桥网络。要了解用户定义的桥接网络，请继续学习下一教程。

二、使用自定义的网桥网络

在本例中，我们再次启动两个alpine容器，但将它们附加到一个名为alpine-net的用户定义网络，我们已经创建了这个网络。这些容器根本没有连接到默认的bridge网络。然后，我们开始第三个alpine 集装箱连接到bridge网络，但没有连接到alpine-net网络，和第四个alpine 集装箱连接到这两个网络。

1、创建alpine-net网络。您不需要 --driver bridge 标志，因为它是默认的，但是这个例子展示了如何指定它。

$ docker network create --driver bridge alpine-net

2、列出docker 的网络

$ docker network lsNETWORK ID          NAME                DRIVER              SCOPE
e9261a8c9a19        alpine-net          bridge              local
17e324f45964        bridge              bridge              local
6ed54d316334        host                host                local
7092879f2cc8        none                null                local

检查alpine-net网络。这显示了它的IP地址和没有容器连接到它的事实:

$ docker network inspect alpine-net[{"Name": "alpine-net","Id": "e9261a8c9a19eabf2bf1488bf5f208b99b1608f330cff585c273d39481c9b0ec","Created": "2017-09-25T21:38:12.620046142Z","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "172.18.0.0/16","Gateway": "172.18.0.1"}]},"Internal": false,"Attachable": false,"Containers": {},"Options": {},"Labels": {}}
]

注意，这个网络的网关是172.18.0.1，而默认桥接网络的网关是172.17.0.1。确切的IP地址可能是不同的系统。

3、创建四个容器。注意 --network 标志。在 docker run 命令期间，您只能连接到一个网络，因此您需要在以后使用docker network connect 将alpine4连接到 bridge 网络。

$ docker run -dit --name alpine1 --network alpine-net alpine ash$ docker run -dit --name alpine2 --network alpine-net alpine ash$ docker run -dit --name alpine3 alpine ash$ docker run -dit --name alpine4 --network alpine-net alpine ash$ docker network connect bridge alpine4

确认所有容器都在运行:

$ docker container lsCONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
156849ccd902        alpine              "ash"               41 seconds ago       Up 41 seconds                           alpine4
fa1340b8d83e        alpine              "ash"               51 seconds ago       Up 51 seconds                           alpine3
a535d969081e        alpine              "ash"               About a minute ago   Up About a minute                       alpine2
0a02c449a6e9        alpine              "ash"               About a minute ago   Up About a minute

再次检查bridge 网络和 alpine-net 网络

$ docker network inspect bridge[{"Name": "bridge","Id": "17e324f459648a9baaea32b248d3884da102dde19396c25b30ec800068ce6b10","Created": "2017-06-22T20:27:43.826654485Z","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": null,"Config": [{"Subnet": "172.17.0.0/16","Gateway": "172.17.0.1"}]},"Internal": false,"Attachable": false,"Containers": {"156849ccd902b812b7d17f05d2d81532ccebe5bf788c9a79de63e12bb92fc621": {"Name": "alpine4","EndpointID": "7277c5183f0da5148b33d05f329371fce7befc5282d2619cfb23690b2adf467d","MacAddress": "02:42:ac:11:00:03","IPv4Address": "172.17.0.3/16","IPv6Address": ""},"fa1340b8d83eef5497166951184ad3691eb48678a3664608ec448a687b047c53": {"Name": "alpine3","EndpointID": "5ae767367dcbebc712c02d49556285e888819d4da6b69d88cd1b0d52a83af95f","MacAddress": "02:42:ac:11:00:02","IPv4Address": "172.17.0.2/16","IPv6Address": ""}},"Options": {"com.docker.network.bridge.default_bridge": "true","com.docker.network.bridge.enable_icc": "true","com.docker.network.bridge.enable_ip_masquerade": "true","com.docker.network.bridge.host_binding_ipv4": "0.0.0.0","com.docker.network.bridge.name": "docker0","com.docker.network.driver.mtu": "1500"},"Labels": {}}
]

Containers alpine3 and alpine4 are connected to the bridge network.

$ docker network inspect alpine-net[{"Name": "alpine-net","Id": "e9261a8c9a19eabf2bf1488bf5f208b99b1608f330cff585c273d39481c9b0ec","Created": "2017-09-25T21:38:12.620046142Z","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": {},"Config": [{"Subnet": "172.18.0.0/16","Gateway": "172.18.0.1"}]},"Internal": false,"Attachable": false,"Containers": {"0a02c449a6e9a15113c51ab2681d72749548fb9f78fae4493e3b2e4e74199c4a": {"Name": "alpine1","EndpointID": "c83621678eff9628f4e2d52baf82c49f974c36c05cba152db4c131e8e7a64673","MacAddress": "02:42:ac:12:00:02","IPv4Address": "172.18.0.2/16","IPv6Address": ""},"156849ccd902b812b7d17f05d2d81532ccebe5bf788c9a79de63e12bb92fc621": {"Name": "alpine4","EndpointID": "058bc6a5e9272b532ef9a6ea6d7f3db4c37527ae2625d1cd1421580fd0731954","MacAddress": "02:42:ac:12:00:04","IPv4Address": "172.18.0.4/16","IPv6Address": ""},"a535d969081e003a149be8917631215616d9401edcb4d35d53f00e75ea1db653": {"Name": "alpine2","EndpointID": "198f3141ccf2e7dba67bce358d7b71a07c5488e3867d8b7ad55a4c695ebb8740","MacAddress": "02:42:ac:12:00:03","IPv4Address": "172.18.0.3/16","IPv6Address": ""}},"Options": {},"Labels": {}}
]

容器 alpine1, alpine2, and alpine4 are 连接到 alpine-net 网络.

6、在用户定义的网络(如alpine-net)上，容器不仅可以通过IP地址进行通信，还可以将容器名称解析为IP地址。这种功能称为自动服务发现。让我们连接到alpine1并测试一下。alpine1应该能够解析alpine2和alpine4(以及alpine1本身)到IP地址。

$ docker container attach alpine1# ping -c 2 alpine2PING alpine2 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.085 ms
64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.090 ms--- alpine2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.085/0.087/0.090 ms# ping -c 2 alpine4PING alpine4 (172.18.0.4): 56 data bytes
64 bytes from 172.18.0.4: seq=0 ttl=64 time=0.076 ms
64 bytes from 172.18.0.4: seq=1 ttl=64 time=0.091 ms--- alpine4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.076/0.083/0.091 ms# ping -c 2 alpine1PING alpine1 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.026 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.054 ms--- alpine1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.026/0.040/0.054 ms

从alpine1，您应该根本不能连接到alpine3，因为它不在alpine-net网络上。

# ping -c 2 alpine3ping: bad address 'alpine3'

不仅如此，你也不能通过它的IP地址从alpine1连接到alpine3。查看docker网络检查桥接网络的输出，找到alpine3的IP地址:172.17.0.2，尝试ping它。

# ping -c 2 172.17.0.2PING 172.17.0.2 (172.17.0.2): 56 data bytes--- 172.17.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

使用分离序列从alpine1中分离，并按CTRL + p CTRL + q(按住CTRL并键入p和q)。

7、请记住，alpine4同时连接到默认桥接网络和alpine-net。它应该能够到达所有其他容器。但是，您需要通过它的IP地址来访问alpine3。附加到它并运行测试。

$ docker container attach alpine4# ping -c 2 alpine1PING alpine1 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.074 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.082 ms--- alpine1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.074/0.078/0.082 ms# ping -c 2 alpine2PING alpine2 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.075 ms
64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.080 ms--- alpine2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.075/0.077/0.080 ms# ping -c 2 alpine3
ping: bad address 'alpine3'# ping -c 2 172.17.0.2PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.089 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.075 ms--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.075/0.082/0.089 ms# ping -c 2 alpine4PING alpine4 (172.18.0.4): 56 data bytes
64 bytes from 172.18.0.4: seq=0 ttl=64 time=0.033 ms
64 bytes from 172.18.0.4: seq=1 ttl=64 time=0.064 ms--- alpine4 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.033/0.048/0.064 ms

8、作为最后的测试，确保你的容器都能通过ping google.com连接到互联网。你已经连接到alpine4，所以从那里开始尝试。接下来，从alpine4断开并连接到alpine3(它只连接到桥接网络)，然后重试。最后，连接到alpine1(它只连接到alpine-net网络)，然后重试。

# ping -c 2 google.comPING google.com (172.217.3.174): 56 data bytes
64 bytes from 172.217.3.174: seq=0 ttl=41 time=9.778 ms
64 bytes from 172.217.3.174: seq=1 ttl=41 time=9.634 ms--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.634/9.706/9.778 msCTRL+p CTRL+q$ docker container attach alpine3# ping -c 2 google.comPING google.com (172.217.3.174): 56 data bytes
64 bytes from 172.217.3.174: seq=0 ttl=41 time=9.706 ms
64 bytes from 172.217.3.174: seq=1 ttl=41 time=9.851 ms--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.706/9.778/9.851 msCTRL+p CTRL+q$ docker container attach alpine1# ping -c 2 google.comPING google.com (172.217.3.174): 56 data bytes
64 bytes from 172.217.3.174: seq=0 ttl=41 time=9.606 ms
64 bytes from 172.217.3.174: seq=1 ttl=41 time=9.603 ms--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.603/9.604/9.606 msCTRL+p CTRL+q

9、停止并移除所有容器和alpine-net网络。

$ docker container stop alpine1 alpine2 alpine3 alpine4$ docker container rm alpine1 alpine2 alpine3 alpine4$ docker network rm alpine-net