容器使用的相关技术有cgroup(资源使用限制，包括cpu、内存等资源的配额)、namespace(名称空间)以及aufs(文件系统的联合挂载)
namespaces在内核中创建独立的名称空间，隔离以下6项内容
- UTS:主机名和域名，系统调用参数CLONE_NEWUTS
- Mount:挂载点，文件系统，系统调用参数CLONE_NEWNS
- IPC:信号量，消息队列和共享内存，系统调用参数CLONE_NEWIPC
- PID:进程编号，系统调用参数CLONE_NEWPID
- User:用户、用户组信息，系统调用参数CLONE_NEWUSER
- Network:网络设备，网络栈，端口等，系统调用参数CLONE_NEWNET
备注:namespaces需要内核版本3.10以上，centos6系统内核为2.8，因此docker至少需要centos7及以上版本的系统
管理网络名称空间使用的软件包是iproute
[root@localhost ~]# rpm -q iproute
iproute-3.10.0-54.el7.x86_64
[root@localhost ~]# ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm |
netns | l2tp | tcp_metrics | token }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-h[uman-readable] | -iec |
-f[amily] { inet | inet6 | ipx | dnet | bridge | link } |
-4 | -6 | -I | -D | -B | -0 |
-l[oops] { maximum-addr-flush-attempts } |
-o[neline] | -t[imestamp] | -b[atch] [filename] |
-rc[vbuf] [size] | -n[etns] name | -a[ll] }
[root@localhost ~]# ip netns help
Usage: ip netns list
ip netns add NAME
ip netns set NAME NETNSID
ip [-all] netns delete [NAME]
ip netns identify [PID]
ip netns pids NAME
ip [-all] netns exec [NAME] cmd ...
ip netns monitor
ip netns list-id
主要使用netns子命令对网络名称空间进行相应的操作
#创建独立的网络名称空间r1
[root@localhost ~]# ip netns add r1
[root@localhost ~]# ip netns list
r1
#默认只有内部的回环接口lo
[root@localhost ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#创建一对虚拟网卡veth1.1和veth1.2
[root@localhost ~]# ip link add name veth1.1 type veth peer name veth1.2
[root@localhost ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:8f:11:87 brd ff:ff:ff:ff:ff:ff
3: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether fe:79:4d:1c:7b:fc brd ff:ff:ff:ff:ff:ff
4: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether ba:21:2b:61:82:b9 brd ff:ff:ff:ff:ff:ff
#正常情况下创建的虚拟网卡都在宿主机上，手动把其中一块网卡移动到指定的名称空间中
[root@localhost ~]# ip link set dev veth1.2 netns r1
[root@localhost ~]# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:8f:11:87 brd ff:ff:ff:ff:ff:ff
4: veth1.1@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether ba:21:2b:61:82:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
#原先排在第3的veth1.2已经不可见了，它被移动到名称空间r1中，验证一下
[root@localhost ~]# ip netns exec r1 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.2: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether fe:79:4d:1c:7b:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#手动将veth1.2改名为eth0
[root@localhost ~]# ip netns exec r1 ip link set dev veth1.2 name eth0
[root@localhost ~]# ip netns exec r1 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether fe:79:4d:1c:7b:fc txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#分别激活宿主机上的veth1.1以及r1空间中的eth0，实现两者之间的通信
#激活veth1.1并配置地址
[root@localhost ~]# ifconfig veth1.1 10.1.0.1/24 up
[root@localhost ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.135 netmask 255.255.255.0 broadcast 192.168.15.255
inet6 fe80::20c:29ff:fe8f:1187 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:8f:11:87 txqueuelen 1000 (Ethernet)
RX packets 30723 bytes 7800725 (7.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5369 bytes 529758 (517.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.1.0.1 netmask 255.255.255.0 broadcast 10.1.0.255
ether ba:21:2b:61:82:b9 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#激活r1空间中的eth0(即原来的veth1.2)并配置地址
[root@localhost ~]# ip netns exec r1 ifconfig eth0 10.1.0.2/24 up
[root@localhost ~]# ip netns exec r1 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.0.2 netmask 255.255.255.0 broadcast 10.1.0.255
inet6 fe80::fc79:4dff:fe1c:7bfc prefixlen 64 scopeid 0x20<link>
ether fe:79:4d:1c:7b:fc txqueuelen 1000 (Ethernet)
RX packets 8 bytes 648 (648.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#在宿主机上ping测试
[root@localhost ~]# ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=64 time=0.111 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=64 time=0.045 ms
64 bytes from 10.1.0.2: icmp_seq=3 ttl=64 time=0.045 ms
结合上述情况，可以在宿主机上创建一对虚拟网卡，然后分别指定给两个不同的名称空间r1、r2，接着分别激活两个网卡，就能实现两个不同名称空间之间的通信，即两个容器之间的通信
Docker容器的四种网络通信模式
1、封闭式容器:容器内只有本地回环lo接口，无法与外部通信
2、桥接式容器:创建一对虚拟网卡，一半在容器内，一半桥接在宿主机的docker0网桥上
3、联盟式容器:两个容器A和B共享一个网络名称空间，这样容器A和B之间的进程可以通过本地回环lo进行通信
4、共享宿主机名称空间的容器:是第3种模式的延伸
在虚拟机上实现这4种通信模式，利用busybox镜像启动容器
#默认为第2种桥接模式，有eth0以及本地回环lo
[root@localhost ~]# docker container run --name b1 -it --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # exit
#启动容器时指定网络模式为none，就是第1种封闭式容器；指定模式为bridge就是第2种桥接式容器；指定模式为host就是第4种共享宿主机名称空间的容器
创建封闭式容器，同时在创建时注入主机名
[root@localhost ~]# docker container run --name b1 -h hx.edu.com -it --network none --rm busybox
/ # ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # hostname
hx.edu.com
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
创建bridge桥接式容器
[root@localhost ~]# docker container run --name b1 -h hx.edu.com -it --network bridge --rm busybox
/ # cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 114.114.114.114
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
/ # nslookup -type=A www.baidu.com
Server: 114.114.114.114
Address: 114.114.114.114:53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com
Name: www.a.shifen.com
Address: 180.97.33.108
Name: www.a.shifen.com
Address: 180.97.33.107
#容器直接使用宿主机的/etc/resolv.conf文件中的配置，连接DNS服务器做域名解析
创建联盟式容器，两个容器共享一个网络名称空间
#利用busybox镜像创建容器b1
[root@localhost ~]# docker container run --name b1 -h hx.edu.com -it --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:508 (508.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
#创建容器b2，指定使用容器b1的网络名称空间
[root@localhost ~]# docker container run --name b2 --network container:b1 -it --rm busybox
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:03
inet addr:172.17.0.3 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:648 (648.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
/ # hostname
hx.edu.com
可以看到联盟式的容器b1和b2的eth0网卡地址是一致的，而且由于创建b1的时候已经通过参数-h注入了主机名，b2就不能再注入主机名，否则创建容器时报错信息如下:
[root@localhost ~]# docker container run --name b2 --network container:b1 -h hx.edu.com -it --rm busybox
docker: Error response from daemon: conflicting options: hostname and the network mode.
See 'docker run --help'.
联盟式容器共享的仅仅是网络名称空间(包括lo和所有端口)，其他所有的资源都是相互隔离的
同理，创建容器时指定参数--network host就可以共享宿主机的网络名称空间；此时容器与宿主机之间不再有网络隔离，容器内的进程可以直接看到宿主机的所有网络接口并绑定宿主机端口，因此只应对可信的镜像使用该模式
修改docker默认的docker0网桥需要修改对应的配置文件/etc/docker/daemon.json，这也是安装docker服务时定义国内镜像加速的文件，添加如下的key-value键值对
[root@localhost ~]# cat /etc/docker/daemon.json
{
"registry-mirrors": [ "https://4mii0w1b.mirror.aliyuncs.com","https://hub-mirror.c.163.com","https://registry.docker-cn.com" ],
"bip":"10.0.0.1/16",
"dns":["114.114.114.114","221.228.255.1"]
}
#bip定义了docker0网桥的网段，dns定义了域名服务器(最多3个)，registry-mirrors定义了国内多个加速网址
[root@localhost ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.0.0 broadcast 10.0.255.255
inet6 fe80::42:10ff:feb2:4ed2 prefixlen 64 scopeid 0x20<link>
ether 02:42:10:b2:4e:d2 txqueuelen 0 (Ethernet)
RX packets 10 bytes 516 (516.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 1565 (1.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Docker服务的远程控制
一般docker客户端通过连接本地的/var/run/docker.sock文件与docker守护进程通信，当需要从其他服务器访问本地的容器时，需修改/etc/docker/daemon.json文件，添加如下字段
"hosts" : ["tcp://0.0.0.0:2375","unix:///var/run/docker.sock"]
这样docker守护进程会在所有地址的2375端口上监听，远程主机即可通过该端口访问。注意该端口默认没有任何认证和加密，能连上它的任何主机都可以用等同于宿主机root的权限操作容器，因此应在daemon.json中同时配置tlsverify以及tlscacert、tlscert、tlskey启用客户端证书校验，并用防火墙把来源限制在可信的管理主机
在其他主机上执行docker命令查看该服务器上的容器(-H是docker的全局选项，必须放在子命令之前)
docker -H 172.168.1.11:2375 container ps -a
创建自定义网桥
[root@localhost ~]# docker network create -d bridge --subnet "172.16.0.0/16" --gateway "172.16.0.1" mybr0
21f8eb3af218fabb9e10b3e1cef6cb3f81e7e60cd08c0f8501652f36e16c832f
[root@localhost ~]# docker network ls
NETWORK ID NAME DRIVER SCOPE
ee23b9572a17 bridge bridge local
604ecd04c910 host host local
21f8eb3af218 mybr0 bridge local
4ae3bb4d9a74 none null local
[root@localhost ~]# ifconfig
br-21f8eb3af218: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.16.0.1 netmask 255.255.0.0 broadcast 172.16.255.255
ether 02:42:38:51:e6:7f txqueuelen 0 (Ethernet)
RX packets 13 bytes 1026 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 1026 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
安装工具包bridge-utils，查看容器的网络桥接情况
[root@localhost ~]# yum install bridge-utils -y
[root@localhost ~]# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:10ff:feb2:4ed2 prefixlen 64 scopeid 0x20<link>
ether 02:42:10:b2:4e:d2 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 648 (648.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.15.135 netmask 255.255.255.0 broadcast 192.168.15.255
inet6 fe80::20c:29ff:fe8f:1187 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:8f:11:87 txqueuelen 1000 (Ethernet)
RX packets 23415 bytes 7302710 (6.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4507 bytes 438926 (428.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vethb4339ef: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::8491:9cff:fea7:2f27 prefixlen 64 scopeid 0x20<link>
ether 86:91:9c:a7:2f:27 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 1296 (1.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.024210b24ed2 no vethb4339ef