I. Linux bridge and veth pair
1. A Linux bridge is a virtual switch. It works at the data link layer: it learns which MAC address sits behind which port from the source addresses of the frames it receives, and forwards each frame only to the port where its destination MAC was learned (flooding it to all ports when the destination is still unknown).
2. A veth pair can be thought of as a virtual network cable. Creating one produces two virtual NICs that always come as a pair: a packet transmitted on one end appears directly as received on the other end. Docker moves one end into the container's network namespace and leaves the other on the host, so the pair is the cable between the container and the bridge.
II. The three Docker network drivers
Docker creates three networks by default, named none, host and bridge (their drivers are null, host and bridge respectively). List them with docker network ls:
# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
948cb107a456        bridge              bridge              local
59932afae000        host                host                local
d16315c941e2        none                null                local
1. The none driver
none means exactly that: no network. Create the container with --network=none and ifconfig inside it shows only the lo loopback interface, so nothing outside the container can be reached or can reach it (processes inside the container can still talk to each other over 127.0.0.1). This is the right choice for a job that needs no network at all.
# docker run -it --network=none busybox
/ # ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
2. The host driver
The container shares the host's network stack. This gives the best performance, but because the stack is shared, the container also shares the host's port space: a port bound by the container is bound on the host, -p/--publish has no effect in this mode, and the container sees every host interface. With Docker's default capability set (which includes NET_RAW) a process inside can also capture traffic on those host interfaces, so host mode should be reserved for workloads you trust as much as a process running directly on the host.
In the author's production environment, we use host mode to deploy the zabbix server for monitoring, precisely for network performance.
# docker run -it --network=host busybox
/ # ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:44:C8:BF:47
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7702 (7.5 KiB)  TX bytes:11897 (11.6 KiB)

eth0      Link encap:Ethernet  HWaddr FA:16:3E:38:3C:A1
          inet addr:10.30.20.87  Bcast:10.30.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1016565 errors:0 dropped:0 overruns:0 frame:0
          TX packets:169554 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:289066541 (275.6 MiB)  TX bytes:35157980 (33.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:200 (200.0 B)  TX bytes:200 (200.0 B)
3. The bridge driver
Once the Docker daemon is running, the host has a Linux bridge named docker0 by default. ifconfig on the host shows it, with the address 172.17.0.1:
# ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:44:c8:bf:47  txqueuelen 0  (Ethernet)
        RX packets 100  bytes 7702 (7.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 100  bytes 11897 (11.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Create a container on the bridge network and its eth0 gets the address 172.17.0.2, with 172.17.0.1 (docker0) as its default gateway:
# docker run -it --network=bridge busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
……
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
On the host, brctl show reveals an interface named vethc79f4a4 "plugged into" the docker0 bridge (the bridge id 8000.024244c8bf47 carries docker0's own MAC address). This is the veth pair from section I: the vethc79f4a4 end is attached to docker0 as a bridge port, and the other end is the eth0 interface inside the container. Note that the host-side end has no IP address of its own; it is a pure layer-2 port, and the container's traffic only becomes routable once it has crossed the bridge to docker0's 172.17.0.1.
# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.024244c8bf47       no              vethc79f4a4
# ifconfig vethc79f4a4
vethc79f4a4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 3e:d7:34:58:8b:ea  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
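Generated names such as vethc79f4a4 say nothing about which container they belong to, and brctl show only lists ports, not owners. The following script is an added example (not from the original post) that maps a container's eth0 to its host-side veth end and to the bridge that end is plugged into, by reading sysfs: a veth end reports its peer's ifindex in /sys/class/net/<name>/iflink, and a bridge port has a brport/bridge symlink pointing at its bridge. The script name veth-map.sh and the optional directory parameter are assumptions made here; the directory parameter exists so the lookup can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not from the original post: map a container's eth0 to the
# host-side veth end and to the bridge that end is plugged into, instead of
# guessing from generated names such as vethc79f4a4.
#
# Kernel facts this relies on: every interface has an ifindex in
# /sys/class/net/<name>/ifindex; a veth end exposes its peer's ifindex in
# /sys/class/net/<name>/iflink (the peer's ifindex in the peer's namespace);
# a bridge port has a symlink /sys/class/net/<name>/brport/bridge to its bridge.
set -eu

# host_veth_for_iflink IFLINK [SYSFS_NET_DIR]
# Print the host interface whose ifindex equals IFLINK; return 1 if none matches.
# SYSFS_NET_DIR defaults to /sys/class/net and is a parameter only so the lookup
# can also be run against a directory of constructed files (assumption for testing).
host_veth_for_iflink() {
    iflink=$1; dir=${2:-/sys/class/net}
    for f in "$dir"/*/ifindex; do
        [ -r "$f" ] || continue            # glob matched nothing, or entry unreadable
        if [ "$(cat "$f")" = "$iflink" ]; then
            basename "$(dirname "$f")"
            return 0
        fi
    done
    return 1
}

# veth_bridge VETH [SYSFS_NET_DIR]
# Print the bridge VETH is enslaved to: the "interfaces" column of `brctl show`,
# read from the port's side.
veth_bridge() {
    dir=${2:-/sys/class/net}
    basename "$(readlink -f "$dir/$1/brport/bridge")"
}

# container_veth CONTAINER
# Print the host veth name paired with CONTAINER's eth0. The iflink value is read
# inside the container's network namespace; the ifindex it names is a host one.
container_veth() {
    iflink=$(docker exec "$1" cat /sys/class/net/eth0/iflink)
    host_veth_for_iflink "$iflink"
}

# Usage on the host, as root: ./veth-map.sh <container> [<container>...]
# Each output line pairs a container with the interface you would hand to
# `tcpdump -i` to capture exactly that container's traffic.
for c in "$@"; do
    v=$(container_veth "$c")
    printf '%s\teth0 <-> %s on bridge %s\n' "$c" "$v" "$(veth_bridge "$v")"
done
```

The same ifindex/iflink pairing is what you use in the other direction during an incident: given a suspicious connection on the host that ss or conntrack attributes to a veth, the container whose eth0 iflink matches that veth's ifindex is the one behind it.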
Why is docker0's address 172.17.0.1?
# docker network inspect bridge
……
        "Config": [
            {
                "Subnet": "172.17.0.0/16",
                "Gateway": "172.17.0.1"
            }
……
docker network inspect bridge shows that the default bridge network owns the subnet 172.17.0.0/16 and that its gateway is 172.17.0.1: the bridge takes the gateway address, the first usable address of the subnet, and each container gets the next free address from the same subnet with a default route pointing at the bridge, as the route -n output above showed. The 172.17.0.0/16 default can be changed with the bip option in /etc/docker/daemon.json, which is worth doing when it overlaps with a real network the host must reach.
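Everything in sections I and II.3 can be reproduced by hand, which is the clearest way to see what the bridge driver actually does. The following script is an added example (not from the original post or from Docker's own code) that builds the same topology with iproute2: a bridge holding the gateway address, a veth pair with one end plugged into the bridge and the other moved into a network namespace as eth0, a default route via the bridge, and the ip_forward and MASQUERADE settings that let the namespace reach the outside. The names demo-br, demo-ns, veth-host, veth-ns and the subnet 172.18.0.0/16 are arbitrary choices made here so that nothing collides with docker0's 172.17.0.0/16; the gateway_of and nth_host helpers are this script's own way of deriving addresses the way the page's docker network inspect output shows them.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a docker0-style bridge
# network by hand. Run as root: ./bridge-by-hand.sh setup, then ... teardown.
set -eu

BRIDGE=demo-br        # plays the role of docker0 (assumed name)
NS=demo-ns            # plays the role of the container's network namespace (assumed name)
SUBNET=172.18.0.0/16  # plays the role of "Subnet" in `docker network inspect bridge`
HOST_END=veth-host    # the veth end that gets plugged into the bridge (like vethc79f4a4)
NS_END=veth-ns        # the veth end that becomes eth0 inside the namespace

# gateway_of SUBNET -> first usable address with the same prefix length,
# which is the address Docker puts on docker0 (172.17.0.0/16 -> 172.17.0.1/16).
gateway_of() {
    net=${1%/*}; plen=${1#*/}
    echo "${net%.*}.$(( ${net##*.} + 1 ))/$plen"
}

# nth_host SUBNET N -> the Nth address after the network address; N=2 gives the
# first container address, as 172.17.0.2 was for the page's busybox container.
nth_host() {
    net=${1%/*}; plen=${1#*/}
    echo "${net%.*}.$(( ${net##*.} + $2 ))/$plen"
}

setup() {
    gw=$(gateway_of "$SUBNET")
    cip=$(nth_host "$SUBNET" 2)

    # 1. The virtual switch (brctl addbr in the older tooling), owning the gateway address.
    ip link add name "$BRIDGE" type bridge
    ip addr add "$gw" dev "$BRIDGE"
    ip link set "$BRIDGE" up

    # 2. The virtual cable: both ends of the veth pair are created in one command.
    ip link add "$HOST_END" type veth peer name "$NS_END"

    # 3. One end is plugged into the bridge as a port (brctl addif). It gets no IP
    #    address: it is a pure layer-2 port, like vethc79f4a4 on the page.
    ip link set "$HOST_END" master "$BRIDGE"
    ip link set "$HOST_END" up

    # 4. The other end moves into a fresh network namespace and is renamed eth0,
    #    so from inside it is the only non-loopback interface, as in a container.
    ip netns add "$NS"
    ip link set "$NS_END" netns "$NS"
    ip netns exec "$NS" ip link set "$NS_END" name eth0
    ip netns exec "$NS" ip addr add "$cip" dev eth0
    ip netns exec "$NS" ip link set lo up
    ip netns exec "$NS" ip link set eth0 up
    # Default route via the bridge address, matching the container's `route -n`.
    ip netns exec "$NS" ip route add default via "${gw%/*}"

    # 5. What the bridge driver also does so the namespace can reach the outside:
    #    IP forwarding plus source NAT for the subnet on every non-bridge egress.
    #    Both are host-wide changes; review them as you would any firewall rule.
    sysctl -q -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE

    # 6. Prove the path namespace eth0 -> veth -> bridge works, then list the
    #    bridge's ports (the iproute2 equivalent of `brctl show`).
    ip netns exec "$NS" ping -c 1 -W 1 "${gw%/*}"
    ip link show master "$BRIDGE"
}

teardown() {
    iptables -t nat -D POSTROUTING -s "$SUBNET" ! -o "$BRIDGE" -j MASQUERADE 2>/dev/null || true
    ip netns del "$NS" 2>/dev/null || true       # destroys the eth0 end, and with it the pair
    ip link del "$HOST_END" 2>/dev/null || true  # only needed if the move into the netns failed
    ip link del "$BRIDGE" 2>/dev/null || true
}

case "${1:-}" in
    setup)    setup ;;
    teardown) teardown ;;
    *)        echo "usage: $0 setup|teardown (run as root)" >&2 ;;
esac
```

Step 5 is the part worth pausing on from a security standpoint: enabling net.ipv4.ip_forward and adding a MASQUERADE rule turn the host into a router for the whole subnet, which is exactly what the Docker daemon does silently on startup and why hosts running Docker need their iptables policy reviewed with that in mind.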
The resulting network topology of a container created on the bridge is shown in the diagram below.