LFT: Docker Advanced Series: Networking in Depth (Cloud-Native Core)

The Docker Basics article covered the fundamentals. This series covers the advanced material systematically: the networking core, Docker in practice, Docker Compose, Harbor and Swarm. Follow and bookmark if it helps.

Docker网络介绍

Docker wraps Linux kernel primitives (namespaces, cgroups and union file systems) into a container format that provides an isolated, virtual runtime environment.

namespaces: isolation, e.g. the pid, net and mnt namespaces (the net namespace is what container networking is built on)

CGroups (Control Groups): resource limits such as memory and CPU

Union file systems: the layering of images and containers

1. Computer network models

Docker networking documentation: https://docs.docker.com/network/

OSI: the Open Systems Interconnection reference model.

TCP/IP: Transmission Control Protocol/Internet Protocol, a protocol suite that carries data across different interconnected networks. TCP/IP does not mean only the two protocols TCP and IP; it is a family that includes FTP, SMTP, TCP, UDP, IP and others. TCP and IP are its most representative members, hence the name.

Layering: each layer builds a higher-level service on the service its lower layer provides, and the top layer offers the services that distributed applications run on.

[Figure: the layered model. Client sends a request down the stack.]

[Figure: the server receives the request up the stack.]

2. Network interfaces in Linux

2.1 Viewing interface information

Command to list interfaces: ip a

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 85987sec preferred_lft 85987sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6e:3145/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever


ip a shows four interfaces on this CentOS host. Their roles:

Name      Role
lo        loopback interface
eth0      interface that provides network connectivity (NAT to the outside)
eth1      interface used to talk to the physical host (host-only network)
docker0   the bridge Docker creates for containers

ip link show (link-layer view only, no addresses):

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff

Interfaces as files: ls /sys/class/net

$ ls /sys/class/net
docker0  eth0  eth1  lo

2.2 Configuration files

On CentOS 7 each interface's persistent configuration is a file named ifcfg-<interface> under /etc/sysconfig/network-scripts/, next to the ifup/ifdown helper scripts:

$ cd /etc/sysconfig/network-scripts/
$ ls
ifcfg-eth0  ifcfg-eth1  ifcfg-lo
ifdown  ifdown-bnep  ifdown-eth  ifdown-ippp  ifdown-ipv6  ifdown-isdn  ifdown-post  ifdown-ppp
ifdown-routes  ifdown-sit  ifdown-Team  ifdown-TeamPort  ifdown-tunnel
ifup  ifup-aliases  ifup-bnep  ifup-eth  ifup-ippp  ifup-ipv6  ifup-isdn  ifup-plip  ifup-plusb
ifup-post  ifup-ppp  ifup-routes  ifup-sit  ifup-Team  ifup-TeamPort  ifup-tunnel  ifup-wireless
init.ipv6-global  network-functions  network-functions-ipv6

2.3 Interface operations

Adding an IP address to an interface (the counterpart of the delete command below):

ip addr add 192.168.100.120/24 dev eth0

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 84918sec preferred_lft 84918sec
    inet 192.168.100.120/24 scope global eth0          <- the newly added address
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6e:3145/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

Note that ip addr add is not persistent; the address is gone after a reboot unless it is also written to the ifcfg file.


Deleting the IP address: ip addr delete 192.168.100.120/24 dev eth0

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 84847sec preferred_lft 84847sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6e:3145/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:bf:79:9f:de brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

2.4 Reading the interface information

state: UP / DOWN / UNKNOWN (UNKNOWN is normal for lo; NO-CARRIER on docker0 means no container port is attached yet)

link/ether: the MAC address

inet / inet6: the IPv4 / IPv6 addresses bound to the interface, with prefix length

3. Network namespaces

A network namespace is the building block of network virtualization: it creates multiple isolated network spaces, each with its own network stack (interfaces, addresses, routing table, iptables rules). Whether in a VM or a container, the workload behaves as if it were on a network of its own. A Docker container on a bridge network gets exactly one such namespace.

3.1 Network namespaces hands-on

Add a namespace

ip netns add ns1

List the existing namespaces

$ ip netns list
ns1

Delete a namespace

$ ip netns list
ns1
$ ip netns delete ns1
$ ip netns list

Re-create ns1 and look inside it: a fresh namespace contains only a loopback device, and it is down:

$ ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

[Figure]

Bring the interface up


ip netns exec ns1 ifup lo

$ ip netns exec ns1 ifup lo
$

Take it down again and check

$ ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

The state can also be set with ip link (ip link set <dev> up|down). After bringing lo up this way inside ns1:

$ ip netns exec ns1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

and after setting it down again:

$ ip netns exec ns1 ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever

Add a second namespace, then look at the links in ns1 once one end of a veth pair (veth-ns1) has been moved into it. The "@if5" suffix is the ifindex of the other end of the pair, and link-netnsid identifies the namespace that end lives in:

$ ip netns add ns2
$ ip netns exec ns1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: veth-ns1@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 7e:bb:ee:13:a2:9a brd ff:ff:ff:ff:ff:ff link-netnsid 1
$ ip netns exec ns1 ip link set veth-ns1 up

4. Deep dive into container networking: Bridge

4.1 The default bridge (docker0)

With two containers (tomcat01 and tomcat02, used below) running on the default bridge network, the host's interface list gains docker0 in state UP plus one veth interface per container, each enslaved to the bridge (master docker0):

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 66199sec preferred_lft 66199sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6e:3145/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:52:d4:0a:9f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:52ff:fed4:a9f/64 scope link
       valid_lft forever preferred_lft forever
24: veth78a90d0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 7e:6b:8c:bf:7e:30 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::7c6b:8cff:febf:7e30/64 scope link
       valid_lft forever preferred_lft forever
26: vetha2bfbf4@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:2f:ed:e5:61:32 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::cc2f:edff:fee5:6132/64 scope link
       valid_lft forever preferred_lft forever


Now look at the network inside tomcat01 (docker exec -it tomcat01 ip a): its eth0 carries 172.17.0.2 on the docker0 subnet, and the host can ping it:

$ ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.038 ms
^C
--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms

The host (CentOS) and tomcat01 are in two different network namespaces, so how are they connected? See the figure:

[Figure: tomcat01's eth0 and a host-side veth forming a pair attached to docker0]

eth0 inside tomcat01 and one of the veth interfaces attached to docker0 on the host are the two ends of a single veth pair, just like veth-ns1 and veth-ns2 in the namespace exercise above. Confirming this is easy: brctl show lists the bridge and the veth ports enslaved to it.

yum install bridge-utils
brctl show

Run

$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
92242fc0f805        bridge              bridge              local
96b999d7fcc2        host                host                local
17b86f9caa33        none                null                local

Inspect the bridge network: docker network inspect bridge. The Containers section maps each endpoint to its container, MAC and IP:

"Containers": {
    "4b3500fed6b99c00b3ed1ae46bd6bc33040c77efdab343175363f32fbcf42e63": {
        "Name": "tomcat01",
        "EndpointID": "40fc0925fcb59c9bb002779580107ab9601640188bf157fa57b1c2de9478053a",
        "MacAddress": "02:42:ac:11:00:02",
        "IPv4Address": "172.17.0.2/16",
        "IPv6Address": ""
    },
    "92d2ff3e9be523099ac4b45058c5bf4652a77a27b7053a9115ea565ab43f9ab0": {
        "Name": "tomcat02",
        "EndpointID": "1d6c3bd73e3727dd368edf3cc74d2f01b5c458223f844d6188486cb26ea255bc",
        "MacAddress": "02:42:ac:11:00:03",
        "IPv4Address": "172.17.0.3/16",
        "IPv6Address": ""
    }
}

A container on docker0 such as tomcat01 can reach the internet as well. Its outbound traffic is source-NATed (MASQUERADE) by iptables rules that the Docker daemon installs on the host; all containers on the bridge therefore appear to the outside as the host's IP.

[Figure: tomcat01 reaching the internet through docker0 and iptables NAT]
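The fields explained in 2.4 and the bridge membership confirmed with brctl show above can both be read off the ip a text itself. The following is an added example, not code from the original article: a small parser for ip a / ip addr show output that records state, MAC and addresses per interface and, from the master field on the veth lines, rebuilds the bridge-to-port mapping without installing bridge-utils. The sample text is the article's own host output (re-spaced and trimmed to the lines the parser uses).

```python
# Added example, not from the original article: parse `ip a` output.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header line, e.g. "24: veth78a90d0@if23: <BROADCAST,...> mtu 1500 qdisc noqueue master docker0 state UP ..."
HEADER_RE = re.compile(
    r"^(?P<idx>\d+): (?P<name>[^:@\s]+)(?:@(?P<peer>\S+))?: <(?P<flags>[^>]*)>(?P<rest>.*)$"
)
KV_RE = re.compile(r"\b(mtu|qdisc|state|master|qlen)\s+(\S+)")


@dataclass
class Iface:
    index: int
    name: str
    flags: List[str]
    state: str = "UNKNOWN"
    master: Optional[str] = None  # bridge this port is enslaved to (veth -> docker0)
    peer: Optional[str] = None    # "ifN": ifindex of the other end of a veth pair
    mac: Optional[str] = None
    inet: List[str] = field(default_factory=list)
    inet6: List[str] = field(default_factory=list)


def parse_ip_addr(text: str) -> List[Iface]:
    """Parse `ip a` / `ip addr show` text. Prompt lines starting with '$' are skipped."""
    ifaces: List[Iface] = []
    cur: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Iface(int(m["idx"]), m["name"], m["flags"].split(","), peer=m["peer"])
            for key, val in KV_RE.findall(m["rest"]):
                if key == "state":
                    cur.state = val
                elif key == "master":
                    cur.master = val
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        parts = line.split()
        if parts[0].startswith("link/") and len(parts) > 1:  # link/ether, link/loopback
            cur.mac = parts[1]
        elif parts[0] == "inet":
            cur.inet.append(parts[1])
        elif parts[0] == "inet6":
            cur.inet6.append(parts[1])
    return ifaces


def bridge_ports(ifaces: List[Iface]) -> Dict[str, List[str]]:
    """Bridge -> enslaved interfaces (what `brctl show` prints), derived from `master`."""
    out: Dict[str, List[str]] = {}
    for i in ifaces:
        if i.master:
            out.setdefault(i.master, []).append(i.name)
    return out


def global_ipv4(ifaces: List[Iface]) -> Dict[str, List[str]]:
    """Non-loopback interfaces that carry IPv4 addresses: the host's reachable addresses."""
    return {i.name: i.inet for i in ifaces if "LOOPBACK" not in i.flags and i.inet}


# Sample: the article's host output, re-spaced and trimmed (valid_lft lines dropped).
SAMPLE_IP_A = """\
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6e:31:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.10/24 brd 192.168.56.255 scope global noprefixroute eth1
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:52:d4:0a:9f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
24: veth78a90d0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 7e:6b:8c:bf:7e:30 brd ff:ff:ff:ff:ff:ff link-netnsid 2
26: vetha2bfbf4@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:2f:ed:e5:61:32 brd ff:ff:ff:ff:ff:ff link-netnsid 3
"""

if __name__ == "__main__":
    ifs = parse_ip_addr(SAMPLE_IP_A)
    for i in ifs:
        print(f"{i.name:14} {i.state:8} {i.mac or '-':18} {','.join(i.inet) or '-':18} "
              f"master={i.master or '-'} peer={i.peer or '-'}")
    print("bridge ports:", bridge_ports(ifs))
```

To run it against a live host, replace SAMPLE_IP_A with the output of `ip a` captured via subprocess; the `@ifN` index of each veth can then be matched with `ip netns exec <ns> ip link` or `docker exec <container> ip link` to prove which container sits behind which host-side port.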

4.2 User-defined networks

Create a network of type bridge:

docker network create tomcat-net

or, with an explicit subnet:

docker network create --subnet=172.18.0.0/24 tomcat-net

(The rest of this section uses the first form, which is why the bridge below ends up with 172.18.0.1/16.)


List the networks: docker network ls

$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
b5c9cfbc0410        bridge              bridge              local
96b999d7fcc2        host                host                local
17b86f9caa33        none                null                local
43915cba1f92        tomcat-net          bridge              local

Inspect tomcat-net: docker network inspect tomcat-net. Then start a container attached to it:

$ docker run -d --name custom-net-tomcat --network tomcat-net tomcat-ip:1.0
264b3901f8f12fd7f4cc69810be6a24de48f82402b1e5b0df364bd1ee72d8f0e

On the host, a new bridge br-43915cba1f92 (named after the network ID) and the veth for custom-net-tomcat appear; key lines only:

12: br-43915cba1f92: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:71:a6:67:c7 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-43915cba1f92
       valid_lft forever preferred_lft forever
    inet6 fe80::42:71ff:fea6:67c7/64 scope link
       valid_lft forever preferred_lft forever
14: veth282a555@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-43915cba1f92 state UP group default
    link/ether 3a:3d:83:15:3f:ed brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::383d:83ff:fe15:3fed/64 scope link
       valid_lft forever preferred_lft forever

Try to reach tomcat01 (172.17.0.2, on the default bridge) from custom-net-tomcat:

$ docker exec -it custom-net-tomcat ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
^C
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

It fails: the two containers sit on different bridges, and Docker isolates bridge networks from one another with iptables rules (the DOCKER-ISOLATION chains), even though the host routes between both subnets. This isolation is what makes a user-defined network a useful segmentation boundary. If tomcat01 is also connected to tomcat-net, the two share a bridge and can talk:

$ docker network connect tomcat-net tomcat01
$ docker exec -it custom-net-tomcat ping tomcat01
PING tomcat01 (172.18.0.3) 56(84) bytes of data.
64 bytes from tomcat01.tomcat-net (172.18.0.3): icmp_seq=1 ttl=64 time=0.031 ms

Note that the ping used the container name: on user-defined networks Docker's embedded DNS resolves container names, whereas the default bridge offers no name resolution (only the legacy --link).
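The reachability question worked through by hand above (can custom-net-tomcat reach tomcat01, and why does docker network connect fix it?) can be answered from the JSON that docker network inspect prints. The following is an added example, not code from the original article. It assumes the inspect output is passed as a JSON list, keeps only bridge-driver networks (host and none carry no per-container address), and treats two containers as able to exchange traffic when they share at least one bridge network, which is what Docker's inter-bridge isolation enforces. The sample JSON is constructed from the page's inspect excerpts with only the fields used here; custom-net-tomcat's address 172.18.0.2/16 is an assumption.

```python
# Added example, not from the original article: container reachability from
# `docker network inspect` output.
import json
from typing import Dict, List

Networks = Dict[str, Dict[str, str]]  # network name -> {container name -> IPv4/prefix}


def parse_networks(inspect_json: str) -> Networks:
    """Build the membership map from `docker network inspect` output (a JSON list).
    Only bridge networks are kept: host/none networks have no per-container address."""
    nets: Networks = {}
    for net in json.loads(inspect_json):
        if net.get("Driver") != "bridge":
            continue
        nets[net["Name"]] = {
            c["Name"]: c["IPv4Address"] for c in net.get("Containers", {}).values()
        }
    return nets


def shared_networks(nets: Networks, a: str, b: str) -> List[str]:
    return sorted(n for n, members in nets.items() if a in members and b in members)


def can_reach(nets: Networks, a: str, b: str) -> bool:
    """True when a and b sit on at least one common bridge network; Docker's
    DOCKER-ISOLATION iptables chains drop traffic between different bridges."""
    return a != b and bool(shared_networks(nets, a, b))


def connect(nets: Networks, network: str, container: str, ipv4: str) -> None:
    """Model `docker network connect <network> <container>`; the real daemon picks the IP."""
    nets[network][container] = ipv4


def name_resolvable(nets: Networks, src: str, dst: str) -> bool:
    """Embedded DNS resolves container names only on user-defined networks,
    not on the default `bridge` (which needs the legacy --link for that)."""
    return any(n != "bridge" for n in shared_networks(nets, src, dst))


def default_bridge_members(nets: Networks) -> List[str]:
    """Containers on docker0: all-to-all traffic is allowed there by default (icc=true)."""
    return sorted(nets.get("bridge", {}))


# Constructed sample: the page's bridge / tomcat-net excerpts plus the host network,
# reduced to the fields used above. custom-net-tomcat's address is assumed.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Containers": {
        "4b3500fed6b9": {"Name": "tomcat01", "IPv4Address": "172.17.0.2/16"},
        "92d2ff3e9be5": {"Name": "tomcat02", "IPv4Address": "172.17.0.3/16"},
    }},
    {"Name": "tomcat-net", "Driver": "bridge", "Containers": {
        "264b3901f8f1": {"Name": "custom-net-tomcat", "IPv4Address": "172.18.0.2/16"},
    }},
    {"Name": "host", "Driver": "host", "Containers": {
        "f495a6892d42": {"Name": "my-tomcat-host", "IPv4Address": ""},
    }},
])

if __name__ == "__main__":
    nets = parse_networks(SAMPLE_INSPECT)
    print("before connect:", can_reach(nets, "custom-net-tomcat", "tomcat01"))
    connect(nets, "tomcat-net", "tomcat01", "172.18.0.3/16")
    print("after connect: ", can_reach(nets, "custom-net-tomcat", "tomcat01"),
          shared_networks(nets, "custom-net-tomcat", "tomcat01"))
    print("on docker0 (no DNS, all-to-all):", default_bridge_members(nets))
```

Feeding it `docker network inspect $(docker network ls -q)` gives a quick segmentation audit: every pair that can_reach reports True is a pair of workloads with an open L2/L3 path, and anything listed by default_bridge_members is sharing the unsegmented default bridge.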

5. Deep dive into container networking: Host and None

5.1 Host

In host mode the container shares the host's network stack: every host interface is visible to it and its hostname matches the host's. There is no network isolation at all, so the container can bind any host port and talk on any host interface; reserve this mode for trusted, infrastructure-style workloads.

Create a container on the host network:

docker run -d --name my-tomcat-host --network host tomcat-ip:1.0

Check its addresses (identical to the host's):

docker exec -it my-tomcat-host ip a

Inspect the host network; note the empty MAC and IP, since the endpoint has no address of its own:

docker network inspect host
"Containers": {
    "f495a6892d422e61daab01e3fcfa4abb515753e5f9390af44c93cae376ca7464": {
        "Name": "my-tomcat-host",
        "EndpointID": "77012b1ac5d15bde3105d2eb2fe0e58a5ef78fb44a88dc8b655d373d36cde5da",
        "MacAddress": "",
        "IPv4Address": "",
        "IPv6Address": ""
    }
}

5.2 None

None mode configures no IP for the container; it cannot reach external networks or other containers. It has only a loopback address, which suits batch jobs that need no network at all (the most restrictive choice from a security standpoint).

Create a tomcat container on the none network:

docker run -d --name my-tomcat-none --network none tomcat-ip:1.0

Check its addresses (only lo):

docker exec -it my-tomcat-none ip a

Inspect the none network:

docker network inspect none
"Containers": {
    "c957b61dae93fbb9275acf73c370e5df1aaf44a986579ee43ab751f790220807": {
        "Name": "my-tomcat-none",
        "EndpointID": "16bf30fb7328ceb433b55574dc071bf346efa58e2eb92b6f40d7a902ddc94293",
        "MacAddress": "",
        "IPv4Address": "",
        "IPv6Address": ""
    }
}

6. Port mapping

Create a tomcat container named port-tomcat:

docker run -d --name port-tomcat tomcat-ip:1.0

How can we reach the Tomcat service? From inside the container:

docker exec -it port-tomcat bash
curl localhost:8080

From the CentOS 7 host itself, look up the container's bridge address and use it directly:

docker exec -it port-tomcat ip a
curl 172.17.0.4:8080

To reach it on the host via localhost, the container's port 8080 has to be published on the host. -p 8090:8080 publishes it on every host interface (0.0.0.0); Docker implements this with a DNAT rule in the nat table's DOCKER chain. If only local access is wanted, bind to loopback instead: -p 127.0.0.1:8090:8080.

docker rm -f port-tomcat
docker run -d --name port-tomcat -p 8090:8080 tomcat-ip:1.0
curl localhost:8090
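The exposure created by -p 8090:8080 above is recorded in the container's HostConfig.PortBindings, which docker inspect prints. The following is an added example, not code from the original article: it reads that structure for a list of containers and classifies each published port by who can reach it, treating an empty HostIp the way Docker does (bind on 0.0.0.0). The sample JSON is constructed; port-tomcat matches the page's command and port-tomcat-local is an assumed variant bound to 127.0.0.1.

```python
# Added example, not from the original article: audit published ports from
# `docker inspect` output (HostConfig.PortBindings).
import json
from typing import List, NamedTuple

ANY_ADDR = {"0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


class Publication(NamedTuple):
    container: str
    host_ip: str
    host_port: str
    container_port: str   # e.g. "8080/tcp"
    scope: str            # "any" (all interfaces), "loopback", or "interface" (one host IP)


def port_publications(inspect_json: str) -> List[Publication]:
    """One row per host binding; `docker inspect` names are prefixed with '/'."""
    rows: List[Publication] = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
        for cport, hosts in sorted(bindings.items()):
            for h in hosts or []:
                ip = h.get("HostIp") or "0.0.0.0"   # empty HostIp means bind on all interfaces
                scope = "any" if ip in ANY_ADDR else "loopback" if ip in LOOPBACK else "interface"
                rows.append(Publication(name, ip, h["HostPort"], cport, scope))
    return rows


def exposed_off_host(pubs: List[Publication]) -> List[str]:
    """Publications reachable from other machines (anything not bound to loopback)."""
    return [f"{p.container} {p.host_ip}:{p.host_port}->{p.container_port}"
            for p in pubs if p.scope != "loopback"]


# Constructed sample: port-tomcat as run above (-p 8090:8080), an assumed
# loopback-bound variant, and my-tomcat-none with nothing published.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/port-tomcat", "HostConfig": {"PortBindings": {
        "8080/tcp": [{"HostIp": "", "HostPort": "8090"}]}}},
    {"Name": "/port-tomcat-local", "HostConfig": {"PortBindings": {
        "8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8091"}]}}},
    {"Name": "/my-tomcat-none", "HostConfig": {"PortBindings": {}}},
])

if __name__ == "__main__":
    pubs = port_publications(SAMPLE_INSPECT)
    for p in pubs:
        print(f"{p.container:20} {p.host_ip:>10}:{p.host_port:<6} -> {p.container_port:10} {p.scope}")
    print("reachable off-host:", exposed_off_host(pubs))
```

Run it over `docker inspect $(docker ps -q)` to list every port the host is really offering. Remember that the DNAT rule Docker installs is evaluated in the FORWARD path, so INPUT-chain host firewall rules (ufw, firewalld's input zones) do not apply to published container ports; restrictions belong in the DOCKER-USER chain or in the bind address itself.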

CentOS 7 here is a VM running on Windows 10. To reach the service from Windows 10 by ip:port, give the VM a bridged ("public") network in the Vagrantfile:

# config.vm.network "public_network", :bridge => 'en1: Wi-Fi (AirPort)'
config.vm.network "public_network"

This is equivalent to bridged networking; the commented form also pins which physical NIC the VM bridges onto. Then:

CentOS 7: ip a  -->  192.168.8.118
Windows 10: browse to 192.168.8.118:9080

[Figure: browser on Windows 10 reaching Tomcat through the VM's bridged address]

7. Communication between hosts

The details are covered in the Docker Swarm article; this is only a sketch.

On a single CentOS 7 host there is always some way to let two containers communicate. What if they run on two different CentOS 7 hosts? Picture:

[Figure: containers on two hosts]

This is implemented with VXLAN (Virtual Extensible LAN), an overlay that carries the containers' Ethernet frames inside UDP packets between the hosts. Docker's overlay networks do not encrypt this traffic by default; pass --opt encrypted when creating the overlay network to protect it with IPsec.

[Figure: VXLAN overlay between the two hosts]

PS: once you have mastered Docker networking you have mastered the core of the whole technology. If this article helped, follow, like and bookmark.
