Docker installation method and detailed explanation of Docker's four network modes

1. Install Docker

yum -y install docker-io

When the "complete" message appears, the installation has finished.

2. Start the Docker service

service docker start

3. Set up Docker startup

chkconfig docker on

4. Basic information view

docker version                               show client and server versions
docker info                                  show system-wide information
docker images                                list images
docker ps                                    list running containers
docker rmi IMAGE                             delete an image
docker save -o path/name.tar imageName:tag   save an image to a tar archive
docker load < path/name.tar                  load an image from a tar archive
docker pull IMAGE                            pull an image from a registry

5. To uninstall, run the following (substitute the package name you actually installed, e.g. docker-io above):

sudo yum remove docker-ce
sudo rm -rf /var/lib/docker

When we use docker run to create a Docker container, we can use the --net option to specify the network mode of the container. Docker has the following four network modes:

Host mode, specified using --net=host.
Container mode, specified using --net=container:NAME_or_ID.
None mode, specified using --net=none.
Bridge mode, specified using --net=bridge, the default setting.
In addition, there is a user-defined network mode, described at the end of this article.

The following introduces each network mode of Docker.

1 Host mode

Format:

docker run -it --name myubuntu --net=host ubuntu /bin/bash

As is well known, Docker uses Linux namespaces to isolate resources: a PID namespace isolates processes, a mount namespace isolates the file system, and a network namespace isolates the network. A network namespace provides an independent network environment, including network interfaces, routes, iptables rules and so on, isolated from other network namespaces. A Docker container is normally given its own network namespace. If the container is started in host mode, however, it does not get an independent network namespace but shares the host's. The container does not virtualize its own network interface or configure its own IP; it uses the host's IP and ports.
For example, suppose we start a container holding a web application in host mode on the machine 10.10.101.105/24, listening on TCP port 80. Running a command such as ifconfig inside the container to inspect the network shows the host's interfaces. External clients reach the application directly at 10.10.101.105:80 without any NAT, exactly as if it ran on the host. Other aspects of the container, such as the file system and process list, remain isolated from the host.

2 Container mode

Format:

docker run -it --name myubuntu --net=container:NAME_OR_ID ubuntu /bin/bash

Once host mode is understood, this mode is easy to follow. The newly created container shares a network namespace with an existing container instead of with the host. The new container does not create its own network interface or configure its own IP; it shares the IP, port range and so on of the specified container. As before, everything other than the network, such as the file system and process list, remains isolated between the two containers. Processes in the two containers can talk to each other over the loopback (lo) device.

3 None mode

Format:

docker run -it --name myubuntu --net=none ubuntu /bin/bash

This mode is different from the previous two. In this mode, the Docker container has its own Network Namespace, but no network configuration is performed for the Docker container. In other words, this Docker container has no network card, IP, routing and other information. We need to add network cards and configure IP for the Docker container ourselves.

4 Bridge mode

Bridge mode is the default network setting for Docker. This mode allocates a Network Namespace, sets an IP address, etc. for each container, and connects a Docker container on a host to a virtual bridge. The following focuses on this mode.

4.1 Bridge mode topology

When the Docker server is started, a virtual bridge named docker0 is created on the host, and the Docker containers started on this host are connected to this virtual bridge. The virtual bridge works similarly to a physical switch, so that all containers on the host are connected to a Layer 2 network through the switch. The next step is to assign an IP to the container. Docker will select an IP address and subnet different from the host machine from the private IP segment defined in RFC1918 and assign it to docker0. The container connected to docker0 will select an unoccupied IP from this subnet. For example, Docker generally uses the network segment 172.17.0.0/16 and assigns 172.17.42.1/16 to the docker0 bridge (docker0 can be seen using the ifconfig command on the host. It can be considered as the management interface of the bridge and is used as a virtual network card on the host). The network topology in a single-machine environment is as follows, and the host address is 10.10.101.105/24.

The process of Docker completing the above network configuration is roughly as follows:

1. Create a pair of virtual network card veth pair devices on the host. Veth devices always appear in pairs. They form a data channel. Data enters from one device and comes out from another device. Therefore, veth devices are often used to connect two network devices.

2. Docker places one end of the veth pair device in the newly created container and names it eth0. The other end is placed in the host, named something like veth65f9, and this network device is added to the docker0 bridge, which can be viewed through the brctl show command.

3. Assign an IP from the docker0 subnet to the container and set the docker0 IP address as the default gateway for the container.
After introducing the network topology, let's talk about how containers communicate in bridge mode.
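As an added example (not from the article), the three steps above carried out by hand for a container started with --net=none, which is exactly the manual wiring the None mode section says is left to the user. It assumes the bridge is docker0, that ip and nsenter are available and that the container PID comes from docker inspect; with DRY_RUN=1 (the default) it only prints the commands, with DRY_RUN=0 it executes them as root.

```shell
#!/bin/sh
# Wire a --net=none container to docker0 by hand, reproducing the three steps
# Docker performs in bridge mode. Added example; names below are placeholders.
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = container name (used to build interface names, max 15 chars each)
# $2 = container PID, $3 = container IP/prefix, $4 = gateway (docker0 IP)
wire_container() {
    name="$1"; pid="$2"; addr="$3"; gw="$4"
    host_if="veth${name}"; cont_if="veth${name}c"
    # Step 1: create the veth pair on the host.
    run ip link add "$host_if" type veth peer name "$cont_if"
    # Step 2: move one end into the container's network namespace (addressed
    # by PID) and attach the other end to the docker0 bridge.
    run ip link set "$cont_if" netns "$pid"
    run ip link set "$host_if" master docker0
    run ip link set "$host_if" up
    # Inside the namespace (nsenter -n), rename the end to eth0 as Docker does.
    run nsenter -t "$pid" -n ip link set "$cont_if" name eth0
    run nsenter -t "$pid" -n ip link set lo up
    # Step 3: assign the address from the docker0 subnet and the default route.
    run nsenter -t "$pid" -n ip addr add "$addr" dev eth0
    run nsenter -t "$pid" -n ip link set eth0 up
    run nsenter -t "$pid" -n ip route add default via "$gw"
}

# Resolve a running container's PID (only meaningful when DRY_RUN=0).
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# Worked example with the article's addresses: container 172.17.0.5/16 behind
# docker0 at 172.17.42.1. PID 12345 is a constructed placeholder; with
# DRY_RUN=0 use: wire_container myubuntu "$(container_pid myubuntu)" ...
wire_container myubuntu 12345 172.17.0.5/16 172.17.42.1
```

After wiring, ip addr inside the container shows eth0 with the assigned address, and brctl show on the host lists the veth end under docker0.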

4.2 Communication between containers in bridge mode

In bridge mode, containers attached to the same bridge can communicate with each other (for security reasons, inter-container communication can be disabled by setting --icc=false in the DOCKER_OPTS variable, after which only --link allows two containers to talk to each other).
Containers can also reach the outside world. Looking at the iptables rules on the host, we find the following line:

-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

This rule rewrites the source address of packets whose source is 172.17.0.0/16 (that is, packets generated by Docker containers) and which are not leaving through the docker0 interface, replacing it with the address of the host's outgoing interface. An example makes this clearer. Assume the host has a network interface eth0 with IP 10.10.101.105/24 and gateway 10.10.101.254. A container on the host with IP 172.17.0.1/16 pings Baidu (180.76.3.151). The IP packet is first sent from the container to its default gateway, docker0. Once it reaches docker0 it has reached the host, whose routing table shows that the packet should leave through eth0 towards the host's gateway 10.10.105.254/24. The packet is forwarded to eth0 and sent out (the host's ip_forward must be enabled). At this point the iptables rule above takes effect and applies SNAT, changing the source address to that of eth0. From the outside, the packet appears to come from 10.10.101.105, and the Docker container is invisible to the outside world.
So, how do external machines access the services of Docker containers? We first use the following command to create a container containing a web application and map port 80 of the container to port 80 of the host.

docker run -d --name web -p 80:80 fmzhen/simpleweb

Checking the iptables rules again, we find an additional rule:

-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.5:80

This rule applies DNAT to TCP traffic with destination port 80 arriving on any interface other than docker0 (such as the host's eth0) and redirects it to 172.17.0.5:80, the container created above. The outside world therefore only needs to access 10.10.101.105:80 to reach the service in the container.
In addition, we can customize the IP address, DNS and other settings Docker uses, and even use a bridge of our own, but the way it works remains the same.
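The two rules quoted above decide what the outside world can see. As an added example (not part of the article), a small audit script that reads iptables-save output and lists the published ports (DNAT targets reachable from interfaces other than docker0) and the masqueraded container subnets; the lines in SAMPLE_RULES are constructed from the article's two rules plus one extra port.

```shell
#!/bin/sh
# Audit the nat-table rules Docker installs for bridge-mode containers.
# SAMPLE_RULES is a constructed iptables-save extract; on a live host use:
#   iptables-save -t nat | published_ports
SAMPLE_RULES='*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.5:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 172.17.0.6:3306
COMMIT'

# Print one line per DNAT rule in the DOCKER chain, i.e. per port that is
# reachable from outside the bridge: "<proto> <host port> -> <container ip:port>"
published_ports() {
    awk '$1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
        proto = ""; dport = ""; dest = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
        }
        if (proto != "" && dport != "" && dest != "")
            printf "%s %s -> %s\n", proto, dport, dest
    }'
}

# Print the source subnets that are SNATed (MASQUERADE) when leaving the host
# through any interface other than docker0: the container ranges hidden
# behind the host IP.
masqueraded_subnets() {
    awk '$1 == "-A" && $2 == "POSTROUTING" && / -j MASQUERADE/ {
        for (i = 3; i <= NF; i++) if ($i == "-s") print $(i + 1)
    }'
}

# Exit 0 if the container endpoint $1 ("ip:port") is exposed via DNAT, else 1.
is_published() {
    published_ports | awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

printf '%s\n' "$SAMPLE_RULES" | published_ports
printf '%s\n' "$SAMPLE_RULES" | masqueraded_subnets
```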

5 User-defined mode

Users can create custom networks with Docker's network drivers or third-party network drivers, and many containers can be attached to the same network. Once attached to a custom network, containers can reach each other by IP address and by host name.
When a container joins a user-defined network, the IP addresses of all other containers on that network are added to its /etc/hosts file.
Because the container's /etc/hosts file may be modified at any time, a program inside the container may read an incomplete or even empty /etc/hosts; re-reading the file usually resolves this.

Summary

That concludes this article. I hope its content is of some reference value for your study or work. Thank you for your support of 123WORDPRESS.COM.
