為docker配置固定ip
首先�����,配置一個(gè)用于創(chuàng)建container interface的網(wǎng)橋����,可以使用ovs,也可以使用Linux bridge���,以Linux bridge為例:
br_name=docker
brctl addbr $br_name
ip addr add 192.168.33.2/24 dev $br_name
ip addr del 192.168.33.2/24 dev em1
ip link set $br_name up
brctl addif $br_name eth0
接著����,可以啟動(dòng)容器了���,注意用--net=none方式啟動(dòng):
# start new container
hostname='docker.test.com'
cid=$(docker run -d -i -h $hostname --net=none -t centos)
pid=$(docker inspect -f '{{.State.Pid}}' $cid)
下面�����,為該容器配置網(wǎng)絡(luò)namespace�,并設(shè)置固定ip:
# set up netns
mkdir -p /var/run/netns
ln -s /proc/$pid/ns/net /var/run/netns/$pid
# set up bridge
ip link add q$pid type veth peer name r$pid
brctl addif $br_name q$pid
ip link set q$pid up
# set up docker interface
fixed_ip='192.168.33.3/24'
gateway='192.168.33.1'
ip link set r$pid netns $pid
ip netns exec $pid ip link set dev r$pid name eth0
ip netns exec $pid ip link set eth0 up
ip netns exec $pid ip addr add $fixed_ip dev eth0
ip netns exec $pid ip route add default via 192.168.33.1
這樣,容器的網(wǎng)絡(luò)就配置好了�,如果容器內(nèi)部開啟了sshd服務(wù),通過192.168.33.3就可以直接ssh連接到容器�����,非常方便��。上面的步驟比較長(zhǎng)�,可以借助pipework來為容器設(shè)置固定ip(除了設(shè)置IP�����,還封裝了配置網(wǎng)關(guān)�、macvlan、vlan����、dhcp等功能):
pipework docker0 be8365e3b2834 10.88.88.8/24
那么�,當(dāng)容器需要?jiǎng)h除的時(shí)候�����,怎么清理網(wǎng)絡(luò)呢�����,其實(shí)也很簡(jiǎn)單:
# stop and delete container
docker stop $cid
docker rm $cid
# delete docker's net namespace (also delete veth pair)
ip netns delete $pid
使用weave管理docker網(wǎng)絡(luò)
weave簡(jiǎn)單使用
sudo wget -O /usr/local/bin/weave https://raw.githubusercontent.com/zettio/weave/master/weave
sudo chmod a+x /usr/local/bin/weave
啟動(dòng)weave路由器�����,這個(gè)路由器其實(shí)也是在docker中啟動(dòng)的:
[root@h-46mow360 ~]# weave launch
Unable to find image 'zettio/weave' locally
3b3a3db2c186fccb5203dcc269b3febbbbf126591a7ebd8117a8a5250683749f
[root@h-46mow360 ~]# brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.56847afe9799 no veth801050a
weave 8000.7afc2a03325e no vethwepl2146
[root@h-46mow360 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3b3a3db2c186 zettio/weave:git-a34e214201cb "/home/weave/weaver About a minute ago Up About a minute 0.0.0.0:6783->6783/tcp, 0.0.0.0:6783->6783/udp weave
在兩臺(tái)物理機(jī)上分別啟動(dòng)一個(gè)容器:
c1=$(weave run 10.0.3.3/24 -t -i -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /tmp/$(mktemp -d):/run systemd:systemd /usr/lib/systemd/systemd)
c2=$(weave run 10.0.3.5/24 -t -i -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /tmp/$(mktemp -d):/run systemd:systemd /usr/lib/systemd/systemd)
這個(gè)時(shí)候�����,兩個(gè)容器之間是不通的�����,需要在兩臺(tái)weave的路由器之間建立連接:( if there is a firewall between $HOST1 and $HOST2, you must open port 6783 for TCP and UDP)
weave connect 10.33.0.9
這樣��,兩臺(tái)容器之間通了:
# nsenter --mount --uts --ipc --net --pid --target $(docker inspect --format "{{.State.Pid}}" "$c2")
-bash-4.2# ping -c 3 10.0.3.3
PING 10.0.3.3 (10.0.3.3) 56(84) bytes of data.
64 bytes from 10.0.3.3: icmp_seq=1 ttl=64 time=2.34 ms
64 bytes from 10.0.3.3: icmp_seq=2 ttl=64 time=1.52 ms
64 bytes from 10.0.3.3: icmp_seq=3 ttl=64 time=1.13 ms
--- 10.0.3.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.131/1.667/2.345/0.505 ms
weave其他特性
•應(yīng)用隔離:不同子網(wǎng)容器之間默認(rèn)隔離的���,即便它們位于同一臺(tái)物理機(jī)上也相互不通�����;不同物理機(jī)之間的容器默認(rèn)也是隔離的
•物理機(jī)之間容器互通:weave connect $OTHER_HOST
•動(dòng)態(tài)添加網(wǎng)絡(luò):對(duì)于不是通過weave啟動(dòng)的容器�,可以通過weave attach 10.0.1.1/24 $id來添加網(wǎng)絡(luò)(detach刪除網(wǎng)絡(luò))
•安全性:可以通過weave launch -password wEaVe設(shè)置一個(gè)密碼用于weave peers之間加密通信
•與宿主機(jī)網(wǎng)絡(luò)通信:weave expose 10.0.1.102/24,這個(gè)IP會(huì)配在weave網(wǎng)橋上
•查看weave路由狀態(tài):weave ps
•通過NAT實(shí)現(xiàn)外網(wǎng)訪問docker容器
