The other end is placed in the host and named after vethxxx. Docker puts one end of the Veth pair device in the newly created container and names it eth0 (network card of the container). Create a pair of virtual network card Veth pair devices on the host. The virtual bridge works like a physical switch, so that all containers on the host are connected to a layer-2 network through the switch.Īssign an IP address from the docker 0 subnet to the container, and set the docker 0 IP address as the default gateway of the container. When the docker process starts, a virtual bridge named docker0 will be created on the host, and the docker container started on this host will be connected to the virtual bridge. This type of network has no way to network, closed network can ensure the security of the container. The none mode can be specified by – network = none when the container is created. In this network mode, the container only has a lo loopback network and no other network card. We need to add network card and configure IP for docker container. In other words, the docker container does not have network card, IP, routing and other information. However, there is no network configuration for the docker container. Using the none mode, the docker container has its own network namespace. The processes of the two containers can communicate through the lo network card device.
Similarly, the two containers are isolated from each other, such as file system, process list, and so on. Instead, it will share IP and port range with a specified container. The newly created container will not create its own network card and configure its own IP. This pattern specifies that the newly created container shares a network namespace with an existing container, rather than with the host. The host mode is shown in the following figure: The biggest advantage of host is that the network performance is better, but the ports already used on docker host can’t be used again, and the network isolation is not good. The container using the host mode can use the host’s IP address to communicate with the outside world, and the service port inside the container can also use the host’s port without NAT. However, other aspects of the container, such as the file system, process list, and so on, are isolated from the host. The container will not virtual out its own network card, configure its own IP, etc., but use the host’s IP and port. If the container is started in host mode, the container will not get a separate network namespace, but share a network namespace with the host. The container has an independent network namespace, but it does not have any network settings for it, such as assigning the Veth pair and bridge connection, configuring IP, etc. The pod in kubernetes is that multiple containers share a network namespace. The container shares the network namespace with another container. The container and the host share the network namespace. If the container wants external access to be accessible, it can be accessed by mapping the container port to the host host (port mapping), that is, docker run enables the container through the – P or – P parameter when creating the container, and accesses the container through. The external network cannot be addressed, which also means that the external network cannot access the container through the container IP. The docker bridge is a virtual host, not a real network device. Because the containers in the same host are connected to the same bridge, the containers can communicate directly through the container IP of the container. At the same time, the docker bridge is the default gateway of each container.
Docker bridging using Linux (Ref Linux virtual network technology)When the host machine virtual a docker container bridge (docker 0), the docker will assign an IP address to the container according to the network segment of the docker bridge, which is called container IP.
0 kommentar(er)
