一、单个物理机中docker网络

1.1 Docker默认网桥

        安装Docker 服务默认会创建一个 docker0 网桥（其上有一个 docker0 内部接口），它在内核层连通了其他的物理或虚拟网卡，这就将所有容器和本地主机都放到同一个物理网络。

使用 docker network ls 命令查看：

Docker 安装时会自动在 host 上创建三个网络：none，host，和bridge。

接下来我们查看一下docker0 网桥：(brctl可以通过yum install bridge-utils安装)

使用docker network inspect指令查看bridge网络：其Gateway就是网卡/接口docker0的IP地址：172.17.0.1。  【里面包含了bridge的配置信息和容器信息】

[root@192 keepmoving]# docker network inspect bridge
[{"Name": "bridge","Id": "581adbbf78d32412c411c274bb65c339f496b24e9cef5ad69f8d038bcc371c1b","Created": "2023-02-24T23:41:35.720677409+08:00","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": null,"Config": [{"Subnet": "172.17.0.0/16"}]},"Internal": false,"Attachable": false,"Ingress": false,"ConfigFrom": {"Network": ""},"ConfigOnly": false,"Containers": {"56657ecbb6763ce60e33232ba09b7f1ae68d9856b85ad61b52c581a47a896464": {"Name": "test_db","EndpointID": "e66a48ecc3be4a0a1f8fce53035181d5ac3de64953c6d0bc4bc705c4b63d11f7","MacAddress": "02:42:ac:11:00:02","IPv4Address": "172.17.0.2/16","IPv6Address": ""},"73a026235a47df3d0733429181406f9b2f58faa5f674b4aefef9811f82274395": {"Name": "web","EndpointID": "36d59702812b5bc3fb716fc4dccbcb141fd07e3a56706f681881cd489ec86dec","MacAddress": "02:42:ac:11:00:03","IPv4Address": "172.17.0.3/16","IPv6Address": ""}},"Options": {"com.docker.network.bridge.default_bridge": "true","com.docker.network.bridge.enable_icc": "true","com.docker.network.bridge.enable_ip_masquerade": "true","com.docker.network.bridge.host_binding_ipv4": "0.0.0.0","com.docker.network.bridge.name": "docker0","com.docker.network.driver.mtu": "1500"},"Labels": {}}
]

1.2 容器创建时IP的分配

        为了理解容器创建时的IP分配，这里需要清理所有已经启动的环境，然后再启动容器，看前后对比。

1.2.1 首先清理掉docker中安装的所有容器：

1.2.2 查看docker中的网络配置：

[root@192 keepmoving]# docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
581adbbf78d3   bridge    bridge    local
869c7c8ca191   host      host      local
6c29ce5e0291   none      null      local
[root@192 keepmoving]# docker network inspect bridge
[{"Name": "bridge","Id": "581adbbf78d32412c411c274bb65c339f496b24e9cef5ad69f8d038bcc371c1b","Created": "2023-02-24T23:41:35.720677409+08:00","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": null,"Config": [{"Subnet": "172.17.0.0/16"}]},"Internal": false,"Attachable": false,"Ingress": false,"ConfigFrom": {"Network": ""},"ConfigOnly": false,"Containers": {},"Options": {"com.docker.network.bridge.default_bridge": "true","com.docker.network.bridge.enable_icc": "true","com.docker.network.bridge.enable_ip_masquerade": "true","com.docker.network.bridge.host_binding_ipv4": "0.0.0.0","com.docker.network.bridge.name": "docker0","com.docker.network.driver.mtu": "1500"},"Labels": {}}
]
[root@192 keepmoving]# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000link/ether 00:0c:29:83:f9:57 brd ff:ff:ff:ff:ff:ffinet 192.168.124.49/24 brd 192.168.124.255 scope global noprefixroute dynamic ens33valid_lft 82491sec preferred_lft 82491secinet6 fe80::c890:8da3:b20c:a830/64 scope link noprefixroute valid_lft forever preferred_lft forever
3: docker0:  mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:4c:33:99:1a brd ff:ff:ff:ff:ff:ffinet 172.17.0.1/16 brd 172.17.255.255 scope global docker0valid_lft forever preferred_lft foreverinet6 fe80::42:4cff:fe33:991a/64 scope link valid_lft forever preferred_lft forever
[root@192 keepmoving]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02424c33991a       no              

1.2.3 创建容器

Docker 在创建一个容器的时候，会执行如下操作：

• 创建一对虚拟接口/网卡，也就是veth pair，分别放到本地主机和新容器中；
• 本地主机一端桥接到默认的 docker0 或指定网桥上，并具有一个唯一的名字，如 vethxxxxx；
• 容器一端放到新容器中，并修改名字作为 eth0，这个网卡/接口只在容器的名字空间可见；
• 从网桥可用地址段中（也就是与该bridge对应的network）获取一个空闲地址分配给容器的 eth0，并配置默认路由到桥接网卡 vethxxxx。

[root@192 keepmoving]# docker run -d --name test_db training/postgres
92fa2114c8b74f739064e2b79d669ca8484686b471a1ea237d34b32c4316b50b
[root@192 keepmoving]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02424c33991a       no              veth6f6298f
[root@192 keepmoving]# ip a | grep veth6f6298f
17: veth6f6298f@if16:  mtu 1500 qdisc noqueue master docker0 state UP group default 
[root@192 keepmoving]# docker network inspect bridge
[{"Name": "bridge","Id": "581adbbf78d32412c411c274bb65c339f496b24e9cef5ad69f8d038bcc371c1b","Created": "2023-02-24T23:41:35.720677409+08:00","Scope": "local","Driver": "bridge","EnableIPv6": false,"IPAM": {"Driver": "default","Options": null,"Config": [{"Subnet": "172.17.0.0/16"}]},"Internal": false,"Attachable": false,"Ingress": false,"ConfigFrom": {"Network": ""},"ConfigOnly": false,"Containers": {"92fa2114c8b74f739064e2b79d669ca8484686b471a1ea237d34b32c4316b50b": {"Name": "test_db","EndpointID": "98395df29096ab53f63bb6d44c1c28d0b949c992e9dcc3774e1826e6282e2d57","MacAddress": "02:42:ac:11:00:02","IPv4Address": "172.17.0.2/16","IPv6Address": ""}},"Options": {"com.docker.network.bridge.default_bridge": "true","com.docker.network.bridge.enable_icc": "true","com.docker.network.bridge.enable_ip_masquerade": "true","com.docker.network.bridge.host_binding_ipv4": "0.0.0.0","com.docker.network.bridge.name": "docker0","com.docker.network.driver.mtu": "1500"},"Labels": {}}
]

如果不指定--network，创建的容器默认都会挂到 docker0 上，使用本地主机上 docker0 接口的 IP 作为所有容器的默认网关。

当有多个容器创建后，容器网络拓扑结构如下：

1.3 容器和docker0的虚拟网卡的配对

        接下来来探究容器中的eth0是怎么和host中的虚拟网络进行配对的。

        可以看到host上17: veth6f6298f@if16对应着容器中16: eth0@if17; 即host中index=17的接口/网卡veth6f6298f的peer inferface index是16, container中index=16的网卡eth0的peer interface index是17。
注：host上17: veth6f6298f是创建容器时生成的(ip a)。

可以利用ethtool来确认这种对应关系：分别在host和container中运行指令ethtool -S :

ethtool -S veth6f6298f

docker exec -it 92fa2114c8b7 /bin/bash
ip a | grep 16

二、多个物理机中docker网络

        在公司内部或者使用多个物理机搭建集群时，需要将多个物理机的容器组到一个物理网络中来，这个时候需要将这个网桥桥接到指定的网卡上。

2.1 拓扑图

        主机 A 和主机 B 的物理网卡一都连接着物理交换机的同一个 vlan 101中，这样网桥一和网桥三就相当于在同一个物理网络中了，而容器一、容器三、容器四也在同一物理网络中了，他们之间可以相互通信，而且可以跟同一 vlan 中的其他物理机器互联。

2.2 Centos实例

        未完待续。。。

参考博文：

Docker基础 - Docker网络使用和配置 | Java 全栈知识体系