# Docker Networking

## Docker networking basics

When Docker is installed it creates a Linux bridge named `docker0`; newly created containers are automatically bridged to this interface.

```
[root@docker mnt]# ip link show type bridge
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:5f:e2:34:6c brd ff:ff:ff:ff:ff:ff
```

## Docker's native bridge network

At installation Docker creates the Linux bridge `docker0`, and every new container is bridged to it by default.

```
[root@Docker-node1 ~]# ip link show type bridge
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 12:e3:9f:e1:e6:e8 brd ff:ff:ff:ff:ff:ff
64: br-ac76f47bd847: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 8a:4d:c7:da:0f:dc brd ff:ff:ff:ff:ff:ff
```

In bridge mode a container has no public IP: only the host can reach it directly, and it is invisible to external hosts. The container can reach the outside network after its traffic passes through the host's NAT rules.

```
[root@Docker-node1 ~]# ifconfig
br-ac76f47bd847: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::884d:c7ff:feda:fdc  prefixlen 64  scopeid 0x20<link>
        ether 8a:4d:c7:da:0f:dc  txqueuelen 0  (Ethernet)
        RX packets 13  bytes 364 (364.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1406 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::10e3:9fff:fee1:e6e8  prefixlen 64  scopeid 0x20<link>
        ether 12:e3:9f:e1:e6:e8  txqueuelen 0  (Ethernet)
        RX packets 13  bytes 364 (364.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1406 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.10  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::20c:29ff:fede:d3af  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:de:d3:af  txqueuelen 1000  (Ethernet)
        RX packets 682915  bytes 961945293 (917.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88032  bytes 14491692 (13.8 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 9720  bytes 1029221 (1005.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9720  bytes 1029221 (1005.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

veth832a365: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::4479:afff:fe5b:4fcc  prefixlen 64  scopeid 0x20<link>
        ether 46:79:af:5b:4f:cc  txqueuelen 0  (Ethernet)
        RX packets 3  bytes 126 (126.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 806 (806.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

## Docker's native host network

Host mode must be selected when the container is created, with `--network=host`. In host mode the container shares the host's network stack. The benefit is that external hosts can talk to the container directly; the drawback is that the container's network has no isolation from the host.

```
[root@Docker-node1 ~]# docker run -it --name busybox --network host busybox:latest
/ # ifconfig
br-ac76f47bd847 Link encap:Ethernet  HWaddr 8A:4D:C7:DA:0F:DC
          inet addr:172.18.0.1  Bcast:172.18.255.255  Mask:255.255.0.0
          inet6 addr: fe80::884d:c7ff:feda:fdc/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:3916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4735 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:0
          RX bytes:5097716 (4.8 MiB)  TX bytes:3235479 (3.0 MiB)

docker0   Link encap:Ethernet  HWaddr 12:E3:9F:E1:E6:E8
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::10e3:9fff:fee1:e6e8/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:0
          RX bytes:364 (364.0 B)  TX bytes:1406 (1.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:D3:AF
          inet addr:172.25.254.10  Bcast:172.25.254.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fede:d3af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683296 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88301 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:1000
          RX bytes:961975757 (917.4 MiB)  TX bytes:14517302 (13.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:9720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9720 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:1000
          RX bytes:1029221 (1005.0 KiB)  TX bytes:1029221 (1005.0 KiB)

/ #
```

When the network is shared, every network resource is shared too. For example, once an nginx container is started in host mode, port 80 of the real host is occupied, and starting a second nginx container will fail.

## Docker's native none network

None mode disables networking entirely: the container has only the `lo` interface. Select it with `--network=none` when creating the container.

```
[root@Docker-node1 ~]# docker run -it --name busybox --rm --network none busybox:latest
/ # ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #
```

## Docker custom networks

### Custom network modes

Docker provides three custom network drivers: `bridge`, `overlay` and `macvlan`. The `bridge` driver is similar to the default bridge network mode but adds some features; `overlay` and `macvlan` are used to build cross-host networks. Custom networks are recommended because they let you control which containers can communicate with each other, and they also resolve container names to IP addresses automatically through DNS.

### Custom bridge networks

A custom network uses bridge mode by default:

```
[root@Docker-node1 ~]# docker network create hjw
fd12cf744b32872354ccc0d9af695f0a691ac278506e9a198ee4addfc9a37880
[root@Docker-node1 ~]# docker network ls
NETWORK ID     NAME            DRIVER    SCOPE
a766dc23b8ee   bridge          bridge    local
ac76f47bd847   harbor_harbor   bridge    local
fd12cf744b32   hjw             bridge    local
594110fe0e71   host            host      local
ccd1739b6d24   none            null      local
```

Bridge subnets are allocated in monotonically increasing order:

```
[root@Docker-node1 ~]# ifconfig
br-ac76f47bd847: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::884d:c7ff:feda:fdc  prefixlen 64  scopeid 0x20<link>
        ether 8a:4d:c7:da:0f:dc  txqueuelen 0  (Ethernet)
        RX packets 13  bytes 364 (364.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1406 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

br-fd12cf744b32: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
        ether 22:15:99:c5:a6:77  txqueuelen 0  (Ethernet)
        RX packets 13  bytes 364 (364.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1406 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::10e3:9fff:fee1:e6e8  prefixlen 64  scopeid 0x20<link>
        ether 12:e3:9f:e1:e6:e8  txqueuelen 0  (Ethernet)
        RX packets 13  bytes 364 (364.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13  bytes 1406 (1.3 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

A bridge network also accepts a custom subnet and gateway:

```
[root@Docker-node1 ~]# docker network create my_net2 --subnet 192.168.0.0/24 --gateway 192.168.0.100
7e77cd2e44c64ff3121a1f1e0395849453f8d524d24b915672da265615e0e4f9
[root@docker ~]# docker network inspect my_net2
[
    {
        "Name": "my_net2",
        "Id": "7e77cd2e44c64ff3121a1f1e0395849453f8d524d24b915672da265615e0e4f9",
        "Created": "2024-08-17T17:05:19.167808342+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "192.168.0.0/24",
                    "Gateway": "192.168.0.100"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
```

### Why use a custom bridge?

How do containers reach each other? By IP address this works, but what is the problem with it?

```
[root@Docker-node1 ~]# docker run -d --name web1 nginx:1.23
7f295913518c992265fd304e1a0bea9b98168afed92f23ea4ef4d19a30cb676e
[root@Docker-node1 ~]# docker run -d --name web2 nginx:1.23
fd1b2c3e13a0eddc569a1138858bd7b421f97bcc02d644412622a5761eb24be0
[root@Docker-node1 ~]# docker inspect web1 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",
[root@Docker-node1 ~]# docker inspect web2 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.3",
                    "IPAddress": "172.17.0.3",

# stop both containers, then start them again in the opposite order
[root@Docker-node1 ~]# docker stop web1 web2
web1
web2
[root@Docker-node1 ~]# docker start web2
web2
[root@Docker-node1 ~]# docker start web1
web1
[root@Docker-node1 ~]# docker inspect web1 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.3",
                    "IPAddress": "172.17.0.3",
[root@Docker-node1 ~]# docker inspect web2 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",
```

The two containers' IPs have swapped. The Docker engine hands out IPs in container start order: whichever container starts first takes the next free address, so addresses change dynamically. Reaching containers by IP is therefore unreliable; the stable way for containers to reach each other is by container name. Docker's native bridge network does not support DNS resolution, but custom networks have an embedded DNS server:

```
[root@docker ~]# docker run -d --network hjw_net1 --name web nginx
d9ed01850f7aae35eb1ca3e2c73ff2f83d13c255d4f68416a39949ebb8ec699f
[root@docker ~]# docker run -it --network hjw_net1 --name test busybox
/ # ping web
PING web (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.197 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.096 ms
64 bytes from 172.18.0.2: seq=2 ttl=64 time=0.087 ms
```

Note that different custom networks cannot communicate with each other.

```
# RHEL 7 enforces the isolation with iptables; RHEL 9 uses nftables
[root@docker ~]# nft list ruleset
```

The isolation rules are visible in the ruleset. How can two custom networks be connected?

```
[root@Docker-node1 ~]# docker network create hjw_net1
b21e292c40af41696496d18d968fc002d5ea3df5fe717b3ae9c77910a9a34cba
[root@Docker-node1 ~]# docker network create hjw_net2
ed83b02887d0ef07ab4973803312b2110e1be25939bb65263c23994a3b7a76fd
[root@Docker-node1 ~]# docker run -d --name web1 --network hjw_net1 nginx:1.23
11a1c994e3d6e5df03c9145edf5bb56cef7fe3a4b84d9c593cd802650fdacc88
[root@Docker-node1 ~]# docker run -it --name busybox --network hjw_net2 busybox:latest
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 56:11:58:97:AF:D8
          inet addr:172.21.0.2  Bcast:172.21.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:0
          RX bytes:1042 (1.0 KiB)  TX bytes:126 (126.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping 172.20.0.2
PING 172.20.0.2 (172.20.0.2): 56 data bytes
^C
--- 172.20.0.2 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
/ #

# attach the container above to the second network as well; it gains eth1
[root@Docker-node1 ~]# docker network connect hjw_net1 busybox
[root@Docker-node1 ~]# docker exec -it busybox sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if121: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 56:11:58:97:af:d8 brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.2/16 brd 172.21.255.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1@if122: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 0e:a3:f6:eb:87:c2 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.3/16 brd 172.20.255.255 scope global eth1
       valid_lft forever preferred_lft forever
/ # ip route
default via 172.20.0.1 dev eth1
172.20.0.0/16 dev eth1 scope link  src 172.20.0.3
172.21.0.0/16 dev eth0 scope link  src 172.21.0.2
/ # ping 172.20.0.2
PING 172.20.0.2 (172.20.0.2): 56 data bytes
64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.174 ms
64 bytes from 172.20.0.2: seq=1 ttl=64 time=0.571 ms
64 bytes from 172.20.0.2: seq=2 ttl=64 time=0.190 ms
^C
--- 172.20.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.174/0.311/0.571 ms
/ #
```

## Joined container networking

A joined container is a rather special network mode. It is selected at creation time with `--network=container:vm1`, where `vm1` is the name of an already running container. A container in this mode shares that container's network stack, so the two can talk to each other over `localhost`, which is efficient and fast.

Characteristics of joined mode:

- Shared network namespace: both containers use the same network stack.
- Communication over localhost: each can reach the other directly at `127.0.0.1` or `localhost`.
- Shared ports: the two containers cannot bind the same port.
- Other resources stay isolated: the filesystem, processes, users and so on are still separate.

Things to watch out for:

- If the `web1` container stops, the network of the `test` container is affected too.
- Because the network is shared, ports must not conflict: if `web1` has already bound port 80, `test` cannot bind port 80 as well.

```
[root@Docker-node1 ~]# docker run -it --rm --network hjw --name test busyboxplus:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if123: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether b6:1e:df:44:b9:36 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
/ # curl localhost
curl: (7) Failed to connect to localhost port 80: Connection refused
/ #
[root@Docker-node1 ~]# docker start web1
web1
[root@Docker-node1 ~]# docker exec -it web1 sh
# curl localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
# read escape sequence
[root@Docker-node1 ~]# docker run -it --rm --network container:web1 --name test1 busyboxplus:latest
/ # curl localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
/ #
```

## Containers reaching the outside network

On RHEL 7, Docker gives containers outside access by adding an address-masquerading (MASQUERADE) rule with iptables; on releases after RHEL 7 the masquerading rule is added through nftables.

```
[root@Docker-node1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  6   --  172.17.0.2           172.17.0.2           tcp dpt:80    # rule for internal-to-external access

Chain DOCKER (0 references)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
```

## Reaching Docker containers from outside

Port mapping with `-p host_port:container_port` exposes a container port on the host so that it can be reached from outside.

```
# docker-proxy forwards the packets inward
[root@Docker-node1 ~]# docker run -d --name webserver -p 80:80 nginx
[root@Docker-node1 ~]# ps ax
 133986 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 80
 133995 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip 172.17.0.2 -container-port 80
 134031 ?        Sl     0:00 /usr/bin/containerd-shim-runc-v2 -namespace moby -id cae79497a01c0b8c488c7597b43de4a43f361f21a398ff423b4504c0905db143 -address /run/containerd/containerd.sock
 134059 ?        Ss     0:00 nginx: master process nginx -g daemon off;
 134099 ?        S      0:00 nginx: worker process
 134100 ?        S      0:00 nginx: worker process

# a DNAT rule also forwards the traffic inward
[root@Docker-node1 ~]# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  6   --  172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (0 references)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
```

> [!NOTE]
> Once a port mapping is created for a container, both docker-proxy and the DNAT rule are set up; whichever gives the higher transfer rate carries the traffic.

## Docker cross-host networking

In production our containers cannot all live on one system, so containers need the ability to communicate across hosts.

### Cross-host network solutions

- Docker-native: `overlay` and `macvlan`.
- Third-party: flannel, weave, calico.

How are so many network solutions integrated with Docker? Through libnetwork, the Docker container networking library, and the CNM (Container Network Model), which abstracts container networking.

### CNM (Container Network Model)

CNM has three kinds of components:

- Sandbox: the container's network stack, including its interfaces, DNS and routing table (a network namespace).
- Endpoint: attaches a sandbox to a network (a veth pair).
- Network: a group of endpoints; endpoints on the same network can communicate.

### Cross-host communication with macvlan

macvlan is a NIC virtualization technology provided by the Linux kernel:

- No Linux bridge is needed; the physical interface is used directly, so performance is excellent.
- The container's interface is connected directly to the host NIC, with no NAT or port mapping.
- macvlan takes exclusive use of the host NIC, but VLAN sub-interfaces can be used to build several macvlan networks.
- A VLAN splits a physical layer-2 network into up to 4094 mutually isolated logical networks; VLAN IDs range from 1 to 4094.

### Isolation and connectivity between macvlan networks

macvlan networks are isolated at layer 2, so containers on different macvlan networks cannot talk to each other. They can be connected at layer 3 through a gateway; Docker itself imposes no restriction here, so manage them the way a traditional VLAN network is managed.

### Implementation

1. Add a NIC to each of the two Docker hosts and put it into promiscuous mode:

```
[root@Docker-node1 ~]# ip link set eth1 promisc on
[root@Docker-node1 ~]# ip link set up eth1
[root@Docker-node1 ~]# ifconfig eth1
eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        ether 00:0c:29:ec:fc:dd  txqueuelen 1000  (Ethernet)
        RX packets 83  bytes 8696 (8.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```

> [!NOTE]
> In VMware the eth1 adapter must be set to host-only mode.

2. Create the macvlan network (required on every host):

```
[root@Docker-node1 ~]# docker network create \
  -d macvlan \
  --subnet 1.1.1.0/24 \
  --gateway 1.1.1.1 \
  -o parent=eth1 macvlan1
```

3. Test:

```
# on docker-node1
[root@Docker-node1 ~]# docker run -it --name busybox --network macvlan1 --ip 1.1.1.100 --rm busybox
/ # ping 1.1.1.200

[root@Docker-node1 ~]# docker run -it --name busybox --network macvlan1 --ip 1.1.1.200 --rm busybox
/ #
```
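The custom bridge section above shows two things worth checking before running `docker network create`: subnets are handed out in increasing order (172.17, 172.18, 172.19 on this host; hjw_net1 and hjw_net2 later land on 172.20 and 172.21), and `--subnet`/`--gateway` are accepted as typed. A subnet that overlaps an existing Docker bridge or the host's own LAN (eth0 here is 172.25.254.0/24) produces ambiguous routing, and a gateway outside the subnet is simply a misconfiguration. The following Python is an added example, not code from the page or from Docker: it reproduces the increasing allocation over a pool that approximates the daemon's built-in local address pool (an assumption; confirm against `default-address-pools` in daemon.json) and validates a requested subnet/gateway pair. The network inventory is constructed from the interfaces visible on the page.

```python
import ipaddress

# Constructed from the networks visible on this page: docker0, the harbor
# bridge, the "hjw" bridge, and the host's own eth0 subnet.
EXISTING_NETWORKS = {
    "docker0": "172.17.0.0/16",
    "br-ac76f47bd847 (harbor_harbor)": "172.18.0.0/16",
    "br-fd12cf744b32 (hjw)": "172.19.0.0/16",
    "eth0 (host)": "172.25.254.0/24",
}

# Assumption: approximates Docker's built-in local pool (/16 blocks from
# 172.17.0.0 up to 172.31.255.255, then /20 blocks out of 192.168.0.0/16).
# Confirm the real pool with `default-address-pools` in daemon.json.
DEFAULT_POOL = [
    ("172.17.0.0/16", 16), ("172.18.0.0/16", 16), ("172.19.0.0/16", 16),
    ("172.20.0.0/14", 16), ("172.24.0.0/14", 16), ("172.28.0.0/14", 16),
    ("192.168.0.0/16", 20),
]


def next_free_subnet(existing, pool=DEFAULT_POOL):
    """First block in the pool that overlaps nothing already in use.

    Mirrors the increasing allocation seen on the page: with 172.17, 172.18
    and 172.19 taken, the next auto-created bridge receives 172.20.0.0/16.
    """
    used = [ipaddress.ip_network(cidr) for cidr in existing]
    for base, size in pool:
        for candidate in ipaddress.ip_network(base).subnets(new_prefix=size):
            if not any(candidate.overlaps(u) for u in used):
                return str(candidate)
    raise RuntimeError("address pool exhausted")


def check_subnet_request(subnet, gateway, existing):
    """Problems `docker network create --subnet S --gateway G` would run into.

    Returns an empty list when the request is safe to apply.
    """
    problems = []
    try:
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError as exc:  # e.g. host bits set, such as 192.168.0.5/24
        return [f"invalid subnet {subnet}: {exc}"]
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} lies outside {net}")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    for name, cidr in existing.items():
        other = ipaddress.ip_network(cidr)
        if net.overlaps(other):
            problems.append(f"{net} overlaps {name} ({other})")
    return problems


if __name__ == "__main__":
    print("next auto-allocated bridge:", next_free_subnet(EXISTING_NETWORKS.values()))
    for req in [("192.168.0.0/24", "192.168.0.100"),   # the page's my_net2
                ("172.25.254.0/24", "172.25.254.1")]:  # collides with host eth0
        print(req, "->", check_subnet_request(*req, EXISTING_NETWORKS) or "ok")
```

Run it before creating a network with a hand-picked range; on a real host, feed `EXISTING_NETWORKS` from `docker network inspect` and `ip route` rather than the constructed table.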
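The port-mapping section shows that `-p 80:80` sets up two things at once: a DNAT rule in the `DOCKER` chain with destination `0.0.0.0/0`, and docker-proxy listeners on `0.0.0.0` and `::`. That wildcard is the detail an operator auditing a host cares about, because it means the container is reachable on every host address, not only the one intended; binding with `-p 127.0.0.1:80:80` narrows the DNAT destination and the proxy bind to the loopback. The following Python is an added example, not code from the page or from Docker: it parses the page's `iptables -t nat -nL` and `ps ax` output (embedded here as constructed samples, plus one extra constructed rule that is not on the page, standing in for a container published on 127.0.0.1 only) and reports, per published port, whether it is exposed on every host address.

```python
import re

# Constructed sample: the `iptables -t nat -nL` output the page shows after
# `docker run -d --name webserver -p 80:80 nginx`, plus one extra rule that is
# NOT on the page, standing in for `-p 127.0.0.1:5432:5432`, so the two cases
# can be told apart.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  6   --  172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (0 references)
target     prot opt source               destination
DNAT       6    --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80
DNAT       6    --  0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
"""

# Constructed sample of the `ps ax` lines from the page: docker-proxy binds
# 0.0.0.0 and :: because `-p 80:80` named no host address.
SAMPLE_PS = """\
133986 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.17.0.2 -container-port 80
133995 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 80 -container-ip 172.17.0.2 -container-port 80
134059 ?        Ss     0:00 nginx: master process nginx -g daemon off;
"""

DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?:tcp|udp)\s+dpt:(?P<dport>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)"
)
PROXY_RE = re.compile(
    r"docker-proxy -proto (?P<proto>\S+) -host-ip (?P<host_ip>\S+) "
    r"-host-port (?P<host_port>\d+) -container-ip (?P<cip>\S+) -container-port (?P<cport>\d+)"
)
PROTO_NAMES = {"6": "tcp", "17": "udp"}  # `iptables -n` prints protocol numbers
WILDCARDS = {"0.0.0.0/0", "0.0.0.0", "::"}


def parse_dnat_rules(nat_output):
    """DNAT rules from the DOCKER chain: one dict per published port."""
    rules = []
    for line in nat_output.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["proto"] = PROTO_NAMES.get(r["proto"], r["proto"])
            r["dport"], r["cport"] = int(r["dport"]), int(r["cport"])
            rules.append(r)
    return rules


def parse_docker_proxy(ps_output):
    """docker-proxy listeners from `ps ax`, the userland half of a port mapping."""
    return [m.groupdict() for m in PROXY_RE.finditer(ps_output)]


def world_reachable(rules):
    """Published ports whose DNAT destination is the wildcard (every host address)."""
    return [r for r in rules if r["dst"] in WILDCARDS]


def report(nat_output, ps_output):
    """One audit line per DNAT rule, paired with the docker-proxy binds for that port."""
    proxies = parse_docker_proxy(ps_output)
    lines = []
    for r in parse_dnat_rules(nat_output):
        binds = sorted(p["host_ip"] for p in proxies
                       if int(p["host_port"]) == r["dport"] and p["proto"] == r["proto"])
        scope = "every host address" if r["dst"] in WILDCARDS else f"only {r['dst']}"
        lines.append(f"{r['proto']}/{r['dport']} -> {r['cip']}:{r['cport']} "
                     f"reachable on {scope}; docker-proxy binds: {binds or 'none seen'}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NAT_TABLE, SAMPLE_PS):
        print(line)
```

On a live host, replace the two samples with the real output of `iptables -t nat -nL` and `ps ax`; any port listed as reachable on every host address that should only serve local clients is a candidate for republishing with an explicit host IP.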