See through the phenomenon - docker's network mode, docker's custom network configuration while troubleshooting (bridge mode)

Posted by nickk on Sat, 18 Apr 2020 19:13:36 +0200

See Essentials Through Phenomena - docker's four network modes, configuring docker's custom network while troubleshooting

Preface

The last article described resource control for docker, mainly in three areas: CPU, memory, and IO.This article describes the network mode in docker 4.

1. Brief description of three network modes in VMware

Perhaps, for many friends who are exposed to the Linux operating system, the first step is to learn in depth through virtual machine software.For one of these software, the network connection of VMware software may be a difficult problem for beginners.The principles and significance of the three network modes provided may not have been understood at all.This subsection then briefly describes the three network modes of VMware: Bridged, NAT, and Host-Only.These three types correspond to VMnet0, VMnet1 (or newly created later), VMnet8 (NAT network card can only have one)

1.1 Bridge Mode

Concept: Bridge mode is the use of a virtual bridge to communicate between the network card of the host (like on your notebook) and the network card of the virtual machine.

Principle Understanding: The understanding of this mode can be thought of as a virtual switch in which all bridged virtual machines are connected to one interface of the switch. Of course, the physical machines also need to be connected to this switch, that is, all network cards in bridged mode are switching mode, accessible to each other and do not interfere with each other.

Typical features: The IP address of the virtual machine needs to be on the same network segment as the host, and if networking is required, the gateway and DNS need to be consistent with the host network card.

This can be explained in the following illustrations:

1.2 Network Address Translation Mode

NAT mode should be relatively familiar.Network address translation, since there is address translation, must have changed.NAT mode is better suited for situations where IP resources are scarce and virtual machines are expected to be networked.

NAT mode relies on virtual NAT devices and virtual DHCP servers, enabling virtual machines to connect to the network.As shown in the following figure:

1.3 Host only mode

Host-only mode, in fact, is a network mode without NAT devices. It only uses VMnet1 virtual network card to connect with virtual switches to communicate with virtual machines. This mode achieves the isolation of virtual machines from external networks, that is, a single server that communicates with each other only.As shown in the following figure:

Okay, now you have a general idea of the three network modes in VMware. Now let's continue to talk about the network modes in docker.

2. Network mode of docker

2.1 docker network implementation principle

Doker uses Linux bridging, which means that the host machine virtual a docker container bridge (docker0), and when the docker starts a container, it assigns the container an IP address based on the segment of the docker bridge, which is the container ip, and the docker is the default gateway for each container.Therefore, containers within the same host can communicate directly through the container IP address.

Normally, after installing and starting the docker service, we can use the ifconfig command to view the virtual bridge device for this docker0:

[root@localhost ~]# ifconfig | head -7
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:58:71:c9:ba  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

From the results shown above, the default container gateway address is 172.17.0.1/16ha!Of course, loopback network cards are loopback network cards, test validation (TCP/IP connections), and virtual bridges are virtual bridges (think KVM [Native Cloud]

(Of course, docker bridges are virtual hosts, not real network devices. External networks cannot be directly addressed through IP addresses. This means that we need to make the external network accessible to the container in other ways, typically by accessing the ports of the host ip-bound container (and ports are typically mapped, which will be described later).Access to row containers.

4 network modes of 2.2 docker

The following table directly distinguishes the four docker network modes

docker network mode To configure Explain
host Container and host share Network namespace
container mode Container shares Network namespace with another container
none mode Containers have separate network namespaces but do not have any network settings for them, such as assigning Veth pairs and bridge connections, configuring IP, etc.
bridge mode Default mode

Actually, after starting the docker service, you can use the docker network related commands to control the management network. Here's a list of the networks: (there are three by default). Here's a step-by-step description (combining the contents of the first section to understand the network principles in docker).

[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
3763f78eb404        bridge              bridge              local
3bb2f50eb211        host                host                local
e12cd7b98c54        none                null                local

2.2.1 host mode

The host mode is understood in conjunction with host-only mode in VMware, as illustrated in the following diagram:

From the diagram above, you can see that if the host mode is used after starting the container, the container will not get a separate Network Namespace (network namespace), but will share a Network Namespace with the host system.And that means the container will not dummy out its own network card, configure its own ip, etc. but will use the host's IP and port.However, it is isolated from other aspects, such as the file system.

The biggest advantage of this method is that the network performance is good, but the disadvantage is also obvious - the network isolation is weak.

2.2.2 container mode

This pattern, as described in the table above, means that a Network Namespace is shared between the specified newly created container and an existing container.This also means that the new container will not create its own network card and other related operations, but will share these resources with the specified container.

This mode is also similar to the host s described above, except for the network, its file system, process list, and so on are all isolated.

Refer to the following figure:

2.2.3none mode

With none mode, the Docker container has its own Network Namespace, but no network configuration will be made to the Docker container.This means that this Docker container does not have network card, IP, routing, etc.We need to add network cards, configure IP, etc. for the Docker container ourselves.This way the network is most completely isolated, meaning that the network functionality of the container is turned off and that the container is inaccessible.

The diagram is as follows:

2.2.4 bridge mode

This mode is the default docker network mode after we start the docker service. It creates a virtual network bridge named docker0 on the host, and all the boot containers on this host are connected to this virtual network bridge.Combining the principle of bridge mode in VMware, it is easy to understand the principle of physical switch.

Assign an IP from the docker0 subnet to the container and set the IP address of the docker0 as the default gateway for the container.Create a pair of virtual network card veth pair devices on the host, Docker will VethThe pair device is placed in a newly created container (veth has seen us in OpenStack, and I think it can be understood as a bridge, a virtual device that establishes the relationship between the two sides of the bridge), named eth0 (the container's network card), and on the host, named vethxxx after something similar, and added this network device to docker0In the bridge.

When using the docker run-p command, docker actually makes DNA T rules in the firewall to implement port forwarding.

The following is an understanding of the server structure of a node:

Of course, none of these four modes need to be manually configured. What you really need to configure is a custom network.

3. Configuration of commands related to docker network control

The docker network command corresponding to the docker network control is given above. Here is a detailed description of the command:

docker network Command usage of:
Usage:  docker network COMMAND

Manage networks

Commands:
  connect     Connect a container to a network
  create      Create a network
  disconnect  Disconnect a container from a network
  inspect     Display detailed information on one or more networks
  ls          List networks
  prune       Remove all unused networks
  rm          Remove one or more networks

3.1 Bridge Command Settings

We configure the docker network by experimenting, troubleshooting, and validating.

The firewall needs to be turned on because NAT address translation is required, but the core protection is off.

[root@localhost ~]# systemctl start firewalld.service 
[root@localhost ~]# systemctl status firewalld.service 
‚óŹ firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since 2020-04-06 10:18:40 CST; 2s ago
     Docs: man:firewalld(1)
 Main PID: 65611 (firewalld)
...

Initialize the environment: (returns to this environment state later)

[root@localhost ~]# docker images 
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

Let's try to set an ip address (custom) to a container by docker bridge (bridging). Here's a look at the results of the command execution:

[root@localhost ~]# docker run -itd --name test --network bridge --ip 172.17.0.10 centos:7 /bin/bash
Unable to find image 'centos:7' locally
7: Pulling from library/centos
ab5ef0e58194: Pull complete 
Digest: sha256:4a701376d03f6b39b8c2a8f4a8e499441b0d567f9ab9d58e4991de4472fb813c
Status: Downloaded newer image for centos:7
29f9e9cbb398085d7c89bed2982d626bfb7e564371a76a6cb693cffa68b917af
docker: Error response from daemon: user specified IP address is supported on user defined networks only.

First, since the mirror is not altered, the container is pulled out, created, and attempted to run, but an error is encountered because the user's own ip address is only appropriate for the network they define.However, this does not affect the acquisition and creation of the mirror. Let's try running to see the results:

[root@localhost ~]# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
centos              7                   5e35e350aded        4 months ago        203MB
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
29f9e9cbb398        centos:7            "/bin/bash"         About a minute ago   Created                                 test
[root@localhost ~]# docker start 29f9e9cbb398
Error response from daemon: user specified IP address is supported on user defined networks only
Error: failed to start containers: 29f9e9cbb398

Obviously, the result tells us that this is still the cause of the problem, so you can only delete this container.Let's just revert to the initialization environment (actually, you can remove it--the network bridge won't make a mistake, but the set ip address won't work, so try it yourself). We won't specify an ip address to try, we'll check that we don't add this parameter, and we'll set the ip address in a custom way after reverting to the initialization state.

[root@localhost ~]# docker run -itd --name demo centos:7 /bin/bash
984545df8ebf2c30f4ccf3f5f4699ed67bd2a93cbc068f2ace4865a828b4a4d1
[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
984545df8ebf        centos:7            "/bin/bash"         8 seconds ago       Up 6 seconds                            demo

Enter the container to view the ip address

[root@localhost ~]# docker exec -it 984545df8ebf /bin/bash
[root@984545df8ebf /]# yum install -y net-tools
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
[root@984545df8ebf /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 2201  bytes 15042254 (14.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1999  bytes 111171 (108.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

First, we need to create a custom subnet segment and give it a name by which to set a fixed ip address for the corresponding container.

[root@localhost ~]# docker network create --subnet=172.18.0.0/24 mynetwork
Error response from daemon: Failed to Setup IP tables: Unable to enable SKIP DNAT rule:  (iptables failed: iptables --wait -t nat -I DOCKER -i br-4cd28c051bec -j RETURN: iptables: No chain/target/match by that name.
 (exit status 1))

Unfortunately, error again, don't panic. Let's see what caused this error. It seems that the root cause of this error is the firewall, which means we can't skip the DNA T (Target Network Address Translation) rule. In fact, the cause of this problem is that we just opened the firewall, but did not restart the docker service, which is similar to changing the configuration file and not restarting the service.

[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker network create --subnet=172.18.0.0/24 mynetwork
723d0fd514eb219d57667f72c3eb75fc4864af0cd94c21b6c70e868fb8d520a1
[root@localhost ~]# docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
00008a1e778b        bridge              bridge              local
3bb2f50eb211        host                host                local
723d0fd514eb        mynetwork           bridge              local
e12cd7b98c54        none                null                local
[root@localhost ~]# 

A test to verify custom settings for a container's fixed IP address is performed at this time:

[root@localhost ~]# docker run -itd --name test2 --network mynetwork --ip 172.18.0.10 centos:7 /bin/bash
Unable to find image 'centos:7' locally
7: Pulling from library/centos
ab5ef0e58194: Pull complete 
Digest: sha256:4a701376d03f6b39b8c2a8f4a8e499441b0d567f9ab9d58e4991de4472fb813c
Status: Downloaded newer image for centos:7
683ad76f7789b5c16f251577047a288a3a4a00777128a216adfee15985b94c04

View the status of the container, enter the container to view the ip address

[root@localhost ~]# docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
683ad76f7789        centos:7            "/bin/bash"         23 seconds ago      Up 22 seconds                           test2
[root@localhost ~]# docker exec -it 683ad76f7789 /bin/bash
[root@683ad76f7789 /]# yum install -y net-tools
Loaded plugins: fastestmirror, ovl
...
[root@683ad76f7789 /]# ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.10  netmask 255.255.255.0  broadcast 172.18.0.255
        ether 02:42:ac:12:00:0a  txqueuelen 0  (Ethernet)
        RX packets 2302  bytes 15050471 (14.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2049  bytes 113777 (111.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 62  bytes 7019 (6.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 62  bytes 7019 (6.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The custom network settings container ip address was found to be successful.

4. Summary

In this paper, the working principle of three network modes in VMware software is explained, docker's various network modes are explained step by step, and how docker bridge mode configures container ip address, default mode and customized mode are described in detail through a case combined with troubleshooting ideas.

Finally, it is important to note whether the commands need to be remembered, typed and practiced. Thank you for reading!

Topics: Linux network Docker CentOS Vmware