docker 学习笔记(五)
docker 容器运行
一般启动
[root@test ~]# docker run --name t1 -it --rm busybox:latest
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
Digest: sha256:bde48e1751173b709090c2539fdf12d6ba64e88ec7a4301591227ce925f3c678
Status: Downloaded newer image for busybox:latest
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
指定网络模式
[root@test ~]# docker run --name t1 -it --network bridge --rm busybox:latest
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
38: eth0@if39: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
[root@test ~]# docker run --name t1 -it --network none --rm busybox:latest
/ # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
/ #
启动时指定 hostname
[root@test ~]# docker run --name t1 -it --network bridge -h qiankunpingtai.cn --rm busybox:latest
/ # hostname
qiankunpingtai.cn
/ # nslookup -type=A www.baidu.com
Server: 202.106.46.151
Address: 202.106.46.151:53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com
Name: www.a.shifen.com
Address: 110.242.68.3
Name: www.a.shifen.com
Address: 110.242.68.4
启动时指定 DNS
[root@test ~]# docker run --name t1 -it --network bridge -h qiankunpingtai.cn --dns 114.114.114.114 --rm busybox:latest
/ # cat /etc/resolv.conf
nameserver 114.114.114.114
启动时指定搜索域
[root@test ~]# docker run --name t1 -it --network bridge -h qiankunpingtai.cn --dns 114.114.114.114 --dns-search qkpt --rm busybox:latest
/ # cat /etc/resolv.conf
search qkpt
nameserver 114.114.114.114
启动时添加主机名
[root@test ~]# docker run --name t1 -it --network bridge -h qiankunpingtai.cn --dns 114.114.114.114 --dns-search qkpt --add-host ds1:192.168.2.1 --rm busybox:latest
/ # cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.2.1 ds1
172.17.0.2 qiankunpingtai.cn qiankunpingtai
端口映射
- `-p <containerPort>` 将指定的容器端口映射至主机所有地址上的一个动态端口
- `-p <hostPort>:<containerPort>` 将容器端口映射至主机所有地址上指定的主机端口
- `-p <ip>::<containerPort>` 将指定的容器端口映射至主机指定地址 `<ip>` 上的一个动态端口
- `-p <ip>:<hostPort>:<containerPort>` 将指定的容器端口映射至主机指定地址 `<ip>` 上的指定端口
动态端口指随机分配的端口,具体的映射结果可以使用 docker port 命令查看;该映射在主机 iptables nat 表的 DOCKER 链中对应一条 DNAT 规则(见下文)。
[root@test ~]# docker run --name t1 -it --network bridge -p 8080 --rm busybox:latest
/ #
查看端口映射
[root@test ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 60 DOCKER-INGRESS all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
82 4761 PREROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
82 4761 PREROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
82 4761 PREROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
1 60 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 161 packets, 10068 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-INGRESS all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
29888 1874K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 161 packets, 10068 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
1 59 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-6dd2cc5f18b5 172.21.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-5e09f0a7664c 172.20.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !docker_gwbridge 172.19.0.0/16 0.0.0.0/0
29888 1874K POSTROUTING_direct all -- * * 0.0.0.0/0 0.0.0.0/0
29888 1874K POSTROUTING_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
29888 1874K POSTROUTING_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:8080
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-6dd2cc5f18b5 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- br-5e09f0a7664c * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker_gwbridge * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32769 to:172.17.0.2:8080
Chain DOCKER-INGRESS (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432 to:172.19.0.2:5432
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2181 to:172.19.0.2:2181
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.19.0.2:80
1 60 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
29888 1874K POST_public all -- * enp0s3 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 POST_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain POSTROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public (2 references)
pkts bytes target prot opt in out source destination
29888 1874K POST_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
29888 1874K POST_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
29888 1874K POST_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain POST_public_log (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_ZONES (1 references)
pkts bytes target prot opt in out source destination
81 4702 PRE_public all -- enp0s3 * 0.0.0.0/0 0.0.0.0/0 [goto]
1 59 PRE_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
Chain PREROUTING_direct (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public (2 references)
pkts bytes target prot opt in out source destination
82 4761 PRE_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
82 4761 PRE_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
82 4761 PRE_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_deny (1 references)
pkts bytes target prot opt in out source destination
Chain PRE_public_log (1 references)
pkts bytes target prot opt in out source destination
Joined containers
联盟式容器是指使用某个已经存在容器的网络接口的容器,接口被联盟内的各容器共享使用;因此,联盟式容器彼此间完全无隔离,例如
- 创建一个监听于 2222 端口的 http 服务容器
docker run --name b1 -it --rm busybox
docker run --name b2 --network container:b1 -it --rm busybox
- 创建一个联盟式容器,并查看其监听的端口
联盟式容器彼此间虽然共享同一个网络命名空间,但其它名称空间如 User、Mount 等还是隔离的。
联盟式容器彼此间存在端口冲突的可能性,因此,通常只会在多个容器上的程序需要通过 loopback 接口相互通信、或需要对某个已存在容器的网络属性进行监控时才使用此种网络模型。