:title: Configure Networking
:description: Docker networking
:keywords: network, networking, bridge, docker, documentation

Configure Networking
====================

Docker uses Linux bridge capabilities to provide network connectivity
to containers. The ``docker0`` bridge interface is managed by Docker
for this purpose. When the Docker daemon starts, it:

- creates the ``docker0`` bridge if not present
- searches for an IP address range which doesn't overlap with an existing route
- picks an IP in the selected range
- assigns this IP to the ``docker0`` bridge

.. code-block:: bash

    # List host bridges
    $ sudo brctl show
    bridge name     bridge id               STP enabled     interfaces
    docker0         8000.000000000000       no

    # Show docker0 IP address
    $ sudo ifconfig docker0
    docker0   Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:172.17.42.1  Bcast:0.0.0.0  Mask:255.255.0.0

At runtime, a :ref:`specific kind of virtual
interface<vethxxxx-device>` is given to each container and is then
attached to the ``docker0`` bridge. Each container also receives a
dedicated IP address from the same range as ``docker0``. The
``docker0`` IP address is used as the default gateway for the
container.

.. code-block:: bash

    # Run a container
    $ sudo docker run -t -i -d base /bin/bash
    52f811c5d3d69edddefc75aff5a4525fc8ba8bcfa1818132f9dc7d4f7c7e78b4

    $ sudo brctl show
    bridge name     bridge id               STP enabled     interfaces
    docker0         8000.fef213db5a66       no              vethQCDY1N

Above, ``docker0`` acts as a bridge for the ``vethQCDY1N`` interface,
which is dedicated to the ``52f811c5d3d6`` container.

How to use a specific IP address range
---------------------------------------

Docker will try hard to find an IP range that is not used by the
host. Even though it works for most cases, it's not bullet-proof and
sometimes you need to have more control over the IP addressing scheme.

For this purpose, Docker allows you to manage the ``docker0`` bridge
or a bridge of your own, selected with the ``-b=<bridgename>`` parameter.

In this scenario:

- ensure Docker is stopped
- create your own bridge (``bridge0`` for example)
- assign a specific IP to this bridge
- start Docker with the ``-b=bridge0`` parameter

.. code-block:: bash

    # Stop Docker
    $ sudo service docker stop

    # Clean docker0 bridge and
    # add your very own bridge0
    $ sudo ifconfig docker0 down
    $ sudo brctl addbr bridge0
    $ sudo ifconfig bridge0 192.168.227.1 netmask 255.255.255.0

    # Edit your Docker startup file
    # (sudo tee is used because a plain ">>" redirect would not run as root)
    $ echo 'DOCKER_OPTS="-b=bridge0"' | sudo tee -a /etc/default/docker

    # Start Docker
    $ sudo service docker start

    # Ensure bridge0 IP is not changed by Docker
    $ sudo ifconfig bridge0
    bridge0   Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:192.168.227.1  Bcast:192.168.227.255  Mask:255.255.255.0

    # Run a container
    $ sudo docker run -i -t base /bin/bash

    # Container IP in the 192.168.227/24 range
    root@261c272cd7d5:/# ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:192.168.227.5  Bcast:192.168.227.255  Mask:255.255.255.0

    # bridge0 IP as the default gateway
    root@261c272cd7d5:/# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.227.1   0.0.0.0         UG    0      0        0 eth0
    192.168.227.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0

    # Press CTRL+P then CTRL+Q to detach

    # Display bridge info
    $ sudo brctl show
    bridge name     bridge id               STP enabled     interfaces
    bridge0         8000.fe7c2e0faebd       no              vethAQI2QT

Container intercommunication
----------------------------

The value of the Docker daemon's ``icc`` parameter determines whether
containers can communicate with each other over the bridge network.

- The default, ``-icc=true``, allows containers to communicate with each other.
- ``-icc=false`` means containers are isolated from each other.

Docker uses ``iptables`` under the hood to either accept or
drop communication between containers.

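To confirm which ``icc`` setting is actually in force on a host, the rules can be read back from ``iptables``. The script below is an added example, not part of the original Docker documentation: ``icc_state`` is a hypothetical helper, the sample rule sets are constructed, and it assumes the daemon expresses the setting as a single ``FORWARD`` rule that names the bridge as both input and output interface.

```shell
#!/bin/sh
# Added example, not from the Docker docs. The sample rules are constructed.
# Assumption: icc appears as one FORWARD rule with the bridge as both the
# input and the output interface, targeting ACCEPT or DROP.

# icc_state BRIDGE: reads `iptables -S FORWARD` output on stdin and prints
# accept, drop, or unknown for container-to-container traffic on BRIDGE.
icc_state() {
    awk -v br="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i < NF; i++) {
                # A preceding "!" negates the match (for example "! -o docker0"),
                # so record it and keep that rule from counting as bridge-to-bridge.
                neg = ($(i - 1) == "!") ? "!" : ""
                if ($i == "-i") in_if = neg $(i + 1)
                if ($i == "-o") out_if = neg $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Report the first rule that names the bridge on both sides.
            if (in_if == br && out_if == br && (target == "ACCEPT" || target == "DROP")) {
                print tolower(target); found = 1; exit
            }
        }
        END { if (!found) print "unknown" }
    '
}

# Constructed rule set resembling a daemon started with -icc=false.
SAMPLE_ICC_FALSE='-P FORWARD ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j DROP'

# Constructed rule set resembling the default, -icc=true.
SAMPLE_ICC_TRUE='-P FORWARD ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

printf '%s\n' "$SAMPLE_ICC_FALSE" | icc_state docker0
printf '%s\n' "$SAMPLE_ICC_TRUE" | icc_state docker0

# On a live host: sudo iptables -S FORWARD | icc_state docker0
```

An ``unknown`` result means no such rule was found for the bridge, which is worth investigating when the daemon uses a custom bridge such as ``bridge0``.
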
.. _vethxxxx-device:

What is the vethXXXX device?
----------------------------

Well. Things get complicated here.

The ``vethXXXX`` interface is the host side of a point-to-point link
between the host and the corresponding container; the other side of
the link is the container's ``eth0`` interface. This pair (host
``vethXXXX`` and container ``eth0``) is connected like a tube:
everything that comes in one side will come out the other side.

All the plumbing is delegated to Linux network capabilities (check the
``ip link`` command) and the namespaces infrastructure.

I want more
-----------

Jérôme Petazzoni has created ``pipework`` to connect together
containers in arbitrarily complex scenarios:
https://github.com/jpetazzo/pipework