The problem and solution of Docker can't bind to static external network
- 2020-06-03 08:59:36
- OfStack
Some time ago, I have been studying how to assign static ip to Docker, the main purpose of which is to let thrift come in and go out 1 ip, and the crawler can be independent of ip address, so as to achieve a good crawler multi-ES6en way... But with the addition of nginx tcp and the development of an ip polling access module based on Python socket, these two problems were solved... Of course, just because of these two problems doesn't mean that we should abandon the problem... .
In Docker run, we can add the -ES16en parameter to control its source source ip. The following command, speaking externally, opens port 192.168.1.200:9200... But we are more than that. docker ES20en-ES21en port is implemented by borrowing iptables... When we are iptables-ES24en nat-ES26en, we can see the nat relationship that docker makes for me... When docker does prerouting of iptables, a custom chain called docker is added... Almost beside the point again, if it's in bridge mode, then it makes it very complicated to change the port map if we have a large port change in the container, one iptables prerouting map for every change... However, if you choose HOST network mode, you will not be able to determine which ip address your app is bound to. Not all servers support bind ip address. Some lousy servers bind the first ip address by default... At this point, it becomes necessary to assign a separate static ip address to the docker container... Anyway, just one ip address, you can toss about... .
Python
docker run -it -p 192.168.1.200:9200:9200 redis_cluster 9200
Python
root@ubuntu:~#
iptables -t nat -L -n
ChainPREROUTING(policyACCEPT)
target protoptsource destination
DOCKER all -- 0.0.0.0/0 0.0.0.0/0 ADDRTYPEmatchdst-typeLOCAL
ChainINPUT(policyACCEPT)
target protoptsource destination
ChainOUTPUT(policyACCEPT)
target protoptsource destination
DOCKER all -- 0.0.0.0/0 !127.0.0.0/8 ADDRTYPEmatchdst-typeLOCAL
ChainPOSTROUTING(policyACCEPT)
target protoptsource destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0
MASQUERADE all -- 172.17.0.0/16 !172.17.0.0/16
MASQUERADE tcp -- 172.17.0.1 172.17.0.1 tcpdpt:9200
ChainDOCKER(2references)
target protoptsource destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcpdpt:9200to:172.17.0.1:9200
It should be noted that when docker run creates a container, 1 must change its network card mode to docker's none... When docker customizes the network, the container will have a network like net=none. .
Then, if I want to completely allocate an extranet ip to the container, or manage ip, just a static independent ip, how can I break it? This is possible with pipework. But it's a little more complicated, so let's start with ip netns... Through inspect we know his state pid.
Python
root@ubuntu:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
232621e9e9fb redis_cluster "/app/manage.sh 9000 41 minutes ago Up 41 minutes agitated_blackwell
root@ubuntu:~# docker inspect -f "{{.State.Pid}}" 232621e9e9fb
4777
root@ubuntu:~# pid=4777
So let's start binding static ip addresses, but don't look at the principle, just do it for now...
Python
mkdir-p/var/run/netns
ln-s/proc/$pid/ns/net/var/run/netns/$pidiplinkaddAtypevethpeernameB
brctladdifdocker0A
iplinksetAup
iplinksetBnetns$pid
ipnetnsexec$pidiplinksetdevBnameeth0
ipnetnsexec$pidiplinkseteth0up
ipnetnsexec$pidipaddradd192.168.1.200/24deveth0
ipnetnsexec$pidiprouteadddefaultvia192.168.1.1
After all of these, we will find that there is an lo network card in the container and an eth0 network card. The ip address of the network card is exactly the 192.168.1.200 that we just bound
Python
bash-4.1#
ip a
1:lo:<LOOPBACK,UP,LOWER_UP>mtu65536qdiscnoqueuestateUNKNOWN
link/loopback00:00:00:00:00:00brd00:00:00:00:00:00
inet127.0.0.1/8scopehostlo
valid_lftforeverpreferred_lftforever
inet6::1/128scopehost
valid_lftforeverpreferred_lftforever
22:eth0:<BROADCAST,MULTICAST,UP,LOWER_UP>mtu1500qdiscpfifo_faststateUPqlen1000
link/etherca:aa:87:05:c9:5abrdff:ff:ff:ff:ff:ff
inet192.168.1.200/24scopeglobaleth0
valid_lftforeverpreferred_lftforever
inet6fe80::c8aa:87ff:fe05:c95a/64scopelink
valid_lftforeverpreferred_lftforever
bash-4.1#
So far, the method of docker binding to fixed static ip has been explained... After reading the article, you will find that docker binding ip is relatively simple.. The network of docker is not easy to understand. In the past two days, I have devoted myself to the whole process of docker's allocation of ip (docker iptables).