所以我正在尝试创建一个网络(docker network create(,以便其流量通过特定的物理网络接口(NIC(;我有两个:<iface1>(内部(和<iface2>(外部(。
我需要将两个NIC的流量物理分离。
方法1:
我认为macvlan是创建这样的网络的驱动程序。对于我在互联网上发现的大多数内容,解决方案都引用了Pipework(现在已弃用(和临时docker插件(也已弃用(。对我帮助最大的是这个
docker network create -d macvlan
--subnet 192.168.0.0/16
--ip-range 192.168.2.0/24
-o parent=wlp8s0.1
-o macvlan_mode=bridge
macvlan0
然后,为了使容器从主机上可见,我需要在主机中执行以下操作:
sudo ip link add macvlan0 link wlp8s0.1 type macvlan mode bridge
sudo ip addr add 192.168.2.10/16 dev macvlan0
sudo ifconfig macvlan0 up
现在容器和主机可以互相看到:(但是容器无法访问本地网络。这个想法是,容器可以访问互联网。
方法2:
由于我将手动使用<iface2>,如果默认情况下流量通过<iface1>,我也可以。但无论我以何种顺序启动NIC(我也尝试暂时删除<iface2>的LKM(;整个业务总是被外部NIC<iface2>所超越。我发现,之所以会发生这种情况,是因为路由表会在某个"随机"时间自动更新。为了强制流量通过<iface1>,我必须(在主机中(:
sudo route del -net <net> gw 0.0.0.0 netmask 255.0.0.0 dev <iface2>
sudo route del default <iface2>
现在,我可以(通过几种方式(验证流量只是通过<iface1>。但当路由表(自动(更新时,所有流量都转移到<iface2>。该死我确信有一种方法可以使路由表"静态"或"持久"。
EDIT(2018年7月18日(:主要思想是能够通过docker容器访问互联网,使用两个可用物理网络接口中的一个。
我的环境:
在为ip地址为192.168.122.1的vm virbr0桥创建的主机上,以及为接口为ens3、ip地址为192192.168.122.152的up vm实例上。
192.168.122.1-是192.168.122.0/24网络的网关。
进入vm:
创建网络:
# docker network create --subnet 192.168.122.0/24 --gateway 192.168.122.1 --driver macvlan -o parent=ens3 vmnet
创建docker容器:
# docker run -ti --network vmnet alpine ash
检查:
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
12: eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:c0:a8:7a:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.2/24 brd 192.168.122.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping 192.168.122.152
PING 192.168.122.152 (192.168.122.152): 56 data bytes
^C
--- 192.168.122.152 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # ping 192.168.122.1
PING 192.168.122.1 (192.168.122.1): 56 data bytes
64 bytes from 192.168.122.1: seq=0 ttl=64 time=0.471 ms
^C
--- 192.168.122.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.471/0.471/0.471 ms
好的,我建立了另一个ip地址为192.168.122.73的vm,并从docker检查:
/ # ping 192.168.122.73 -c2
PING 192.168.122.73 (192.168.122.73): 56 data bytes
64 bytes from 192.168.122.73: seq=0 ttl=64 time=1.630 ms
64 bytes from 192.168.122.73: seq=1 ttl=64 time=0.984 ms
--- 192.168.122.73 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.984/1.307/1.630 ms
从docker实例来看,我无法在vm上ping接口,但我可以访问本地网络。
/ # ip n|grep 192.168.122.152
192.168.122.152 dev eth0 used 0/0/0 probes 6 FAILED
在vm上,我添加了macvlan0 nic:
# ip link add macvlan0 link ens3 type macvlan mode bridge
# ip addr add 192.168.122.100/24 dev macvlan0
# ip l set macvlan0 up
从docker我可以ping 192.168.122.100:
/ # ping 192.168.122.100 -c2
PING 192.168.122.100 (192.168.122.100): 56 data bytes
64 bytes from 192.168.122.100: seq=0 ttl=64 time=0.087 ms
64 bytes from 192.168.122.100: seq=1 ttl=64 time=0.132 ms
--- 192.168.122.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.087/0.109/0.132 ms