Detailed explanation of docker network command

Let’s first take a look at all the subcommands of network:

(Recommended tutorial: docker tutorial)

docker network create
docker network connect
docker network ls
docker network rm
docker network disconnect
docker network inspect

一, Create a network

When installing Docker Engine, a default bridge network docker0 will be automatically created. In addition, you can also create your own bridge network or overlay network.

The bridge network is attached to a single host running Docker Engine, while the overlay network can cover multiple host environments running their respective Docker Engines.

Creating a bridge network is relatively simple as follows:

 # 不指定网络驱动时默认创建的bridge网络
 docker network create simple-network
 # 查看网络内部信息
 docker network inspect simple-network
 # 应用到容器时，可进入容器内部使用ifconfig查看容器的网络详情

But creating an overlay network requires some prerequisites (for specific operations, please refer to the related content of Docker container network):

- key-value store（Engine支持Consul、Etcd和ZooKeeper等分布式存储的key-value store） 
- 集群中所有主机已经连接到key-value store 
- swarm集群中每个主机都配置了下面的daemon参数 
- –cluster-store 
- –cluster-store-opt 
- –cluster-advertise

Then Create an overlay network:

# 创建网络时，使用参数`-d`指定驱动类型为overlay
docker network create -d overlay my-multihost-network

In terms of using the --subnet option to create a subnet, the bridge network can only specify one subnet, while the overlay network supports multiple subnets.

Networks created under the bridge and overlay network drivers can specify different parameters.

2. Connect the container

Create three containers. The first two use the default network to start the container, and the third one uses the custom bridge network to start the container. Then add the second container to the custom network. The network conditions of these three containers are as follows:

The first container: only the default docker0

The second container: belongs to two networks-docker0, custom network

The third container: only belongs to the custom network

Note: Starting the specified network through the container will overwrite the default bridge network docker0.

# 创建三个容器 conTainer1,container2,container3
docker run -itd --name=container1 busybox
docker run -itd --name=container2 busybox
# 创建网络mynet
docker network create -d bridge --subnet 172.25.0.0/16 mynet
# 将容器containerr2连接到新建网络mynet
docker network connect mynet container2
# 使用mynet网络来容器container3
docker run --net=mynet --ip=172.25.3.3 -itd --name=container3 busybox
 
# 查看这三个容器的网络情况
docker network inspect container1 # docker0
docker network inspect container2 # docker0, mynet
docker network inspect container3 # mynet

3. The difference between the default network and the custom bridge network

Default network docker0: All hosts in the network can only access each other using IP. Containers created with the --link option can directly access the linked container name (container-name) as hostname.

Customized network (bridge): In addition to IP access, all hosts in the network can also directly access each other using the container name (container-name) as hostname.

# 进入container2内部
docker attach container2
ping -w 4 container3 # 可访问
ping -w 4 container1 # 不可访问
ping -w 4 172.17.0.2 # 可访问container1的IP
# Ctrl+P+Q退出容器，让container2以守护进程运行

4. The difference between the default network and the custom bridge network in container connection

Using link (legency link) in the default network has the following functions:

- 使用容器名作为hostname 
- link容器时指定alias: --link=<Container-Name>:<Alias> 
- 配合--icc=false隔离性，实现容器间的安全连接 
- 环境变量注入

Auto Using docker net in the defined network provides the following functions:

- 使用DNS实现自动化的名称解析 
- 一个网络提供容器的安全隔离环境 
- 动态地attach与detach到多个网络 
- 支持与--link选项一起使用，为链接的容器提供别名（可以是尚不存在链接容器，与默认容器中–link使用的最大差别）

The link in the default network is static and does not allow the link container to be restarted, while the link in the custom network is dynamic and supports the link container to restart. (And IP changes)
Therefore, the container linked when using --link must be created in advance in the default network, but does not need to be pre-built in the custom network.

When using docker network connectct to connect the container to a new network, when using the parameter --link to link the same container, you can specify different aliases, which are for different networks.

# 运行容器使用自定义网络，同时使用--link链接尚不存在的container5容器
docker run --net=mynet -itd --name=container4 --link container5:c5 busybox
# 创建容器container5
docker run --net=mynet -itd --name=container5 --link container4:c4 busybox
# 虽然是相同容器，但是在不同的网络环境连接中可以不同的alias链接
docker network connect --link container5:foo local_alias container4
docker network connect --link container4:bar local_alias container5

5. Specify the network-scoped alias of the container (Network-scoped alias)

Network-scoped alias is the alias of the specified container that can be accessed by other containers within the same network range.

Different from link aliases, link aliases are provided by the user of the link container and can only be used by itself; while aliases within the specified network range are provided by the container for use by other containers in the network.

Network-scoped alias: Multiple containers in the same network can specify the same alias. Of course, only the first container with the specified alias will take effect.
Only when the first container is closed , the alias of the second container that specifies the same alias will take effect.

docker run --net=mynet -itd --name=container6 --net-alias app busybox
docker network connect --alias scoped-app local_alias container6
docker run --net=isolated_nw -itd --name=container7 --net-alias app busybox
docker network connect --alias scoped-app local_alias container7
# 在container4中
docker attach container4
ping app # 访问container6的IP
# 从container4中以守护进程运行退出：Ctrl+P+Q
docker stop container6
docker attach container4
ping app # 访问的container7的IP

6. Disconnect and remove the network

# 容器从mynet网络中断开（它将无法再网络中的容器container3通讯）
docker network disconnect mynet container2
# 测试与容器container3失败
docker attach container2
ping contianer3 # 访问失败

In a multi-host network environment, container already will appear when connecting a container to the network with a removed container name. Connected to network error,
At this time, you need to forcefully remove the new container docker rm -f, re-run and connect to the network.

Removing a network requires that all containers in the network be closed or disconnected from this network before the removal command can be used:

# 断开最后一个连接到mynet网络的容器
docker network disconnet mynet container3
# 移除网络
docker network rm mynet

The above is the detailed content of Detailed explanation of docker network command. For more information, please follow other related articles on the PHP Chinese website!