
The information in this section explains IPv6 on the default Docker bridge. This is a bridge network named bridge that is created automatically when you install Docker.

Because of the exhaustion of IPv4 addresses, the IETF has standardized the successor to IPv4, Internet Protocol version 6, in RFC 2460. Both protocols (IPv4 and IPv6) reside on layer 3 of the OSI model.

How IPv6 works on Docker

By default, the Docker daemon configures container networks for IPv4 only. You can enable IPv4/IPv6 dual-stack support by running the Docker daemon with the --ipv6 flag. Docker then sets up the docker0 bridge with the IPv6 link-local address fe80::1.

By default, containers that are created only get a link-local IPv6 address. To assign globally routable IPv6 addresses to your containers, you must specify an IPv6 subnet to pick the addresses from. Set the IPv6 subnet with the --fixed-cidr-v6 parameter when starting the Docker daemon:

You can run dockerd with these flags directly, but it is recommended that you set them in the daemon.json configuration file instead. The following example daemon.json enables IPv6 and sets the IPv6 subnet to 2001:db8:1::/64:

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

The subnet for Docker containers should have a size of at least /80, so that an IPv6 address can end with the container's MAC address. This prevents NDP neighbor cache invalidation issues in the Docker layer.
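
As an added example (not part of the Docker documentation), the following Python checks a daemon.json snippet for the settings above before the daemon is restarted: that ipv6 is enabled, that the key is spelled fixed-cidr-v6, that the value is a proper network with no host bits set, and that the prefix is no longer than /80. The sample configurations, the threshold constant and the function name are constructed for this illustration.

```python
import ipaddress
import json

# Constructed sample daemon.json documents for this illustration. The first
# mirrors the settings on this page, the second has a misspelled key, the
# third hands Docker a subnet that is smaller than the recommended /80.
GOOD_CONFIG = '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64"}'
TYPO_CONFIG = '{"ipv6": true, "fixed-cid4-v6": "2001:db8:1::/64"}'
SMALL_CONFIG = '{"ipv6": true, "fixed-cidr-v6": "2001:db8:1::/96"}'

# A container address should be able to end with the container's 48-bit MAC,
# so the prefix may not be longer than 80 bits (the constant name is ours).
MAX_PREFIX_LEN = 80


def check_ipv6_daemon_config(text: str) -> list:
    """Return human-readable problems with the IPv6 settings of a daemon.json
    snippet; an empty list means the settings match this page's advice."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc}"]

    problems = []
    if cfg.get("ipv6") is not True:
        problems.append('"ipv6" must be true to enable IPv4/IPv6 dual stack')

    cidr = cfg.get("fixed-cidr-v6")
    if cidr is None:
        # Point at a stray key that looks like the intended one (e.g. a typo).
        stray = [k for k in cfg if "cidr" in k or k.endswith("-v6")]
        hint = f" (found {stray[0]!r} instead)" if stray else ""
        problems.append('"fixed-cidr-v6" is missing, so containers only get '
                        'link-local addresses' + hint)
        return problems

    try:
        # strict=True rejects values with host bits set, e.g. "2001:db8:1::5/64"
        net = ipaddress.IPv6Network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f'"fixed-cidr-v6" is not a valid IPv6 network: {exc}')
        return problems

    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(
            f"subnet {net} is smaller than /{MAX_PREFIX_LEN}; container addresses "
            "cannot embed the MAC address, risking NDP neighbor cache invalidation "
            "in the Docker layer"
        )
    return problems


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("typo", TYPO_CONFIG), ("small", SMALL_CONFIG)):
        print(name, check_ipv6_daemon_config(cfg) or "ok")
```

Run it against the real file with `check_ipv6_daemon_config(open("/etc/docker/daemon.json").read())` as part of a pre-restart check; a non-empty list is the reason to stop before reloading dockerd.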

By default, the --fixed-cidr-v6 parameter causes Docker to add a new route to the routing table by running the three commands below on your behalf. To prevent the automatic routing, set ip-forward to false in the daemon.json file or start the Docker daemon with the --ip-forward=false flag. Then, to get the same routing table that Docker would create automatically for you, issue the following commands:

$ ip -6 route add 2001:db8:1::/64 dev docker0
$ sysctl net.ipv6.conf.default.forwarding=1
$ sysctl net.ipv6.conf.all.forwarding=1

All traffic to the subnet 2001:db8:1::/64 will now go through the docker0 interface.

Note: IPv6 forwarding may interfere with your existing IPv6 configuration. If you are using Router Advertisements to get IPv6 settings for your host's interfaces, set accept_ra to 2 using the following command. Otherwise, enabling IPv6 forwarding causes Router Advertisements to be rejected.

$ sysctl net.ipv6.conf.eth0.accept_ra=2


Every new container gets an IPv6 address from the defined subnet, and a default route is added on eth0 in the container via the address specified by the daemon option --default-gateway-v6 (or default-gateway-v6 in daemon.json), if present. The default gateway defaults to fe80::1.

This example provides a way to examine the IPv6 network settings within a running container.

$ docker run -it alpine ash -c "ip -6 addr show dev eth0; ip -6 route show"
15: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500
   inet6 2001:db8:1:0:0:242:ac11:3/64 scope global
      valid_lft forever preferred_lft forever
   inet6 fe80::42:acff:fe11:3/64 scope link
      valid_lft forever preferred_lft forever
2001:db8:1::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::1 dev eth0  metric 1024

In this example, the container is allocated a link-local address with a /64 subnet (fe80::42:acff:fe11:3/64) and a globally routable IPv6 address (2001:db8:1:0:0:242:ac11:3/64). The container creates connections to addresses outside the 2001:db8:1::/64 network via the link-local gateway fe80::1 on eth0.
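
To turn the manual inspection above into a repeatable check, here is an added Python example (not from the page or the Docker project) that parses the combined ip -6 addr show / ip -6 route show output of a container and compares it with the subnet given to --fixed-cidr-v6 and the expected default gateway. SAMPLE_OUTPUT is the output shown above, embedded as constructed test data; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample data: the container output shown on this page, pasted
# verbatim (the docker run command line itself is not part of the output).
SAMPLE_OUTPUT = """\
15: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500
   inet6 2001:db8:1:0:0:242:ac11:3/64 scope global
      valid_lft forever preferred_lft forever
   inet6 fe80::42:acff:fe11:3/64 scope link
      valid_lft forever preferred_lft forever
2001:db8:1::/64 dev eth0  proto kernel  metric 256
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::1 dev eth0  metric 1024
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\w+)")
DEFAULT_RE = re.compile(r"^default\s+via\s+(\S+)\s+dev\s+(\S+)")


def parse_container_ipv6(output: str) -> dict:
    """Collect global and link-local addresses plus the default gateway
    from the combined 'ip -6 addr show; ip -6 route show' output."""
    info = {"global": [], "link": [], "gateway": None, "gateway_dev": None}
    for line in output.splitlines():
        m = INET6_RE.match(line)
        if m:
            addr, scope = m.groups()
            if scope == "global":
                info["global"].append(ipaddress.IPv6Interface(addr))
            elif scope == "link":
                info["link"].append(ipaddress.IPv6Interface(addr))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            info["gateway"] = ipaddress.IPv6Address(m.group(1))
            info["gateway_dev"] = m.group(2)
    return info


def check_container_ipv6(output: str, fixed_cidr_v6: str, gateway: str = "fe80::1") -> list:
    """Return a list of problems; an empty list means the container matches
    the daemon's --fixed-cidr-v6 subnet and the expected default gateway."""
    expected_net = ipaddress.IPv6Network(fixed_cidr_v6)
    expected_gw = ipaddress.IPv6Address(gateway)
    info = parse_container_ipv6(output)
    problems = []
    if not any(a.ip in expected_net for a in info["global"]):
        problems.append(f"no global address inside {expected_net}: "
                        "the container is only reachable link-locally")
    for a in info["global"]:
        if a.ip not in expected_net:
            problems.append(f"global address {a} is outside {expected_net}")
    if not info["link"]:
        problems.append("no link-local address on eth0")
    if info["gateway"] != expected_gw:
        problems.append(f"default route via {info['gateway']} instead of {expected_gw}")
    return problems


if __name__ == "__main__":
    print(check_container_ipv6(SAMPLE_OUTPUT, "2001:db8:1::/64") or "container IPv6 setup ok")
```

Feed it the real output of `docker run -it alpine ash -c "ip -6 addr show dev eth0; ip -6 route show"`; a container that only shows a link-local address is the typical symptom of a daemon started without a usable fixed-cidr-v6.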

Servers or virtual machines often get a /64 IPv6 subnet assigned (for example 2001:db8:23:42::/64). In this case you can split it up further and give Docker a /80 subnet while using a separate /80 subnet for the other applications on the host:


In this setup the subnet 2001:db8:23:42::/64, with an address range from 2001:db8:23:42:0:0:0:0 to 2001:db8:23:42:ffff:ffff:ffff:ffff, is attached to eth0, and the host is listening at 2001:db8:23:42::1. The subnet 2001:db8:23:42:1::/80, with an address range from 2001:db8:23:42:1:0:0:0 to 2001:db8:23:42:1:ffff:ffff:ffff, is attached to docker0 and is used by the containers.
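
The split described above can be computed rather than worked out by hand. This added Python example (not from the page or the Docker project) takes a parent allocation, a target prefix length and an index, and returns the chosen piece with its first and last address, the number of pieces, and the --fixed-cidr-v6 argument to pass to dockerd. It generalizes beyond the /64-to-/80 case shown here to the per-host /48 allocation of the routed example later on this page, and it refuses to hand out anything smaller than /80, following the recommendation above. The function name and the constant are assumptions of this example.

```python
import ipaddress
import itertools

# Containers should get at least a /80 so the address can end with the MAC
# (recommendation from this page; the constant name is ours).
MIN_CONTAINER_PREFIX = 80


def plan_docker_subnet(parent: str, new_prefix: int, index: int) -> dict:
    """Split `parent` into equal /new_prefix pieces and describe piece `index`:
    its network, first and last address, how many pieces exist, and the
    --fixed-cidr-v6 argument that hands it to dockerd."""
    parent_net = ipaddress.IPv6Network(parent)
    if new_prefix > MIN_CONTAINER_PREFIX:
        raise ValueError(f"/{new_prefix} is smaller than the recommended "
                         f"/{MIN_CONTAINER_PREFIX} for containers")
    if new_prefix < parent_net.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than the parent {parent_net}")
    count = 2 ** (new_prefix - parent_net.prefixlen)
    if not 0 <= index < count:
        raise ValueError(f"index {index} out of range: {parent_net} holds "
                         f"{count} /{new_prefix} subnets")
    # subnets() is lazy; islice walks to the wanted piece without materializing
    # the whole list (a /64 already holds 65536 /80s).
    net = next(itertools.islice(parent_net.subnets(new_prefix=new_prefix), index, None))
    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "count": count,
        "fixed_cidr_v6": f"--fixed-cidr-v6={net}",
    }


if __name__ == "__main__":
    # The page's example: piece 1 of the /80s inside the host's /64 goes to Docker.
    for key, value in plan_docker_subnet("2001:db8:23:42::/64", 80, 1).items():
        print(f"{key}: {value}")
```

Piece 0 of the /80s (2001:db8:23:42::/80) is the one the host's own address 2001:db8:23:42::1 falls into, which is why the Docker piece in the text is index 1; the same call with a /48 parent and new_prefix 64 yields the per-host Docker subnet of the routed setup.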

Using NDP proxying

If your Docker host is the only part of an IPv6 subnet but does not have an IPv6 subnet assigned, you can use NDP proxying to connect your containers to the Internet via IPv6. If the host with the IPv6 address 2001:db8::c001 is part of the subnet 2001:db8::/64 and your IaaS provider allows you to configure the IPv6 addresses 2001:db8::c000 to 2001:db8::c00f, your network configuration may look like the following:

$ ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8::c001/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::601:3fff:fea1:9c01/64 scope link
       valid_lft forever preferred_lft forever

To split the configurable address range into two subnets, 2001:db8::c000/125 and 2001:db8::c008/125, use the following daemon.json settings. The first subnet is used by non-Docker processes on the host, the second one by Docker.

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8::c008/125"
}

The Docker subnet lies within the subnet managed by your router and connected to eth0. All containers with addresses assigned by Docker are found in the router's subnet, and the router can communicate with these containers directly.


When the router wants to send an IPv6 packet to the first container, it transmits a Neighbor Solicitation asking "Who has 2001:db8::c009?". However, no host on the subnet has that address; the container with the address is hidden behind the Docker host. The Docker host therefore has to listen to Neighbor Solicitations and respond that it is the device with that address. This functionality is called NDP proxying and is handled by the kernel on the host. To enable NDP proxying, execute the following command:

$ sysctl net.ipv6.conf.eth0.proxy_ndp=1

Next, add the container's IPv6 address to the NDP proxy table:

$ ip -6 neigh add proxy 2001:db8::c009 dev eth0

From now on, the kernel answers Neighbor Solicitations for this address on the device eth0. All traffic to this IPv6 address is routed through the Docker host, which forwards it according to its routing table via the docker0 device:

$ ip -6 route show
2001:db8::c008/125 dev docker0  metric 1
2001:db8::/64 dev eth0  proto kernel  metric 256

You must execute the ip -6 neigh add proxy ... command for every IPv6 address in your Docker subnet. Unfortunately, there is no way to add a whole subnet with a single command. An alternative approach is to use an NDP proxy daemon such as ndppd.
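
Because ip -6 neigh add proxy takes a single address, the per-address loop is where entries get forgotten or mistyped. This added Python example (not from the page or the Docker project) generates one command for every address of the Docker subnet and refuses subnets too large to manage entry by entry, which is exactly the case where an NDP proxy daemon such as ndppd belongs. The MAX_ENTRIES limit and the function names are assumptions of this example; the script it renders is meant to be reviewed and then run as root on the Docker host.

```python
import ipaddress

# Upper bound for expanding a subnet into individual proxy entries: a /120 is
# already 256 entries. Larger subnets belong to an NDP proxy daemon such as
# ndppd. The limit is a choice made for this example, not a kernel constraint.
MAX_ENTRIES = 256


def ndp_proxy_commands(docker_subnet: str, dev: str = "eth0") -> list:
    """Return one 'ip -6 neigh add proxy' command per address of docker_subnet,
    so the kernel answers Neighbor Solicitations for all of them on dev."""
    net = ipaddress.IPv6Network(docker_subnet)
    if net.num_addresses > MAX_ENTRIES:
        raise ValueError(
            f"{net} has {net.num_addresses} addresses; per-address proxy entries "
            "are impractical here, use an NDP proxy daemon (e.g. ndppd) instead"
        )
    # Every address in the subnet is published, since Docker may hand any of
    # them to a container.
    return [f"ip -6 neigh add proxy {addr} dev {dev}" for addr in net]


def render_script(docker_subnet: str, dev: str = "eth0") -> str:
    """Render a shell script that enables proxy_ndp on dev and then adds the
    entries; review it before running it as root on the Docker host."""
    lines = ["#!/bin/sh", "set -e", f"sysctl net.ipv6.conf.{dev}.proxy_ndp=1"]
    lines.extend(ndp_proxy_commands(docker_subnet, dev))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample matching the page: the Docker half of the c000-c00f range.
    print(render_script("2001:db8::c008/125"))
```

Proxy entries do not survive a reboot, so the rendered script (or the equivalent ndppd configuration) has to be part of the host's boot-time network setup; a container that is reachable from the host but not from the router is the usual sign that an entry is missing.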

Docker IPv6 cluster

Switched network environment

Using routable IPv6 addresses allows you to realize communication between containers on different hosts. Let's have a look at a simple Docker IPv6 cluster example:


The Docker hosts are in the 2001:db8:0::/64 subnet. Host 1 is configured to provide addresses from the 2001:db8:1::/64 subnet to its containers. It has three routes configured:

  • Route all traffic to 2001:db8:0::/64 via eth0

  • Route all traffic to 2001:db8:1::/64 via docker0

  • Route all traffic to 2001:db8:2::/64 via Host 2 with the IP 2001:db8::2

Host 1 also acts as a router on OSI layer 3. When one of the network clients tries to contact a target that is specified in Host 1's routing table, Host 1 forwards the traffic accordingly. It acts as a router for all networks it knows: 2001:db8::/64, 2001:db8:1::/64, and 2001:db8:2::/64.

On Host 2 we have nearly the same configuration. Host 2's containers get IPv6 addresses from 2001:db8:2::/64. Host 2 has three routes configured:

  • Route all traffic to 2001:db8:0::/64 via eth0

  • Route all traffic to 2001:db8:2::/64 via docker0

  • Route all traffic to 2001:db8:1::/64 via Host 1 with the IP 2001:db8:0::1

The difference from Host 1 is that the network 2001:db8:2::/64 is directly attached to Host 2 via its docker0 interface, whereas Host 2 reaches 2001:db8:1::/64 via Host 1's IPv6 address 2001:db8::1.

This way every container can contact every other container. The containers Container1-* share the same subnet and contact each other directly. The traffic between Container1-* and Container2-* is routed via Host 1 and Host 2 because those containers do not share the same subnet.

In a switched environment every host has to know all routes to every subnet. You always have to update the hosts' routing tables once you add or remove a host in the cluster.

Every configuration in the diagram that is shown below the dashed line is handled by Docker: the docker0 bridge IP address configuration, the route to the Docker subnet on the host, the container IP addresses and the routes on the containers. The configuration above the line is up to the user and can be adapted to the individual environment.

Routed network environment

In a routed network environment you replace the layer 2 switch with a layer 3 router. Now the hosts only have to know their default gateway (the router) and the route to their own containers (managed by Docker). The router holds all routing information about the Docker subnets. When you add or remove a host in this environment, you only have to update the routing table in the router, not on every host.


In this scenario containers on the same host can communicate with each other directly. The traffic between containers on different hosts is routed via their hosts and the router. For example, packets from Container1-1 to Container2-1 are routed through Host1, Router, and Host2 until they arrive at Container2-1.

To keep the IPv6 addresses short in this example, a /48 network is assigned to every host. The hosts use a /64 subnet of this for their own services and another one for Docker. When adding a third host you would add a route for the subnet 2001:db8:3::/48 in the router and configure Docker on Host 3 with --fixed-cidr-v6=2001:db8:3:1::/64.

Remember that the subnet for Docker containers should have a size of at least /80. This way an IPv6 address can end with the container's MAC address and you prevent NDP neighbor cache invalidation issues in the Docker layer. So if you have a /64 for your whole environment, use /76 subnets for the hosts and /80 subnets for the containers. This way you can use 4096 hosts with 16 /80 subnets each.

Every configuration in the diagram that is visualized below the dashed line is handled by Docker: the docker0 bridge IP address configuration, the route to the Docker subnet on the host, the container IP addresses and the routes on the containers. The configuration above the line is up to the user and can be adapted to the individual environment.
