Managing Networks in Docker
Managing ports
List the networks available in Docker:
docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
f433177986a9   bridge    bridge    local
fabe1ed5913a   host      host      local
0ec6bbe294fe   none      null      local
Mapping container port 80 onto the local host:
docker container run -d --name web --network bridge -p 80:80 nginx
docker container port web
80/tcp -> 0.0.0.0:80
80/tcp -> [::]:80
docker ps
CONTAINER ID   IMAGE     COMMAND                  CREATED              STATUS              PORTS                               NAMES
a4415558550a   nginx     "/docker-entrypoint.…"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, :::80->80/tcp   web
docker container ls
CONTAINER ID   IMAGE     COMMAND                  CREATED              STATUS              PORTS                               NAMES
a4415558550a   nginx     "/docker-entrypoint.…"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, :::80->80/tcp   web
curl 127.0.0.1
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
docker container rm -f web
web
Mapping a random host port:
docker container run -d --name web -P nginx
1167ea9a9a278dde7613a6fb590cb282eb2ec741ecafbbe4ef51b3bb18461588
docker container port web
80/tcp -> 0.0.0.0:32768
80/tcp -> [::]:32768
curl 127.0.0.1:32768
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
docker container rm -f web
web
Managing links
Run a container named server:
docker container run -di --name=server -h server busybox
Run a second container, creating a link to the first:
docker container run --detach --interactive --name=client --link server:server --hostname client busybox
ebf775e910e3a5ca6047a53cc9c0cb8ff83ba878577c901d990c7890f7b7b2c6
In Docker, a link lets a container reach other containers by hostname. Links are a legacy feature and are one-directional: only the container started with --link learns the other one's name, as the next steps show.
Check that the /etc/hosts file of the second container contains the name and IP of the first:
docker container exec --interactive --tty client cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	server server
172.17.0.3	client
Run a connectivity test from the client to the server:
docker container exec --interactive --tty client ping -c3 server
PING server (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.272 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.118 ms
64 bytes from 172.17.0.2: seq=2 ttl=64 time=0.116 ms

--- server ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.116/0.168/0.272 ms
The /etc/hosts file of the first container, on the other hand, does not contain the name and IP of the second:
docker container exec -it server ping -c3 client
ping: bad address 'client'
docker container exec -it server cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	server
docker container rm -f server client
server
client
Managing DNS
Run a container named server that points at a public DNS server:
docker container run --interactive --detach --name=server --hostname server --dns=1.1.1.1 busybox
ad59adca03b68d573e6f47715a3c636bb55a05220105073fa13c337545913647
docker container exec -it server cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 1.1.1.1
search .

# Based on host file: '/run/systemd/resolve/resolv.conf' (legacy)
# Overrides: [nameservers]
Run a test inside the container with the nslookup command:
docker container exec -it server nslookup -querytype=A geanmartins.com.br
Server:		1.1.1.1
Address:	1.1.1.1:53

Non-authoritative answer:
Name:	geanmartins.com.br
Address: 191.101.70.134
docker rm -f server
server
To make the DNS server setting permanent for the Docker daemon, edit or create the daemon.json file:
cat /etc/docker/daemon.json
{
  "log-driver": "syslog",
  "dns": ["1.1.1.1"]
}
Restart Docker to apply the changes:
sudo systemctl restart docker
Run the container again, this time without specifying a DNS server, and repeat the lookup:
docker container run --interactive --detach --name=server --hostname server busybox
docker exec -ti server nslookup -querytype=A geanmartins.com.br
Server:		1.1.1.1
Address:	1.1.1.1:53

Non-authoritative answer:
Name:	geanmartins.com.br
Address: 191.101.70.134
docker rm -f server
server
Bridge network
To run a container on the bridge network, start it with the --network flag:
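The daemon.json step above is easy to get wrong by hand: a stray comma or an overwritten "log-driver" key stops the daemon from starting. As an added example (not code from the original post), this helper merges the "dns" key into an existing daemon.json, validates each server as an IP address, and writes the file atomically; the demo() wrapper and its starting file are constructed for illustration and use a throwaway directory rather than /etc/docker.

```python
import ipaddress
import json
import os
import tempfile


def set_daemon_dns(path, servers):
    """Set the "dns" key in Docker's daemon.json while keeping every other key.

    Each server must parse as an IP address, so a typo cannot leave the
    daemon with an unusable resolver list. Returns the resulting config.
    """
    for s in servers:
        ipaddress.ip_address(s)  # raises ValueError on malformed input
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        config = json.loads(text) if text.strip() else {}
        if not isinstance(config, dict):
            raise ValueError(f"{path} does not contain a JSON object")
    config["dns"] = list(servers)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)  # atomic rename: the daemon never sees a half-written file
    return config


def demo(initial_text, servers):
    """Run set_daemon_dns on a throwaway file; returns (config, file contents)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "daemon.json")
        if initial_text is not None:  # None simulates a missing daemon.json
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(initial_text)
        config = set_daemon_dns(path, servers)
        with open(path, encoding="utf-8") as fh:
            return config, fh.read()


if __name__ == "__main__":
    # Constructed starting point: a daemon.json that already sets the log driver.
    _, text = demo('{"log-driver": "syslog"}\n', ["1.1.1.1"])
    print(text)
```

Against the real file you would call set_daemon_dns("/etc/docker/daemon.json", ["1.1.1.1"]) as root and then restart the daemon as shown above.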
docker container run -d --name web --network bridge -p 80:80 nginx
b8803a34cef78c3232806e55c391e9a2f38b72f1987c8b51837cba396e8ef0de
sudo ss -nltp | grep 80
LISTEN 0      4096         0.0.0.0:80        0.0.0.0:*    users:(("docker-proxy",pid=3609,fd=4))
LISTEN 0      4096            [::]:80           [::]:*    users:(("docker-proxy",pid=3615,fd=4))
Docker also adds a firewall rule (the ACCEPT entry in the DOCKER chain, targeting the container's IP) that allows internal and external access to port 80:
sudo iptables -nL --line-number | grep 80 -B2
Chain DOCKER (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:80
docker rm -f web
web
Host network
To run a container on the host network, start it with the --net flag:
docker container run -d --name server --net=host nginx
23cda1464463fc8861d8e29201a56f4cf8a938bbe5ad0dec82332d2159ab95f1
Note that the container has no mapped port, because Nginx is listening on the port directly on the local host:
docker container port server
sudo ss -nltp | grep 80
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=3921,fd=6),("nginx",pid=3920,fd=6),("nginx",pid=3884,fd=6))
LISTEN 0      511             [::]:80           [::]:*    users:(("nginx",pid=3921,fd=7),("nginx",pid=3920,fd=7),("nginx",pid=3884,fd=7))
When we use the --net=host flag, we start a container that binds directly to the port on the Docker host. From a networking standpoint there is no isolation: it is as if the nginx process were running directly on the Docker host rather than inside a container.
In every other respect, however, such as storage, the process namespace and the user namespace, the nginx process remains isolated from the host.
curl localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
docker container rm -f server
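Both -p 80:80 (which binds to 0.0.0.0, the bridge's host_binding_ipv4) and --net=host widen what the host exposes. As an added example, not code from the original post, the check below reads `docker container inspect` output and flags host networking, -P, and wildcard port bindings; the inspect JSON embedded here is constructed to mirror this post's containers (plus a hypothetical "admin" container bound to 127.0.0.1 for contrast), not captured output.

```python
import json
import sys

# Constructed sample shaped like `docker container inspect web server admin`
# (only the fields the audit reads). Mirrors this post's `-p 80:80` and
# `--net=host` containers; it is not captured output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"NetworkMode": "bridge", "PublishAllPorts": False,
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
    {"Name": "/server",
     "HostConfig": {"NetworkMode": "host", "PublishAllPorts": False,
                    "PortBindings": {}}},
    {"Name": "/admin",  # hypothetical container published on loopback only
     "HostConfig": {"NetworkMode": "bridge", "PublishAllPorts": False,
                    "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
])

# An empty HostIp means Docker falls back to host_binding_ipv4 (0.0.0.0 by default).
WILDCARDS = {"", "0.0.0.0", "::"}


def audit(inspect_json):
    """Return (container, finding) tuples for settings that widen network exposure."""
    findings = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("NetworkMode") == "host":
            findings.append((name, "host networking: shares the host's network namespace"))
        if hc.get("PublishAllPorts"):
            findings.append((name, "-P publishes every EXPOSEd port on all interfaces"))
        for cport, binds in (hc.get("PortBindings") or {}).items():
            for b in binds or []:
                if b.get("HostIp", "") in WILDCARDS:
                    findings.append((name, f"{cport} published on all interfaces "
                                           f"(host port {b.get('HostPort') or 'random'})"))
    return findings


if __name__ == "__main__":
    # Pipe real data in: docker container inspect $(docker ps -q) | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, finding in audit(data):
        print(f"{name}: {finding}")
```

A service that only needs local access is better published as -p 127.0.0.1:80:80, which the audit leaves unflagged.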
Docker network management commands
Using the default network
Options of the docker network command:
docker network --help

Usage:  docker network COMMAND

Manage networks

Commands:
  connect     Connect a container to a network
  create      Create a network
  disconnect  Disconnect a container from a network
  inspect     Display detailed information on one or more networks
  ls          List networks
  prune       Remove all unused networks
  rm          Remove one or more networks

Run 'docker network COMMAND --help' for more information on a command.
To display detailed information about the bridge network, run the following commands:
docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
6a188ccecd57   bridge    bridge    local
fabe1ed5913a   host      host      local
0ec6bbe294fe   none      null      local
docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "6a188ccecd5730893b2664ac8d5d5fe139b673ab2c10180a45671db6f76aa055",
        "Created": "2024-10-06T00:57:04.432027758Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
Let's test the default network with two containers:
docker container run -di --name=c1 -h server busybox
f21bcd2cb75b4fa5579df2eaa9e515577d7bdc3f44129212e5c13617cebee375
docker container run -di --name=c2 -h client busybox
8f7c39b5ae7ee073ca60819a55bcbb210a11b26ab42d36483f5343af2a48b83f
Check each container's IP address:
docker container exec c1 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
22: eth0@if23: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
docker container exec c2 ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
          inet addr:172.17.0.3  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:866 (866.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Connectivity test between the containers (on the default bridge, every container can reach every other by IP):
docker container exec c1 ping -c2 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=1.090 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.176 ms

--- 172.17.0.3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.176/0.633/1.090 ms
docker container exec c2 ping -c2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.041 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.106 ms

--- 172.17.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.041/0.073/0.106 ms
docker rm -f c1 c2
c1
c2
Creating custom networks
Creating a new network:
docker network create --driver bridge --subnet 172.32.0.0/16 dca
a70591ccd650dd52481ac4898a00b6b72626d421bb583276a2e06ce1fbbd56fb
docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
6a188ccecd57   bridge    bridge    local
a70591ccd650   dca       bridge    local
fabe1ed5913a   host      host      local
0ec6bbe294fe   none      null      local
Displaying detailed information about the dca network:
docker network inspect dca
[
    {
        "Name": "dca",
        "Id": "a70591ccd650dd52481ac4898a00b6b72626d421bb583276a2e06ce1fbbd56fb",
        "Created": "2024-10-06T12:27:06.95645443Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.32.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {},
        "Labels": {}
    }
]
Using a fixed IP:
docker container run -di --name=c1 -h server --network dca --ip 172.32.0.100 --add-host=client:172.32.0.113 busybox
5e87f7778ae08afcb5eca8f5c86b20310120669c5f25a9a51658d274a0d37f95
docker container run -di --name=c2 --link c1:server -h client --net dca --ip 172.32.0.113 busybox
b6c8112cad38aaae3b84dcefdd7b24a53eaad24d8ead36507035a4740e7a7e6f
Connectivity test:
docker container exec -it c1 ping -c2 client
PING client (172.32.0.113): 56 data bytes
64 bytes from 172.32.0.113: seq=0 ttl=64 time=0.369 ms
64 bytes from 172.32.0.113: seq=1 ttl=64 time=0.190 ms

--- client ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.190/0.279/0.369 ms
docker container exec -it c1 ping -c2 172.32.0.113
PING 172.32.0.113 (172.32.0.113): 56 data bytes
64 bytes from 172.32.0.113: seq=0 ttl=64 time=0.147 ms
64 bytes from 172.32.0.113: seq=1 ttl=64 time=0.195 ms

--- 172.32.0.113 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.147/0.171/0.195 ms
docker container exec -ti c2 ping -c2 server
PING server (172.32.0.100): 56 data bytes
64 bytes from 172.32.0.100: seq=0 ttl=64 time=0.117 ms
64 bytes from 172.32.0.100: seq=1 ttl=64 time=0.151 ms

--- server ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.117/0.134/0.151 ms
docker container exec --tty --interactive c2 ping -c2 172.32.0.100
PING 172.32.0.100 (172.32.0.100): 56 data bytes
64 bytes from 172.32.0.100: seq=0 ttl=64 time=0.139 ms
64 bytes from 172.32.0.100: seq=1 ttl=64 time=0.146 ms

--- 172.32.0.100 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.139/0.142/0.146 ms
Disconnecting a container from a network:
docker network disconnect dca c2
docker container exec -ti c1 ping -c2 client
PING client (172.32.0.113): 56 data bytes
^C
--- client ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
Connecting a container to a network:
docker network connect --ip 172.32.0.113 dca c2
docker container exec -ti c1 ping -c2 client
PING client (172.32.0.113): 56 data bytes
64 bytes from 172.32.0.113: seq=0 ttl=64 time=0.208 ms
64 bytes from 172.32.0.113: seq=1 ttl=64 time=0.126 ms

--- client ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.126/0.167/0.208 ms
Removing a network
Remove the containers first, since a network still in use cannot be removed:
docker container rm -f c1 c2
c1
c2
docker network rm dca
dca
docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
6a188ccecd57   bridge    bridge    local
fabe1ed5913a   host      host      local
0ec6bbe294fe   none      null      local
Removing networks that are not in use:
docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
