Generally speaking, when we build a custom network for Docker containers to talk to the outside world, the choices besides NAT are Linux Bridge, Open vSwitch and MacVLAN. MacVLAN offers better performance than the first two.
MacVLAN has 4 modes; see here. VEPA mode requires the upstream switch to support hairpin mode. By comparison, bridge mode is the more commonly used one.
Environment
yy1: 172.16.213.128 yy2: 172.16.213.129
Start a container on yy2:
# docker run -d --net="none" --name=test1 dbyin/centos
# docker inspect --format="{{.State.Pid}}" test1
2084
Create the MACVLAN device:
# ip link add eth0.1 link eth0 type macvlan mode bridge
# ip link list
8: eth0.1@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
link/ether 6e:e2:9c:e3:15:c6 brd ff:ff:ff:ff:ff:ff
Move the MACVLAN device into the container's network namespace:
# ip link set netns 2084 eth0.1
# nsenter --target=2084 --net --mount --uts --pid
-bash-4.2# ip link list
8: eth0.1@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
link/ether 6e:e2:9c:e3:15:c6 brd ff:ff:ff:ff:ff:ff
-bash-4.2# ip link set eth0.1 up
-bash-4.2# ifconfig
eth0.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::6ce2:9cff:fee3:15c6 prefixlen 64 scopeid 0x20<link>
ether 6e:e2:9c:e3:15:c6 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 468 (468.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Set the IP address and the gateway:
-bash-4.2# ip addr add 172.16.213.180/16 dev eth0.1
-bash-4.2# ip route add default via 172.16.213.2 dev eth0.1
With MACVLAN, the host itself cannot reach the container:
[root@yy2 ~]# ping 172.16.213.180
PING 172.16.213.180 (172.16.213.180) 56(84) bytes of data.
From 172.16.213.129 icmp_seq=2 Destination Host Unreachable
It can be reached from another host:
[root@yy1 ~]# ssh root@172.16.213.180
root@172.16.213.180's password:
Last login: Tue Nov 11 07:49:27 2014 from 172.16.213.128
-bash-4.2#
Note: if you are testing on a VMware virtual machine, you need to put the host's NIC into promiscuous mode:
[root@yy2 ~]# ip link set eth0 promisc on
Otherwise other hosts cannot reach the container's network either. For the reason, see: the VMware 82545EM does not support unicast filtering.
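The whole procedure above in one script, with a check that the gateway actually lies inside the container's prefix before anything is touched. This is an added example, not code from the post; it assumes docker, iproute2 and nsenter are on PATH, root privileges when the commands are applied, and reuses the post's values (PID 2084, 172.16.213.180/16, gateway 172.16.213.2) as defaults.

```python
"""Reproduce the post's MACVLAN-into-container procedure as one script.
Added example, not the post's own code.  Assumes docker, iproute2 and nsenter
on PATH and root when run for real; the defaults are the post's values."""
import ipaddress
import subprocess
import sys


def container_pid(name):
    """PID of the container's init, via the inspect template the post uses."""
    out = subprocess.check_output(
        ["docker", "inspect", "--format", "{{.State.Pid}}", name], text=True)
    pid = int(out)
    if pid <= 0:  # docker reports 0 for a container that is not running
        raise RuntimeError(f"container {name} is not running")
    return pid


def addressing_problems(cidr, gateway):
    """Checks that would otherwise surface only as 'ip route add' failing in the netns."""
    iface, gw = ipaddress.ip_interface(cidr), ipaddress.ip_address(gateway)
    problems = []
    if gw not in iface.network:
        problems.append(f"gateway {gw} is outside {iface.network}")
    if gw == iface.ip:
        problems.append("gateway equals the container address")
    return problems


def macvlan_commands(pid, parent="eth0", dev="eth0.1",
                     cidr="172.16.213.180/16", gateway="172.16.213.2"):
    """Commands in the post's order.  Only the network namespace is entered (the post
    also entered --mount --uts --pid), so the host's own 'ip' binary does the work."""
    problems = addressing_problems(cidr, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    ns = ["nsenter", "--target", str(pid), "--net", "--"]
    return [
        ["ip", "link", "add", dev, "link", parent, "type", "macvlan", "mode", "bridge"],
        ["ip", "link", "set", dev, "netns", str(pid)],
        ns + ["ip", "link", "set", dev, "up"],
        ns + ["ip", "addr", "add", cidr, "dev", dev],
        ns + ["ip", "route", "add", "default", "via", gateway, "dev", dev],
    ]


if __name__ == "__main__":
    # "python3 macvlan.py test1" prints the plan; add "--apply" to execute it as root.
    for cmd in macvlan_commands(container_pid(sys.argv[1])):
        print(" ".join(cmd))
        if "--apply" in sys.argv:
            subprocess.run(cmd, check=True)
```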