Playing with Docker networking (2)

As the title says, this is about Docker 1.9, and it continues the previous post.

■ Environment

  • Docker 1.9
  • Docker Machine 0.5.0
  • Mac OSX (10.10.5)

■ Separating networks

Since a container can be told which network to attach to, it should be possible to split the network into segments so that containers are reachable only from within their own segment. Let's check.

Try the following:

  1. Create two networks (front/back)
  2. Start containers on them (front/back)
  3. Check connectivity

■ Creating the networks

Create two networks, "front" and "back".

$ docker network create --driver bridge front
1e7dfe98a9a4eeb72bb978a536c54f1f12f67b29118f50397afedc21077a3668
$
$ docker network create --driver bridge back
f08c8dcbca6182bf479ff17987d94863e3d4539e5e174f8447e9a9210d40a51e
$
$ docker network ls
NETWORK ID          NAME                DRIVER
1e7dfe98a9a4        front               bridge
f08c8dcbca61        back                bridge
47a46ac1b84b        bridge              bridge
f6fb9124ae7f        none                null
d806cfeaef35        host                host
$

■ Starting containers

Start two containers on the "front" network.

$ docker run -ti --rm --net front --name host1 --hostname host1 busybox
/ #
$ docker run -ti --rm --net front --name host2 --hostname host2 busybox
/ #

In each case the container was detached with `Control-P`, `Control-Q`.

With the containers in this state, check a few things. First, the state of the network.

$ docker network inspect front
[
    {
        "Name": "front",
        "Id": "1e7dfe98a9a4......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "25938b944067......": {
                "EndpointID": "b947f49c3404......",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "b2758d5b423a......": {
                "EndpointID": "f6ca946d5312......",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$

`attach` to a container and take a look.

$ docker attach host1
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:12:00:02
          inet addr:172.18.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe12:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ #
/ # cat /etc/hosts
172.18.0.2    host1
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
172.18.0.3    host2
172.18.0.3    host2.front
/ #

On "host1", `/etc/hosts` resolves the names "host2" and "host2.front".

Next, start one container on the "back" network.

$ docker run -ti --rm --net back --name host3 --hostname host3 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:02
          inet addr:172.19.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe13:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1296 (1.2 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #
/ # cat /etc/hosts
172.19.0.2    host3
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
/ #

No name resolution for the "front" containers here. Check the "back" network.

$ docker network inspect back
[
    {
        "Name": "back",
        "Id": "f08c8dcbca61......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "c929fdcd5f0a......": {
                "EndpointID": "2964bbab7b24......",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$

The "front" network appears to have been assigned addresses from 172.18.0.0/16 and the "back" network from 172.19.0.0/16. That being so, communication between the two networks should also be impossible.

$ docker attach host3
/ # ping host1
ping: bad address 'host1'
/ # ping host1.front
ping: bad address 'host1.front'
/ #

The result is as expected.

■ Multiple networks

A question comes up here.

Can a container be connected to more than one network?

Let's experiment right away.

$ docker run -ti --rm --net front --net back --name host4 --hostname host4 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:03
          inet addr:172.19.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe13:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:258 (258.0 B)  TX bytes:418 (418.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #
/ # cat /etc/hosts
172.19.0.3    host4
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
172.19.0.2    host3.back
172.19.0.2    host3
/ #
/ # ping host1
ping: bad address 'host1'
/ # ping host1.front
ping: bad address 'host1.front'
/ # ping host3
PING host3 (172.19.0.2): 56 data bytes
64 bytes from 172.19.0.2: seq=0 ttl=64 time=0.106 ms
64 bytes from 172.19.0.2: seq=1 ttl=64 time=0.293 ms
^C
--- host3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.106/0.199/0.293 ms
/ #

It seems that only one `--net` option can be given to `docker run`, and the last one wins.

Let's try `docker network connect` instead.

$ docker network connect front host3
$ docker network inspect front
[
    {
        "Name": "front",
        "Id": "1e7dfe98a9a4......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "25938b944067......": {
                "EndpointID": "b947f49c3404......",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "b2758d5b423a......": {
                "EndpointID": "f6ca946d5312......",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            },
            "c929fdcd5f0a......": {
                "EndpointID": "9e6d2130dc63......",
                "MacAddress": "02:42:ac:12:00:04",
                "IPv4Address": "172.18.0.4/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$
$ docker network inspect back
[
    {
        "Name": "back",
        "Id": "f08c8dcbca61......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "c929fdcd5f0a......": {
                "EndpointID": "2964bbab7b24......",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$

Judging from this output, the container is now connected to both networks. `attach` and confirm.

$ docker attach host3
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:02
          inet addr:172.19.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe13:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2922 (2.8 KiB)  TX bytes:1284 (1.2 KiB)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:12:00:04
          inet addr:172.18.0.4  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe12:4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ #
/ # cat /etc/hosts
172.19.0.2    host3
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
172.18.0.3    host2.front
172.18.0.2    host1
172.18.0.2    host1.front
172.18.0.3    host2
/ #
/ # ping -c 3 host1
PING host1 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.159 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.259 ms
64 bytes from 172.18.0.2: seq=2 ttl=64 time=0.091 ms

--- host1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.091/0.169/0.259 ms
/ #
/ # ping -c 3 host2
PING host2 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.000 ms
64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.297 ms
64 bytes from 172.18.0.3: seq=2 ttl=64 time=0.137 ms

--- host2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.000/0.144/0.297 ms
/ #

A satisfying result. It looks like segmented networks can be built inside a single Docker host.

That's all.
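As an added example that is not part of the original post: a small Python check over `docker network inspect` output (transcribed from the post, with the container IDs shortened to the 12-character prefixes shown there) that answers which containers share a segment and flags any container, like host3 after `docker network connect`, that straddles two networks and therefore bridges segments that were meant to be isolated. The ID-to-hostname mapping (25938b944067 = host1, b2758d5b423a = host2, c929fdcd5f0a = host3) is inferred from the addresses in the post.

```python
import ipaddress
import json

# Constructed sample input, transcribed from the post's `docker network inspect`
# output with container IDs shortened to the 12-character prefixes shown there.
# FRONT_BEFORE is "front" before `docker network connect front host3`,
# FRONT_AFTER is the same network afterwards; BACK is unchanged in both states.
FRONT_BEFORE = json.loads('''[{"Name": "front", "Driver": "bridge", "Containers": {
  "25938b944067": {"IPv4Address": "172.18.0.2/16"},
  "b2758d5b423a": {"IPv4Address": "172.18.0.3/16"}}}]''')
FRONT_AFTER = json.loads('''[{"Name": "front", "Driver": "bridge", "Containers": {
  "25938b944067": {"IPv4Address": "172.18.0.2/16"},
  "b2758d5b423a": {"IPv4Address": "172.18.0.3/16"},
  "c929fdcd5f0a": {"IPv4Address": "172.18.0.4/16"}}}]''')
BACK = json.loads('''[{"Name": "back", "Driver": "bridge", "Containers": {
  "c929fdcd5f0a": {"IPv4Address": "172.19.0.2/16"}}}]''')

def memberships(*inspect_outputs):
    """Build {container_id: {network_name: IPv4Interface}} from inspect JSON."""
    members = {}
    for out in inspect_outputs:
        for net in out:
            for cid, ep in net["Containers"].items():
                iface = ipaddress.ip_interface(ep["IPv4Address"])
                members.setdefault(cid, {})[net["Name"]] = iface
    return members

def shared_networks(members, a, b):
    """Networks on which both containers have an endpoint: a direct L2 path."""
    return sorted(set(members.get(a, {})) & set(members.get(b, {})))

def straddling(members):
    """Containers with endpoints on more than one network (segment bridges)."""
    return sorted(cid for cid, nets in members.items() if len(nets) > 1)

def overlapping_segments(members):
    """Pairs of network names whose subnets overlap (would break isolation)."""
    subnets = {}
    for nets in members.values():
        for name, iface in nets.items():
            subnets[name] = iface.network
    names = sorted(subnets)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if subnets[x].overlaps(subnets[y])]

if __name__ == "__main__":
    before, after = memberships(FRONT_BEFORE, BACK), memberships(FRONT_AFTER, BACK)
    print("host1<->host3 before:", shared_networks(before, "25938b944067", "c929fdcd5f0a"))
    print("host1<->host3 after: ", shared_networks(after, "25938b944067", "c929fdcd5f0a"))
    print("straddling:", straddling(after), "overlaps:", overlapping_segments(after))
```

On a real host, feed it `docker network inspect <name>` output for every user-defined network; any container listed by `straddling` is a path between segments worth reviewing.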
