On Docker 1.9, as the title says. This is a continuation of the previous post.
■ Environment
- Docker 1.9
- Docker Machine 0.5.0
- Mac OSX (10.10.5)
■ Separating networks
If the network a container joins can be chosen, then it should be possible to split things into network segments where containers are reachable only from within their own network. Is that actually configurable?
Let's try the following.
- Create networks (front/back)
- Start containers (front/back)
- Check connectivity
■ Creating the networks
Create two networks, "front" and "back".
$ docker network create --driver bridge front
1e7dfe98a9a4eeb72bb978a536c54f1f12f67b29118f50397afedc21077a3668
$
$ docker network create --driver bridge back
f08c8dcbca6182bf479ff17987d94863e3d4539e5e174f8447e9a9210d40a51e
$
$ docker network ls
NETWORK ID          NAME                DRIVER
1e7dfe98a9a4        front               bridge
f08c8dcbca61        back                bridge
47a46ac1b84b        bridge              bridge
f6fb9124ae7f        none                null
d806cfeaef35        host                host
$
■ Starting containers
Start two containers on the "front" network.
$ docker run -ti --rm --net front --name host1 --hostname host1 busybox
/ #
$ docker run -ti --rm --net front --name host2 --hostname host2 busybox
/ #
Each time, I detached from the container with `Control-P`, `Control-Q`.
In this state, check a few things. First, the state of the network.
$ docker network inspect front
[
    {
        "Name": "front",
        "Id": "1e7dfe98a9a4......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "25938b944067......": {
                "EndpointID": "b947f49c3404......",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "b2758d5b423a......": {
                "EndpointID": "f6ca946d5312......",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$
`attach` to the container and check.
$ docker attach host1
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:12:00:02
          inet addr:172.18.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe12:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ #
/ # cat /etc/hosts
172.18.0.2 host1
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3 host2
172.18.0.3 host2.front
/ #
On "host1", "/etc/hosts" resolves the names "host2" and "host2.front".
Next, start one container on the "back" network.
$ docker run -ti --rm --net back --name host3 --hostname host3 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:02
          inet addr:172.19.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe13:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1296 (1.2 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ #
/ # cat /etc/hosts
172.19.0.2 host3
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/ #
The "front" containers are not resolvable here. Check the "back" network.
$ docker network inspect back
[
    {
        "Name": "back",
        "Id": "f08c8dcbca61......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "c929fdcd5f0a......": {
                "EndpointID": "2964bbab7b24......",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$
It appears that the "front" network was assigned addresses from "172.18.0.0/16" and the "back" network from "172.19.0.0/16". That being so, communication between the two networks should also be impossible.
$ docker attach host3
/ # ping host1
ping: bad address 'host1'
/ # ping host1.front
ping: bad address 'host1.front'
/ #
The result is as expected. Note that "bad address" only shows that host3 cannot resolve the name; checking isolation at the IP level would mean pinging 172.18.0.2 directly.
■ Multiple networks
A question arises here.
Can a container connect to multiple networks?
Let's experiment right away.
$ docker run -ti --rm --net front --net back --name host4 --hostname host4 busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:03
          inet addr:172.19.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe13:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:258 (258.0 B)  TX bytes:418 (418.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ #
/ # cat /etc/hosts
172.19.0.3 host4
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.19.0.2 host3.back
172.19.0.2 host3
/ #
/ # ping host1
ping: bad address 'host1'
/ # ping host1.front
ping: bad address 'host1.front'
/ # ping host3
PING host3 (172.19.0.2): 56 data bytes
64 bytes from 172.19.0.2: seq=0 ttl=64 time=0.106 ms
64 bytes from 172.19.0.2: seq=1 ttl=64 time=0.293 ms
^C
--- host3 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.106/0.199/0.293 ms
/ #
It seems that `docker run` accepts only one "--net" option, and the last one given wins.
Try `docker network connect` instead.
$ docker network connect front host3
$ docker network inspect front
[
    {
        "Name": "front",
        "Id": "1e7dfe98a9a4......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "25938b944067......": {
                "EndpointID": "b947f49c3404......",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "b2758d5b423a......": {
                "EndpointID": "f6ca946d5312......",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            },
            "c929fdcd5f0a......": {
                "EndpointID": "9e6d2130dc63......",
                "MacAddress": "02:42:ac:12:00:04",
                "IPv4Address": "172.18.0.4/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$
$ docker network inspect back
[
    {
        "Name": "back",
        "Id": "f08c8dcbca61......",
        "Scope": "local",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {}
            ]
        },
        "Containers": {
            "c929fdcd5f0a......": {
                "EndpointID": "2964bbab7b24......",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {}
    }
]
$
Judging from this output, the container is now connected to both networks. `attach` and check.
$ docker attach host3
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:13:00:02
          inet addr:172.19.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe13:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2922 (2.8 KiB)  TX bytes:1284 (1.2 KiB)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:12:00:04
          inet addr:172.18.0.4  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe12:4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
/ #
/ # cat /etc/hosts
172.19.0.2 host3
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.3 host2.front
172.18.0.2 host1
172.18.0.2 host1.front
172.18.0.3 host2
/ #
/ # ping -c 3 host1
PING host1 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.159 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.259 ms
64 bytes from 172.18.0.2: seq=2 ttl=64 time=0.091 ms
--- host1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.091/0.169/0.259 ms
/ #
/ # ping -c 3 host2
PING host2 (172.18.0.3): 56 data bytes
64 bytes from 172.18.0.3: seq=0 ttl=64 time=0.000 ms
64 bytes from 172.18.0.3: seq=1 ttl=64 time=0.297 ms
64 bytes from 172.18.0.3: seq=2 ttl=64 time=0.137 ms
--- host2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.000/0.144/0.297 ms
/ #
A satisfying result. It looks like networks can be built inside the Docker host.
That's all.
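As an added example (not code from the original post), here is a small Python script that parses `docker network inspect` output of the shape shown above and lists containers with endpoints on more than one network. After `docker network connect front host3`, host3 straddles both segments, which is the first thing to look for when the front/back split is meant to hold. The embedded inspect output is a constructed, trimmed copy of the page's own results.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed `docker network inspect` output for the
# "front" and "back" networks after `docker network connect front host3`.
# The shape follows the Docker 1.9 output shown above; IDs are truncated.
INSPECT_FRONT = json.dumps([{
    "Name": "front", "Driver": "bridge",
    "Containers": {
        "25938b944067": {"IPv4Address": "172.18.0.2/16"},   # host1
        "b2758d5b423a": {"IPv4Address": "172.18.0.3/16"},   # host2
        "c929fdcd5f0a": {"IPv4Address": "172.18.0.4/16"},   # host3 (eth1)
    },
}])
INSPECT_BACK = json.dumps([{
    "Name": "back", "Driver": "bridge",
    "Containers": {
        "c929fdcd5f0a": {"IPv4Address": "172.19.0.2/16"},   # host3 (eth0)
    },
}])


def endpoints(inspect_json):
    """Yield (network, container_id, ipv4) for each container endpoint
    in one `docker network inspect <network>` result."""
    for net in json.loads(inspect_json):
        for cid, ep in net.get("Containers", {}).items():
            yield net["Name"], cid, ep.get("IPv4Address", "")


def attachments(*inspect_jsons):
    """Map container id -> {network: ipv4} across several networks."""
    attached = defaultdict(dict)
    for blob in inspect_jsons:
        for net, cid, ip in endpoints(blob):
            attached[cid][net] = ip
    return dict(attached)


def bridging_containers(*inspect_jsons):
    """Containers with endpoints on more than one network. Such a container
    is reachable from both segments, so the front/back separation no longer
    holds through it; review these when segmentation is expected."""
    return {cid: nets for cid, nets in attachments(*inspect_jsons).items()
            if len(nets) > 1}


if __name__ == "__main__":
    for cid, nets in bridging_containers(INSPECT_FRONT, INSPECT_BACK).items():
        print(cid, "spans", ", ".join(f"{n}={ip}" for n, ip in sorted(nets.items())))
```

On a real host, feed it the output of `docker network inspect front` and `docker network inspect back` in place of the constructed strings.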