How Docker port mapping works

Starting the Docker daemon adds a network interface

As the output below shows, once the Docker daemon is running there is an extra interface named "docker0". It is a Linux bridge (172.17.0.1/16 by default) that containers on the default network attach to, and 172.17.0.1 is the gateway those containers use.

ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.0.0.201/24 fe80::216:3eff:fe20:69b9/64
docker0          UP             172.17.0.1/16 fe80::42:d3ff:fef7:aff8/64

Starting a container adds a virtual interface on the host

As the output below shows, when we start a container the host gains another interface. veth633cb05@if10 is the host end of a virtual ethernet (veth) pair plugged into the docker0 bridge; "@if10" names its peer, interface index 10, which lives inside the container's network namespace as the container's eth0. Every packet between the container and the outside world crosses this pair and the bridge.

ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             10.0.0.201/24 fe80::216:3eff:fe20:69b9/64
docker0          UP             172.17.0.1/16 fe80::42:d3ff:fef7:aff8/64
veth633cb05@if10 UP             fe80::14f5:59ff:fe87:d255/64

Docker container network architecture diagram

[figure: Docker container network architecture diagram (image not included on this page)]

Specifying a port mapping when starting a container (Docker generates the matching iptables rules automatically)

docker run -itd -p 8080:80 --name nginx nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
c29f5b76f736: Pull complete
e19db8451adb: Pull complete
24ff42a0d907: Pull complete
c558df217949: Pull complete
976e8f6b25dd: Pull complete
6c78b0ba1a32: Pull complete
84cade77a831: Pull complete
Digest: sha256:91734281c0ebfc6f1aea979cffeed5079cfe786228a71cc6f1f46a228cde6e34
Status: Downloaded newer image for nginx:latest
94baa8582555091dded99622c1a02d5c31c7bb3a920db38f5d8960e7c0755e7d

iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.3:80

Reading the rules from the top: a packet from the network aimed at 10.0.0.201:8080 enters PREROUTING, matches "dst-type LOCAL" (the address belongs to this host) and jumps to DOCKER, where the DNAT rule rewrites the destination to 172.17.0.3:80. The destination is now a bridge address, so the kernel forwards the packet across docker0 instead of delivering it locally; it traverses the FORWARD chain, not INPUT. The RETURN rule at the head of DOCKER only matches traffic that entered on docker0 (the interface match is hidden by -nL; iptables -t nat -S DOCKER prints it), so traffic between containers is not DNATed again. The OUTPUT rule applies the same DNAT to connections the host itself makes to one of its own non-loopback addresses, which is why curl against 10.0.0.201:8080 works from the host. In POSTROUTING the first MASQUERADE rewrites the source of everything leaving 172.17.0.0/16 to the host's address; the second is the hairpin case, a container reaching its own published port through the host address, where source and destination are both 172.17.0.3 and the source must be masqueraded so the reply comes back through the bridge.

The practical consequence: a published port bypasses any host firewall policy written on the INPUT chain (ufw and similar tools included), because the DNATed packet never reaches INPUT and Docker's own FORWARD rules accept it. Restrictions belong either in the DOCKER-USER chain, which Docker jumps to first from FORWARD and never rewrites, or in the -p argument itself by binding to a specific host address.
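To get the same picture without reading the table by eye, here is an added example (mine, not code from the original page) that parses the iptables -nL -t nat output above, pulls every DNAT rule out of the DOCKER chain, checks that PREROUTING and OUTPUT really jump to DOCKER, and flags the mappings whose destination match is 0.0.0.0/0, i.e. reachable on every host address. The sample text is constructed: it is the page's own output plus one extra rule (the 172.17.0.4:5432 line) for a container published on 127.0.0.1 only, added to show the contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: the nat table from the page, plus one DNAT rule for a
# container published on 127.0.0.1 only (172.17.0.4:5432) to show the contrast.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.3           172.17.0.3           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.3:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.4:5432
"""

# Column layout of `iptables -nL` (no -v): target prot opt source destination extras
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"\S+\s+dpt:(?P<hport>\d+)\s+to:(?P<cip>[\d.]+):(?P<cport>\d+)\s*$"
)


@dataclass(frozen=True)
class Publish:
    proto: str
    host_dst: str        # destination match of the rule; 0.0.0.0/0 means every host address
    host_port: int
    container_ip: str
    container_port: int

    @property
    def all_interfaces(self) -> bool:
        return self.host_dst == "0.0.0.0/0"


def parse_chains(text):
    """Split `iptables -nL -t nat` output into {chain_name: [rule lines]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+) ", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line)
    return chains


def dnat_rules(text):
    """Every port publication Docker wrote into the nat DOCKER chain."""
    out = []
    for line in parse_chains(text).get("DOCKER", []):
        m = DNAT_RE.match(line)
        if m:
            out.append(Publish(m["proto"], m["dst"], int(m["hport"]), m["cip"], int(m["cport"])))
    return out


def docker_hooked(text):
    """True when both PREROUTING and OUTPUT jump to DOCKER, the path published ports rely on."""
    chains = parse_chains(text)
    return all(any(l.split()[0] == "DOCKER" for l in chains.get(c, []))
               for c in ("PREROUTING", "OUTPUT"))


def exposed_everywhere(text):
    """The publications reachable on every host address (no host IP given to -p)."""
    return [p for p in dnat_rules(text) if p.all_interfaces]


if __name__ == "__main__":
    for p in dnat_rules(SAMPLE_NAT):
        scope = "ALL interfaces" if p.all_interfaces else f"only {p.host_dst}"
        print(f"{p.proto}/{p.host_port} -> {p.container_ip}:{p.container_port}  ({scope})")
```

On a real host, feed it the output of iptables -nL -t nat (not -v, whose extra columns change the layout the regex assumes). Anything listed under "ALL interfaces" is reachable by whoever can reach the host, regardless of INPUT-chain firewall rules.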

Common ways to specify ports

Bind to all of the host's interfaces

docker run -itd -p 80:80  --name nginx nginx
10a7f72e03ba1ae4a3e1b42b2e96ff12c99d8a931371964889e6bcab7ca46e9e
With no host address in front of the port pair, Docker binds the mapping to 0.0.0.0, i.e. every address the host has, including eth0 at 10.0.0.201, so anyone who can reach the host can reach the container. Prefixing the mapping with a host address, 127.0.0.1 for example, restricts the DNAT rule to that address.

Map a port over UDP

docker run -itd -p 80:80/udp  --name nginx nginx
748d6c08a22919ed7e3abe8a75c30f8f625002a1fa10c323969ac71b386451b5
The protocol can be given after the container port; when none is given, the mapping is TCP. A UDP mapping produces a separate DNAT rule matching udp, so a service that speaks both protocols needs both mappings.

Publish multiple container ports

docker run -itd -p 80:80 -p 8080:8080 --name nginx nginx
3692777a2365f64796e478b10d46ebac65727234be0dd9b0417becc9ac020538
Several ports can be published for one container at once; each -p adds its own DNAT rule. A rule only helps if something in the container listens on that port; a DNAT to a closed port just yields a connection refused.

Automatic (random) host port mapping

docker run -itd -p 80  --name nginx nginx
1f08814fc528643c5eb9e754fef8b5b8a0e79bad0267605134b42531fc23fc79
Giving only the container port makes Docker pick a free ephemeral host port for the DNAT rule; the port is random, but it is still bound on every host interface unless a host address is given.
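The forms above are all instances of one grammar, [host_ip:][host_port:]container_port[/proto]. The following added example (mine, not code from the original page) parses that grammar, including the host-address form the page does not show, reports which specs end up listening on every host interface, and prints the shape of the DNAT rule Docker adds to the nat DOCKER chain for each. The container address passed to dnat_rule is an assumption, since Docker assigns it from the bridge subnet at run time, and the parser handles IPv4 host addresses only (Docker's bracketed IPv6 form is left out).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOS = {"tcp", "udp", "sctp"}


@dataclass(frozen=True)
class PublishSpec:
    host_ip: Optional[str]      # None -> Docker binds every host address (0.0.0.0)
    host_port: Optional[int]    # None -> Docker picks an ephemeral host port
    container_port: int
    proto: str

    @property
    def all_interfaces(self) -> bool:
        return self.host_ip is None or ipaddress.ip_address(self.host_ip).is_unspecified

    @property
    def loopback_only(self) -> bool:
        return self.host_ip is not None and ipaddress.ip_address(self.host_ip).is_loopback


def _port(s):
    n = int(s)
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {s}")
    return n


def parse_publish(spec):
    """Parse one -p argument of the form [host_ip:][host_port:]container_port[/proto].
    IPv4 host addresses only (assumption of this example)."""
    proto = "tcp"                      # Docker's default when no /proto suffix is given
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
        if proto not in PROTOS:
            raise ValueError(f"unknown protocol: {proto}")
    parts = spec.split(":")
    if len(parts) == 1:                # "80"            -> random host port, all interfaces
        host_ip, host_port, cport = None, "", parts[0]
    elif len(parts) == 2:              # "8080:80"       -> fixed host port, all interfaces
        host_ip, host_port, cport = None, parts[0], parts[1]
    elif len(parts) == 3:              # "127.0.0.1:8080:80" or "127.0.0.1::80"
        host_ip, host_port, cport = parts
        ipaddress.ip_address(host_ip)  # raises ValueError on garbage
    else:
        raise ValueError(f"bad publish spec: {spec}")
    return PublishSpec(host_ip, _port(host_port) if host_port else None, _port(cport), proto)


def dnat_rule(spec, container_ip):
    """Shape of the DNAT rule Docker adds for one spec (container_ip is assumed; Docker
    assigns it at run time). The -d match only appears when a host address was given."""
    p = parse_publish(spec)
    dport = str(p.host_port) if p.host_port is not None else "<ephemeral>"
    dst = f"-d {p.host_ip} " if p.host_ip is not None else ""
    return (f"-A DOCKER {dst}-p {p.proto} --dport {dport} "
            f"-j DNAT --to-destination {container_ip}:{p.container_port}")


def audit(specs):
    """Return the specs that will be reachable on every host address."""
    return [s for s in specs if parse_publish(s).all_interfaces]


if __name__ == "__main__":
    for s in ["8080:80", "80:80/udp", "80", "127.0.0.1:5432:5432"]:
        p = parse_publish(s)
        where = "ALL interfaces" if p.all_interfaces else p.host_ip
        print(f"{s:22} -> {where:16} {dnat_rule(s, '172.17.0.3')}")
```

Run it over the -p arguments before starting the container: a spec with no host address is the usual mistake, because it publishes on 0.0.0.0. For a spec with no host port, the number Docker actually chose is shown by docker port <container> after the container starts.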
