Wednesday, March 16, 2016

[ Article Collection ] Setting up a Docker Bridge

Source From Here 
Introduction 
The default behaviour of Docker is to assign IP addresses from its pool in the order the containers are started. This means you have a pool of IP addresses, a bit like DNS, that get assigned more or less at random, which in most cases is more than adequate. Sometimes you want to be clear about which container has which address and ensure that every container can talk to the others to pass information on. The --link flag can achieve some of this, but it is not bi-directional, so we are going to build our own bridge. This will let us use a fixed IP address, avoiding the need for linked containers. Docker 1.7 introduced a new experimental feature called 'SWARM' for clustering that will enable bi-directional linking, but as it is still in the testing phase it is not something you would want in most situations. 

How-To 
First stop the Docker daemon and 'docker0' interface: 
# yum install bridge-utils
# service docker stop
Stopping docker (via systemctl): [ OK ]
# ip link set dev docker0 down
// -F, --flush [chain]: Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
# iptables -t nat -F POSTROUTING

Then, before the Docker service is restarted, we need to create our own bridge and set up the configuration we need for our containers. 
# brctl addbr br0
# ip addr add 192.19.0.10/24 dev br0
# ip link set dev br0 up
# ip addr show br0
19: br0: mtu 1500 qdisc noqueue state UNKNOWN
link/ether da:b2:69:23:ed:79 brd ff:ff:ff:ff:ff:ff
inet 192.19.0.10/24 scope global br0
valid_lft forever preferred_lft forever
inet6 fe80::d8b2:69ff:fe23:ed79/64 scope link
valid_lft forever preferred_lft forever

Make sure the config is saved so that it is applied at reboot: 
# vi /etc/sysconfig/network-scripts/ifcfg-br0
  TYPE=Bridge
  DEVICE=br0
  NETMASK=255.255.255.0
  IPADDR=192.19.0.10
  ONBOOT=yes
  BOOTPROTO=none
  NM_CONTROLLED=no
  DELAY=0

Tell Docker about it and restart (Docker 1.7): 
# vi /usr/lib/systemd/docker.service
  /usr/bin/docker -d -b=br0 --insecure-registry issatf-registry:8080 -H fd://

If you are using CentOS 7 and Docker 1.9.x, edit this configuration file instead: 
# vi /etc/systemd/system/docker.service.d/docker.conf
  [Service]
  ExecStart=
  ExecStart=/usr/bin/docker daemon -D -b=br0 --insecure-registry issatf-registry:8080

Then reload and start docker: 
# systemctl daemon-reload
# service docker start
# ps aux | grep docker
root 23608 0.2 0.4 350372 23316 ? Ssl 06:41 0:00 /usr/bin/docker daemon -D -b=br0 --insecure-registry issatf-registry:8080

Confirming new outgoing NAT masquerade is set up: 
# iptables -t nat -L -n | grep 192
MASQUERADE all -- 192.19.0.0/24 0.0.0.0/0


Start/Create Your Containers: 
Now you can create new containers using the bridge or start existing ones. Start the containers: 
# docker images // Check the images we have
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
johnklee/hadoop_centos_base v1 2650daf94945 6 days ago 732.6 MB
...

# d run -it 2650daf94945 bash // Run a container with container id
[root@848b4fcab77e /]# ip addr show // Check the IP we have now
...
22: eth0: mtu 1500 qdisc noqueue state UP
link/ether 02:42:c0:13:00:01 brd ff:ff:ff:ff:ff:ff
inet 192.19.0.1/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:c0ff:fe13:1/64 scope link
valid_lft forever preferred_lft forever

// Enter Ctrl+p , Ctrl+q to detach the container and back to host
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
848b4fcab77e 2650daf94945 "bash" 25 seconds ago Up 23 seconds mad_easley

Check that the containers have been given addresses from the new range on the new bridge: 
# docker inspect --format '{{ .NetworkSettings.IPAddress }}' 848b4fcab77e // '848b4fcab77e' is the container id
192.19.0.1

Pipework: 
Now we need 'pipework' to set a container's static address manually, so install pipework on the Docker host: 
# mkdir git_repo
# cd git_repo/
# git clone https://github.com/jpetazzo/pipework
Cloning into 'pipework'...
remote: Counting objects: 413, done.
remote: Total 413 (delta 0), reused 0 (delta 0), pack-reused 413
Receiving objects: 100% (413/413), 132.98 KiB | 86.00 KiB/s, done.
Resolving deltas: 100% (211/211), done.

# cp pipework/pipework /usr/bin/
# yum install -y arptables // Install arptables as we need arping

Once this is complete you can assign the address you want to the relevant containers. 
# pipework
Syntax:
pipework <hostinterface> [-i containerinterface] [-l localinterfacename] <guest> <ipaddr>/<subnet>[@default_gateway] [macaddr][@vlan]
pipework <hostinterface> [-i containerinterface] [-l localinterfacename] <guest> dhcp [macaddr][@vlan]
pipework --wait [-i containerinterface]

# pipework br0 848b4fcab77e 192.19.1.11/24@192.19.0.1
# docker exec 848b4fcab77e ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
32: eth0: mtu 1500 qdisc noqueue state UP
link/ether 02:42:c0:13:00:01 brd ff:ff:ff:ff:ff:ff
inet 192.19.0.1/24 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:c0ff:fe13:1/64 scope link
valid_lft forever preferred_lft forever
34: eth1:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether de:5e:36:df:56:2b brd ff:ff:ff:ff:ff:ff
inet 192.19.1.11/24 brd 192.19.1.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::dc5e:36ff:fedf:562b/64 scope link
valid_lft forever preferred_lft forever

Add a route entry so that the host can reach the container: 
# ip route add 192.19.1.0/24 via 192.19.0.10
# ip route list
...
192.19.1.0/24 via 192.19.0.10 dev br0

Finally a little test: 
# ping -c 4 192.19.1.11
PING 192.19.1.11 (192.19.1.11) 56(84) bytes of data.
64 bytes from 192.19.1.11: icmp_seq=1 ttl=64 time=0.064 ms
64 bytes from 192.19.1.11: icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from 192.19.1.11: icmp_seq=3 ttl=64 time=0.078 ms
64 bytes from 192.19.1.11: icmp_seq=4 ttl=64 time=0.042 ms
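Once the bridge, Docker's masquerade rule and the host route are in place, it is worth having a repeatable check rather than eyeballing the output each time. The script below is an added example, not part of the original article; it assumes the addresses used above (br0 at 192.19.0.10/24, Docker containers in 192.19.0.0/24, pipework addresses in 192.19.1.0/24) and the function names are my own.

```shell
#!/bin/sh
# Post-setup checks for the custom Docker bridge (added example, not from the
# original article). Each check takes captured command output as an argument,
# so the same logic runs against a live host or against saved text.
BRIDGE=br0
BRIDGE_ADDR=192.19.0.10/24      # address given to br0 above
DOCKER_NET=192.19.0.0/24        # range Docker assigns from and masquerades
PIPEWORK_NET=192.19.1.0/24      # range assigned by pipework, routed via br0
# Does the bridge carry the expected address?  ($1: `ip addr show br0` output)
bridge_has_addr() { printf '%s\n' "$1" | grep -q "inet $2 "; }

# Did Docker re-create a MASQUERADE rule for exactly the bridge subnet?
# `iptables -t nat -F POSTROUTING` above emptied the chain, so this proves
# only that the Docker rule came back, not any others that were there before.
# ($1: `iptables -t nat -L POSTROUTING -n` output: target prot opt source dest)
masq_covers() {
    printf '%s\n' "$1" | awk -v net="$2" \
        '$1 == "MASQUERADE" && $4 == net { found = 1 } END { exit !found }'
}

# Does the host route to the pipework range go via the bridge address?
# ($1: `ip route list` output, $2: destination subnet, $3: gateway)
route_via() { printf '%s\n' "$1" | grep -q "^$2 via $3 "; }

# Run the three checks on the live host; returns non-zero on any failure.
verify_live() {
    rc=0
    bridge_has_addr "$(ip addr show "$BRIDGE" 2>/dev/null)" "$BRIDGE_ADDR" \
        || { echo "FAIL: $BRIDGE lacks $BRIDGE_ADDR"; rc=1; }
    masq_covers "$(iptables -t nat -L POSTROUTING -n 2>/dev/null)" "$DOCKER_NET" \
        || { echo "FAIL: no MASQUERADE rule for $DOCKER_NET"; rc=1; }
    route_via "$(ip route list 2>/dev/null)" "$PIPEWORK_NET" "${BRIDGE_ADDR%/*}" \
        || { echo "FAIL: no route to $PIPEWORK_NET via ${BRIDGE_ADDR%/*}"; rc=1; }
    return "$rc"
}

# Constructed sample output (values copied from the session above) so the
# checks can be exercised without touching the host.
SAMPLE_IP='19: br0: mtu 1500 qdisc noqueue state UNKNOWN
    inet 192.19.0.10/24 scope global br0'
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.19.0.0/24        0.0.0.0/0'
SAMPLE_ROUTE='192.19.1.0/24 via 192.19.0.10 dev br0'
verify_sample() {
    bridge_has_addr "$SAMPLE_IP" "$BRIDGE_ADDR" &&
    masq_covers "$SAMPLE_NAT" "$DOCKER_NET" &&
    route_via "$SAMPLE_ROUTE" "$PIPEWORK_NET" "${BRIDGE_ADDR%/*}"
}
```

Run `verify_live` on the Docker host after `service docker start` and the `ip route add` step; `verify_sample` runs the same checks against the embedded text.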

Supplement 
Docker Doc - Configuring and running Docker on various distributions 
[Linux Article Collection] Basic network devices on Linux explained in detail 
[ FAQ ] Add link between container and bridge
