Docker Network Operations: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
Line 134: Line 134:
1. Configure the Linux kernel on the Docker host [[IP Forwarding#Overview|to allow forwarding]].
1. Configure the Linux kernel on the Docker host [[IP Forwarding#Overview|to allow forwarding]].


2. Change the iptables FORWARD policy from DROP to ACCEPT:
2. Change the [[Iptables_Command_Line_Tool#List_Rules|iptables]] FORWARD policy from DROP to ACCEPT:


  sudo iptables -P FORWARD ACCEPT
  sudo iptables -P FORWARD ACCEPT


These settings do not persist across a reboot, so in order to survive, they need to be added to a script.
These settings do not persist across a reboot, so in order to survive, they need to be added to a script.

Latest revision as of 17:38, 1 May 2018

Internal

Overview

List Networks

docker network ls

Get Detailed Information about a Network

docker network inspect <network-name>

The containers listed in the "Containers" list are connected (plugged into) to the network. 

[
    {
        "Name": "bridge",
        "Id": "3c9a92ee1a7d1d4208e7f924343b85d1af9152ea3d02634c48007d27103f9d36",
        "Created": "2018-04-30T20:12:12.943677437-07:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "4e5c55294dcc0b4274c73639268c2a570c1e0cae0819ea2fbe21f58d7fdbeba5": {
                "Name": "alpine1",
                "EndpointID": "779600189ed5197e2ab2fb081f0e5d71d4348bc9af096c8ee77b83c7500afef3",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "e3092a676f3d9ace791fd7ebb297b71950f1bbd3abe0383f6c7ad78d1fd76523": {
                "Name": "alpine2",
                "EndpointID": "f060429bfcaf8b2af04f071d88cd886b2a4e352a032ac9e2b2c98f40fb0dc759",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

Create a New User-Defined Bridge Network

https://docs.docker.com/engine/reference/commandline/network_create/#specify-advanced-options

Command creates a user-defined bridge network: 

docker network create \
   [--driver=bridge] \
   [--subnet=172.29.0.0/16] \
   [--ip-range=172.28.5.0/24 ] \
   [--gateway=172.29.5.253] \
 <user-defined-bridge-network-name>

Example: 

docker network create --driver=bridge green

docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
...
663b4388fb68        green               bridge              local

Remove a User-Defined Bridge Network

docker network rm <user-defined-bridge-network-name>

Note that containers need to be disconnected first from the network being removed.

Connect a Container to a Network

In all examples below, the network to connect to can be the default "bridge" network (which it does not make too much sense, since that is the default), a user-defined bridge network, a host network, etc.

At Container Creation Phase

When a container is created with docker create, one more more --network flags can be specified. Docker will use this information to connect the container to the specified network(s). 

 docker create --name <container-name> \
   --network <network-name> \
   --publish <host-port>:<container-port> \
 ...

By 'docker run' Command

docker run ... --network <network-name> ...

associates the container with the specified network and connects it to the network. After the command completes, the container's IP is routable outside to the Docker host.

When the Container is Running

The container can be connected dynamically to a network while it is running: 

docker network connect <network-name> <container-name>

Disconnect a Container from a Network

docker network disconnect <network-name> <container-name>

Enable IP Forwarding from Containers on the Default Bridge

By default, IP forwarding from containers connected to the default bridge is not enabled. To enabled it:

1. Configure the Linux kernel on the Docker host to allow forwarding.

2. Change the iptables FORWARD policy from DROP to ACCEPT: 

sudo iptables -P FORWARD ACCEPT

These settings do not persist across a reboot, so in order to survive, they need to be added to a script.

Retrieved from "https://kb.novaordis.com/index.php?title=Docker_Network_Operations&oldid=42073"