
Creating a Static IP for a Docker Container

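Configuring the bridged network

  The purpose of bridging to the local physical network is to let users on the LAN reach services in docker instances directly, without any port mappings. However, doing so runs counter to the security-isolation principle of docker containers, so weigh the trade-off in practice.

Create the bridge device:

Install the package: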

[[email protected] ~]# rpm -ivh /mnt/Packages/bridge-utils-1.5-9.el7.x86_64.rpm

Bind the NIC to the br0 bridge device

[[email protected] ~]# cd /etc/sysconfig/network-scripts/

[[email protected] network-scripts]# cp ifcfg-ens33 /opt/

[[email protected] network-scripts]# vim ifcfg-ens33

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=74a03b29-1fe1-4c5c-8361-4c25e321ea47
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.199.7    # remove the address-related settings
NETMASK=255.255.255.0
GATEWAY=192.168.199.1
DNS=114.114.114.114
DNS2=119.29.29.29
BRIDGE=br0      # add this setting

[[email protected] network-scripts]# vim ifcfg-br0

DEVICE="br0"
NM_CONTROLLED="yes"
ONBOOT="yes"
TYPE="Bridge"
BOOTPROTO=none
IPADDR=192.168.209.7
NETMASK=255.255.255.0
GATEWAY=192.168.209.254
DNS1=114.114.114.114

[[email protected] network-scripts]# systemctl restart network   # restart the network service

Check the addresses:

[[email protected] network-scripts]# ifconfig
br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.209.7  netmask 255.255.255.0  broadcast 192.168.209.255
        inet6 fe80::20c:29ff:fe73:f66b  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:73:f6:6b  txqueuelen 1000  (Ethernet)
        RX packets 927  bytes 65484 (63.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 345  bytes 45743 (44.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:ae:a2:84:7e  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:73:f6:6b  txqueuelen 1000  (Ethernet)
        RX packets 978  bytes 82130 (80.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 471  bytes 62022 (60.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Binding a static IP address to a container with pipework

The pipework tool is used to bind an IP address to a container.

[[email protected] ~]# git clone https://github.com/jpetazzo/pipework.git

[[email protected] ~]# cd pipework/

[[email protected] pipework]# ls

docker-compose.yml  doctoc  LICENSE  pipework  pipework.spec  README.md

[[email protected] pipework]# cp pipework /usr/local/bin/

[[email protected] pipework]# ls /usr/local/bin/

pipework

pipework is now installed.

Start the container

[[email protected] ~]# docker run -itd --net=none --privileged=true docker.io/centos:latest bash

[[email protected] ~]# docker ps
CONTAINER ID        IMAGE                     COMMAND             CREATED             STATUS              PORTS               NAMES
742430cbc590        docker.io/centos:latest   "bash"              11 hours ago        Up 6 seconds                            goofy_mestorf

[[email protected] ~]# pipework br0 742430cbc590 192.168.209.10/[email protected]       # bind the IP
[[email protected] ~]# ping 192.168.209.10
PING 192.168.209.10 (192.168.209.10) 56(84) bytes of data.
64 bytes from 192.168.209.10: icmp_seq=1 ttl=64 time=0.333 ms

Check the container's IP:

[[email protected] ~]# docker exec -it 742430cbc590 bash

[[email protected] /]# yum install net-tools -y    # the container has no ifconfig command, so it must be installed
[[email protected] /]# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.209.10  netmask 255.255.255.0  broadcast 192.168.209.255
        inet6 fe80::6435:e4ff:fee5:49e6  prefixlen 64  scopeid 0x20<link>
        ether 66:35:e4:e5:49:e6  txqueuelen 1000  (Ethernet)
        RX packets 459  bytes 363810 (355.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 145  bytes 10285 (10.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The container now has a static IP bound to it. One drawback is that the address is lost as soon as the container restarts.
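
Because the address is lost on restart, the binding has to be re-applied, and on a bridged LAN a wrong address affects other machines. The following is an added example, not part of the original article or of pipework: it vets each `<ip>/<prefix>@<gateway>` spec (pipework's address syntax) against the br0 subnet and prints the pipework commands to re-run. The function names, the container names web1 and web2, and the sample table are constructed; the bridge values assume the ifcfg-br0 shown earlier.

```shell
# Dotted-quad IPv4 -> integer; rejects malformed octets and leading zeros.
ip2int() {
    local IFS=. a b c d extra o
    read -r a b c d extra <<EOF
$1
EOF
    [ -z "$extra" ] && [ "${1%.}" = "$1" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# check_spec BRIDGE_CIDR HOST_IP SPEC: prints a verdict; returns 0 only if SPEC
# (<ip>/<prefix>@<gateway>) fits the bridge subnet without known collisions.
check_spec() {
    local bits="${1#*/}" spec="$3" ip gw n h i g mask bcast
    case "$bits" in [89]|[12][0-9]|30) ;; *) echo "bad bridge prefix"; return 1 ;; esac
    ip="${spec%%/*}"; gw="${spec#*@}"
    [ "$spec" = "$ip/$bits@$gw" ] || { echo "bad format or prefix"; return 1; }
    n=$(ip2int "${1%/*}") && h=$(ip2int "$2") && i=$(ip2int "$ip") &&
        g=$(ip2int "$gw") || { echo "bad address"; return 1; }
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    n=$(( n & mask )); bcast=$(( n | (~mask & 0xFFFFFFFF) ))
    if [ $(( i & mask )) -ne "$n" ] || [ $(( g & mask )) -ne "$n" ]; then
        echo "outside bridge subnet"; return 1
    elif [ "$i" -eq "$n" ] || [ "$i" -eq "$bcast" ]; then
        echo "network or broadcast address"; return 1
    elif [ "$i" -eq "$h" ] || [ "$i" -eq "$g" ]; then
        echo "collides with host or gateway"; return 1
    fi
    echo ok
}

# plan_bindings BRIDGE BRIDGE_CIDR HOST_IP: reads "container spec" lines on
# stdin; prints a pipework command per valid line, a comment per rejected one.
plan_bindings() {
    local name spec why
    while read -r name spec; do
        case "$name" in ''|*[!A-Za-z0-9_.-]*) echo "# skipped: bad name"; continue ;; esac
        if why=$(check_spec "$2" "$3" "$spec"); then echo "pipework $1 $name $spec"
        else echo "# skipped $name ($spec): $why"; fi
    done
}

# Constructed table (added example, not from the article); web2 reuses the host IP.
printf '%s\n' 'web1 192.168.209.10/24@192.168.209.254' \
    'web2 192.168.209.7/24@192.168.209.254' | plan_bindings br0 192.168.209.0/24 192.168.209.7
```

Review the printed commands before running them. The check only knows the host and gateway addresses, not the other machines on the LAN.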

Hands-on:

Start a web service using the static IP.

This experiment builds on the container above.

[[email protected] ~]# docker exec -it 742430cbc590 bash
[[email protected] /]# yum install httpd -y      # install the service
[[email protected] /]# systemctl start httpd    # starting it this way does not work
Failed to get D-Bus connection: Operation not permitted
[[email protected] /]# httpd            # start it by running httpd directly

Create a test page:

[[email protected] /]# echo "this is a test" > /var/www/html/index.html

Test: