问题描述
是否有可能使同一主机内不同网络中的容器进行通信?请注意,我目前不在使用docker-compose。
以下是我所做操作的摘要。我使用以下命令创建了两个网络
The following is a summary of what I did. I created two networks using the following commands
docker network create --driver bridge mynetwork1
docker network create --driver bridge mynetwork2
然后我使用以下命令在每个创建的网络上运行两个容器:
Then I ran two containers on each of these created networks using the commands:
docker run --net=mynetwork1 -it name=mynet1container1 mycontainerimage
docker run --net=mynetwork1 -it name=mynet1container2 mycontainerimage
docker run --net=mynetwork2 -it name=mynet2container1 mycontainerimage
docker run --net=mynetwork2 -it name=mynet2container2 mycontainerimage
然后我从使用以下内容创建的网络中识别出每个容器的IP地址
I then identified the IP Addresses of each of the containers from the networks created using
docker network inspect mynetwork1
docker network inspect mynetwork2
使用那些我能够在同一网络中的容器之间进行通信,但是我之间无法进行通信跨网络的容器。只能通过将容器添加到同一网络来进行通信。
Using those I was able to communicate between the containers in the same network, but I could not communicate between the containers across the networks. Communication was possible only by adding the containers to the same network.
非常感谢...
推荐答案
不同网络中的容器无法相互通信,因为iptables丢弃了此类数据包。这在过滤器表的DOCKER-ISOLATION-STAGE-1和DOCKER-ISOLATION-STAGE-2链中显示。
Containers in different networks can not communicate with each other because iptables drop such packets. This is shown in the DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 chains in the filter table.
sudo iptables -t filter -vL
可以将规则添加到DOCKER-USER链中,以允许不同网络之间的通信。在上述情况下,以下命令将允许mynetwork1中的任何容器与mynetwork2中的任何容器进行通信。
Rules can be added to DOCKER-USER chain to allow communication between different networks. In the above scenario, the following commands will allow ANY container in mynetwork1 to communicate with ANY containers in mynetwork2.
网络的桥接口名称(mynetwork1和mynetwork2)需要首先被发现。它们的名称通常看起来像br-07d0d51191df或br-85f51d1cfbf6,可以使用命令 ifconfig或 ip link show找到它们。由于存在多个网桥接口,为了为感兴趣的网络标识正确的网桥接口,网桥接口的inet地址(如ifconfig中所示)应与命令'docker network inspect mynetwork1'
The bridge interface names of the network (mynetwork1 and mynetwork2) need to be found first. Their names are usually look like br-07d0d51191df or br-85f51d1cfbf6 and they can be found using command "ifconfig" or "ip link show". Since there are multiple bridge interfaces, to identify the correct ones for the networks of interest, the inet address of the bridge interface (shown in ifconfig) should match the subnet address shown in command 'docker network inspect mynetwork1'
sudo iptables -I DOCKER-USER -i br-########1 -o br-########2 -j ACCEPT
sudo iptables -I DOCKER-USER -i br-########2 -o br-########1 -j ACCEPT
可以对规则进行微调,以仅允许特定IP之间的通信。例如,
The rules can be fine tuned to allow only communications between specific IPs. E.g,
sudo iptables -I DOCKER-USER -i br-########1 -o br-########2 -s 172.17.0.2 -d 172.19.0.2 -j ACCEPT
sudo iptables -I DOCKER-USER -i br-########2 -o br-########1 -s 172.19.0.2 -d 172.17.0.2 -j ACCEPT
这篇关于在同一主机上不同网络中的Docker容器之间进行通信的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!