Network fundamentals: the rules configured on the host after a container is created in Docker
First, look at the host before the docker daemon has been started. (In the dumps quoted below, some field values and jump targets are missing from the extracted source; those lines are left as they are.)

```
[root@dev ~]# systemctl status docker.service
docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service;
   Active: inactive
     Docs:
[root@dev ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
[root@dev ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug  6 13:40:20
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT [0:0]
# Completed on Thu Aug  6 13:40:20
# Generated by iptables-save v1.4.21 on Thu Aug  6 13:40:20
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j
-A INPUT -p icmp -j
-A INPUT -i lo -j
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
-A INPUT -j REJECT --reject-with icmp-host-
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Completed on Thu Aug  6 13:40:20
```

Now start the daemon and look again:

```
[root@dev ~]# service docker start
Redirecting to /bin/systemctl start docker.service
[root@dev ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.56847afe9799
[root@dev ~]# ip l show dev docker0
docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 noqueue state DOWN mode
    link/ether 56:84:7a:fe:97:99 brd
[root@dev ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug  6 13:41:52
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:DOCKER -
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Completed on Thu Aug  6 13:41:52
# Generated by iptables-save v1.4.21 on Thu Aug  6 13:41:52
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:DOCKER -
-A INPUT -m state --state RELATED,ESTABLISHED -j
-A INPUT -p icmp -j
-A INPUT -i lo -j
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
-A INPUT -j REJECT --reject-with icmp-host-
-A FORWARD -o docker0 -j
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j
-A FORWARD -i docker0 -o docker0 -j
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Completed on Thu Aug  6 13:41:52
```

Even before any container has been started, Docker has added a set of basic rules to both the nat and the filter table. To read them, recall the order in which iptables processes a packet. A packet addressed to the local host walks mangle-PREROUTING -> nat-PREROUTING -> mangle-INPUT -> filter-INPUT and is then handed to the receiving application. A packet sent by the local host walks mangle-OUTPUT -> nat-OUTPUT -> filter-OUTPUT -> mangle-POSTROUTING -> nat-POSTROUTING. A packet that is forwarded through the host walks mangle-PREROUTING -> nat-PREROUTING -> mangle-FORWARD -> filter-FORWARD -> mangle-POSTROUTING -> nat-POSTROUTING. Now map Docker's rules onto these three paths.

On the local-inbound path (mangle-PREROUTING -> nat-PREROUTING -> mangle-INPUT -> filter-INPUT), the nat table contains -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER. The addrtype module matches packets whose destination is one of this host's own addresses and sends them to the DOCKER chain; at this point the DOCKER chain is still empty, so the packet simply continues.

On the local-outbound path there are two rules: -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER, which sends locally generated packets for a local (non-loopback) address to the DOCKER chain, and -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE, which source-NATs anything from the container subnet that leaves through an interface other than docker0.

On the forwarding path (mangle-PREROUTING -> nat-PREROUTING -> mangle-FORWARD -> filter-FORWARD -> mangle-POSTROUTING -> nat-POSTROUTING) the four FORWARD rules in the filter table that reference docker0 apply.

Next, start a container:

```
[root@dev ~]# docker run -dit --name test-os
[root@dev ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.56847afe9799
[root@dev ~]# ip l show dev vethe7cd2e3
vethe7cd2e3: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether f6:b9:36:fb:5b:ac brd ff:ff:ff:ff:ff:ff
[root@dev ~]# ip a show dev vethe7cd2e3
vethe7cd2e3: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether f6:b9:36:fb:5b:ac brd
    inet6 fe80::f4b9:36ff:fefb:5bac/64 scope
       valid_lft forever preferred_lft
```

The veth interface vethe7cd2e3 has its other end inside the network namespace of the test-os container. Note that Docker performs its namespace operations by sending them directly to the kernel over a socket; unlike Neutron, it does not create a namespace that the ip netns command can list, so you cannot inspect the container's namespace with ip.

The iptables-save output taken now (Thu Aug  6 14:12:58) is identical to the one taken right after the daemon started: creating a container without a port mapping adds no rules. Because vethe7cd2e3 is plugged into docker0, traffic from the container is IP-forwarded by the host, so it takes the forwarding path: mangle-PREROUTING -> nat-PREROUTING -> mangle-FORWARD -> filter-FORWARD -> mangle-POSTROUTING -> nat-POSTROUTING. Listing the nat table with packet counters shows which of Docker's rules have already been hit:

```
Chain PREROUTING (policy ACCEPT 6518 packets, 593756 bytes)
 pkts bytes target     prot opt in     out     source               destination
  316       DOCKER     all  --                                                   ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 4 packets, 256 bytes)
Chain OUTPUT (policy ACCEPT 58 packets, 4574 bytes)
    0       DOCKER     all  --                                                   ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 58 packets, 4574 bytes)
  168       MASQUERADE all  --  *      !docker0 172.17.0.0/16
Chain DOCKER (2 references)
```

The counter values are attributed to cache timing (the explanation is truncated in the source). The host's routing table shows the container subnet reachable through docker0 (virbr0 is the bridge created by libvirt, unrelated to Docker):

```
[root@dev ~]# ip route
default via 172.16.1.1 dev enp0s3 proto static metric
default via 10.0.2.1 dev enp0s8 proto static metric
10.0.2.0/24 dev enp0s8 proto kernel scope link src 10.0.2.6 metric 100
172.16.1.0/24 dev enp0s3 proto kernel scope link src 172.16.1.75 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src
192.168.56.0/24 dev enp0s9 proto kernel scope link src 192.168.56.200 metric 100
192.168.100.0/24 dev enp0s10 proto kernel scope link src 192.168.100.101 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src
```

Now start a second container with a port mapping, publishing container port 80 on host port 8888:

```
[root@dev ~]# docker run -dit -p 8888:80 --name test-os2 docker.io/centos /bin/bash
[root@dev ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Aug  6 14:29:18
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
# Completed on Thu Aug  6 14:29:18
# Generated by iptables-save v1.4.21 on Thu Aug  6 14:29:18
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:DOCKER -
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.6/32 -d 172.17.0.6/32 -p tcp -m tcp --dport 80 -j
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 172.17.0.6:80
# Completed on Thu Aug  6 14:29:18
# Generated by iptables-save v1.4.21 on Thu Aug  6 14:29:18
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:DOCKER -
-A INPUT -m state --state RELATED,ESTABLISHED -j
-A INPUT -p icmp -j
-A INPUT -i lo -j
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j
-A INPUT -j REJECT --reject-with icmp-host-
-A FORWARD -o docker0 -j
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j
-A FORWARD -i docker0 -o docker0 -j
-A FORWARD -j REJECT --reject-with icmp-host-
-A DOCKER -d 172.17.0.6/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
# Completed on Thu Aug  6 14:29:18
```

Compared with the previous dump, a number of rules referring to 172.17.0.6 and port 8888 have appeared; let us analyse them. First consider a packet sent from the container to the public internet. It is forwarded, so it takes the path described above: mangle-PREROUTING -> nat-PREROUTING -> mangle-FORWARD -> filter-FORWARD -> mangle-POSTROUTING -> nat-POSTROUTING. In nat-PREROUTING it is sent to the DOCKER chain, but the only rule there requires ! -i docker0, so the packet does not match and continues through the remaining rules. Nothing in filter FORWARD matches it specifically either, and finally the MASQUERADE rule in nat-POSTROUTING source-NATs it on the way out. Now consider a client on the public network connecting to port 8888. The packet first enters nat-PREROUTING, where it is matched by the rule -A
