On a host with the Docker engine installed, an extra virtual network device named docker0 appears, with the IP address 172.17.0.1. It can be thought of as a virtual switch (bridge). When a container is created (the default network mode is bridge), a virtual network link is created at the same time: one end is attached inside the container, the other end is attached to the docker0 virtual switch. The virtual NIC inside the container is assigned an IP from the 172.17.0.0/16 subnet by default.
root@node01:~# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f705f6f4779a busybox:latest "sh" 7 minutes ago Up 7 minutes bbox01
83436ed405c7 busybox-httpd:v0.2 "/bin/httpd -f -h /d…" 45 minutes ago Up 45 minutes httpd-01
# Install the bridge management tools
root@node01:~# apt-get install bridge-utils
root@node01:~# brctl show # show bridges
bridge name bridge id STP enabled interfaces
docker0 8000.02425749873b no veth9cb81f9
veth9f1b4f7
root@node01:~# ip link show
...
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 02:42:57:49:87:3b brd ff:ff:ff:ff:ff:ff
13: veth9f1b4f7@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether 26:8d:9e:92:aa:a6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
21: veth9cb81f9@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
link/ether 1a:94:6b:46:8a:8c brd ff:ff:ff:ff:ff:ff link-netnsid 1
If a container wants to reach resources outside the host, its source address is masqueraded; by default this is implemented with iptables.
root@node01:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 21 packets, 2248 bytes)
pkts bytes target prot opt in out source destination
4 256 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 18 packets, 2046 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1545 packets, 116K bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1545 packets, 116K bytes)
pkts bytes target prot opt in out source destination
3 202 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
Of these, the POSTROUTING rule
Chain POSTROUTING (policy ACCEPT 1545 packets, 116K bytes)
pkts bytes target prot opt in out source destination
3 202 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
means that traffic from any source address in the 172.17.0.0/16 network that leaves through any device other than docker0, i.e. traffic to resources outside the host, is MASQUERADEd.
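To make the semantics of that MASQUERADE rule concrete, here is an added example (not code from the original post) that parses the `iptables -t nat -vnL` listing shown above and asks, for a given source address and egress device, whether the rule would catch the packet. The sample listing is copied from the page; only MASQUERADE rules are evaluated, so an earlier terminating target in a real chain is not modelled.

```python
import ipaddress

# Constructed sample, copied from the `iptables -t nat -vnL` listing on this page
# (column order: pkts bytes target prot opt in out source destination [extra]).
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 21 packets, 2248 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   256 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1545 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   202 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
"""


def parse_chain(listing, chain):
    """Return the rules of one chain from `iptables -t nat -vnL` output as dicts."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        fields = line.split()
        if not in_chain or not fields or fields[0] == "pkts":
            continue  # outside the wanted chain, blank line, or column header
        rules.append({
            "target": fields[2], "prot": fields[3], "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8], "extra": " ".join(fields[9:]),
        })
    return rules


def iface_matches(spec, iface):
    """Interface column semantics: '*' means any device, a leading '!' negates."""
    if spec == "*":
        return True
    if spec.startswith("!"):
        return iface != spec[1:]
    return iface == spec


def will_masquerade(rules, src_ip, out_iface):
    """Does a MASQUERADE rule in the chain catch a packet with this source and egress device?"""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["target"] != "MASQUERADE":
            continue
        if src in ipaddress.ip_network(rule["src"], strict=False) and iface_matches(rule["out"], out_iface):
            return True
    return False


if __name__ == "__main__":
    post = parse_chain(NAT_LISTING, "POSTROUTING")
    for src_ip, dev in [("172.17.0.2", "ens33"), ("172.17.0.2", "docker0"), ("192.168.101.40", "ens33")]:
        print(f"{src_ip} out via {dev}: masqueraded = {will_masquerade(post, src_ip, dev)}")
```

Container-to-container traffic stays on docker0 and keeps its real source address, which is why container logs on the bridge still show 172.17.x.x peers, while anything leaving through ens33 appears to come from the host's address.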
Type 1: Closed container. A closed container has only the loopback address and cannot make any network requests.
Type 2: Bridged container. Bridged networking is the default network mode when a container is created.
Type 3: Joined container. Several containers share the UTS, IPC and NET namespaces, so they have the same hostname and the same network devices.
Type 4: Open container. The container shares the host's network namespace.
So as not to disturb the environment on node01, a second host, node02, is used. First create two network namespaces:
root@node02:~# ip netns add ns01
root@node02:~# ip netns add ns02
root@node02:~# ip netns list
ns02
ns01
Create a pair of virtual network devices (a veth pair):
root@node02:~# ip link add name veth1.1 type veth peer name veth1.2
root@node02:~# ip link show type veth
3: veth1.2@veth1.1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 4a:1c:b7:38:0f:5e brd ff:ff:ff:ff:ff:ff
4: veth1.1@veth1.2: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 36:72:d3:88:4c:5d brd ff:ff:ff:ff:ff:ff
Assign one of the virtual NICs to the ns01 namespace:
root@node02:~# ip link set dev veth1.2 netns ns01
root@node02:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 00:0c:29:aa:9b:4f brd ff:ff:ff:ff:ff:ff
4: veth1.1@if3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 36:72:d3:88:4c:5d brd ff:ff:ff:ff:ff:ff link-netnsid 0
# Show the network devices in the ns01 namespace
root@node02:~# ip netns exec ns01 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.2: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 4a:1c:b7:38:0f:5e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@node02:~# ip netns exec ns01 ip link set dev veth1.2 name eth0 # the device name can also be changed
root@node02:~# ip netns exec ns01 ifconfig -a
eth0: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 4a:1c:b7:38:0f:5e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Now the host has only the veth1.1 virtual NIC; veth1.2 has been moved into the ns01 namespace.
Configure IP addresses on the two virtual devices and bring them up:
root@node02:~# ifconfig veth1.1 10.0.0.1/24 up
root@node02:~# ip netns exec ns01 ifconfig eth0 10.0.0.2/24 up
root@node02:~# ip netns exec ns01 ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.2 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::481c:b7ff:fe38:f5e prefixlen 64 scopeid 0x20<link>
ether 4a:1c:b7:38:0f:5e txqueuelen 1000 (Ethernet)
RX packets 9 bytes 726 (726.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 656 (656.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@node02:~# ifconfig veth1.1
veth1.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::3472:d3ff:fe88:4c5d prefixlen 64 scopeid 0x20<link>
ether 36:72:d3:88:4c:5d txqueuelen 1000 (Ethernet)
RX packets 10 bytes 796 (796.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 796 (796.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Test connectivity between the virtual NICs in the two namespaces:
root@node02:~# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.043 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.059 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.059 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.091 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.058 ms
^C
--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4031ms
rtt min/avg/max/mdev = 0.043/0.062/0.091/0.015 ms
root@node02:~# ip netns exec ns01 ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.087 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.084 ms
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3040ms
rtt min/avg/max/mdev = 0.020/0.059/0.087/0.029 ms
veth1.1 on the host can also be moved into the ns02 namespace:
root@node02:~# ip link set dev veth1.1 netns ns02
root@node02:~# ip netns exec ns02 ifconfig -a
lo: flags=8<LOOPBACK> mtu 65536
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth1.1: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 36:72:d3:88:4c:5d txqueuelen 1000 (Ethernet)
RX packets 23 bytes 1874 (1.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23 bytes 1874 (1.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
# The IP address configuration is lost after the move and has to be set again
root@node02:~# ip netns exec ns02 ifconfig veth1.1 10.0.0.3/24 up
root@node02:~# ip netns exec ns02 ifconfig
veth1.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.3 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::3472:d3ff:fe88:4c5d prefixlen 64 scopeid 0x20<link>
ether 36:72:d3:88:4c:5d txqueuelen 1000 (Ethernet)
RX packets 25 bytes 2054 (2.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 42 bytes 3048 (3.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@node02:~# ip netns exec ns02 ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.132 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.061 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.060 ms
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.060/0.084/0.132/0.034 ms
First, a summary of some options used when running a container:
root@node01:~# docker container run --name bbox-03 -i -t --network bridge --hostname bbox03.learn.io --add-host b.163.com:1.1.1.1 --add-host c.163.com:2.2.2.2 --dns 114.114.114.114 --dns 8.8.8.8 --rm busybox:latest
--network specifies the network model the container uses: none, host or bridge; the default is bridge
--hostname sets the container's hostname; if not given, the container ID is used
--add-host adds a resolution entry to the container's /etc/hosts; can be used multiple times
--dns sets a DNS server for the container; can be used multiple times
--rm removes the container automatically when it exits
There are 4 ways to expose a service:
docker container run -p <containerPort>
maps the given container port to a dynamic port on all host addresses
docker container run -p <hostPort>:<containerPort>
maps the container port to the given port on all host addresses
docker container run -p <ip>::<containerPort>
maps the container port to a dynamic port on the given host IP
docker container run -p <ip>:<hostPort>:<containerPort>
maps the container port to the given port on the given host IP
To expose several ports, -p can be used multiple times.
root@node01:~# docker container run -i -t --name httpd-01 --rm -p 80 busybox-httpd:v0.2
root@node01:~# docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3708cbbc6a99 busybox-httpd:v0.2 "/bin/httpd -f -h /d…" 10 seconds ago Up 9 seconds 0.0.0.0:32768->80/tcp httpd-01
root@node01:~# docker port httpd-01 # show the port mapping
80/tcp -> 0.0.0.0:32768
With -p 80:80:
root@node01:~# docker port httpd-01
80/tcp -> 0.0.0.0:80
With -p 192.168.101.40::80:
root@node01:~# docker port httpd-01
80/tcp -> 192.168.101.40:32768
With -p 192.168.101.40:8080:80:
root@node01:~# docker port httpd-01
80/tcp -> 192.168.101.40:8080
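The four `-p` forms differ only in which host address and host port they fill in. The following is an added example, not code from the original post, that parses a `-p` value into its parts, renders the line `docker port` would print for it, and flags mappings bound to 0.0.0.0, since those expose the service on every host address rather than one chosen interface. The ephemeral port 32768 is a stand-in for whatever the daemon would pick; port ranges and bracketed IPv6 addresses, which docker also accepts, are left out.

```python
def parse_publish(spec):
    """Parse one `-p` value into (host_ip, host_port, container_port, proto).

    host_ip defaults to 0.0.0.0 (all host addresses) and host_port to None
    (the daemon picks an ephemeral port).  Port ranges and bracketed IPv6
    addresses are not handled by this simplified parser.
    """
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    parts = spec.split(":")
    if len(parts) == 1:          # <containerPort>
        host_ip, host_port, cport = None, None, parts[0]
    elif len(parts) == 2:        # <hostPort>:<containerPort>
        host_ip, host_port, cport = None, parts[0], parts[1]
    elif len(parts) == 3:        # <ip>:<hostPort>:<containerPort> or <ip>::<containerPort>
        host_ip, host_port, cport = parts[0], parts[1], parts[2]
    else:
        raise ValueError(f"unrecognised -p spec: {spec!r}")
    if not cport.isdigit() or (host_port and not host_port.isdigit()):
        raise ValueError(f"ports must be numeric: {spec!r}")
    return host_ip or "0.0.0.0", host_port or None, cport, proto


def render_port_line(spec, dynamic_port=32768):
    """Render the line `docker port <container>` would print for this mapping.

    dynamic_port stands in for the ephemeral port the daemon would choose
    (a constructed value; the real one varies).
    """
    host_ip, host_port, cport, proto = parse_publish(spec)
    return f"{cport}/{proto} -> {host_ip}:{host_port or dynamic_port}"


def all_interface_bindings(specs):
    """Defender check: return the mappings that listen on every host address."""
    return [s for s in specs if parse_publish(s)[0] == "0.0.0.0"]


if __name__ == "__main__":
    for spec in ["80", "80:80", "192.168.101.40::80", "192.168.101.40:8080:80", "53/udp"]:
        print(f"-p {spec:<24} => {render_port_line(spec)}")
    print("bound to all addresses:", all_interface_bindings(["80", "127.0.0.1:8080:80"]))
```

The published port is inserted into the DOCKER chain of the nat table shown earlier, so the same `iptables -t nat -vnL` listing is where to confirm what a `-p` option actually exposed.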
Several Docker containers can share one network namespace, i.e. they use the same network devices. First run a container from the busybox:latest image:
root@node01:~# docker container run -i -t --rm --hostname b1 --name bbox-01 busybox:latest
/ # hostname
b1
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1116 (1.0 KiB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
In another terminal run a second container, adding the --network container:bbox-01 option:
root@node01:~# docker container run -i -t --rm --hostname b2 --name bbox-02 --network container:bbox-01 busybox:latest
docker: Error response from daemon: conflicting options: hostname and the network mode.
See 'docker run --help'.
root@node01:~# docker container run -i -t --rm --name bbox-02 --network container:bbox-01 busybox:latest
/ # hostname
b1
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1116 (1.0 KiB) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
The two containers bbox-01 and bbox-02 have exactly the same network address. Moreover, the --network container:bbox-01 option conflicts with --hostname, and the two containers also have the same hostname: they share both the network namespace and the hostname (UTS) namespace.
To verify further that the two containers share a network namespace, start an httpd service in the container running in the first terminal:
/ # echo "Hello Word." > /tmp/index.html
/ # httpd -h /tmp
/ # netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :::80 :::* LISTEN
Then check the listening sockets from the container in the second terminal:
# netstat -tanl
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :::80 :::* LISTEN
/ # wget -O - -q http://localhost
Hello Word.
/ #
Port 80 is listening there as well.
Since two containers can share a network namespace, a container can also share the host's network:
root@node01:~# docker container run -i -t --rm --name bbox-04 --network host busybox:latest
/ # hostname
node01
/ # ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:57:49:87:3B
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:57ff:fe49:873b/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:927 (927.0 B) TX bytes:3376 (3.2 KiB)
ens33 Link encap:Ethernet HWaddr 00:0C:29:96:48:2C
inet addr:192.168.101.40 Bcast:192.168.101.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe96:482c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34294 errors:0 dropped:0 overruns:0 frame:0
TX packets:15471 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:22539440 (21.4 MiB) TX bytes:1727705 (1.6 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:290 errors:0 dropped:0 overruns:0 frame:0
TX packets:290 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28034 (27.3 KiB) TX bytes:28034 (27.3 KiB)
The hostname and network devices seen are the host's. A service that listens on a port inside such a container is reachable from outside simply through the host's network address. The advantage is that the program is packaged in the container while the network is the host's: if the host fails or several copies need to be deployed, just copy the image to another host running the Docker engine and run it, which keeps deployment simple.
By default the virtual device docker0 has the address 172.17.0.1, containers are allocated addresses from the 172.17.0.0/16 subnet, a container's default nameserver is the one the host uses, and its default gateway is docker0's IP address. All of these can be customised.
# Customise the docker0 bridge's network properties in the /etc/docker/daemon.json file
{
"bip": "10.1.0.1/16",
"fixed-cidr": "10.1.0.0/16",
"fixed-cidr-v6": "",
"mtu": 1500,
"default-gateway": "",
"default-gateway-v6": "",
"dns": ["",""]
}
The key setting is bip, the bridge IP; most of the others can be derived from it. To change docker0's network address and the addresses allocated to containers, change only bip and then restart the Docker daemon.
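Because the daemon only reports an inconsistent daemon.json when it is restarted, it is worth checking the fragment first. The following is an added example, not code from the original post, that takes the daemon.json network keys shown above (copied from the page), derives the values the page says follow from bip, and rejects a fixed-cidr or default-gateway that lies outside the bip network. The MTU bounds and the "usable addresses" count are this example's own arithmetic, not something dockerd prints.

```python
import ipaddress

# Taken from the daemon.json fragment shown on this page.
PAGE_CONFIG = {
    "bip": "10.1.0.1/16",
    "fixed-cidr": "10.1.0.0/16",
    "fixed-cidr-v6": "",
    "mtu": 1500,
    "default-gateway": "",
    "default-gateway-v6": "",
    "dns": ["", ""],
}


def derive_bridge_settings(cfg):
    """Work out what docker0 and its containers get from a daemon.json fragment.

    Empty strings mean 'derive from bip', as the page describes; inconsistent
    values raise ValueError so a bad file is caught before the daemon restart.
    """
    bip = ipaddress.ip_interface(cfg["bip"])      # 10.1.0.1/16 -> docker0's address and mask
    bridge_net = bip.network                      # 10.1.0.0/16
    pool = ipaddress.ip_network(cfg.get("fixed-cidr") or str(bridge_net), strict=False)
    if not pool.subnet_of(bridge_net):
        raise ValueError(f"fixed-cidr {pool} is not inside the bip network {bridge_net}")
    gateway = ipaddress.ip_address(cfg.get("default-gateway") or str(bip.ip))
    if gateway not in bridge_net:
        raise ValueError(f"default-gateway {gateway} is outside {bridge_net}")
    mtu = int(cfg.get("mtu") or 1500)
    if not 68 <= mtu <= 65535:                    # IPv4 minimum up to the largest Linux link MTU
        raise ValueError(f"mtu {mtu} out of range")
    # Addresses left for containers: the pool minus network and broadcast
    # addresses, and minus the bridge's own address when it sits inside the pool.
    usable = pool.num_addresses - 2 - (1 if bip.ip in pool else 0)
    dns = [d for d in cfg.get("dns", []) if d]     # empty entries mean 'inherit from the host'
    return {
        "bridge_ip": str(bip.ip), "bridge_net": str(bridge_net), "pool": str(pool),
        "gateway": str(gateway), "mtu": mtu, "usable_addresses": usable,
        "dns": dns or "host resolver",
    }


def validate_bridge_config(cfg):
    """Return None if the fragment is consistent, otherwise the problem as a string."""
    try:
        derive_bridge_settings(cfg)
    except (ValueError, KeyError, TypeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for key, value in derive_bridge_settings(PAGE_CONFIG).items():
        print(f"{key:>16}: {value}")
    broken = dict(PAGE_CONFIG, **{"fixed-cidr": "10.2.0.0/24"})
    print("broken fragment:", validate_bridge_config(broken))
```

A fixed-cidr narrower than the bip network is legitimate and is the usual way to reserve part of the bridge subnet for static assignments; a fixed-cidr outside it is the mistake the check catches.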
Method 1
The dockerd daemon uses a client/server model. By default it listens on a unix socket at /var/run/docker.sock. To use a TCP socket as well, add the hosts key to /etc/docker/daemon.json:
"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
root@node01:~# vim /etc/docker/daemon.json
{
"registry-mirrors": [
"https://1nj0zren.mirror.aliyuncs.com",
"https://docker.mirrors.ustc.edu.cn",
"http://registry.docker-cn.com"
],
"insecure-registries": [
"docker.mirrors.ustc.edu.cn"
],
"debug": true,
"experimental": true,
"hosts": ["unix:///var/run/docker.sock","tcp://0.0.0.0:2375"]
}
Stop dockerd:
root@node01:/lib/systemd/system# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
docker.socket
There is a warning, and trying to start it again fails:
root@node01:/lib/systemd/system# systemctl start docker
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xe" for details.
Edit the /lib/systemd/system/docker.service file:
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
change it to
ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock
root@node01:/lib/systemd/system# systemctl daemon-reload # docker.service was changed, so the unit files must be reloaded
root@node01:/lib/systemd/system# systemctl start docker
root@node01:/lib/systemd/system# ss -tanl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:2375 *:*
LISTEN 0 128 [::]:22 [::]:*
Port 2375 is now listening. Stopping docker may still print the warning; it is not known what effect that has.
root@node01:/lib/systemd/system# systemctl stop docker
Warning: Stopping docker.service, but it can still be activated by:
docker.socket
root@node01:/lib/systemd/system# systemctl start docker
root@node01:/lib/systemd/system# ss -tanl | grep 2375
LISTEN 0 128 *:2375 *:*
On node02, use the docker command to operate on node01's resources:
root@node02:~# docker -H 192.168.101.40:2375 image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox-httpd v0.2 985f056d206d 12 hours ago 1.22MB
zhaochj/httpd v0.1 985f056d206d 12 hours ago 1.22MB
busybox-httpd v0.1 806601ab5565 12 hours ago 1.22MB
nginx stable-alpine 8c1bfa967ebf 7 days ago 21.5MB
busybox latest c7c37e472d31 2 weeks ago 1.22MB
quay.io/coreos/flannel v0.12.0-amd64 4e9f801d2217 4 months ago 52.8MB
Method 2
For more information see: https://docs.docker.com/engine/reference/commandline/dockerd/
Edit the /lib/systemd/system/docker.service file directly, without touching /etc/docker/daemon.json:
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
change it to
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock
root@node01:/lib/systemd/system# systemctl daemon-reload
root@node01:/lib/systemd/system# systemctl stop docker
root@node01:/lib/systemd/system# systemctl start docker
root@node01:/lib/systemd/system# ss -tanl | grep 2375
LISTEN 0 128 *:2375 *:*
Docker considers listening on a network socket potentially risky and insecure, so enabling it is not recommended.
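Two things went wrong or were left risky in Method 1 and Method 2: dockerd refused to start while hosts was set both in daemon.json and as -H fd:// in ExecStart, and in both methods the API ended up on tcp://0.0.0.0:2375 with no authentication, which hands full control of the host to anyone who can reach the port. The following is an added example, not code from the original post, that audits a daemon.json dict together with an ExecStart line for both problems, and shows a hardened daemon.json beside the page's one. The hardened variant uses the standard tlsverify/tlscacert/tlscert/tlskey daemon.json keys on the conventional TLS port 2376; the certificate paths and the choice of node01's address 192.168.101.40 as the bind address are assumptions for the example.

```python
import shlex
from urllib.parse import urlparse

# daemon.json and ExecStart as shown on this page (Method 1, before docker.service was edited).
PAGE_DAEMON_JSON = {
    "debug": True,
    "experimental": True,
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
PAGE_EXECSTART = "/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock"
PAGE_EXECSTART_FIXED = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"
METHOD2_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

# Hardened alternative (assumed values): mutual TLS on port 2376, bound to a single
# management address instead of 0.0.0.0.  The certificate paths are placeholders.
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://192.168.101.40:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def execstart_hosts(execstart):
    """Collect the -H/--host values from a systemd ExecStart line."""
    args, hosts = shlex.split(execstart), []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def audit_dockerd(daemon_json, execstart):
    """Return a list of findings about how dockerd is exposed (empty list = nothing to report)."""
    findings = []
    file_hosts = daemon_json.get("hosts", [])
    flag_hosts = execstart_hosts(execstart)
    if file_hosts and flag_hosts:
        # dockerd refuses to start when a directive is given both as a flag and in the
        # file; this is the failure the page hit before removing -H fd:// from ExecStart.
        findings.append("hosts given both in daemon.json and as -H in ExecStart: dockerd will not start")
    tls = daemon_json.get("tlsverify") is True
    if tls and not all(daemon_json.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert/tlscert/tlskey are incomplete")
    for host in file_hosts + flag_hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        if not tls:
            findings.append(f"{host}: API reachable over TCP without TLS client authentication; "
                            "anyone who can connect controls the host")
        elif url.hostname == "0.0.0.0":
            findings.append(f"{host}: TLS is on, but the socket is bound to every interface")
    return findings


if __name__ == "__main__":
    cases = [
        ("page config, original ExecStart", PAGE_DAEMON_JSON, PAGE_EXECSTART),
        ("page config, ExecStart without -H", PAGE_DAEMON_JSON, PAGE_EXECSTART_FIXED),
        ("method 2 (flags only)", {}, METHOD2_EXECSTART),
        ("hardened config", HARDENED_DAEMON_JSON, PAGE_EXECSTART_FIXED),
    ]
    for label, cfg, execstart in cases:
        print(f"== {label}")
        for finding in audit_dockerd(cfg, execstart) or ["no findings"]:
            print("  -", finding)
```

Run against the live host, the same check is `ss -tanl | grep 2375` as the page does, plus confirming that `docker -H tcp://<host>:2375 info` from another machine fails unless a client certificate is presented.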
Original: https://blog.51cto.com/zhaochj/2536320