In order to execute some command inside container's network you don't need to login to the container.When you run ip addr list command you only see NICs in host network.This may help you identify a veth pair when you see them. See that NIC names end with other peer NIC's line number.PING 172.19.0.2 (172.19.0.2 ) 56 (84 ) bytes of data.ħ3 packets transmitted, 0 received, 100% packet loss, time 73728msģ5: One end of veth pair ( is in container network and the other ( is in host network (or docker0 bridge). $ sudo ip netns exec con1 ping 172.19.0.2 $ sudo ip netns exec con1 ping 172.18.0.3 Link/ether de:d4:74:dd:ea:5c brd ff:ff:ff:ff:ff:ff link-netnsid 3
Link/ether fa:47:38:e1:eb:04 brd ff:ff:ff:ff:ff:ff link-netnsid 2 Inet6 fe80::d492:c7ff:fe41:c6b9/64 scope linkĢ5: mtu 1500 qdisc noqueue master docker0 state UP Inet6 fe80::42:7cff:fe72:8af2/64 scope linkĢ3: mtu 1500 qdisc noqueue master docker0 state UP # See docker bridges' and containers' NICs on the host side.ģ: docker0: mtu 1500 qdisc noqueue state UP group default $ sudo ip netns exec con3 ip a | grep -e 'inet.*eth0' -e mtu 1500 qdisc noqueue state UP group default # See 'con3' virtual network interface and ipv4 address. $ sudo ip netns exec con2 ip a | grep -e 'inet.*eth0' -e mtu 1500 qdisc noqueue state UP group default # See 'con2' virtual network interface and ipv4 address. $ sudo ip netns exec con1 ip a | grep -e 'inet.*eth0' -e mtu 1500 qdisc noqueue state UP group default # See 'con1' virtual network interface and ipv4 address. I run it in a custom docker bridge network named 'testnet'. See that con3 is not in default docker0 bridge. I have three ubuntu containers running locally, "con1", "con2", and "con3" namely. Now we investigate docker's container networking. The plan is to first investigate a docker container's network structure.Īfter that we will try to mimic a docker container network by manually creating a network namespace and veth pair then do required configurations.ġ- Let's Demystify Docker Container Networking Please refer to this diagram frequently while reading the rest of the post. The diagram below may help you visualize and understand container networking better. network interfaces, route tables and rules) from linux core and other processes.Ī " veth pair" is basically a virtual network cable which have a virtual network interface device (NIC) on each end.Ī " linux bridge" is switch like virtual device that enables communication between network devices connected to the bridge, creating something kinda LAN. So let's try to define network namespace, veth pair and linux bridge in one sentence:Ī " linux network namespace" is virtual network barrier encapsulating a process to isolate its network connectivity(in/out) and resources (i.e. This also enables container be connected to the host network and other container networks in the same bridge. Then, Docker connects the new container network to linux bridge docker0 using a veth pair. When Docker creates and runs a container it creates a separate network namespace (container network) and puts the container into it. Docker (and probably any container technology) uses linux network namespaces to isolate container network from host network.
0 kommentar(er)
