directory search
Compose About versions and upgrading (Compose) ASP.NET Core + SQL Server on Linux (Compose) CLI environment variables (Compose) Command-line completion (Compose) Compose(组成) Compose command-line reference(组合命令行参考) Control startup order (Compose) Django and PostgreSQL (Compose) Docker stacks and distributed application bundles (Compose) docker-compose build(docker-compose构建) docker-compose bundle docker-compose config docker-compose create docker-compose down docker-compose events docker-compose exec docker-compose help docker-compose images docker-compose kill docker-compose logs docker-compose pause docker-compose port docker-compose ps docker-compose pull docker-compose push docker-compose restart docker-compose rm docker-compose run docker-compose scale docker-compose start docker-compose stop docker-compose top docker-compose unpause docker-compose up Environment file (Compose) Environment variables in Compose Extend services in Compose Frequently asked questions (Compose) Getting started (Compose) Install Compose Link environment variables (deprecated) (Compose) Networking in Compose Overview of Docker Compose Overview of docker-compose CLI Quickstart: Compose and WordPress Rails and PostgreSQL (Compose) Sample apps with Compose Using Compose in production Using Compose with Swarm Engine .NET Core application (Engine) About images, containers, and storage drivers (Engine) Add nodes to the swarm (Engine) Apply custom metadata (Engine) Apply rolling updates (Engine) apt-cacher-ng Best practices for writing Dockerfiles (Engine) Binaries (Engine) Bind container ports to the host (Engine) Breaking changes (Engine) Build your own bridge (Engine) Configure container DNS (Engine) Configure container DNS in user-defined networks (Engine) CouchDB (Engine) Create a base image (Engine) Create a swarm (Engine) Customize the docker0 bridge (Engine) Debian (Engine) Default bridge network Delete the service (Engine) Deploy a service (Engine) Deploy services to a swarm (Engine) Deprecated Engine features Docker container networking (Engine) Docker overview (Engine) Docker run reference (Engine) Dockerfile reference (Engine) Dockerize an application Drain a node (Engine) Engine FAQ (Engine) Fedora (Engine) Get started (Engine) Get started with macvlan network driver (Engine) Get started with multi-host networking (Engine) How nodes work (Engine) How services work (Engine) Image management (Engine) Inspect the service (Engine) Install Docker (Engine) IPv6 with Docker (Engine) Join nodes to a swarm (Engine) Legacy container links (Engine) Lock your swarm (Engine) Manage nodes in a swarm (Engine) Manage sensitive data with Docker secrets (Engine) Manage swarm security with PKI (Engine) Manage swarm service networks (Engine) Migrate to Engine 1.10 Optional Linux post-installation steps (Engine) Overview (Engine) PostgreSQL (Engine) Raft consensus in swarm mode (Engine) Riak (Engine) Run Docker Engine in swarm mode Scale the service (Engine) SDKs (Engine) Select a storage driver (Engine) Set up for the tutorial (Engine) SSHd (Engine) Storage driver overview (Engine) Store service configuration data (Engine) Swarm administration guide (Engine) Swarm mode key concepts (Engine) Swarm mode overlay network security model (Engine) Swarm mode overview (Engine) Understand container communication (Engine) Use multi-stage builds (Engine) Use swarm mode routing mesh (Engine) Use the AUFS storage driver (Engine) Use the Btrfs storage driver (Engine) Use the Device mapper storage driver (Engine) Use the OverlayFS storage driver (Engine) Use the VFS storage driver (Engine) Use the ZFS storage driver (Engine) Engine: Admin Guide Amazon CloudWatch logs logging driver (Engine) Bind mounts (Engine) Collect Docker metrics with Prometheus (Engine) Configuring and running Docker (Engine) Configuring logging drivers (Engine) Control and configure Docker with systemd (Engine) ETW logging driver (Engine) Fluentd logging driver (Engine) Format command and log output (Engine) Google Cloud logging driver (Engine) Graylog Extended Format (GELF) logging driver (Engine) Journald logging driver (Engine) JSON File logging driver (Engine) Keep containers alive during daemon downtime (Engine) Limit a container's resources (Engine) Link via an ambassador container (Engine) Log tags for logging driver (Engine) Logentries logging driver (Engine) PowerShell DSC usage (Engine) Prune unused Docker objects (Engine) Run multiple services in a container (Engine) Runtime metrics (Engine) Splunk logging driver (Engine) Start containers automatically (Engine) Storage overview (Engine) Syslog logging driver (Engine) tmpfs mounts Troubleshoot volume problems (Engine) Use a logging driver plugin (Engine) Using Ansible (Engine) Using Chef (Engine) Using Puppet (Engine) View a container's logs (Engine) Volumes (Engine) Engine: CLI Daemon CLI reference (dockerd) (Engine) docker docker attach docker build docker checkpoint docker checkpoint create docker checkpoint ls docker checkpoint rm docker commit docker config docker config create docker config inspect docker config ls docker config rm docker container docker container attach docker container commit docker container cp docker container create docker container diff docker container exec docker container export docker container inspect docker container kill docker container logs docker container ls docker container pause docker container port docker container prune docker container rename docker container restart docker container rm docker container run docker container start docker container stats docker container stop docker container top docker container unpause docker container update docker container wait docker cp docker create docker deploy docker diff docker events docker exec docker export docker history docker image docker image build docker image history docker image import docker image inspect docker image load docker image ls docker image prune docker image pull docker image push docker image rm docker image save docker image tag docker images docker import docker info docker inspect docker kill docker load docker login docker logout docker logs docker network docker network connect docker network create docker network disconnect docker network inspect docker network ls docker network prune docker network rm docker node docker node demote docker node inspect docker node ls docker node promote docker node ps docker node rm docker node update docker pause docker plugin docker plugin create docker plugin disable docker plugin enable docker plugin inspect docker plugin install docker plugin ls docker plugin push docker plugin rm docker plugin set docker plugin upgrade docker port docker ps docker pull docker push docker rename docker restart docker rm docker rmi docker run docker save docker search docker secret docker secret create docker secret inspect docker secret ls docker secret rm docker service docker service create docker service inspect docker service logs docker service ls docker service ps docker service rm docker service scale docker service update docker stack docker stack deploy docker stack ls docker stack ps docker stack rm docker stack services docker start docker stats docker stop docker swarm docker swarm ca docker swarm init docker swarm join docker swarm join-token docker swarm leave docker swarm unlock docker swarm unlock-key docker swarm update docker system docker system df docker system events docker system info docker system prune docker tag docker top docker unpause docker update docker version docker volume docker volume create docker volume inspect docker volume ls docker volume prune docker volume rm docker wait Use the Docker command line (Engine) Engine: Extend Access authorization plugin (Engine) Docker log driver plugins Docker network driver plugins (Engine) Extending Engine with plugins Managed plugin system (Engine) Plugin configuration (Engine) Plugins API (Engine) Volume plugins (Engine) Engine: Security AppArmor security profiles for Docker (Engine) Automation with content trust (Engine) Content trust in Docker (Engine) Delegations for content trust (Engine) Deploying Notary (Engine) Docker security (Engine) Docker security non-events (Engine) Isolate containers with a user namespace (Engine) Manage keys for content trust (Engine) Play in a content trust sandbox (Engine) Protect the Docker daemon socket (Engine) Seccomp security profiles for Docker (Engine) Secure Engine Use trusted images Using certificates for repository client verification (Engine) Engine: Tutorials Engine tutorials Network containers (Engine) Get Started Part 1: Orientation Part 2: Containers Part 3: Services Part 4: Swarms Part 5: Stacks Part 6: Deploy your app Machine Amazon Web Services (Machine) Digital Ocean (Machine) docker-machine active docker-machine config docker-machine create docker-machine env docker-machine help docker-machine inspect docker-machine ip docker-machine kill docker-machine ls docker-machine provision docker-machine regenerate-certs docker-machine restart docker-machine rm docker-machine scp docker-machine ssh docker-machine start docker-machine status docker-machine stop docker-machine upgrade docker-machine url Driver options and operating system defaults (Machine) Drivers overview (Machine) Exoscale (Machine) Generic (Machine) Get started with a local VM (Machine) Google Compute Engine (Machine) IBM Softlayer (Machine) Install Machine Machine Machine CLI overview Machine command-line completion Machine concepts and help Machine overview Microsoft Azure (Machine) Microsoft Hyper-V (Machine) Migrate from Boot2Docker to Machine OpenStack (Machine) Oracle VirtualBox (Machine) Provision AWS EC2 instances (Machine) Provision Digital Ocean Droplets (Machine) Provision hosts in the cloud (Machine) Rackspace (Machine) VMware Fusion (Machine) VMware vCloud Air (Machine) VMware vSphere (Machine) Notary Client configuration (Notary) Common Server and signer configurations (Notary) Getting started with Notary Notary changelog Notary configuration files Running a Notary service Server configuration (Notary) Signer configuration (Notary) Understand the service architecture (Notary) Use the Notary client
characters

本节中的信息解释了 Docker 默认网桥的 IPv6。这是一个在安装 Docker 时自动创建名称为bridgebridge网络。

由于 IPv4 地址耗尽, IETF 已经在 RFC 2460中标准化了 IPv4后继,Internet 协议版本6。这两种协议(IPv4和 IPv6)都驻留在 OSI模型的第3层。

IPv6 如何在 Docker 上运行

默认情况下,Docker 守护程序(daemon)仅为IPv4配置容器网络。您可以通过运行带有--ipv6标志的Docker 守护程序(daemon)来启用 IPv4 / IPv6 双栈支持。Docker 将docker0使用 IPv6 链接本地地址fe80::1设置网桥。

默认情况下,创建的容器只会获得链路本地 IPv6 地址。要将全局可路由的 IPv6 地址分配给您的容器,您必须指定一个 IPv6 子网来从中选择地址。启动 Docker 守护进程(daemon)时,通过--fixed-cidr-v6参数设置 IPv6子网:

您可以直接运行dockerd这些标志,但建议您将其设置在daemon.json配置文件中。以下示例daemon.json启用 IPv6并将 IPv6子网设置为2001:db8:1::/64

{ "ipv6": true, "fixed-cid4-v6": "2001:db8:1::/64"}

Docker 容器的子网应该至少有一个大小/80,以便 IPv6地址可以以容器的 MAC 地址结束,并且可以防止 Docker 层中的 NDP 邻居缓存失效问题。

默认情况下,--fixed-cidr-v6参数使Docker为路由表添加一个新路由,方法是代表您运行以下三个命令。若要防止自动路由,请设置ip-forwardfalsedaemon.json文件或启动Docker守护进程--ip-forward=false旗子。然后,要获得Docker将自动为您创建的相同的路由表,请发出以下命令:

$ ip -6 route add 2001:db8:1::/64 dev docker0 $ sysctl net.ipv6.conf.default.forwarding=1$ sysctl net.ipv6.conf.all.forwarding=1

子网的所有通信量2001:db8:1::/64将通过docker0接口。

:IPv 6转发可能会干扰现有的IPv 6配置:如果使用路由器广告为主机接口获取IPv 6设置,请设置accept_ra2使用以下命令。否则,启用IPv 6的转发将导致拒绝路由器广告。 $sysctl net.ipv6.con.eth0.接受[医]Ra=2

二次

二次

每个新容器都将从定义的子网中获得一个IPv 6地址,并将添加一个默认路由。eth0通过守护进程选项指定的地址在容器中。--default-gateway-v6%28或default-gateway-v6daemon.json%29(如有)。默认网关默认为fe80::1...

此示例提供了一种检查运行容器中IPv 6网络设置的方法。

docker run -it alpine ash -c "ip -6 addr show dev eth0; ip -6 route show"15: eth0:  mtu 1500 inet6 2001:db8:1:0:0:242:ac11:3/64 scope global valid_lft forever preferred_lft forever inet6 fe80::42:acff:fe11:3/64 scope link valid_lft forever preferred_lft forever2001:db8:1::/64 dev eth0 proto kernel metric 256fe80::/64 dev eth0 proto kernel metric 256default via fe80::1 dev eth0 metric 1024

在这个例子中,容器被分配一个带有子网的链接本地地址。/64%28fe80::42:acff:fe11:3/64%29和全球可路由IPv 6地址%282001:db8:1:0:0:242:ac11:3/6429%。容器将创建与2001:db8:1::/64通过链路本地网关连接fe80::1eth0...

服务器或虚拟机通常会获得/64IPv 6子网分配%28例如。2001:db8:23:42::/6429%。在这种情况下,您可以进一步拆分它,并提供Docker a/80使用单独的子网。/80主机上其他应用程序的子网:

二次

二次

在此设置中,子网2001:db8:23:42::/642001:db8:23:42:0:0:0:02001:db8:23:42:ffff:ffff:ffff:ffff附在eth0,主人正在收听2001:db8:23:42::1.子网2001:db8:23:42:1::/80的地址范围为2001:db8:23:42:1:0:0:02001:db8:23:42:1:ffff:ffff:ffff附在docker0并将用于集装箱。

使用NDP代理

如果您的Docker主机是IPv 6子网的唯一部分,但没有分配IPv 6子网,则可以使用NDP代理通过IPv 6将容器连接到Internet。如果具有IPv 6地址的主机2001:db8::c001是子网的一部分。2001:db8::/64IaaS提供商允许您配置IPv 6地址2001:db8::c0002001:db8::c00f,您的网络配置可能如下所示:

$ ip -6 addr show1: lo:  mtu 65536 inet6 ::1/128 scope host valid_lft forever preferred_lft forever2: eth0:  mtu 1500 qlen 1000 inet6 2001:db8::c001/64 scope global valid_lft forever preferred_lft forever inet6 fe80::601:3fff:fea1:9c01/64 scope link valid_lft forever preferred_lft forever

将可配置地址范围划分为两个子网2001:db8::c000/1252001:db8::c008/125,使用以下方法daemon.json设置。第一个子网将由主机上的非码头进程使用,第二个子网将由Docker使用。

{ "ipv6": true, "fixed-cidr-v6": "2001:db8::c008/125"}

Docker子网位于由路由器管理并连接到eth0所有由Docker分配地址的容器都将在路由器子网中找到,路由器可以直接与这些容器通信。

二次

二次

当路由器希望向第一个容器发送IPv 6数据包时,它将发送一个邻居请求问“谁有2001:db8::c009“但是,子网上没有一个主机有地址;带有地址的容器隐藏在Docker主机后面。因此,Docker主机必须侦听邻居的请求,并响应它是具有地址的设备。此功能称为NDP代理并由主机上的内核处理。要启用NDP代理,请执行以下命令:

$ sysctl net.ipv6.conf.eth0.proxy_ndp=1

接下来,将容器的IPv 6地址添加到NDP代理表中:

$ ip -6 neigh add proxy 2001:db8::c009 dev eth0

从现在开始,内核在设备上回答邻居请求地址。eth0.到此IPv 6地址的所有通信都通过Docker主机路由,Docker主机将根据其路由表通过docker0装置:

$ ip -6 route show2001:db8::c008/125 dev docker0 metric 12001:db8::/64 dev eth0 proto kernel metric 256

您必须执行ip -6 neigh add proxy ...命令对您的Docker子网中的每个IPv 6地址执行命令。不幸的是,没有通过执行一个命令来添加整个子网的功能。另一种方法是使用ndp代理守护进程,如ndppd...

码头IPv 6集群

交换网络环境

使用可路由IPv 6地址可以实现不同主机上容器之间的通信。让我们看看一个简单的DockerIPv 6集群示例:

二次

二次

码头主机在2001:db8:0::/64子网。主机1被配置为从2001:db8:1::/64子网到它的容器。它配置了三条路由:

  • 将所有交通线路送至2001:db8:0::/64通孔eth0

  • 将所有交通线路送至2001:db8:1::/64通孔docker0

  • 将所有交通线路送至2001:db8:2::/64通过带有IP的主机22001:db8::2

Host 1还充当OSI第3层上的路由器。当其中一个网络客户端试图联系主机1的路由表中指定的目标时,Host 1将相应地转发通信量。它充当它所知道的所有网络的路由器:2001:db8::/64,,,2001:db8:1::/64,和2001:db8:2::/64...

在主机2上,我们的配置几乎相同。主机2的容器将从2001:db8:2::/64.2号旅馆配置了三条路线:

  • 将所有交通线路送至2001:db8:0::/64通孔eth0

  • 将所有交通线路送至2001:db8:2::/64通孔docker0

  • 将所有交通线路送至2001:db8:1::/64通过带有IP的主机12001:db8:0::1

主机1的不同之处在于网络2001:db8:2::/64通过其docker0接口而Host 2到达2001:db8:1::/64通过Host 1的IPv 6地址2001:db8::1...

这样,每个容器都能联系到其他的容器。集装箱Container1-*共享同一个子网,并直接联系对方。之间的交通Container1-*Container2-*将通过Host 1和Host 2路由,因为这些容器不共享相同的子网。

在切换环境中,每个主机都必须知道到每个子网的所有路由。在向群集添加或删除主机后,始终必须更新主机的路由表。

在虚线下面显示的图表中的每个配置都由Docker处理:docker0网桥IP地址配置、主机上到Docker子网的路由、容器IP地址和容器上的路由。线上的配置由用户决定,可以适应个人环境。

路由网络环境

在路由网络环境中,用第三层路由器替换第二层交换机。现在,主机只需知道它们的默认网关%28、路由器%29和到它们自己的容器的路由%28由Docker%29管理。路由器保存有关Docker子网的所有路由信息。当您在此环境中添加或移除主机时,您只需更新路由器中的路由表--而不是在每个主机上。

二次

二次

在这种情况下,同一主机的容器可以直接通信。不同主机上的容器之间的通信将通过它们的主机和路由器进行路由。例如,从Container1-1Container2-1将通过Host1,,,Router,和Host2直到它到达Container2-1...

若要使IPv 6地址在本例中保持较短,请使用/48网络分配给每个主机。主机使用/64它的子网用于它自己的服务,一个子网用于Docker。当添加第三个主机时,您将为子网添加一个路由。2001:db8:3::/48在路由器中并在主机3上配置Docker--fixed-cidr-v6=2001:db8:3:1::/64...

请记住,码头集装箱的子网至少应该有/80这样,IPv 6地址就可以以容器的MAC地址结束,从而防止了Docker层中NDP邻居缓存失效的问题。所以如果你有一个/64为您的整个环境使用/76主机和/80为了容器。这样您就可以使用4096主机和16主机。/80每个人都有。

在虚线下面可视化的图表中的每个配置都由Docker处理:docker0网桥IP地址配置、主机上到Docker子网的路由、容器IP地址和容器上的路由。线上的配置由用户决定,可以适应个人环境。

Previous article: Next article: