|
|
一、docker网络访问的方式
随机映射:
- docker run -P
指定映射:
1. -p hostPort:containerPort
2. -p ip:hostPort:containerPort
3. -p ip::containerPort
4. -p hostPort:containerPort
5. -p hostPort:containerPort:udp
1、环境准备
环境准备
IP 主机名 操作系统
192.168.56.11 linux-node1 centos7
注意:我这里使用的是centos7,如果是使用centos5或者centos6,需要升级操作系统内核,否则Docker的许多新功能都无法使用
2、随机映射
优点: 不会发生端口冲突
[iyunv@linux-node1 ~]# docker run -d -P nginx
4d5a21ea94e0df102198812fd899d8293198a2376dd5d952642113b76448ca65
[iyunv@linux-node1 ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4d5a21ea94e0 nginx "nginx -g 'daemon off" 7 seconds ago Up 4 seconds 0.0.0.0:10001->80/tcp, 0.0.0.0:10000->443/tcp evil_murdock
c627741a7dc1 centos "/bin/bash" 13 days ago Up 2 hours mydocker
[iyunv@linux-node1 ~]#
本地的10001端口映射到80,10000端口映射到443
访问本地的端口
在url中输入192.168.56.11:10001,可以进入到nginx的欢迎界面
查看端口占用情况
[iyunv@linux-node1 ~]# netstat -lnpt|grep 10001
tcp6 0 0 :::10001 :::* LISTEN 6800/docker-proxy
查询nat的详细信息
-nvL 这其实是三个参数,等效于 -n -v -L
-n 不解析主机名和端口名,也就是全部主机和端口都用数字表示
-v 详细信息列表
-L 列表
[iyunv@linux-node1 ~]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 7 packets, 855 bytes)
pkts bytes target prot opt in out source destination
2 104 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 7 packets, 855 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 959 packets, 57540 bytes)
pkts bytes target prot opt in out source destination
12949 777K DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 960 packets, 57592 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:443
0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 to:172.17.0.3:443
1 52 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10001 to:172.17.0.3:80
使用之前写的进入docker的脚本,进入docker,查看进程
[iyunv@linux-node1 ~]# ./docker_in.sh 4d5a21ea94e0
root@4d5a21ea94e0:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 31724 2840 ? Ss 05:58 0:00 nginx: master process nginx -g daemon off;
nginx 8 0.0 0.0 32116 1936 ? S 05:58 0:00 nginx: worker process
root 9 0.2 0.0 20256 1956 ? S 06:13 0:00 -bash
root 22 0.0 0.0 17492 1156 ? R+ 06:13 0:00 ps aux
root@4d5a21ea94e0:/#
docker运行的第一进程的PID是1
root@4d5a21ea94e0:/# ip ad li
1: lo:mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
18: eth0@if19:mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.3/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:3/64 scope link
valid_lft forever preferred_lft forever
root@4d5a21ea94e0:/#
这个IP地址是通过DHCP获取的
我们可以使用docker logs查看nginx的访问日志
[iyunv@linux-node1 ~]# docker logs 4d5a21ea94e0
192.168.56.1 - - [19/Sep/2016:06:01:04 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" "-"
192.168.56.1 - - [19/Sep/2016:06:01:06 +0000] "GET /favicon.ico HTTP/1.1" 404 571 "http://192.168.56.11:10001/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36" "-"
2016/09/19 06:01:06 [error] 8#8: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.56.1, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.56.11:10001", referrer: "http://192.168.56.11:10001/"
3、指定端口映射:
(1)将本地的81端口映射到docker容器的80端口
[iyunv@linux-node1 ~]# docker run -d -p 192.168.56.11:81:80 --name mynginx nginx
17df7e2a56678e60e18a6cb1d5d9197b031f922dc8a18f045296dcab30d60f76
[iyunv@linux-node1 ~]# docker ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
17df7e2a5667 nginx "nginx -g 'daemon off" 10 seconds ago Up 9 seconds 443/tcp, 192.168.56.11:81->80/tcp mynginx
通过端口映射的方式,我们可以很方便的访问docker容器内的服务
可以使用docker port命令查看端口映射情况
[iyunv@linux-node1 ~]# docker port mynginx
80/tcp -> 192.168.56.11:81
查看docker容器端口映射
(2)多个端口的映射
[iyunv@linux-node1 ~]# docker run -d -p 443:443 -p 82:80 --name nginx2 nginx
c4c9b4947e613e15f84bfaa9233116377f2608796de8f824285360c6aeddc028
[iyunv@linux-node1 ~]# docker port nginx2
80/tcp -> 0.0.0.0:82
443/tcp -> 0.0.0.0:443
[iyunv@linux-node1 ~]#
缺点:由于端口映射的方式是经过NAT的,所以会影响系统的性能。
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2016-9-26 09:00:48
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡