在上一节中,两个host上四个容器的网络信息如下,然后进行网络连通性测试,可见通vlan的容器即使分布在不同的host上也是可以通信的,不同vlan的容器不管在不在同一个host上都不能通信
root@host1:~# docker exec bbox_10_1 ip r
default via 172.16.10.1 dev eth0
172.16.10.0/24 dev eth0 scope link src 172.16.10.101
root@host1:~# docker exec bbox_20_1 ip r
default via 172.16.20.1 dev eth0
172.16.20.0/24 dev eth0 scope link src 172.16.20.201
root@host2:~# docker exec bbox_10_2 ip r
default via 172.16.10.1 dev eth0
172.16.10.0/24 dev eth0 scope link src 172.16.10.102
root@host2:~# docker exec bbox_20_2 ip r
default via 172.16.20.1 dev eth0
172.16.20.0/24 dev eth0 scope link src 172.16.20.202
root@host1:~# docker exec bbox_10_1 ping -c 2 172.16.10.102
PING 172.16.10.102 (172.16.10.102): 56 data bytes
64 bytes from 172.16.10.102: seq=0 ttl=64 time=0.266 ms
64 bytes from 172.16.10.102: seq=1 ttl=64 time=0.359 ms
--- 172.16.10.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.266/0.312/0.359 ms
root@host1:~# docker exec bbox_10_1 ping -c 2 172.16.20.201
PING 172.16.20.201 (172.16.20.201): 56 data bytes
--- 172.16.20.201 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host1:~# docker exec bbox_10_1 ping -c 2 172.16.20.202
PING 172.16.20.202 (172.16.20.202): 56 data bytes
--- 172.16.20.202 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host1:~# docker exec bbox_20_1 ping -c 172.16.10.101
ping: invalid number '172.16.10.101'
root@host1:~# docker exec bbox_20_1 ping -c 2 172.16.10.101
PING 172.16.10.101 (172.16.10.101): 56 data bytes
--- 172.16.10.101 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host1:~# docker exec bbox_20_1 ping -c 2 172.16.10.102
PING 172.16.10.102 (172.16.10.102): 56 data bytes
--- 172.16.10.102 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
root@host1:~# docker exec bbox_20_1 ping -c 2 172.16.20.201
PING 172.16.20.201 (172.16.20.201): 56 data bytes
64 bytes from 172.16.20.201: seq=0 ttl=64 time=0.073 ms
64 bytes from 172.16.20.201: seq=1 ttl=64 time=0.055 ms
--- 172.16.20.201 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.055/0.064/0.073 ms
root@host1:~# docker exec bbox_20_1 ping -c 2 172.16.20.202
PING 172.16.20.202 (172.16.20.202): 56 data bytes
64 bytes from 172.16.20.202: seq=0 ttl=64 time=0.713 ms
64 bytes from 172.16.20.202: seq=1 ttl=64 time=0.400 ms
--- 172.16.20.202 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.400/0.556/0.713 ms
配置路由器,使不同vlan的容器进行通信,在找一台ubuntu服务器
# 1、启用转发功能
[root@docker-machine ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
# 2、配置对应两个vlan的子接口,并配置网关ip
[root@docker-machine ~]# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto ens160
iface ens160 inet static
address 10.12.31.213
netmask 255.255.252.0
network 10.12.28.0
broadcast 10.12.31.255
gateway 10.12.28.6
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 10.12.28.6
up route add -net 172.22.0.0 netmask 255.255.0.0 gw 10.12.28.1 ens160
auto ens192
iface ens192 inet manual
auto ens192.10
iface ens192.10 inet manual
vlan-raw-device ens192
auto ens192.20
iface ens192.20 inet manual
vlan-raw-device ens192
[root@docker-machine ~]# ifup ens192.10
WARNING: Could not open /proc/net/vlan/config. Maybe you need to load the 8021q module, or maybe you are not using PROCFS??
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 10 to IF -:ens192:-
[root@docker-machine ~]# ifup ens192.20
Set name-type for VLAN subsystem. Should be visible in /proc/net/vlan/config
Added VLAN with VID == 20 to IF -:ens192:-
[root@docker-machine ~]# ifconfig ens192.10 172.16.10.1/24
[root@docker-machine ~]# ifconfig ens192.20 172.16.20.1/24
# 3、配置转发规则
[root@docker-machine ~]# iptables -A FORWARD -i ens192.10 -o ens192.20 -j ACCEPT
[root@docker-machine ~]# iptables -A FORWARD -i ens192.20 -o ens192.10 -j ACCEPT
# 4、进行网络连通性验证
root@host1:~# docker exec bbox_10_1 ping -c 2 172.16.20.201
PING 172.16.20.201 (172.16.20.201): 56 data bytes
64 bytes from 172.16.20.201: seq=0 ttl=63 time=0.557 ms
64 bytes from 172.16.20.201: seq=1 ttl=63 time=0.458 ms
--- 172.16.20.201 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.458/0.507/0.557 ms
root@host1:~# docker exec bbox_10_1 ping -c 2 172.16.20.202
PING 172.16.20.202 (172.16.20.202): 56 data bytes
64 bytes from 172.16.20.202: seq=0 ttl=63 time=1.387 ms
64 bytes from 172.16.20.202: seq=1 ttl=63 time=0.409 ms
--- 172.16.20.202 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.409/0.898/1.387 ms
root@host1:~# docker exec bbox_20_1 ping -c 2 172.16.10.101
PING 172.16.10.101 (172.16.10.101): 56 data bytes
64 bytes from 172.16.10.101: seq=0 ttl=63 time=0.520 ms
64 bytes from 172.16.10.101: seq=1 ttl=63 time=0.461 ms
--- 172.16.10.101 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.461/0.490/0.520 ms
root@host1:~# docker exec bbox_20_1 ping -c 2 172.16.10.102
PING 172.16.10.102 (172.16.10.102): 56 data bytes
64 bytes from 172.16.10.102: seq=0 ttl=63 time=0.465 ms
64 bytes from 172.16.10.102: seq=1 ttl=63 time=0.562 ms
--- 172.16.10.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.465/0.513/0.562 ms
大致的通信流程如下: