Docker and Container

Docker Network

looeon 2024. 3. 4. 17:29

● Port forwarding

[vagrant@docker1 ~]$ docker run -d --name httpd -p 9900:80 httpd:2.4


● This works because of the firewall (iptables NAT rules)

>> DNAT intercepts the incoming connection

>> When tcp 9900 comes in >> it is relayed to 172.17.0.2:80

>> MASQUERADE (NAT): 172.17.0.0/16 is the container IP range; when a container sends a request out, its source is rewritten to the host so the traffic can leave

[vagrant@docker1 ~]$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9900 to:172.17.0.2:80
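The DOCKER chain above is also what a defender audits to learn which container ports are reachable from outside. The following is an added example, not code from the original post; it assumes the `iptables -t nat -L -n` layout shown above and parses the DNAT rows to report where each published port is bound.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Docker DNAT rules that
# `sudo iptables -t nat -L -n` prints. A rule whose destination column reads
# 0.0.0.0/0 came from a plain `-p 9900:80` and accepts connections on every
# host interface; publishing as `-p 127.0.0.1:9900:80` puts 127.0.0.1 there
# instead, so only local clients reach the container.

# audit_published_ports: reads the DOCKER chain text on stdin and prints one
# line per DNAT rule: "<bind-addr> <proto> <host-port> -> <container>:<port> <verdict>"
audit_published_ports() {
    awk '
        $1 == "DNAT" {
            proto = $2; bind = $5; hport = ""; target = ""
            # trailing fields look like: tcp dpt:9900 to:172.17.0.2:80
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) hport = substr($i, 5)
                if ($i ~ /^to:/)  target = substr($i, 4)
            }
            verdict = (bind == "0.0.0.0/0") ? "ALL-INTERFACES" : "restricted"
            printf "%s %s %s -> %s %s\n", bind, proto, hport, target, verdict
        }'
}

# Constructed sample: the DOCKER chain from the post plus one loopback-bound
# rule of the shape a `-p 127.0.0.1:3306:3306` publication produces.
SAMPLE_NAT='Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9900 to:172.17.0.2:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:3306 to:172.18.0.2:3306'

# count_all_interface_ports: how many published ports answer on every interface.
count_all_interface_ports() {
    printf '%s\n' "$SAMPLE_NAT" | audit_published_ports | grep -c 'ALL-INTERFACES$'
}

printf '%s\n' "$SAMPLE_NAT" | audit_published_ports
# Live use: sudo iptables -t nat -L DOCKER -n | audit_published_ports
```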

 

▩ Publishing the same host port again reports that it is already in use

[vagrant@docker1 ~]$ docker run -d --name httpd2 -p 9900:80 httpd:2.4
74e6756e5cbe4ab3bb802530edad826d230b6e2882549171f67d7fc9826be6f0
docker: Error response from daemon: driver failed programming external connectivity on endpoint httpd2 (ed6af97e70b598c7a95c250ec2940ecd9bf92a51fdf037c3161f37846ebe8d1c): Bind for 0.0.0.0:9900 failed: port is already allocated.


▶ If no host port is given, one in the 30000 range is assigned automatically

[vagrant@docker1 ~]$ docker run -d --name httpd3 -p :80 httpd:2.4
fa442f94d2426361e533ee5bab74d7b1c5c870074d5306bc01b479ba49ea1291
[vagrant@docker1 ~]$ docker container ps
CONTAINER ID   IMAGE       COMMAND              CREATED         STATUS         PORTS                                     NAMES
fa442f94d242   httpd:2.4   "httpd-foreground"   7 seconds ago   Up 5 seconds   0.0.0.0:32768->80/tcp, :::32768->80/tcp   httpd3


Communication between containers

● The host's Docker networks

[vagrant@docker1 ~]$ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
d6a902758f47   bridge    bridge    local
28479fceff7b   host      host      local
8498db25e184   none      null      local
[vagrant@docker1 ~]$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global noprefixroute dynamic eth0
       valid_lft 61566sec preferred_lft 61566sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:18:2a:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.10/24 brd 192.168.25.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe18:2a83/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:a7:54:6f:8f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:a7ff:fe54:6f8f/64 scope link
       valid_lft forever preferred_lft forever
80: vethe55cef2@if79: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 2a:f1:c7:ae:02:7e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::28f1:c7ff:feae:27e/64 scope link
       valid_lft forever preferred_lft forever
84: veth2b59435@if83: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:bd:62:0c:6c:bc brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::ccbd:62ff:fe0c:6cbc/64 scope link
       valid_lft forever preferred_lft forever


▶ Install bridge-utils to inspect the veth devices

[vagrant@docker1 ~]$ sudo yum -y install bridge-utils

 

▷ Two interfaces appear under docker0: think of one as the NIC used by httpd and the other as the NIC used by centos8

[vagrant@docker1 ~]$ brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242a7546f8f       no              veth2b59435
                                                        vethe55cef2

 

▷ Each one has its own MAC address

[vagrant@docker1 ~]$ ip a s veth2b59435
84: veth2b59435@if83: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:bd:62:0c:6c:bc brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::ccbd:62ff:fe0c:6cbc/64 scope link
       valid_lft forever preferred_lft forever
[vagrant@docker1 ~]$ ip a s vethe55cef2
80: vethe55cef2@if79: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 2a:f1:c7:ae:02:7e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::28f1:c7ff:feae:27e/64 scope link
       valid_lft forever preferred_lft forever


▶ Check from inside centos8

[vagrant@docker1 ~]$ docker run -d --name mycentos -it centos:8
[vagrant@docker1 ~]$ docker exec -it mycentos /bin/bash

 

[root@dfac5e8141b9 /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
83: eth0@if84: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@dfac5e8141b9 /]# ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3


◎ Think of it as a virtual bridge (the veth pair) sitting between the container and the docker0 bridge

>> And when traffic leaves for the outside, it goes out through iptables
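The two ends of that virtual link are tied together by interface index: the container's `83: eth0@if84` line points at the host's `84: veth2b59435@if83`, and `brctl show` then tells which bridge that veth sits on. The script below is an added example (not code from the original post) that automates this lookup; it assumes the `ip a s` and `brctl show` layouts shown above and reuses the post's own output as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post). Tells which bridge a container's eth0
# really hangs off, using only text the post already shows: the container's
# "NN: eth0@ifMM" line, the host's "MM: vethXXXX@ifNN" line and `brctl show`.
# The ifindex pairing (83 <-> 84 in the post) is what links the two ends of a veth.

# find_host_veth <container 'ip a s' text> <host 'ip a s' text>
# Prints the host veth whose ifindex equals the peer index in the container's eth0 line.
find_host_veth() {
    peer=$(printf '%s\n' "$1" | awk -F'[ :@]+' '$2 == "eth0" { sub(/^if/, "", $3); print $3 }')
    printf '%s\n' "$2" | awk -v idx="$peer" -F'[ :@]+' '$1 == idx && $2 ~ /^veth/ { print $2 }'
}

# bridge_of_iface <veth name> <brctl show text>
# Handles brctl's layout: the first interface of a bridge sits on the bridge's own
# row, further interfaces sit alone on continuation rows.
bridge_of_iface() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                    # header row
        NF == 3 { br = $1; iface = "" }     # bridge with no interfaces
        NF >= 4 { br = $1; iface = $NF }    # bridge row with its first interface
        NF == 1 { iface = $1 }              # continuation row
        iface == want { print br; exit }'
}

# Constructed samples, copied from the post's output (trimmed to the relevant lines).
CONTAINER_IP='83: eth0@if84: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0'
HOST_IP='80: vethe55cef2@if79: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 2a:f1:c7:ae:02:7e brd ff:ff:ff:ff:ff:ff link-netnsid 0
84: veth2b59435@if83: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether ce:bd:62:0c:6c:bc brd ff:ff:ff:ff:ff:ff link-netnsid 1'
BRCTL='bridge name     bridge id               STP enabled     interfaces
docker0         8000.0242a7546f8f       no              veth2b59435
                                                        vethe55cef2'

# container_bridge: the bridge the sample container is attached to.
container_bridge() {
    veth=$(find_host_veth "$CONTAINER_IP" "$HOST_IP")
    bridge_of_iface "$veth" "$BRCTL"
}

echo "container eth0 is peered with $(find_host_veth "$CONTAINER_IP" "$HOST_IP") on $(container_bridge)"
# Live use: find_host_veth "$(docker exec NAME ip a s)" "$(ip a s)"
```

After a container is moved to a user-defined bridge, the same lookup should name the `br-...` bridge instead of docker0.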


▶ Add a DB

[vagrant@docker1 ~]$ docker run -d --name mydb -e MYSQL_ROOT_PASSWORD=mydb mysql
b47d4926365067a9ede8e9cf09ebf0ed95e473e1b8eb847c6d7db345f7fc26a6

 

▷ Right now the DB and CentOS can ping each other; this connection must be cut

>> Pull the cable out of the Docker bridge

# The host ID and the container ID are the same

[root@dfac5e8141b9 /]# ping 172.17.0.4
PING 172.17.0.4 (172.17.0.4) 56(84) bytes of data.
64 bytes from 172.17.0.4: icmp_seq=1 ttl=64 time=0.103 ms
64 bytes from 172.17.0.4: icmp_seq=2 ttl=64 time=0.101 ms

 

▷ Pull the cable >> the IP disappears as well

[vagrant@docker1 ~]$ docker network disconnect bridge mydb

 

>> Ping from CentOS no longer works


● Create a new user-defined bridge

# There are several kinds of driver

[vagrant@docker1 ~]$ docker network create --driver
bridge   ipvlan   macvlan  overlay

[vagrant@docker1 ~]$ docker network create --driver bridge mybridge
bb00b36761dacce49ca95abda219fc957251434bb60737a7a81a455ae67a6e38

[vagrant@docker1 ~]$ docker network ls
NETWORK ID     NAME       DRIVER    SCOPE
d6a902758f47   bridge     bridge    local
28479fceff7b   host       host      local
bb00b36761da   mybridge   bridge    local
8498db25e184   none       null      local

 

● On the host OS, the 172.18.0.1 range now appears

87: br-bb00b36761da: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:3d:2e:81:0f brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-bb00b36761da
       valid_lft forever preferred_lft forever
    inet6 fe80::42:3dff:fe2e:810f/64 scope link
       valid_lft forever preferred_lft forever
89: veth8c0a92f@if88: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-bb00b36761da state UP group default
    link/ether 8a:14:c6:9c:b5:a1 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::8814:c6ff:fe9c:b5a1/64 scope link
       valid_lft forever preferred_lft forever

 

○ Connect the mydb container to the new user-defined bridge

[vagrant@docker1 ~]$ docker network connect mybridge mydb

○ Since apache has to talk to mydb, connect it to the user-defined bridge as well

[vagrant@docker1 ~]$ docker network connect mybridge myapache

 

● A new network card is created on the host OS

91: vethd63f76b@if90: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-bb00b36761da state UP group default
    link/ether 5e:69:b5:db:6d:9b brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::5c69:b5ff:fedb:6d9b/64 scope link
       valid_lft forever preferred_lft forever

● The user-defined bridge shows up as a new network card whose name starts with br-

sudo nmcli dev s

 

● The number of ports (port interfaces) grows with the number of connected containers

[vagrant@docker1 ~]$ brctl  show
bridge name     bridge id               STP enabled     interfaces
br-bb00b36761da         8000.02423d2e810f       no              veth8c0a92f
                                                        vethd63f76b
docker0         8000.0242a7546f8f       no              veth2b59435
                                                        vethe55cef2

◆ Delete what is not in use >> the prune option

[vagrant@docker1 ~]$ docker network ls
NETWORK ID     NAME       DRIVER    SCOPE
d6a902758f47   bridge     bridge    local
28479fceff7b   host       host      local
bb00b36761da   mybridge   bridge    local
8498db25e184   none       null      local
[vagrant@docker1 ~]$ all_container_rm
b47d49263650
dfac5e8141b9
410e9edbbd2c
b47d49263650
dfac5e8141b9
d40c08f00041
410e9edbbd2c
[vagrant@docker1 ~]$ docker network prune
WARNING! This will remove all custom networks not used by at least one container.
Are you sure you want to continue? [y/N] y
Deleted Networks:
mybridge

 

>> The three remaining built-in networks (bridge, host, none) cannot be deleted

[vagrant@docker1 ~]$ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
d6a902758f47   bridge    bridge    local
28479fceff7b   host      host      local
8498db25e184   none      null      local

▶ Attach centos8 directly to the host with the --network option

[vagrant@docker1 ~]$ docker run -d --network host --name centos8 -it centos:8
37a51c5090560d4d653ed47fb083038263d1e6dad0d676c492ae8ac22142b42a

 

▷ The host's IPs appear exactly as they are

>> We are inside the container, but the network view is identical to the host's

[vagrant@docker1 ~]$ docker exec -it centos8 /bin/bash
[root@docker1 /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:4d:77:d3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
       valid_lft 59252sec preferred_lft 59252sec
    inet6 fe80::5054:ff:fe4d:77d3/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:18:2a:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.25.10/24 brd 192.168.25.255 scope global noprefixroute eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe18:2a83/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:a7:54:6f:8f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:a7ff:fe54:6f8f/64 scope link
       valid_lft forever preferred_lft forever

 

○ Checking with ps -e shows the difference (the process view is still the container's own)

[vagrant@docker1 ~]$ docker exec -it centos8 /bin/bash
[root@docker1 /]# ps -e
  PID TTY          TIME CMD
    1 pts/0    00:00:00 bash
   54 pts/1    00:00:00 bash
   68 pts/1    00:00:00 ps

 

Only the network-related settings are shared with the host; everything else stays separate

(diagram: Host / Container)

● The none network is an isolated state with no network access at all

[vagrant@docker1 ~]$ docker run -d --network none --name centos1 -it centos:8
123bf30879ad00f66a93d192a7c295df0733007b26902ef8e7117560c454ad5d
[root@123bf30879ad /]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
