First, I know how to create a VXLAN interface with a tag using the ip command:
ip link add vxlan-br0 type vxlan id <tag-id> group <multicast-ip> local <host-ip> dstport 0
But that is useless for my actual need, which is to isolate multiple docker containers using different tags, for example:
brctl addif br1 veth111111 tag=10 # veth111111 is the netdev used by docker container 1
brctl addif br1 veth222222 tag=20 # veth222222 is the netdev used by docker container 2
brctl addif br1 veth333333 tag=10 # veth333333 is the netdev used by docker container 3
I want to isolate container 2 from containers 1 and 3, without isolating containers 1 and 3 from each other. How can I achieve this?
Answer 0: (score: 0)
Adding two bridge networks will provide isolation.
docker network create net1
docker network create net2
Then start some containers
docker run -d --name one --net net1 busybox sleep 600
docker run -d --name two --net net2 busybox sleep 600
docker run -d --name three --net net1 busybox sleep 600
one and three will communicate because they are attached to the same bridge
docker exec one ping three
docker exec three ping one
The others will fail because they cross networks/bridges
docker exec one ping two
docker exec two ping one
docker exec three ping two
You'll notice that docker provides host/name resolution within a network, so it is actually host name resolution that fails above. IPs are not routed between the bridges either.
$ docker exec three ip ad sh dev eth0
17: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:14:00:03 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.3/16 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe14:3/64 scope link
valid_lft forever preferred_lft forever
Ping two
$ docker exec three ping -c 1 -w 1 172.21.0.2
PING 172.21.0.2 (172.21.0.2): 56 data bytes
--- 172.21.0.2 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
Ping one
$ docker exec three ping -c 1 -w 1 172.20.0.2
PING 172.20.0.2 (172.20.0.2): 56 data bytes
64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.044 ms
This setup also works with the overlay networking driver, but it is more complex to set up.
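As an added example (not part of the original answer), the script below declares the intended segmentation as a container-to-network table, in the role the asker's tag=10 / tag=20 labels play, builds the two bridge networks the answer describes, and then verifies the isolation with the same ping checks rather than assuming it. The container and network names (one/two/three, net1/net2) are the answer's; the policy table and helper names are assumed.

```shell
#!/bin/sh
# Constructed policy: container name and the user-defined bridge it should attach to.
POLICY="one net1
two net2
three net1"

# Print the network a container is supposed to be on (empty if unknown).
net_of() {
    printf '%s\n' "$POLICY" | awk -v c="$1" '$1 == c { print $2 }'
}

# Succeed only when both containers share a network under the policy.
expect_reachable() {
    a=$(net_of "$1"); b=$(net_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Create every network named in the policy and start one busybox container per entry.
apply_policy() {
    printf '%s\n' "$POLICY" | awk '{ print $2 }' | sort -u | while read -r net; do
        docker network inspect "$net" >/dev/null 2>&1 || docker network create "$net"
    done
    printf '%s\n' "$POLICY" | while read -r name net; do
        docker run -d --rm --name "$name" --net "$net" busybox sleep 600 >/dev/null
    done
}

# Ping by container name (docker's per-network DNS) and compare with the policy.
check_pair() {
    if docker exec "$1" ping -c 1 -w 1 "$2" >/dev/null 2>&1; then got=reachable; else got=blocked; fi
    if expect_reachable "$1" "$2"; then want=reachable; else want=blocked; fi
    [ "$got" = "$want" ] && echo "OK   $1 -> $2: $got" && return 0
    echo "FAIL $1 -> $2: got $got, expected $want"; return 1
}

# Check every ordered pair of containers; non-zero exit if any pair violates the policy.
verify_policy() {
    rc=0
    names=$(printf '%s\n' "$POLICY" | awk '{ print $1 }')
    for a in $names; do
        for b in $names; do
            [ "$a" = "$b" ] || check_pair "$a" "$b" || rc=1
        done
    done
    return $rc
}

# Only touches docker when invoked as: sh isolate.sh apply
if [ "${1:-}" = "apply" ]; then apply_policy && verify_policy; fi
```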