当前位置：首页 > news >正文

五、docker的网络模式

news 2025/7/13 1:09:24

五、docker的网络模式

5.1 Docker的四种网络模式

当你安装docker时，它会自动创建三个网络，可使用如下命令查看：

[root@localhost ~]# docker network  ls
NETWORK ID     NAME      DRIVER    SCOPE
7390284b02d6   bridge    bridge    local
d6f8e8de2c03   host      host      local
ec6c758e2ed2   none      null      local

Bridge：此模式会为每一个容器分配、设置IP等。使用 --net=bridge 指定，默认设置。

host：容器将不会虚拟出自己的网卡，配置自己的IP等，而是使用宿主机的IP和端口。使用--net=host 指定。

None：该模式关闭了容器的网络功能。使用 --net=none 指定。

Container：创建的容器不会创建自己的网卡，配置自己的IP，而是和一个指定的容器共享IP、端口范围。使用 --net=container:NAMEorID 指定。

5.2 None网络模式

使用none模式，Docker容器拥有自己的Network Namespace，但是，并不为Docker容器进行任何网络配置。也就是说，这个Docker容器没有网卡、IP、路由等信息，只有lo 网络接口。需要我们自己为Docker容器添加网卡、配置IP等。

不参与网络通信，运行于此类容器中的进程仅能访问本地回环接口；仅适用于进程无须网络通信的场景中，例如：备份、进程诊断及各种离线任务等。None模式示意图如下所示：

在这里插入图片描述

[root@localhost ~]# docker run -it --network none --rm busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
/ # exit

5.3 Host网络模式

如果启动容器的时候使用host模式，那么这个容器将不会获得一个独立的Network Namespace，而是和宿主机共用一个Network Namespace。容器将不会虚拟出自己的网卡，配置自己的IP等，而是使用宿主机的IP和端口。但是，容器的其他方面，如文件系统、进程列表等还是和宿主机隔离的。Host模式示意图如下所示：

在这里插入图片描述

[root@localhost ~]# ip a show ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000link/ether 00:0c:29:fb:63:04 brd ff:ff:ff:ff:ff:ffaltname enp2s1inet 192.168.168.101/24 brd 192.168.168.255 scope global noprefixroute ens33valid_lft forever preferred_lft foreverinet6 fe80::20c:29ff:fefb:6304/64 scope link noprefixroutevalid_lft forever preferred_lft forever
[root@localhost ~]# docker run --name busybox --rm -it --network host  busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel qlen 1000link/ether 00:0c:29:fb:63:04 brd ff:ff:ff:ff:ff:ffinet 192.168.168.101/24 brd 192.168.168.255 scope global noprefixroute ens33valid_lft forever preferred_lft foreverinet6 fe80::20c:29ff:fefb:6304/64 scope link noprefixroutevalid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueuelink/ether 02:42:1e:0f:2f:31 brd ff:ff:ff:ff:ff:ffinet 172.17.0.1/16 brd 172.17.255.255 scope global docker0valid_lft forever preferred_lft foreverinet6 fe80::42:1eff:fe0f:2f31/64 scope linkvalid_lft forever preferred_lft forever
37: veth0a9f628@if36: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master docker0link/ether ea:67:63:ea:8d:5a brd ff:ff:ff:ff:ff:ffinet6 fe80::e867:63ff:feea:8d5a/64 scope linkvalid_lft forever preferred_lft forever
38: br-f65f09f8a274: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueuelink/ether 02:42:40:d3:87:29 brd ff:ff:ff:ff:ff:ffinet 172.18.0.1/16 brd 172.18.255.255 scope global br-f65f09f8a274valid_lft forever preferred_lft foreverinet6 fe80::42:40ff:fed3:8729/64 scope linkvalid_lft forever preferred_lft forever
/ # exit

5.4 container网络模式

这个模式指定新创建的容器和已经存在的一个容器共享一个 Network Namespace，而不是和宿主机共享。新创建的容器不会创建自己的网卡，配置自己的 IP，而是和一个指定的容器共享 IP、端口范围等。同样，两个容器除了网络方面，其他的如文件系统、进程列表等还是隔离的。两个容器的进程可以通过 lo 网卡设备通信。Container模式示意图如下：

在这里插入图片描述

（1）先用bridge网络模式启动容器1

[root@localhost ~]# docker run -d --name web4 nginx:1.27.2-alpine
e5c5ae64f304fd37af4952659b4139f0d478bee732bc784ede8c36c93f638f76
[root@localhost ~]# docker inspect  web4 | grep -i ipaddress"SecondaryIPAddresses": null,"IPAddress": "172.17.0.3","IPAddress": "172.17.0.3",

（2）再使用Container 网络模式创建容器2

[root@localhost ~]# docker run  --name busybox --rm -it --network container:web4 busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
43: eth0@if44: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ffinet 172.17.0.3/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever
#web1上启动的nginx服务在该容器中可以直接访问
/ # wget -O - -q 172.17.0.3
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p>
</body>
</html>
#注意文件系统并不共享
/ # ls /usr/share
ls: /usr/share: No such file or directory

5.5 Bridge网络模式

安装docker时会自动创建一个docker0网桥，运行容器时，你可以使用docker run --network=<NETWORK>选项指定容器应连接到哪个网络，否则Docker守护程序默认将容器连接到docker0虚拟网桥，通过docker0网桥以及Iptables nat表配置与宿主机通信。

Docker 随机分配一个本地未占用的私有网段（在 RFC1918 中定义）中的一个地址给docker0 接口。此后启动的容器内的网口也会自动分配一个同一网段的地址。docker0的IP地址则为容器的默认网关。在主机上创建一对虚拟网卡veth pair设备，Docker将veth pair设备的一端放在新创建的容器中，并命名为eth0（容器的网卡），另一端放在主机中，以vethxxx这样类似的名字命名，并将这个网络设备加入到docker0网桥中（bridge模式示意图如下图所示）。可以通过brctl show命令查看。

在这里插入图片描述

[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
docker0         8000.02421e0f2f31       no
[root@localhost ~]# ip a show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group defaultlink/ether 02:42:1e:0f:2f:31 brd ff:ff:ff:ff:ff:ffinet 172.17.0.1/16 brd 172.17.255.255 scope global docker0valid_lft forever preferred_lft foreverinet6 fe80::42:1eff:fe0f:2f31/64 scope linkvalid_lft forever preferred_lft forever

通过这种方式，主机可以跟容器通信，容器之间也可以相互通信。 Docker 就创建了在主机和所有容器之间一个虚拟共享网络。

注：bridge模式是docker的默认网络模式，不写–net参数，就是bridge模式。使用docker run -p时，docker实际是在iptables做了DNAT规则，实现端口转发功能。可以使用iptables -t nat -vnL查看。

5.5.1 使用默认的网桥

#未指定网络模式则默认为bridge模式
[root@localhost ~]# docker run  -d -P --name web3 nginx:1.14-alpine
009f12f2142c6a297cd8cf3d0fb078037a03e2a8388c581016df9015ecaecd66
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE               COMMAND                   CREATED         STATUS         PORTS                                       NAMES
009f12f2142c   nginx:1.14-alpine   "nginx -g 'daemon of…"   4 seconds ago   Up 3 seconds   0.0.0.0:32775->80/tcp, [::]:32775->80/tcp   web3
[root@localhost ~]#
[root@localhost ~]# iptables -t nat -vnL DOCKER
Chain DOCKER (2 references)pkts bytes target     prot opt in     out     source               destination 0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0  0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32775 to:172.17.0.2:80
[root@localhost ~]# docker exec -it web3 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
36: eth0@if37: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UPlink/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ffinet 172.17.0.2/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
#尝试ping宿主机
/ # ping -c2 192.168.168.101
PING 192.168.168.101 (192.168.168.101): 56 data bytes
64 bytes from 192.168.168.101: seq=0 ttl=64 time=0.062 ms
64 bytes from 192.168.168.101: seq=1 ttl=64 time=0.043 ms

5.5.2 自定义网桥

#也可以在创建网桥时指定网段docker network create -d bridge --subnet 10.100.0.0/24 --gateway 10.100.0.1 my-bridge
[root@localhost ~]# docker network  create -d bridge my-bridge
[root@localhost ~]# docker network  ls
NETWORK ID     NAME        DRIVER    SCOPE
7390284b02d6   bridge      bridge    local
d6f8e8de2c03   host        host      local
f65f09f8a274   my-bridge   bridge    local
ec6c758e2ed2   none        null      local
[root@localhost ~]# brctl  show
bridge name     bridge id               STP enabled     interfaces
br-f65f09f8a274         8000.024240d38729       no
docker0         8000.02421e0f2f31       no              veth0a9f628
[root@localhost ~]# ip a show br-f65f09f8a274
38: br-f65f09f8a274: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group defaultlink/ether 02:42:40:d3:87:29 brd ff:ff:ff:ff:ff:ffinet 172.18.0.1/16 brd 172.18.255.255 scope global br-f65f09f8a274valid_lft forever preferred_lft forever
[root@localhost ~]# docker run --name busybox --rm -it --network my-bridge busybox:latest
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
41: eth0@if42: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ffinet 172.18.0.2/16 brd 172.18.255.255 scope global eth0valid_lft forever preferred_lft forever
/ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.18.0.1      0.0.0.0         UG    0      0        0 eth0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
/ # ping 192.168.168.101
PING 192.168.168.101 (192.168.168.101): 56 data bytes
64 bytes from 192.168.168.101: seq=0 ttl=64 time=0.278 ms
64 bytes from 192.168.168.101: seq=1 ttl=64 time=0.060 ms

5.6 容器间的通信

5.6.1 同一台主机上的容器间的通信

（1）容器都使用默认的Bridge网络模式

两个容器使用ip地址互相访问

#运行第一个容器
[root@localhost ~]# docker run --rm -it busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ffinet 172.17.0.2/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever#运行第二个容器
[root@localhost ~]# docker run -it --rm busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ffinet 172.17.0.3/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever#第一个容器ping第二个容器
/ # ping -c2 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.056 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.066 ms#第二个容器ping第一个容器
/ # ping -c2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.032 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.062 ms

容器间使用名字互相访问

[root@localhost ~]# docker run --rm -it --name test-name  busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
19: eth0@if20: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ffinet 172.17.0.3/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever
[root@localhost ~]# docker run -it --rm --link test-name:server1 busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
21: eth0@if22: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ffinet 172.17.0.4/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever
/ # cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.3      server1 d9a9e6278e9f test-name
172.17.0.4      9e6943af3424
/ # ping -c 2 server1
PING server1 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.073 ms--- server1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.054/0.073 ms
/ # ping -c 2 test-name
PING test-name (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.035 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.062 ms--- test-name ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.035/0.048/0.062 ms
/ #

（2）容器使用不同的bridge模式

[root@localhost ~]# docker network  ls
NETWORK ID     NAME        DRIVER    SCOPE
9d160e040474   bridge      bridge    local
d6f8e8de2c03   host        host      local
f65f09f8a274   my-bridge   bridge    local
ec6c758e2ed2   none        null      local
#查看新添加的网桥
[root@localhost ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br-f65f09f8a274         8000.02427ef21b98       no              vethf8467c8
docker0         8000.0242c16db1ae       no              vethcde7c3a
#运行第一个容器使用bridge模式
[root@localhost ~]# docker run  --rm --network bridge -it busybox:1.36  /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ffinet 172.17.0.2/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever#在另外一个终端窗口运行第二个容器使用my-bridge模式
[root@localhost ~]# docker run -it --rm --network my-bridge busybox:latest  /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ffinet 172.18.0.2/16 brd 172.18.255.255 scope global eth0valid_lft forever preferred_lft forever#两个容器互相访问，访问失败
#第一个容器ping第二个容器
/ # ping 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes#第二个容器ping第一个容器
/ # ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes

查看防火墙规则
在这里插入图片描述

#重新配置iptables规则
#（1）先将旧的iptables规则保存至iptables.sh文件中
[root@localhost ~]# iptables-save >  /root/iptables.sh
#（2）修改iptables.sh文件，注释下面两行
#-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
#-A DOCKER-ISOLATION-STAGE-2 -o br-f65f09f8a274 -j DROP
#（3）导入新的iptables规则
[root@localhost ~]# iptables-restore < /root/iptables.sh

#两个容器互相测试
#第一个容器访问第二个容器
/ # ping -c2 172.18.0.2
PING 172.18.0.2 (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=63 time=0.066 ms
64 bytes from 172.18.0.2: seq=1 ttl=63 time=0.093 ms
#第二个容器访问第一个容器
/ # ping -c3 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=63 time=0.067 ms
64 bytes from 172.17.0.2: seq=1 ttl=63 time=0.095 ms
64 bytes from 172.17.0.2: seq=2 ttl=63 time=0.095 ms

5.6.2 不同主机上的容器间的通信

两个主机上的容器之间的通信前提是宿主机之间的网络是可以互相通信的，然后个容器才可以通过宿主机访问到对方的容器，实现原理是在宿主机做一个网络路由就可以实现宿主机A的容器访问宿主机容器B的目的。

由于docker默认网段是172.17.0.X/24，如果要做路由每个宿主机的docker使用的默认网段不能一致。

#服务器A使用默认网段
#服务器B修改默认网段为10.10.0.X/24
[root@node02 yum.repos.d]# vim  /usr/lib/systemd/system/docker.service
#修改该行信息
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --bip=10.10.0.1/24
[root@node02 yum.repos.d]# systemctl daemon-reload
[root@node02 yum.repos.d]# systemctl start docker
[root@node02 yum.repos.d]# ip a show docker0
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group defaultlink/ether 02:42:bb:a0:47:ca brd ff:ff:ff:ff:ff:ffinet 10.10.0.1/24 brd 10.10.0.255 scope global docker0valid_lft forever preferred_lft forever

#服务器A启动容器
[root@localhost ~]# docker run -it --rm busybox:1.36 /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
9: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ffinet 172.17.0.2/16 brd 172.17.255.255 scope global eth0valid_lft forever preferred_lft forever#服务器B启动容器
[root@node02 ~]# docker run -it --rm busybox:latest /bin/sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope hostvalid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueuelink/ether 02:42:0a:0a:00:02 brd ff:ff:ff:ff:ff:ffinet 10.10.0.2/24 brd 10.10.0.255 scope global eth0valid_lft forever preferred_lft forever

#容器间互相访问测试，无法访问
/ # ping -c2 10.10.0.2
PING 10.10.0.2 (10.10.0.2): 56 data bytes--- 10.10.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss/ # ping -c 2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes--- 172.17.0.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

#给serverA添加静态路由，当本机要访问10.10.0.0/24网段的主机的时候，网关指定为serverB宿主机的地址
[root@localhost ~]# route add -net 10.10.0.0/24 gw 192.168.168.102
#设置防火墙规则
[root@localhost ~]# iptables -A FORWARD -s 192.168.168.0/24 -j ACCEPT#给serverB添加静态路由，网关地址为serverA的地址
[root@node02 ~]#  route add -net 172.17.0.0/24 gw 192.168.168.101
#设置防火墙规则
[root@localhost ~]# iptables -A FORWARD -s 192.168.168.0/24 -j ACCEPT

#测试
#宿主机A容器访问宿主机B容器
/ # ping -c2 10.10.0.2
PING 10.10.0.2 (10.10.0.2): 56 data bytes
64 bytes from 10.10.0.2: seq=0 ttl=62 time=0.461 ms
64 bytes from 10.10.0.2: seq=1 ttl=62 time=0.556 ms--- 10.10.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.461/0.508/0.556 ms#宿主机B容器访问宿主机A容器
/ # ping -c 2 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=62 time=0.491 ms
64 bytes from 172.17.0.2: seq=1 ttl=62 time=0.575 ms