使用 --net=container:containerName 键将 docker 容器附加到另一个容器的网络
Attaching a docker container to another container's network with --net=container:containerName key
我正在阅读 Jaroslaw Krochmalski 的书 "Docker and Kubernetes for Java Developers",并且偶然发现了以下示例。作者建议创建一个桥接myNetwork网络,然后运行两个容器(ApacheTomcat和BusyBox)连接到这个网络,如下(命令应该是运行在单独的终端会话):
$ docker run -it --name myTomcat --net=myNetwork tomcat
$ docker run -it --net container:myTomcat busybox
作者特意说 "we want our busybox container to use the same network as Tomcat uses. As an alternative, we could of course go with specifying a network name explicitly, using the --net myNetwork option".
那么作者建议通过运行在busybox容器中执行以下命令来检查容器之间的通信:
$ wget localhost:8080
这确实有效,但立即让我感到困惑,因为我们有两个不同的容器,并且不清楚它们为什么通过本地主机进行通信。事实证明,上面提到的带有 --net container:myTomcat 键的命令并没有准确地将容器添加到网络中,而是使它在与 myTomcat 容器相同的 IP 下以某种方式可见。
观察结果证实了这一点,如果您 运行 docker network inspect myNetwork,您将看到实际上只有一个容器连接到网络:
[
{
"Name": "myNetwork",
...
"Containers": {
"464ed70a0c31784226dc943bcbcb79f7c4666b9d7825183706505731ac06a9bf": {
"Name": "myTomcat",
"EndpointID": "a4c384f17c6f8e443a430f130093ff6936bb59b1b54d0f056d1f0b4c703c1489",
"MacAddress": "02:42:ac:14:00:02",
"IPv4Address": "172.20.0.2/16",
"IPv6Address": ""
}
},
...
}
]
相反,如果你运行 busybox容器如下:
$ docker run -it --net=myNetwork busybox
通过 localhost 的可见性将不起作用,但 docker network inspect myNetwork 将显示在不同 IP 下连接到网络的两个容器:
[
{
"Name": "myNetwork",
...
"Containers": {
"41c607b78af36cf6512124b6c057ed31997ddd6067a99ae579fe25b53753178e": {
"Name": "vigorous_clarke",
"EndpointID": "9bf6d6a294d885febcfe7f38e388f68af3f8bc7c0334c1dcea13512c3ead23d5",
"MacAddress": "02:42:ac:14:00:03",
"IPv4Address": "172.20.0.3/16",
"IPv6Address": ""
},
"464ed70a0c31784226dc943bcbcb79f7c4666b9d7825183706505731ac06a9bf": {
"Name": "myTomcat",
"EndpointID": "a4c384f17c6f8e443a430f130093ff6936bb59b1b54d0f056d1f0b4c703c1489",
"MacAddress": "02:42:ac:14:00:02",
"IPv4Address": "172.20.0.2/16",
"IPv6Address": ""
}
},
...
}
]
所以看起来,与作者的说法相反,--net=container:myTomcat 和 --net=myNetwork 键具有完全不同的含义。问题是我找不到任何关于 --net=container:containerName 符号的文档,所以我不确定它到底是什么意思或者它是如何工作的。有人对此有任何见解吗?
--network=container:containerName的含义如下,根据documentation:
With the network set to container a container will share the network stack of another container. [...] Example running a Redis container with Redis binding to localhost then running the redis-cli command and connecting to the Redis server over the localhost interface.
$ docker run -d --name redis example/redis --bind 127.0.0.1
$ # use the redis container's network stack to access localhost
$ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1
这就是 busybox 容器可以通过本书示例中的 http://localhost:8080 访问 tomcat 应用程序的原因。
感谢@tgogos 为我指明了正确的方向。
我正在阅读 Jaroslaw Krochmalski 的书 "Docker and Kubernetes for Java Developers",并且偶然发现了以下示例。作者建议创建一个桥接myNetwork网络,然后运行两个容器(ApacheTomcat和BusyBox)连接到这个网络,如下(命令应该是运行在单独的终端会话):
$ docker run -it --name myTomcat --net=myNetwork tomcat
$ docker run -it --net container:myTomcat busybox
作者特意说 "we want our busybox container to use the same network as Tomcat uses. As an alternative, we could of course go with specifying a network name explicitly, using the --net myNetwork option".
那么作者建议通过运行在busybox容器中执行以下命令来检查容器之间的通信:
$ wget localhost:8080
这确实有效,但立即让我感到困惑,因为我们有两个不同的容器,并且不清楚它们为什么通过本地主机进行通信。事实证明,上面提到的带有 --net container:myTomcat 键的命令并没有准确地将容器添加到网络中,而是使它在与 myTomcat 容器相同的 IP 下以某种方式可见。
观察结果证实了这一点,如果您 运行 docker network inspect myNetwork,您将看到实际上只有一个容器连接到网络:
[
{
"Name": "myNetwork",
...
"Containers": {
"464ed70a0c31784226dc943bcbcb79f7c4666b9d7825183706505731ac06a9bf": {
"Name": "myTomcat",
"EndpointID": "a4c384f17c6f8e443a430f130093ff6936bb59b1b54d0f056d1f0b4c703c1489",
"MacAddress": "02:42:ac:14:00:02",
"IPv4Address": "172.20.0.2/16",
"IPv6Address": ""
}
},
...
}
]
相反,如果你运行 busybox容器如下:
$ docker run -it --net=myNetwork busybox
通过 localhost 的可见性将不起作用,但 docker network inspect myNetwork 将显示在不同 IP 下连接到网络的两个容器:
[
{
"Name": "myNetwork",
...
"Containers": {
"41c607b78af36cf6512124b6c057ed31997ddd6067a99ae579fe25b53753178e": {
"Name": "vigorous_clarke",
"EndpointID": "9bf6d6a294d885febcfe7f38e388f68af3f8bc7c0334c1dcea13512c3ead23d5",
"MacAddress": "02:42:ac:14:00:03",
"IPv4Address": "172.20.0.3/16",
"IPv6Address": ""
},
"464ed70a0c31784226dc943bcbcb79f7c4666b9d7825183706505731ac06a9bf": {
"Name": "myTomcat",
"EndpointID": "a4c384f17c6f8e443a430f130093ff6936bb59b1b54d0f056d1f0b4c703c1489",
"MacAddress": "02:42:ac:14:00:02",
"IPv4Address": "172.20.0.2/16",
"IPv6Address": ""
}
},
...
}
]
所以看起来,与作者的说法相反,--net=container:myTomcat 和 --net=myNetwork 键具有完全不同的含义。问题是我找不到任何关于 --net=container:containerName 符号的文档,所以我不确定它到底是什么意思或者它是如何工作的。有人对此有任何见解吗?
--network=container:containerName的含义如下,根据documentation:
With the network set to
containera container will share the network stack of another container. [...] Example running a Redis container with Redis binding to localhost then running the redis-cli command and connecting to the Redis server over the localhost interface.$ docker run -d --name redis example/redis --bind 127.0.0.1 $ # use the redis container's network stack to access localhost $ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1
这就是 busybox 容器可以通过本书示例中的 http://localhost:8080 访问 tomcat 应用程序的原因。
感谢@tgogos 为我指明了正确的方向。