This article is a summary of container network learning and learning deepening ( The following containers refer to docker Containers ). The concepts involved and the whole process are introduced in detail .

The conclusion of this study ： Limited to their own Network Namespace Container processes in , In fact, by Veth Pair equipment + The host bridge realizes the data exchange with other containers .

Some of the concepts

Network stack ： network card （Network Interface）、 Loopback equipment （Loopback Device）、 Routing table （Routing Table） and iptables The rules . For a process, these elements constitute the basic environment for it to initiate and respond to network requests .

Each container is its own Network Namespace, The host itself is Host Namespace

bridge （Bridge）： stay Linux Network equipment that acts as a virtual switch in the system , It works at the data link layer （Data Link）, The main function is based on MAC The address forwards packets to different ports of the bridge （Port） On .

ARP（Address Resolution Protocol）： Through three layers of IP Find the corresponding second floor address MAC Address agreement .

Something to pay attention to

1,Docker By default, the project will create a host named docker0 The bridge , As long as it is connected to docker0 Containers on the bridge can communicate through it .

2, How about containers “ Connect ” To docker0 bridge ？——Veth Pair equipment , The two ends are connected separately docker0 And containers , The two ends correspond to each other . Act as a network cable .

3, Containers a Access to the container b when , Need to know b Of MAC Address , Need to send first ARP radio broadcast .

Basic conditions

There are two containers running on the host a、b, Enter one of the containers ifconfig, You will see that there is a named eth0 Virtual network card ; In the host computer ifconfig, You will see that the virtual network card is in docker0 The name on ,veth-xxxxx, At this point, it can be said that the virtual device is plugged in docker0 On the bridge , The same is true of another container , One end can be seen in the container network , The other end is docker0 You can see on the bridge .

Now , If in a In the container ping once b Container of IP Address , You will find that two containers on the same host are connected by default .

Journey of analysis

a Container access b Containers , First of all, according to the purpose IP(b Containers ) Match to the corresponding routing rule , You can see , Gateway for this routing rule （Gateway） yes 0.0.0.0, This means that this is a direct connection rule , namely ： Anything that matches this rule IP package , It should go through the local eth0 network card , It is directly sent to the destination host through the layer-2 network .

At this point, you need 172.17.0.3 This IP Address corresponding MAC Address . therefore a Container's network protocol stack , It needs to pass eth0 The network card sends a ARP radio broadcast , adopt IP Address search for the corresponding MAC Address .

If the virtual network card eth0 Plug in docker0 On the bridge , It will become the bridge “ Slave device ”, It will be “ deprive ” Call the network protocol stack to process packets , thus “ Downgrade ” Become a port on the bridge . And the only function of this port is , It's receiving incoming packets , And then put these packets of “ The power of life and death ”（ Like forwarding or discarding ）, All to the corresponding bridge .

After receiving these ARP After the request ,docker0 The bridge will act as a layer 2 switch , hold ARP The broadcast is forwarded to others “ insert ” stay docker0 Virtual network card on . such , Also connected to docker0 Upper nginx-2 The network protocol stack of the container will receive this ARP request , So that 172.17.0.3 The corresponding MAC Reply the address to nginx-1 Containers . With this purpose MAC Address ,nginx-1 Container of eth0 The network card can send data packets .

docker0 The process of processing forwarding , Continue to play the role of layer 2 switch . here ,docker0 The bridge depends on the purpose of the packet MAC Address （ That is to say nginx-2 Container of MAC Address ）, In its CAM surface （ That is, the switch passes through MAC Port and address for learning and maintenance MAC Table of addresses ） Find the corresponding port in the （Port） by ：vethb4963f3, Then send the packet to this port . And this port , It is nginx-2 Containers “ insert ” stay docker0 Another virtual network card on the bridge , Of course , It's also a Veth Pair equipment . such , The packet enters nginx-2 Container of Network Namespace in .