Networking features in Docker for Mac

2017.02.14 11:03* 字数 1654

Docker for Mac的网络功能

Docker for Mac provides several networking features to make it easier to use.
(Docker for Mac提供了一些网络功能来方便我们使用)

VPN Passthrough(VPN通道)
Docker for Mac’s networking can work when attached to a VPN. To do this, Docker for Mac intercepts traffic from the HyperKit
and injects it into macOS as if it originated from the Docker application.
(Docker for Mac的网络层可以通过链接到VPN工作,它是通过拦截来自HyperKit的流量并将其注入到macOS中,就好像它来自于Docker应用程序一样)

Port Mapping(端口映射)
When you run a container with the -p argument, for example: $ docker run -p 80:80 -d nginx Docker for Mac will make the container port available at localhost.
(当你使用<code>-p</code>命令来运行容器时,例如<code>$ docker run -p 80:80 -d nginx</code>,Docker for Mac会使容器端口在localhost中可用)

HTTP/HTTPS Proxy Support(HTTP/HTTPS代理支持)
Docker for Mac will detect HTTP/HTTPS Proxy Settings from macOS and automatically propagate these to Docker and to your containers. For example, if you set your proxy settings to in macOS, Docker will use this proxy when pulling containers.
(Docker for Mac会从macOS查询HTTP/HTTPS代理设置,并且自动将这些传播到Docker和你的容器中。例如,如果你在macOS中设置代理设置为<a></a>,Docker会在pulling容器的时候使用该代理)


When you start a container, you will see that your proxy settings propagate into the containers. For example:
(当您启动容器时,您将看到代理设置传播到容器中。 例如:)

$ docker run -it alpine env
no_proxy=*.local, 169.254/16

You can see from the above output that the HTTP_PROXY, http_proxy and no_proxy environment variables are set. When your proxy configuration changes, Docker restarts automatically to pick up the new settings. If you have containers that you wish to keep running across restarts, you should consider using [restart policies]
(您可以从上面的输出中看到HTTP_PROXY,http_proxy和no_proxy环境变量都已设置。 当代理配置更改时,Docker会自动重新启动以选择新设置。 如果您有要在重新启动时保持运行的容器,则应考虑使用restart policies

Known Limitations, Use Cases, and Workarounds
Following is a summary of current limitations on the Docker for Mac networking stack, along with some ideas for workarounds.
(以下是Docker for Mac网络堆栈的当前限制的摘要,以及解决方法的一些想法)

There is no docker0 bridge on macOS
(macOS上没有docker0 bridge)
Because of the way networking is implemented in Docker for Mac, you cannot see a docker0 interface in macOS. This interface is actually within HyperKit.
(由于在Docker for Mac中实现网络的方式,您在macOS中看不到docker0接口。 这个接口实际上在HyperKit中。)

I cannot ping my containers
Unfortunately, due to limitations in macOS, we’re unable to route traffic to containers, and from containers back to the host.

Per-container IP addressing is not possible
The docker (Linux) bridge network is not reachable from the macOS host.

Use cases and workarounds(用例和解决方法)
There are two scenarios that the above limitations will affect:

I want to connect from a container to a service on the host
The Mac has a changing IP address (or none if you have no network access). Our current recommendation is to attach an unused IP to the lo0 interface on the Mac; for example: sudo ifconfig lo0 alias, and make sure that your service is listening on this address or (ie not Then containers can connect to this address.
(Mac有一个变化的IP地址(或没有,如果你没有网络访问)。我们当前的建议是将未使用的IP附加到Mac上的<code>lo0</code>接口,例如<code>sudo ifconfig lo0 alias</code>并且确保你的服务正在监听该地址或0.0.0.0(IE并非127.0.0.1)。然后容器会链接到这地址。)
I want to connect to a container from the Mac
Port forwarding works for localhost; --publish, -p, or -P all work. Ports exposed from Linux are forwarded to the Mac.
Our current recommendation is to publish a port, or to connect from another container. Note that this is what you have to do even on Linux if the container is on an overlay network, not a bridge network, as these are not routed.

The command to run the nginx(运行nginx命令)
webserver shown in Getting Started is an example of this.
<code>docker run -d -p 80:80 --name webserver nginx</code>

To clarify the syntax, the following two commands both expose port 80 on the container to port 8000
on the host:
<pre>docker run --publish 8000:80 --name webserver nginx docker run --p 8000:80 --name webserver nginx</pre>

To expose all ports, use the -P flag. For example, the following command starts a container (in detached mode) and the -P exposes all ports on the container to random ports on the host.
(要显示所有端口,请使用-P标志。 例如,以下命令启动容器(在分离模式下),-P将容器上的所有端口暴露给主机上的随机端口。)
<pre>docker run -d -P --name webserver nginx</pre>

See the run commmand for more details on publish options used with docker run
A view into implementation
We understand that these workarounds are not ideal, but there are several problems. In particular, there is a bug in macOS that is only fixed in 10.12 and is not being backported as far as we can tell, which means that we could not support this in all supported macOS versions. In addition, this network setup would require root access which we are trying to avoid entirely in Docker for Mac (we currently have a very small root helper that we are trying to remove).
我们知道这些解决方法不理想,但有几个问题。 特别是,macOS中有一个bug,它只在10.12版本中修复,并且没有被反向导出,因为我们可以告诉它,这意味着我们不能在所有支持的macOS版本中支持。 此外,这个网络设置将需要root访问,我们试图在Docker for Mac中完全避免这种访问(我们目前有一个非常小的root helper,我们试图删除)。)

Docker for Mac
Web note ad 1