Networking features in Docker for Mac

Veekend
2017.02.14 11:03, word count 1654

Docker for Mac networking features

Docker for Mac provides several networking features to make it easier to use.

Features
VPN Passthrough
Docker for Mac's networking can work when attached to a VPN. To do this, Docker for Mac intercepts traffic from HyperKit and injects it into macOS as if it originated from the Docker application.

Port Mapping
When you run a container with the <code>-p</code> argument, for example <code>$ docker run -p 80:80 -d nginx</code>, Docker for Mac will make the container port available at localhost.

HTTP/HTTPS Proxy Support
Docker for Mac will detect HTTP/HTTPS proxy settings from macOS and automatically propagate these to Docker and to your containers. For example, if you set your proxy to http://proxy.example.com in macOS, Docker will use this proxy when pulling images.


When you start a container, you will see that your proxy settings propagate into the container. For example:

<pre>
$ docker run -it alpine env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=b7edf988b2b5
TERM=xterm
HOME=/root
HTTP_PROXY=http://proxy.example.com:3128
http_proxy=http://proxy.example.com:3128
no_proxy=*.local, 169.254/16
</pre>

You can see from the above output that the HTTP_PROXY, http_proxy and no_proxy environment variables are set. When your proxy configuration changes, Docker restarts automatically to pick up the new settings. If you have containers that you wish to keep running across restarts, you should consider using [restart policies](https://docs.docker.com/engine/reference/run/#restart-policies-restart).
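As an added example (not part of the original post and not Docker's own tooling), the script below audits env output of the kind shown above: it lists the proxy variables and flags any proxy URL that embeds a username and password, because whatever is in the macOS proxy URL is propagated into every container's environment, where any process in the container can read it. The sample env text is constructed to mirror the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit proxy variables in `env`-style output from a container.
# The sample below is constructed to mirror the output shown in the post; it is not a real capture.
SAMPLE_ENV='PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=b7edf988b2b5
TERM=xterm
HOME=/root
HTTP_PROXY=http://proxy.example.com:3128
http_proxy=http://proxy.example.com:3128
no_proxy=*.local, 169.254/16'

# Keep only the proxy-related variables (any case) from env output on stdin.
proxy_vars() {
  grep -i -E '^(https?_proxy|no_proxy)='
}

# Succeed (exit 0) if a proxy URL carries user:password before the host part.
has_credentials() {
  hostpart=$(printf '%s' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#/.*##')
  case "$hostpart" in
    *@*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Replace embedded credentials with placeholders so the value can be logged safely.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)[^/@]*@#\1***:***@#'
}

# Print each proxy variable, with credentials redacted and a warning when they are present.
audit_proxy_env() {
  printf '%s\n' "$1" | proxy_vars | while IFS='=' read -r name value; do
    if has_credentials "$value"; then
      printf '%s=%s  # WARNING: credentials in this URL reach every container\n' \
        "$name" "$(redact_url "$value")"
    else
      printf '%s=%s\n' "$name" "$value"
    fi
  done
}

# Usage: audit the constructed sample (it carries no credentials, so no warnings are printed).
audit_proxy_env "$SAMPLE_ENV"
```

Run it against a real capture with `docker run --rm alpine env | ...` piped into `audit_proxy_env`, or paste the output into SAMPLE_ENV; a warning means the proxy credentials configured in macOS are now readable inside every container started on that machine.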

Known Limitations, Use Cases, and Workarounds
Following is a summary of current limitations of the Docker for Mac networking stack, along with some ideas for workarounds.

There is no docker0 bridge on macOS
Because of the way networking is implemented in Docker for Mac, you cannot see a docker0 interface in macOS. This interface is actually within HyperKit.

I cannot ping my containers
Unfortunately, due to limitations in macOS, we're unable to route traffic to containers, or from containers back to the host.

Per-container IP addressing is not possible
The docker (Linux) bridge network is not reachable from the macOS host.

Use cases and workarounds
There are two scenarios that the above limitations will affect:

First scenario: I want to connect from a container to a service on the host
The Mac has a changing IP address (or none if you have no network access). Our current recommendation is to attach an unused IP to the <code>lo0</code> interface on the Mac, for example <code>sudo ifconfig lo0 alias 10.200.10.1/24</code>, and make sure that your service is listening on this address or on 0.0.0.0 (i.e. not on 127.0.0.1). Containers can then connect to this address.
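As an added example (not from the original post or from Docker), the script below takes the binding-address advice one step further: given output in the layout of `netstat -an -p tcp` on the Mac, it reports which listening sockets a container could reach through the lo0 alias and flags wildcard binds, which also expose the service on every real interface of the Mac. The netstat excerpt is constructed, and 10.200.10.1 is the page's own example alias.

```shell
#!/bin/sh
# Added example: classify which listening sockets on the Mac a container can reach via the lo0 alias.
HOST_ALIAS=10.200.10.1   # the unused address added with: sudo ifconfig lo0 alias 10.200.10.1/24

# Constructed excerpt in the layout of `netstat -an -p tcp` on macOS; not a real capture.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
tcp4       0      0  10.200.10.1.8080       *.*                    LISTEN
tcp46      0      0  *.3000                 *.*                    LISTEN
tcp4       0      0  192.168.1.20.22        *.*                    LISTEN
tcp4       0      0  192.168.1.20.49152     13.107.42.14.443       ESTABLISHED'

# Classify a macOS-style "address.port" local endpoint for the container-to-host case.
classify_binding() {
  addr=${1%.*}   # drop the trailing ".port"
  case "$addr" in
    127.0.0.1|::1)   echo "loopback-only: unreachable from containers" ;;
    "$HOST_ALIAS")   echo "lo0-alias: reachable from containers, not exposed on the LAN" ;;
    '*'|0.0.0.0|::)  echo "wildcard: reachable from containers and on every interface" ;;
    *)               echo "interface-bound ($addr): tied to an address that may change" ;;
  esac
}

# Report every LISTEN socket from netstat-style text on stdin, one classification per line.
report_listeners() {
  awk '$NF == "LISTEN" { print $4 }' | while read -r local; do
    printf '%-22s %s\n' "$local" "$(classify_binding "$local")"
  done
}

# Usage: classify the constructed sample; on a real Mac pipe `netstat -an -p tcp` into report_listeners.
printf '%s\n' "$SAMPLE_NETSTAT" | report_listeners
```

Binding the service to the alias itself rather than to 0.0.0.0 gives containers a stable target without also publishing the service on the Mac's real network interfaces.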
Second scenario: I want to connect to a container from the Mac
Port forwarding works for <code>localhost</code>; <code>--publish</code>, <code>-p</code> and <code>-P</code> all work. Ports exposed from Linux are forwarded to the Mac.
Our current recommendation is to publish a port, or to connect from another container. Note that this is what you have to do even on Linux if the container is on an overlay network rather than a bridge network, as overlay networks are not routed.

The command to run the nginx webserver shown in Getting Started is an example of this:
<code>docker run -d -p 80:80 --name webserver nginx</code>

To clarify the syntax, the following two commands both expose port 80 on the container as port 8000 on the host:
<pre>docker run --publish 8000:80 --name webserver nginx
docker run -p 8000:80 --name webserver nginx</pre>

To expose all ports, use the -P flag. For example, the following command starts a container (in detached mode) and the -P exposes all ports on the container to random ports on the host.
<pre>docker run -d -P --name webserver nginx</pre>

See the run command reference for more details on the publish options used with docker run.
A view into implementation
We understand that these workarounds are not ideal, but there are several problems. In particular, there is a bug in macOS that is only fixed in 10.12 and, as far as we can tell, is not being backported, which means that we could not support this on all supported macOS versions. In addition, this network setup would require root access, which we are trying to avoid entirely in Docker for Mac (we currently have a very small root helper that we are trying to remove).
