Monday, January 26, 2015

docker networking

http://www.dasblinkenlichten.com/docker-networking-101/

  1. By default, all container networks are hidden from the real network. Docker installs a masquerade (hide NAT) rule for all container traffic. This allows all of the containers to talk to the outside world (AKA the real network) but doesn’t allow the outside world to talk back to the containers.
  2. `docker run -it --rm -p 8080:80 busybox`. If we run that command, we can see that iptables creates an associated NAT rule that forwards traffic destined for 8080 on the host (10.20.30.100 in this case) to port 80 on the container… If the busybox container on docker1 wants to talk to the busybox container on docker2, it can only do so through an exposed port on the host's network interface.
  3. On the host, set icc=false and containers will no longer be able to talk to each other; to connect them, use the --link parameter at run time.
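To see the two rule types from points 1 and 2 in practice, here is an added example (not from the linked article) that audits a constructed `iptables-save -t nat` dump of a Docker host: it finds the masquerade rule that hides the container subnet and lists every DNAT rule in the DOCKER chain, i.e. every port a `-p` flag has opened from the real network into a container. The subnet, container IP and port numbers in the sample are assumptions modelled on the default docker0 bridge.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `iptables-save -t nat` on a Docker host with one
# container started with `-p 8080:80` (assumed docker0 bridge, 172.17.0.0/16).
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
"""


@dataclass(frozen=True)
class PublishedPort:
    host_port: int
    proto: str
    container_ip: str
    container_port: int


# A DNAT rule in the DOCKER chain: host port -> container ip:port.
DNAT_RE = re.compile(
    r"^-A DOCKER .*-p (?P<proto>tcp|udp) .*--dport (?P<hport>\d+) "
    r"-j DNAT --to-destination (?P<cip>[\d.]+):(?P<cport>\d+)$")
# The hide-NAT rule: everything from the container subnet leaving the bridge is masqueraded.
MASQ_RE = re.compile(r"^-A POSTROUTING -s (?P<subnet>[\d./]+) ! -o \S+ -j MASQUERADE$")


def find_masquerade(rules: str) -> Optional[str]:
    """Return the container subnet hidden behind the host's address, or None if absent."""
    for line in rules.splitlines():
        m = MASQ_RE.match(line)
        if m:
            return m.group("subnet")
    return None


def published_ports(rules: str) -> List[PublishedPort]:
    """Each DNAT rule is a hole from the real network into a container; list them all."""
    found = []
    for line in rules.splitlines():
        m = DNAT_RE.match(line)
        if m:
            found.append(PublishedPort(int(m.group("hport")), m.group("proto"),
                                       m.group("cip"), int(m.group("cport"))))
    return found


if __name__ == "__main__":
    print("masqueraded container subnet:", find_masquerade(SAMPLE_NAT_RULES))
    for p in published_ports(SAMPLE_NAT_RULES):
        print(f"host :{p.host_port}/{p.proto} -> {p.container_ip}:{p.container_port}")
```

Feed it real output from `iptables-save -t nat` to check that only the ports you intended to publish are reachable from outside.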