Principle of container network

Bridge:
docker adopt docker0 This bridge is used to ensure the communication between containers , But the bridge generally only recognizes mac Address , Do not recognize ip Address , It belongs to layer-2 network equipment , The router belongs to a three-layer network device , We send a package to a ip after , First, the layer 3 network device will broadcast arp Package to inquire about the ip To which the address belongs mac Address , find mac Address will be mac The purpose of writing the address into the network packet mac Address , Then layer-2 network devices can pass mac Address find the corresponding network card, that is , The bridge is usually a two-layer device , It's not ip Address of the , that docker0 It's a virtual bridge , Why set up a ip The address? , This is because you set a ip After the address , It is associated with the kernel protocol stack , In this way, the associated network namespace can be linked to the host , And the public network

veth-pair:
Linux A network device of , This network device has two endpoints , Data enters from an endpoint , It's bound to flow from the other end point , Every veth Can be endowed with ip Address , And participate in the three-layer network routing process. The network equipment is given ip after , Then one end of it can be considered to be connected to the protocol stack

docker After starting a container , Will create a veth-pair network card , One end links docker0, One end links the protocol stack in the container , And create routes for them （ Why do you create routes at both ends ）
We created one veth-pair After equipment , We have two network segments at both ends ip, We from ip1 ping To ip2 When , If there is no corresponding routing rule , Then the host will not know which device to send the packet to , After we create a route, the protocol stack knows to send to veth-pair equipment , But after sending vethpair Need destination mac Address , our ip2 received arp After the request , reply mac Address , But the request it replies to doesn't know which device to send , So you also need to create a path matching

docker Communication between containers and with host ：
docker The communication between containers is through docker0 This bridge , After starting a container, create a veth-pair equipment , One end links the internal network namespace protocol stack of the container , One end links docker0, such docker0 As a bridge, you can communicate during the period of Derong , If between containers ip Are different network segments , Then you need to configure the routing table , otherwise arp The package cannot find the address and cannot return mac Address , Then how does the internal network namespace of the container communicate with the host , This needs to be docker0 To configure a ip Address to link the network protocol stack of the host , Then you need to add routing rules inside the container , Configure the next hop address as docker0, such docker0 You can forward packets to the host

docker Visit the Internet ：
In fact, after the container is linked to the host protocol stack, it can communicate with the host or the external network , But there is a precondition ：
1. Run firewall , Routing and forwarding
iptables -A FORWARD -j ACCEPT
2. The kernel allows routing and forwarding , Modify value 1
vim /proc/sys/net/ipv4/ip_forward
3. To configure iptables -t nat -A POSTROUTING -S 192.168.15.0/24 -J MASQUERADE   This configuration will 192.168.15.0/24 Address out ip Change the source address of to the gateway address , If you don't replace it, you won't find the network card when you come back

flannel vxlan: Realize the communication between different host containers ： 
vxlan It's a kind of Linux Network devices on （ It is a layer-2 network device ）, This device is able to send packets inside udp Encapsulation , To the outside to achieve vxlan Unpack the package on ,vxlan When the package is received , Will be in fdb In the table, the mac Check the address to be delivered ip Address .

vxlan By looking for fdb To forward the received packets ,

Such as through bridge fdb see
......
00:00:00:00:00:00 dev vxlan0 dst 192.168.64.4 via enp0s1 self permanent 
This means any mac Address the package as long as it arrives vxlan0 On this network device , He will be sent to a purpose ip by 192.168.64.4 On this host ,k8s Slightly different

calico It realizes the communication between different hosts by configuring routing rules , His advantage is that there is no unpacking , More efficient