Docker Compose Network Configuration
Overview
Docker Compose provides networking features that let services talk to each other over isolated, name-addressable networks. This article covers network configuration in Docker Compose: the default network, custom networks, network modes, inter-service communication, and the security properties of each choice.
Docker Networking Basics
Network driver types
- bridge: the default driver; an isolated L2 segment on a single host, with NAT (masquerade) for outbound traffic
- host: the container uses the host's network namespace directly; no network isolation and no port mapping
- overlay: multi-host container networking (Swarm mode)
- macvlan: gives each container its own MAC address so it appears as a physical host on the LAN, bypassing the Docker bridge and its iptables rules
- none: no network interfaces except loopback
Default Network Behaviour
The automatically created default network
version: '3.8'   # optional: Compose v2 ignores this attribute and warns that it is obsolete
services:
  web:
    image: nginx
  api:
    image: node:14
  db:
    image: postgres
With this configuration Docker Compose will:
- create a bridge network named `<project>_default` (the project name defaults to the directory name; override it with `-p` or `COMPOSE_PROJECT_NAME`)
- attach every service to that network
- let services reach each other by service name through Docker's embedded DNS server (127.0.0.11 inside each container)
Note the security consequence: on the default network every service can reach every listening port of every other service, published or not. `ports:` only controls what the host and the outside world can reach; it does not limit container-to-container traffic. Splitting services across custom networks (next section) is how you restrict that.
Service discovery
# From inside the web container, other services resolve by name
curl http://api:3000
# db:5432 resolves the same way, but Postgres speaks its own protocol, not HTTP,
# so test it with a Postgres client rather than curl
psql -h db -U user mydb
Custom Network Configuration
1. Basic custom networks
version: '3.8'
services:
  web:
    image: nginx
    networks:
      - frontend
  api:
    image: node:14
    networks:
      - frontend
      - backend
  db:
    image: postgres
    networks:
      - backend
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
Here web and db share no network, so web cannot open a connection to db at all: the two networks are separate Linux bridges, and Docker's iptables isolation chains drop traffic between them. Only api, which is attached to both, can talk to both.
2. Network isolation
version: '3.8'
services:
  # Frontend - can only reach the API
  web:
    image: nginx
    networks:
      - frontend
  # API - bridges frontend and backend
  api:
    image: node:14
    networks:
      - frontend
      - backend
  # Database - reachable only from backend
  db:
    image: postgres
    networks:
      - backend
  # Cache - reachable only from backend
  redis:
    image: redis
    networks:
      - backend
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true   # no gateway and no masquerade: containers on this network cannot reach the outside, and no host ports are forwarded into it
Two things to keep in mind about internal networks: a container attached only to an internal network cannot pull updates, call external APIs or exfiltrate data, which is usually what you want for a database; and `ports:` on such a container has no effect, because Docker sets up port forwarding only on non-internal networks. The api service is the pivot point here: if it is compromised, the attacker is on the backend network as well, so its attack surface deserves the most attention.
3. Network aliases
version: '3.8'
services:
  api:
    image: node:14
    networks:
      backend:
        aliases:
          - api-server
          - backend-api
          - microservice-api
  worker:
    image: node:14
    networks:
      backend:
        aliases:
          - task-worker
          - background-processor
networks:
  backend:
    driver: bridge
Aliases are scoped to the network they are declared on: `api-server` resolves only for containers attached to backend. If several containers declare the same alias on the same network, the embedded DNS returns all of their addresses, which is a cheap way to give a group of replicas a single name.
Advanced Network Configuration
1. Network driver options
networks:
  custom_network:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: custom_bridge             # name of the Linux bridge created on the host
      com.docker.network.bridge.enable_icc: "true"              # inter-container communication on this bridge
      com.docker.network.bridge.enable_ip_masquerade: "true"    # SNAT outbound traffic to the host address
      com.docker.network.driver.mtu: "1500"                     # MTU of the bridge and of container interfaces
Quote the values: driver options are handed to the daemon as strings.
2. IP address management
version: '3.8'
services:
  web:
    image: nginx
    networks:
      app_network:
        ipv4_address: 172.20.0.10
  api:
    image: node:14
    networks:
      app_network:
        ipv4_address: 172.20.0.11
  db:
    image: postgres
    networks:
      app_network:
        ipv4_address: 172.20.0.12
networks:
  app_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16
          gateway: 172.20.0.1
Static addresses are only accepted on networks with a user-configured subnet; without the `ipam` block Docker refuses to start the container. Each address must lie inside the subnet and be unique, and a service with a static address cannot be scaled beyond one replica. Pick a subnet that does not overlap the host's own routes (VPNs and corporate networks commonly use 172.16.0.0/12 and 10.0.0.0/8), because an overlap silently breaks connectivity to those destinations. For application traffic prefer service names over addresses; static IPs are mainly useful for firewall rules or legacy clients that cannot use DNS.
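The daemon only reports these IPAM mistakes one container at a time, at start-up. The following script is an added example (not code from the original page or from Docker) that checks the whole plan offline. It assumes the Compose model has been loaded into a dict shaped like the output of `docker compose config --format json`; the sample model below is constructed for this example and mirrors the app_network configuration above, plus two deliberately broken services.

```python
# Added example (not from the original page): validate a Compose file's static IP plan
# offline, before `docker compose up` rejects it. Assumes the Compose model has been
# loaded into a dict shaped like `docker compose config --format json` output
# (services -> networks -> ipv4_address/ipv6_address, networks -> ipam.config[]).
import ipaddress

# Constructed sample: the app_network example above plus two deliberately broken services.
SAMPLE_CONFIG = {
    "services": {
        "web": {"networks": {"app_network": {"ipv4_address": "172.20.0.10"}}},
        "api": {"networks": {"app_network": {"ipv4_address": "172.20.0.11"}}},
        "db":  {"networks": {"app_network": {"ipv4_address": "172.20.0.12"}}},
        "bad": {"networks": {"app_network": {"ipv4_address": "172.21.0.5"}}},   # outside the subnet
        "dup": {"networks": {"app_network": {"ipv4_address": "172.20.0.10"}}},  # same address as web
    },
    "networks": {
        "app_network": {
            "driver": "bridge",
            "ipam": {"config": [{"subnet": "172.20.0.0/16", "gateway": "172.20.0.1"}]},
        }
    },
}


def declared_subnets(config):
    """Map network name -> list of (subnet, gateway-or-None) from its ipam.config entries."""
    plans = {}
    for net_name, net in (config.get("networks") or {}).items():
        plans[net_name] = []
        for entry in ((net or {}).get("ipam") or {}).get("config") or []:
            if "subnet" not in entry:
                continue
            subnet = ipaddress.ip_network(entry["subnet"], strict=False)
            gateway = ipaddress.ip_address(entry["gateway"]) if entry.get("gateway") else None
            plans[net_name].append((subnet, gateway))
    return plans


def check_static_ips(config):
    """Return a list of problems (empty means the plan is consistent).

    Mirrors the checks the daemon performs at container start: the network needs a
    user-configured subnet, the address must fall inside it, must not be the gateway,
    network or broadcast address, and must not be claimed by another service.
    """
    problems = []
    plans = declared_subnets(config)
    for net_name, entries in plans.items():
        for subnet, gateway in entries:
            if gateway is not None and gateway not in subnet:
                problems.append(f"{net_name}: gateway {gateway} is outside {subnet}")

    claimed = {}  # (network, address) -> service that claimed it first
    for svc_name, svc in (config.get("services") or {}).items():
        attachments = svc.get("networks") or {}
        if isinstance(attachments, list):      # short list syntax cannot carry static addresses
            continue
        for net_name, attach in attachments.items():
            for key in ("ipv4_address", "ipv6_address"):
                if not (attach or {}).get(key):
                    continue
                addr = ipaddress.ip_address(attach[key])
                entries = plans.get(net_name)
                if entries is None:
                    problems.append(f"{svc_name}: network {net_name} is not declared")
                    continue
                if not entries:
                    problems.append(f"{svc_name}: {net_name} has no ipam subnet; static addresses need one")
                    continue
                home = [s for s, _ in entries if addr in s]   # version mismatch (v4 vs v6) is simply False
                if not home:
                    problems.append(f"{svc_name}: {addr} is not inside any subnet of {net_name}")
                    continue
                subnet = home[0]
                if any(addr == gw for _, gw in entries):
                    problems.append(f"{svc_name}: {addr} is the gateway of {net_name}")
                elif addr in (subnet.network_address, subnet.broadcast_address):
                    problems.append(f"{svc_name}: {addr} is the network or broadcast address of {subnet}")
                owner = claimed.setdefault((net_name, addr), svc_name)
                if owner != svc_name:
                    problems.append(f"{svc_name}: {addr} is already assigned to {owner} on {net_name}")
    return problems


if __name__ == "__main__":
    for line in check_static_ips(SAMPLE_CONFIG) or ["static IP plan is consistent"]:
        print(line)
```

To run it against a real project, pipe `docker compose config --format json` into `json.load` and pass the result to `check_static_ips`. The script cannot see the host's routing table, so the overlap check against VPN and LAN routes still has to be done by hand (`ip route` on the host).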
3. Dual-stack (multiple subnet) configuration
The bridge driver accepts one IPv4 subnet and, with `enable_ipv6`, one IPv6 subnet per network; it rejects a second IPv4 subnet. A multi-subnet bridge network is therefore a dual-stack one:
networks:
  multi_subnet:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        - subnet: 172.20.0.0/24
          gateway: 172.20.0.1
        - subnet: fd00:20::/64
          gateway: fd00:20::1
Make sure any firewall rules you maintain on the host cover IPv6 as well; it is easy to harden iptables and leave the ip6tables path open.
External Networks
1. Using an existing network
version: '3.8'
services:
  app:
    image: myapp
    networks:
      - existing_network
      - new_network
networks:
  existing_network:
    external: true   # must already exist (docker network create existing_network); Compose neither creates nor removes it
  new_network:
    driver: bridge
2. Specifying the external network's name
networks:
  production_network:
    name: prod_network
    external: true
The older `external: { name: prod_network }` form is deprecated since Compose file format 3.5; `name:` is the supported way to map the key used in the file to a differently named network on the host. Joining an external network makes the service reachable from everything else attached to it, including containers from other projects, so treat it as a shared segment rather than a private one.
Network Modes
1. Host network mode
services:
  app:
    image: myapp
    network_mode: host
    # ports: has no effect in host mode; the process binds directly on the host's interfaces
Host mode removes the network boundary entirely: the container sees every host interface, can bind any port, and can reach services the host reaches on localhost. Use it only for workloads that genuinely need it (a monitoring agent, for example). On Docker Desktop host networking has historically been unavailable; on a Linux engine it works as described.
2. Container network mode
services:
  app1:
    image: myapp1
    container_name: app1               # required: container: mode refers to a container name, not a service name
  app2:
    image: myapp2
    network_mode: "container:app1"     # share app1's network namespace
3. Service network mode
services:
  app1:
    image: myapp1
  app2:
    image: myapp2
    network_mode: "service:app1"       # share app1's network namespace, resolved by service name
In both sharing modes app2 has no interfaces of its own: it uses app1's IP, DNS and loopback, so a port app2 listens on is reachable under app1's name, and `localhost` is common to both. Any `ports:` or `networks:` must be declared on app1, the owner of the namespace. This is the sidecar pattern; remember that a compromise of either container yields the network position of both.
4. None network mode
services:
  isolated_app:
    image: myapp
    network_mode: none   # loopback only; no connectivity in either direction
Inter-Service Communication
1. Basic communication
version: '3.8'
services:
  web:
    image: nginx
    ports:
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf   # a server block only; the image's own nginx.conf supplies events/http
  api:
    image: node:14
    environment:
      - DATABASE_URL=postgresql://user:pass@db:5432/mydb   # demo credentials; use secrets or an env_file in practice
      - REDIS_URL=redis://cache:6379
  db:
    image: postgres:13
    environment:
      - POSTGRES_DB=mydb
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
  cache:
    image: redis:6
Example nginx.conf
upstream api_backend {
    server api:3000;
}
server {
    listen 80;
    location /api/ {
        proxy_pass http://api_backend/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}
Mount the server block into conf.d rather than over /etc/nginx/nginx.conf: a file that replaces nginx.conf must also contain the `events {}` and `http {}` sections, otherwise nginx exits with "no events section in configuration". Note the trailing slash in `proxy_pass http://api_backend/;`: it strips the `/api/` prefix before forwarding, so the backend sees `/users` rather than `/api/users`.
2. Load balancing
version: '3.8'
services:
  nginx:
    image: nginx
    ports:
      - "80:80"
    volumes:
      - ./nginx-lb.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - api
  api:
    image: node:14
    deploy:
      replicas: 3   # three API containers; `docker compose up --scale api=3` does the same
    environment:
      - DATABASE_URL=postgresql://user:pass@db:5432/mydb
  db:
    image: postgres:13
    environment:
      - POSTGRES_DB=mydb
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
Example nginx-lb.conf
upstream api_cluster {
    # The service name resolves to the addresses of all replicas; nginx adds every
    # A record it receives at startup as an upstream peer and round-robins across them.
    server api:3000;
}
server {
    listen 80;
    location / {
        proxy_pass http://api_cluster;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Do not list replicas as `api_1`, `api_2` and so on: Compose v2 names containers `<project>-api-1`, those names are not guaranteed to be stable, and a service cannot set `container_name` once it has more than one replica. Two caveats with the DNS approach: nginx resolves the upstream name once at startup, so replicas added later are not picked up until a reload (`nginx -s reload`); and `depends_on` in its short form only orders startup, so use `condition: service_healthy` together with a healthcheck if nginx must not start before the API answers.
3. Service discovery and health checks
version: '3.8'
services:
  consul:
    image: hashicorp/consul   # the unprefixed `consul` image on Docker Hub is deprecated
    ports:
      - "127.0.0.1:8500:8500"   # UI and API are unauthenticated by default; never expose them on all interfaces
    command: agent -server -bootstrap -ui -client=0.0.0.0
  api:
    image: node:14
    environment:
      - CONSUL_URL=http://consul:8500
    depends_on:
      - consul
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
  web:
    image: nginx
    ports:
      - "80:80"
    depends_on:
      api:
        condition: service_healthy   # wait for the healthcheck to pass, not merely for the container to start
      consul:
        condition: service_started
`-client=0.0.0.0` is what lets other containers reach Consul over the Compose network; combined with the loopback port binding above, the host can still open the UI but nothing outside the host can. The healthcheck runs inside the api container, so the image must contain `curl` (the Debian-based node images do; the alpine variants do not).
Network Security
1. Network segmentation
version: '3.8'
services:
  # DMZ - internet facing
  nginx:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
    networks:
      - dmz
      - frontend
  # Application tier - internal access only
  api:
    image: node:14
    networks:
      - frontend
      - backend
  # Data tier - most restricted
  db:
    image: postgres
    networks:
      - backend
  # Management network - separate from application traffic
  monitoring:
    image: prom/prometheus
    networks:
      - management
      - backend   # Prometheus can only scrape targets it shares a network with
networks:
  dmz:
    driver: bridge   # the only non-internal network, which is what makes nginx's published ports work
  frontend:
    driver: bridge
    internal: true
  backend:
    driver: bridge
    internal: true
  management:
    driver: bridge
    internal: true
The published ports work on nginx only because nginx has a non-internal network (dmz); a service attached solely to internal networks gets no host port forwarding. Every service that sits on two networks (nginx, api, monitoring) is a hop an attacker can use to move toward the data tier, so those are the containers to run with the fewest privileges and to watch most closely. The monitoring container is attached to backend as well as management because a collector on an isolated management network alone would see nothing to scrape.
2. Firewall rules
version: '3.8'
services:
  app:
    image: myapp
    networks:
      secure_network:
        ipv4_address: 172.30.0.10
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE   # only if the process must bind a port below 1024
networks:
  secure_network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24
    driver_opts:
      com.docker.network.bridge.enable_icc: "false"   # containers on this bridge cannot talk to each other
`enable_icc: "false"` is a property of the whole network: every container on secure_network is cut off from every other container on it, while the host and, unless the network is internal, the outside remain reachable. It suits a set of workers that only need the host or external services, not a tier whose members must cooperate. Dropping capabilities is unrelated to the network but reduces what a compromised process can do with its network access: without CAP_NET_RAW it cannot craft raw packets or ARP-spoof neighbours on the bridge, and without CAP_NET_ADMIN it cannot change routes or interfaces.
Two host-level points matter more than any of the above. Docker programs iptables itself (the DOCKER and DOCKER-USER chains), so a published port is reachable from the network even when a host firewall such as ufw would deny it; rules meant to restrict container ports belong in the DOCKER-USER chain. And a mapping of the form `"8080:80"` listens on 0.0.0.0; bind administrative interfaces to the loopback address, `"127.0.0.1:8080:80"`, and reach them through SSH or a VPN.
Network Monitoring and Debugging
1. Network inspection commands
# List all networks
docker network ls
# Inspect a network: subnet, gateway, driver options and the containers attached to it
docker network inspect myproject_default
# Look at a container's network configuration
docker compose exec web ip addr show
# Test connectivity
docker compose exec web ping api
docker compose exec web nslookup api
# Interface statistics
docker compose exec web ip -s link
`docker compose` (the v2 plugin) replaces the standalone `docker-compose` binary; the v1 spelling still works where it is installed. Most application images (nginx, node, postgres) ship without `ip`, `ping` or `nslookup`, and the slim and alpine variants ship with almost nothing, which is why the next section uses a dedicated debugging container.
2. Network troubleshooting
version: '3.8'
services:
  debug:
    image: nicolaka/netshoot   # image bundling network debugging tools
    command: sleep infinity
    networks:
      - app_network
  app:
    image: myapp
    networks:
      - app_network
networks:
  app_network:
    driver: bridge
Example debugging commands
# Enter the debug container
docker compose exec debug bash
# Connectivity tests
ping app
nc -zv app 3000            # TCP connect test for a single port
# DNS resolution (Docker's embedded resolver listens on 127.0.0.11)
nslookup app
dig app
# Routing
traceroute app
ip route
# Which ports the target actually listens on, including ones it does not publish
nmap -sT -p- app
Run the debug container only while you need it and remove it afterwards: it carries the same tools an attacker would want, and because it shares app_network it sees everything app does. Attach it to exactly the network you are investigating, never to all of them.
Performance Optimization
1. Network performance tuning
networks:
  high_performance:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: "9000"                    # jumbo frames
      com.docker.network.bridge.enable_icc: "true"
      com.docker.network.bridge.enable_ip_masquerade: "false"  # no SNAT; containers appear with their own addresses
A 9000-byte MTU only helps if every hop, including the host NIC and any switch in the path, accepts jumbo frames; otherwise outbound traffic is fragmented or silently dropped, and the right fix is to match the bridge MTU to the host interface (1500, or lower on tunnels and many cloud networks). Disabling masquerade is not a performance knob: containers then reach the outside only if the upstream router can route the container subnet back, and their real addresses become visible to the destinations they contact.
2. Connection pool configuration
services:
  api:
    image: node:14
    environment:
      - DB_POOL_SIZE=20          # application-defined variables: the application, not Docker, reads them
      - DB_POOL_TIMEOUT=30000
      - REDIS_POOL_SIZE=10
    networks:
      - backend
Practical Example
Network configuration for a microservice architecture
version: '3.8'
services:
  # API gateway
  gateway:
    image: nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./gateway/nginx.conf:/etc/nginx/conf.d/default.conf
    networks:
      - public
      - services
  # User service
  user-service:
    image: user-service:latest
    networks:
      - services
      - database
    environment:
      - DATABASE_URL=postgresql://user:pass@user-db:5432/users   # demo credentials throughout; use secrets in practice
  # Order service
  order-service:
    image: order-service:latest
    networks:
      - services
      - database
      - message-queue
    environment:
      - DATABASE_URL=postgresql://user:pass@order-db:5432/orders
      - RABBITMQ_URL=amqp://rabbitmq:5672
  # Payment service
  payment-service:
    image: payment-service:latest
    networks:
      - services
      - database
      - message-queue
    environment:
      - DATABASE_URL=postgresql://user:pass@payment-db:5432/payments
      - RABBITMQ_URL=amqp://rabbitmq:5672
  # Databases
  user-db:
    image: postgres:13
    networks:
      - database
    environment:
      - POSTGRES_DB=users
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
  order-db:
    image: postgres:13
    networks:
      - database
    environment:
      - POSTGRES_DB=orders
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
  payment-db:
    image: postgres:13
    networks:
      - database
    environment:
      - POSTGRES_DB=payments
      - POSTGRES_USER=user
      - POSTGRES_PASSWORD=pass
  # Message queue
  rabbitmq:
    image: rabbitmq:3-management
    networks:
      - message-queue
      - monitoring   # a non-internal network is required for the published port below to work at all
    ports:
      - "127.0.0.1:15672:15672"   # management UI, loopback only
  # Monitoring
  prometheus:
    image: prom/prometheus
    networks:
      - monitoring
      - services
    ports:
      - "127.0.0.1:9090:9090"
  grafana:
    image: grafana/grafana
    networks:
      - monitoring
    ports:
      - "127.0.0.1:3000:3000"
networks:
  public:
    driver: bridge
  services:
    driver: bridge
    internal: true
  database:
    driver: bridge
    internal: true
  message-queue:
    driver: bridge
    internal: true
  monitoring:
    driver: bridge
Two weaknesses remain in this layout that are worth fixing in a real deployment. The single `database` network means every service can open a connection to every database, and the databases to each other, so the separation between user, order and payment data rests on credentials alone; one network per database, with only its owning service attached, makes that separation a property of the topology. And Prometheus on the `services` network can reach every service, which scraping requires but which also makes the monitoring tier a path into the application tier. Without the loopback binding, `"15672:15672"` would publish the RabbitMQ management interface on every host interface.
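Both the segmentation section and the microservice example above rely on reasoning about who can reach whom, and the mistakes they warn about (ports published from internal-only networks, 0.0.0.0 bindings, services that span an external and an internal network, a shared database network) are easy to miss by reading YAML. The following script is an added example (not code from the original page or from Docker) that derives these facts from the Compose model. It assumes the model is a dict shaped like `docker compose config --format json` output, with `ports` either as `"host:container"` strings or long-syntax dicts; the sample is a constructed, cut-down version of the microservice layout in which the RabbitMQ port is published from an internal-only network.

```python
# Added example (not from the original page or from Docker): audit which services can
# reach which, and where host exposure is, from the Compose model. Assumes the model is a
# dict shaped like `docker compose config --format json` output; `ports` may be either
# "host:container" strings or long-syntax dicts (host_ip/published/target).
from itertools import combinations

# Constructed sample: a cut-down version of the microservice layout above, with the
# RabbitMQ management port published from an internal-only network (a common mistake).
SAMPLE = {
    "services": {
        "gateway": {"networks": {"public": None, "services": None},
                    "ports": [{"target": 80, "published": "80", "protocol": "tcp"}]},
        "order-service": {"networks": {"services": None, "database": None, "message-queue": None}},
        "payment-service": {"networks": {"services": None, "database": None, "message-queue": None}},
        "order-db": {"networks": {"database": None}},
        "payment-db": {"networks": {"database": None}},
        "rabbitmq": {"networks": {"message-queue": None}, "ports": ["15672:15672"]},
    },
    "networks": {
        "public": {"driver": "bridge"},
        "services": {"driver": "bridge", "internal": True},
        "database": {"driver": "bridge", "internal": True},
        "message-queue": {"driver": "bridge", "internal": True},
    },
}


def network_def(config, net_name):
    return (config.get("networks") or {}).get(net_name) or {}


def is_internal(config, net_name):
    return bool(network_def(config, net_name).get("internal"))


def icc_enabled(config, net_name):
    """enable_icc defaults to true; "false" cuts containers on the bridge off from each other."""
    opts = network_def(config, net_name).get("driver_opts") or {}
    return str(opts.get("com.docker.network.bridge.enable_icc", "true")).lower() != "false"


def service_networks(config, svc_name, depth=0):
    """Networks the service's network namespace is attached to.

    network_mode: service:X shares X's namespace (and therefore X's networks);
    host and none have no Compose networks; a missing networks: key means the default network.
    """
    svc = config["services"][svc_name]
    mode = svc.get("network_mode") or ""
    if mode.startswith("service:") and depth < 8:
        return service_networks(config, mode.split(":", 1)[1], depth + 1)
    if mode in ("host", "none"):
        return set()
    nets = svc.get("networks")
    if nets is None:
        return {"default"}
    return set(nets) if isinstance(nets, list) else set(nets.keys())


def reachable_pairs(config):
    """Unordered pairs of services that share at least one network with ICC enabled."""
    pairs = set()
    for a, b in combinations(config["services"], 2):
        shared = service_networks(config, a) & service_networks(config, b)
        if any(icc_enabled(config, n) for n in shared):
            pairs.add(frozenset((a, b)))
    return pairs


def who_can_reach(config, target):
    """Sorted names of services that can open a connection to `target`."""
    return sorted(next(iter(p - {target})) for p in reachable_pairs(config) if target in p)


def published_ports(svc):
    """Normalise ports to (host_ip, published, target) tuples."""
    out = []
    for p in svc.get("ports") or []:
        if isinstance(p, dict):
            out.append((p.get("host_ip"), str(p.get("published") or ""), str(p.get("target"))))
            continue
        parts = str(p).split(":")          # "80" | "8080:80" | "127.0.0.1:8080:80"
        parts = [None] * (3 - len(parts)) + parts
        out.append((parts[0], parts[1] or "", parts[2]))
    return out


def audit(config):
    """Findings a reviewer would raise: dead port mappings, 0.0.0.0 bindings, pivot services."""
    findings = []
    for name, svc in config["services"].items():
        nets = service_networks(config, name)
        ports = published_ports(svc)
        if ports and nets and all(is_internal(config, n) for n in nets):
            findings.append(f"{name}: publishes ports but is attached only to internal networks; "
                            "Docker does not forward host ports into internal networks")
        for host_ip, published, target in ports:
            if host_ip in (None, "", "0.0.0.0"):
                findings.append(f"{name}: {published or target}->{target} is bound on all host "
                                "interfaces (set host_ip, e.g. 127.0.0.1, for admin UIs)")
        external = {n for n in nets if not is_internal(config, n)}
        if external and nets - external:
            findings.append(f"{name}: bridges external {sorted(external)} into internal "
                            f"{sorted(nets - external)}; a compromise here is a pivot")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
    print("can reach payment-db:", who_can_reach(SAMPLE, "payment-db"))
```

On the sample, `who_can_reach(SAMPLE, "payment-db")` returns order-service and order-db as well as payment-service, which is the shared-database-network problem described above stated as a fact about the topology rather than an opinion about the YAML. The model is L3 reachability only: it does not know about application authentication, and it treats `service:` namespace sharing as full reachability, which it is (the two containers share `localhost`).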
Best Practices
1. Network design principles
- Least privilege: attach each service only to the networks it needs, and mark every network that does not need internet access `internal`
- Segmentation: separate networks by function and sensitivity (edge, application, data, management), so that reaching the data tier requires traversing a service in between
- Service discovery: address services by name, not by IP; aliases can give a group of replicas a single name
- Load balancing: put a load balancer in front of multi-instance services and let DNS supply the replica addresses
2. Security recommendations
- Isolate sensitive services on internal networks, remembering that `ports:` has no effect there
- Bind published administrative ports to 127.0.0.1 and treat every 0.0.0.0 binding as internet-exposed, because Docker's own iptables rules bypass host firewalls such as ufw
- Review network configuration regularly: `docker compose config` shows the resolved file before deployment, and `docker network inspect` shows which containers are really attached to a network
- Monitor and log network activity, particularly on services attached to more than one network
- Encrypt traffic in transit (TLS); a bridge network isolates you from other networks, not from a compromised neighbour on the same one
3. Performance
- Match the MTU to the host path; raise it only where jumbo frames are supported end to end
- Use connection pools to avoid per-request connection setup
- Monitor latency and throughput
- Use overlay networks for multi-host communication
4. Troubleshooting
- Keep a debugging-tools container definition at hand, but attach it only to the network under investigation and remove it when done
- Check connectivity regularly
- Monitor DNS resolution performance
- Record changes to the network configuration
Summary
Docker Compose networking gives containerised applications a flexible and, when configured deliberately, well-isolated communication layer. With the right network layout you get service isolation, load balancing and controlled exposure to the host and the internet. Understanding these options is a key skill for building reliable microservice architectures.
A correct network configuration improves both security and performance and simplifies how services find and talk to each other. Design the topology with security, scalability and maintainability in mind, and verify it with `docker network inspect` rather than assuming the file says what the daemon does.