How the bridge network works on the inside
The default Docker bridge network
$ docker container ls -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
131df83cc78a bridge bridge local
73f2d51a39de host host local
9198ba9fc6fd none null local
$ docker image ls -a
REPOSITORY TAG IMAGE ID CREATED SIZE
Existing interfaces:
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:d1:2f:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.217/20 brd 192.168.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fed1:2fc9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
CIDR block
CIDR, or Classless Inter-Domain Routing, is an IP address allocation technique that allows more efficient use of the address space. Instead of dividing IP addresses into fixed classes (A, B, C), CIDR uses a notation that specifies the number of bits used for the network part of the address.
A CIDR block is written in the form 192.168.0.0/24, where "192.168.0.0" is the network address and "/24" indicates that the first 24 bits identify the network, while the remaining 8 bits can be used to identify hosts within that network. This provides more flexibility and efficiency in the use of IP addresses, allowing networks of varying sizes to be created as needed.
This approach helps reduce IP address waste and simplifies routing on the Internet.
Note the CIDR block 172.17.0.1/16 on the docker0 interface:
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
It is the same as the subnet of Docker's default bridge network:
$ docker network inspect bridge | grep -Ei "Subnet"
"Subnet": "172.17.0.0/16",
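As an added example that is not part of the original page, the following Python derives the network, broadcast and netmask of the CIDR blocks shown above from the prefix length alone, which is the arithmetic behind the line "inet 172.17.0.1/16 brd 172.17.255.255" and behind the "Subnet" value reported by docker network inspect; the container address 172.17.0.2 used at the end is a constructed value.

```python
# Added example (not from the original page): CIDR arithmetic on the blocks
# shown in the `ip address` output above (docker0 and br-0fa57e06379e).

def ip_to_int(ip):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    """32-bit integer -> dotted-quad IPv4 string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def netmask(prefix):
    """Mask with the first `prefix` bits set, e.g. /16 -> 255.255.0.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def cidr_info(cidr):
    """Network address, broadcast address, netmask and usable host count of a CIDR block."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = netmask(prefix)
    net = ip_to_int(ip) & mask               # keep only the network bits
    bcast = net | (~mask & 0xFFFFFFFF)       # host bits all set to one
    hosts = max(2 ** (32 - prefix) - 2, 0)   # minus network and broadcast addresses
    return {"network": int_to_ip(net), "broadcast": int_to_ip(bcast),
            "netmask": int_to_ip(mask), "usable_hosts": hosts}

def in_block(ip, cidr):
    """True when `ip` shares the network bits of the CIDR block."""
    net, prefix = cidr.split("/")
    mask = netmask(int(prefix))
    return ip_to_int(ip) & mask == ip_to_int(net) & mask

if __name__ == "__main__":
    # Values taken from the `ip address` output above.
    for iface, cidr in (("docker0", "172.17.0.1/16"), ("br-0fa57e06379e", "172.18.0.1/16")):
        print(iface, cidr_info(cidr))
    # 172.17.0.2 is a constructed container address on docker0: it is not part of
    # the custom1 block, since the two bridges were given disjoint /16 subnets.
    print(in_block("172.17.0.2", "172.17.0.0/16"), in_block("172.17.0.2", "172.18.0.0/16"))
```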
docker0 is the virtual interface of Docker's default bridge network.
A new interface is created whenever a Docker network is created; in this example, the interface br-0fa57e06379e:
$ docker network create custom1
0fa57e06379e0ea0bab701873005918b10c52feb71246110d057a30f9f9bca8f
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:d1:2f:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.217/20 brd 192.168.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fed1:2fc9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-0fa57e06379e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:c9:f8:e1:62 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-0fa57e06379e
valid_lft forever preferred_lft forever
$ docker network inspect custom1 | grep -Ei "Subnet"
"Subnet": "172.18.0.0/16",
When a container is created on Docker's default bridge network, a new interface created for the container can be seen, in this case the interface veth828cec5@if5:
$ docker container run -d nginx
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
e4fff0779e6d: Pull complete
2a0cb278fd9f: Pull complete
7045d6c32ae2: Pull complete
03de31afb035: Pull complete
0f17be8dcff2: Pull complete
14b7e5e8f394: Pull complete
23fa5a7b99a6: Pull complete
Digest: sha256:447a8665cc1dab95b1ca778e162215839ccbb9189104c79d7ec3a81e14577add
Status: Downloaded newer image for nginx:latest
51141a2f1c148f939fd914fd9cb493ebf0620c0c8e0bf212606f81715dad150b
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:d1:2f:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.217/20 brd 192.168.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fed1:2fc9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1aff:fe26:92ee/64 scope link
valid_lft forever preferred_lft forever
4: br-0fa57e06379e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:c9:f8:e1:62 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-0fa57e06379e
valid_lft forever preferred_lft forever
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether a6:0f:db:6e:39:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a40f:dbff:fe6e:39cc/64 scope link
valid_lft forever preferred_lft forever
With the bridge link command it is possible to verify that the interface created is attached to the docker0 interface:
$ bridge link
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
Creating a container on the same default Docker bridge network:
$ docker container run -d nginx
7824cf37753e3a0aa189f8bbdcf25ab5fcd27ee9f5e0831e7828760e97c49465
$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7824cf37753e nginx "/docker-entrypoint.…" 22 seconds ago Up 21 seconds 80/tcp sleepy_aryabhata
51141a2f1c14 nginx "/docker-entrypoint.…" 7 minutes ago Up 6 minutes 80/tcp pedantic_merkle
A new interface was created for the new container, also attached to the docker0 interface:
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:d1:2f:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.217/20 brd 192.168.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fed1:2fc9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1aff:fe26:92ee/64 scope link
valid_lft forever preferred_lft forever
4: br-0fa57e06379e: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:c9:f8:e1:62 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-0fa57e06379e
valid_lft forever preferred_lft forever
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether a6:0f:db:6e:39:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a40f:dbff:fe6e:39cc/64 scope link
valid_lft forever preferred_lft forever
8: veth7e95f05@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether e6:93:94:5b:d6:42 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::e493:94ff:fe5b:d642/64 scope link
valid_lft forever preferred_lft forever
$ bridge link
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
8: veth7e95f05@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
When the last container created is also connected to the custom1 network, 3 virtual interfaces can be seen:
$ docker network connect custom1 7824cf37753e
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:d1:2f:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.217/20 brd 192.168.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fed1:2fc9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1aff:fe26:92ee/64 scope link
valid_lft forever preferred_lft forever
4: br-0fa57e06379e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c9:f8:e1:62 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-0fa57e06379e
valid_lft forever preferred_lft forever
inet6 fe80::42:c9ff:fef8:e162/64 scope link
valid_lft forever preferred_lft forever
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether a6:0f:db:6e:39:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a40f:dbff:fe6e:39cc/64 scope link
valid_lft forever preferred_lft forever
8: veth7e95f05@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether e6:93:94:5b:d6:42 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::e493:94ff:fe5b:d642/64 scope link
valid_lft forever preferred_lft forever
10: veth87eba3a@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0fa57e06379e state UP group default
link/ether d6:d2:61:27:19:32 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::d4d2:61ff:fe27:1932/64 scope link
valid_lft forever preferred_lft forever
The interface created, veth87eba3a@if9, is attached to the interface br-0fa57e06379e:
$ bridge link
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
8: veth7e95f05@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
10: veth87eba3a@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-0fa57e06379e state forwarding priority 32 cost 2
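As an added example that is not part of the original page, this Python script parses the veth lines of the ip address output shown above (embedded as a constructed sample) and groups them by link-netnsid, the host-side identifier of the peer network namespace, to find the container that is attached to two bridges at once; a container with a foot in two networks is exactly what a reviewer of network segmentation wants to spot.

```python
import re

# Constructed sample: the veth lines from the `ip address` output above, taken
# after the second container was connected to custom1 as well.
IP_ADDRESS_OUTPUT = """\
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether a6:0f:db:6e:39:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
8: veth7e95f05@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether e6:93:94:5b:d6:42 brd ff:ff:ff:ff:ff:ff link-netnsid 1
10: veth87eba3a@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0fa57e06379e state UP group default
    link/ether d6:d2:61:27:19:32 brd ff:ff:ff:ff:ff:ff link-netnsid 1
"""

# Header line: "<ifindex>: <veth>@if<peer ifindex>: ... master <bridge> ..."
HEADER_RE = re.compile(r"^(\d+): (veth[^@:]+)@if(\d+):.*\bmaster (\S+)")
# Continuation line carrying the id of the namespace that holds the peer end.
NETNSID_RE = re.compile(r"\blink-netnsid (\d+)")

def parse_veths(text):
    """One dict per veth: host ifindex, name, peer ifindex inside the container, master bridge, netnsid."""
    veths = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            veths.append({"ifindex": int(m.group(1)), "name": m.group(2),
                          "peer_ifindex": int(m.group(3)), "master": m.group(4),
                          "netnsid": None})
            continue
        n = NETNSID_RE.search(line)
        if n and veths:
            veths[-1]["netnsid"] = int(n.group(1))   # belongs to the last header seen
    return veths

def bridges_by_namespace(veths):
    """Map each link-netnsid (one container network namespace) to the bridges it is attached to."""
    result = {}
    for v in veths:
        result.setdefault(v["netnsid"], set()).add(v["master"])
    return result

def multi_homed(veths):
    """Namespaces attached to more than one bridge, i.e. containers spanning two networks."""
    return {ns: sorted(b) for ns, b in bridges_by_namespace(veths).items() if len(b) > 1}

if __name__ == "__main__":
    for ns, bridges in multi_homed(parse_veths(IP_ADDRESS_OUTPUT)).items():
        print(f"netnsid {ns} is attached to {len(bridges)} bridges: {', '.join(bridges)}")
```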
Disconnecting the last container created from the bridge network:
$ docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7824cf37753e nginx "/docker-entrypoint.…" 16 minutes ago Up 16 minutes 80/tcp sleepy_aryabhata
51141a2f1c14 nginx "/docker-entrypoint.…" 22 minutes ago Up 22 minutes 80/tcp pedantic_merkle
$ docker network disconnect bridge 7824cf37753e
The interface veth7e95f05@if7 is deleted and the container only keeps its connection to the custom1 network:
$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:d1:2f:c9 brd ff:ff:ff:ff:ff:ff
inet 192.168.43.217/20 brd 192.168.47.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::215:5dff:fed1:2fc9/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:1a:26:92:ee brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1aff:fe26:92ee/64 scope link
valid_lft forever preferred_lft forever
4: br-0fa57e06379e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:c9:f8:e1:62 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-0fa57e06379e
valid_lft forever preferred_lft forever
inet6 fe80::42:c9ff:fef8:e162/64 scope link
valid_lft forever preferred_lft forever
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether a6:0f:db:6e:39:cc brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::a40f:dbff:fe6e:39cc/64 scope link
valid_lft forever preferred_lft forever
10: veth87eba3a@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-0fa57e06379e state UP group default
link/ether d6:d2:61:27:19:32 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::d4d2:61ff:fe27:1932/64 scope link
valid_lft forever preferred_lft forever
$ bridge link
6: veth828cec5@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state forwarding priority 32 cost 2
10: veth87eba3a@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br-0fa57e06379e state forwarding priority 32 cost 2
The container reaches the Internet by passing through the whole existing network structure, namely:
veth
switch
network interface
local machine (NAT)
eth0