服务器如何知道应将传入的HTTP请求路由到Docker?

huangapple go评论66阅读模式
英文:

How does a server know that it should route an incoming HTTP request to Docker?

问题

Background:

我最近一直在阅读关于Docker和通用网络基础设施的内容。就与这个问题相关的我的当前理解是:

  • 连接到互联网的每台服务器都有一个IP地址。
  • 每台服务器都有一个将端口映射到运行在服务器上的服务的表格(每个服务一个端口)。
  • 如果浏览器从服务器请求网页,它会命中服务器的IP地址(通过DNS查找找到),通过端口80。一旦服务器在端口80上收到请求,它会从其端口表中看到端口80映射到其运行的HTTP服务器(一个服务),然后将请求传递给该服务。然后HTTP服务器会响应页面数据,将数据由服务器发送回客户端。
  • HTTP服务器只是运行在服务器上的服务之一,它是由Docker创建的容器中运行的。

Assumptions:

  • 我们有一台安装了Docker Engine的服务器。
  • Docker已经创建了一些副本容器,每个容器都运行着相同的HTTP服务器,为一个Web应用提供服务。
  • 我们已经发布了端口80:3000用于Web服务,因此Docker知道要将主机在端口80上的请求路由到容器内部的端口3000(这对应正在运行的HTTP服务器)。

Question:

当浏览器发送请求到服务器的IP地址的80端口时,服务器如何知道应该将流量路由到Docker?

我明白Docker如何将请求路由到正确的服务(即通过发布的端口),但我不明白服务器最初是如何知道应该将请求发送到Docker Engine。想必,Docker只是在服务器上运行的众多可执行文件之一。

英文:

Background:

I have recently been reading up on Docker and general web infrastructure. My current understanding, as it relates to this question:

  • Each server connected to Internet has an IP address.
  • Each server has a table mapping ports to services running on the server (one port per service).
  • If a browser requests a webpage from a server, it hits the server's IP address (found via DNS lookup) through port 80. Once the server gets a request on port 80, it sees from its port table that port 80 maps to its running HTTP server (a service) and passes the request to that service. The HTTP server then responds with the page data, which is sent by the server back to the client.
  • The HTTP server is just one of the services running on the server, in containers spun up by Docker.

Assumptions:

  • We have a server with Docker Engine installed.
  • Docker has spun up a few replica containers, each running identical HTTP servers serving a web app.
  • We have published port 80:3000 for the web service, so Docker knows to route host requests on port 80 to port 3000 inside the container (which maps to the running HTTP server).

Question:

When the browser sends a request to the server's IP address on port 80, how does the server know that it should route the traffic to Docker?

I get how Docker routes a request to the correct service (i.e. via published ports), but not how the server initially knows that the request should be sent to the Docker Engine. Presumably, Docker is only one of many executables running on the server.

答案1

得分: 2

基本上,Docker将自己注册为操作系统的服务,以接收容器映射到的IP和端口组合的流量。然后,它使用自己的路由逻辑将流量转发到容器。

值得注意的是,服务器实际上可能具有多个IP地址。它们可能有多个网络卡,每个网络卡可能连接到多个VLAN,并且每个VLAN连接可能具有多个IP地址。Docker可以创建一个虚拟网络,并设置一个虚拟路由器,通过主机的网络卡公开其中一个路由器的IP。它还可以将服务器的网络卡设置为桥接以虚拟扩展网络。这使它能够代表容器执行各种复杂的网络操作。

有关更多信息,建议阅读Docker文档的Networking部分。

英文:

Basically Docker registers as a service with the operating system to receive traffic for IP & Port combinations the containers are mapped to. It then uses its own routing logic to forward that traffic to the containers.

It's worth noting that servers may actually have multiple IP addresses. They may have more than one network card, each card may be connected to multiple VLANs and each VLAN connection may have have several IP addresses. Docker can create a virtual network and set up a virtual router with one of the router's IPs exposed through the hosts network cards. It can also set the server's network card up as a bridge to extend the network virtually. This allows it to do all kinds of complex networking on behalf of the containers.

For further information I'd suggest reading the Networking section of the Docker documentation.

答案2

得分: 1

它使用与任何希望监听端口的程序相同的机制。

当一个程序想要监听TCP端口时,它调用bind()来监听端口,然后调用accept4()来接受连接。

Docker也是一样的。当你创建一个具有发布端口并且不使用主机网络的容器时,它会启动一个名为docker-proxy的程序,其工作是监听TCP连接,并将它们中继到容器的IP地址和端口。

在某些情况下,它可以避免使用docker-proxy,并使用nftables将数据包转发到容器。

英文:

(This answer is going to be highly Linux-centric, since that's the platform I have the most experience with.)

It uses the same mechanism that any program which wants to listen to a port does.

When a program wants to listen to a TCP port, it calls bind() to listen to the port, followed by accept4() to accept a connection.

Docker does the same thing. When you create a container which has a published port and does not use host networking, it starts a program called docker-proxy, whose job is to listen for TCP connections, and relay them to the IP address and port of the container.

In some circumstances, it can avoid using docker-proxy, and use nftables to forward packets to the container.

huangapple
  • 本文由 发表于 2023年6月12日 03:46:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/76452272.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定