Docker Networking: From One to Many
Transcript of the slides (source: files.meetup.com/18366808/Docker Networking - From One to...)
[Slide 1]
Docker Networking: From One to Many
Don Mills
[Slide 2]
What we are going to talk about
● Overview of traditional Docker networking
● Some demonstrations
● Questions
● New Docker features
● Some more demonstrations
● Questions again
[Slide 3]
The Building Blocks of Docker Networking
Network Namespaces (netns)
Virtual Ethernet Interfaces (Veths)
Discovery
VXLAN
Segmentation
[Slide 4]
The Building Blocks Part One – Network Namespaces (netns)
A logical, separated, discrete copy of the network stack.
[Slide 5]
Network Namespaces virtualize the network functions
Each container has one*
HARDWARE
Linux Kernel Global Namespace (interfaces, routing table, iptables)
Container 1 Namespace (interfaces, routing table)
Container 2 Namespace (interfaces, routing table)
Container N Namespace (interfaces, routing table)
[Slide 6]
Docker Single Host Networking (Traditional)
Four “modes”
● Null (None)
● Host
● Mapped Container
● Bridged (default)
[Slide 7]
The Building Blocks Part Two – Virtual Ethernet Devices (veths)
A linked pair of virtual interfaces
[Slide 8]
Veths link the namespaces
Traffic goes in one, comes out the other
Container [VETH1] <---> [VETH2] Bridge (docker0)
(container's network namespace)   (host's network namespace)
[Slide 9]
Bridged Mode – Network
Docker Host: NIC (192.168.0.3) <-> Bridge docker0 <-> Container A eth0 (10.0.1.3)
Outbound traffic: NAT to host NIC IP address
Inbound traffic: DNAT from outside port (80) to inside port (8080)
[Slide 10]
The Building Blocks Part Three – Discovery
How containers discover other containers.
[Slide 11]
Legacy Links
[Slide 12]
Questions?
[Slide 13]
The Building Blocks Part Four - Segmentation
Keeping container networks separate and distinct
[Slide 14]
User-Defined Bridges
Users can now define additional bridges to allow for network micro-segregation.
Bridge Yellow: Container Yellow1, Container Yellow2
Bridge Green: Container Green1, Container Green2
[Slide 15]
Discovery 2 - Embedded DNS Servers, Aliases, and New Links
[Slide 16]
The Building Blocks Part Five – VXLAN
VXLAN (Virtual Extensible LAN) is a way of tunneling layer 2 traffic inside layer 3 routed traffic.
[Slide 17]
Bridged Mode – Inbound Example
[Slide 18]
VXLAN Header
One ethernet packet inside another
[Slide 19]
VXLAN Process
[Slide 20]
The Architecture of a Switch
Management
Control
Data
[Slide 21]
Multi-host Network Container
Docker Host: NIC – outbound traffic NAT to host NIC IP address
Linux Bridge docker_gwbridge <-> Docker A eth1 (172.18.0.3)
Linux Bridge in Overlay NetNS (vxlan1) <-> Docker A eth0 (10.0.1.3)
Overlay traffic encapsulated in VXLAN
[Slide 22]
Questions?
[Slide 23]
Appendix (Extra Slides)
[Slide 24]
The Building Blocks Part One – Network Namespaces (netns)
A logical, separated discrete copy of the network stack.
● Gets own routes, interfaces, and iptables rules
● Each container gets its own in /var/run/docker/netns – called its “SandboxKey”
# docker run -itd --name=test1 busybox
# docker inspect test1 | grep "SandboxKey"
"SandboxKey": "/var/run/docker/netns/2fb603b6d595",
[Slide 25]
Docker Single Host Networking (Traditional)
Four “modes”
● Null (None) – Container only has loopback interface in netns
● Host – Container shares host's default netns
● Mapped Container – Container shares another container's netns
● Bridged (default)
[Slide 26]
None Mode
Container has loopback interface but no other network interfaces.
# docker run -it --net=none --name=test1 busybox
/ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[Slide 27]
Host Mode
Container uses Docker Host network stack (runs in default netns).
# docker run -it --net=host --name=test1 busybox
/ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:27:2c:fe:f4 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:27:3e:2d:96 brd ff:ff:ff:ff:ff:ff
4: docker0: <NOCARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 02:42:5a:ce:26:f7 brd ff:ff:ff:ff:ff:ff
[Slide 28]
Mapped Container Mode
Container uses network stack of another container (runs in other container's netns).
dmills@dockerhost:~$ docker run -it --name=test1 busybox
/ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
51: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
dmills@dockerhost:~$ docker run -it --net=container:test1 --name=test2 busybox
/ # ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
51: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
[Slide 29]
Default Bridged Mode
All containers connect their networking interfaces to a shared Linux Bridge
● Allows internal communication between all containers by default – can control with --icc=true/false
● All traffic outbound is Source Translated (Linux IP Masquerade)
● All inbound traffic is Destination Translated
[Slide 30]
The Building Blocks Part Two – Virtual Ethernet Devices (Veths)
A linked pair of virtual ethernet interfaces (always 2 in a pair)
● Traffic that goes into one comes out of the other
● One veth goes in the container netns
● The other goes into the bridge
● You can find the linked veth by using ethtool -S {vethname}
[Slide 31]
Default Bridged Mode – The Bridge
Creates a bridge interface and bridge on Docker host (docker0).
# brctl show
bridge name	bridge id		STP enabled	interfaces
docker0		8000.02425ace26f7	no		vethb270fef
# ip addr show dev docker0
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:5a:ce:26:f7 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[Slide 32]
Default Bridged Mode - Outbound
Adds an iptables MASQ (Source NAT) rule for outbound traffic to NAT to interface on host.
# iptables -L -t nat
…
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        anywhere
[Slide 33]
Default Bridged Mode - Inbound
Adds an iptables DNAT rule under the “DOCKER” chain for inbound traffic if configured.
# docker run -dit --name=test1 -p 80:8080 busybox
# iptables -L -t nat
Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.17.0.2:8080
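An added example, not from the slides, that audits the two NAT rule types shown on slides 32 and 33: it parses a constructed `iptables -L -t nat` listing, reports which subnet is masqueraded on the way out, and lists every published port together with whether it answers on all host addresses or only on loopback. The sample listing and the SERVICE_FALLBACK map are assumptions made for the example.

```python
import re
import socket

# Constructed sample of "iptables -L -t nat" output modelled on the slides:
# one MASQUERADE rule for the docker0 subnet and two DNAT rules in the DOCKER
# chain (-p 80:8080 bound to all interfaces, -p 127.0.0.1:5432:5432 bound to
# loopback). Without -n, iptables prints service names such as "http".
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:172.17.0.2:8080
DNAT       tcp  --  anywhere             localhost            tcp dpt:5432 to:172.17.0.3:5432
"""

DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\w+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"\w+ dpt:(?P<dport>\S+) to:(?P<to_ip>[\d.]+):(?P<to_port>\d+)"
)
MASQ_RE = re.compile(r"^MASQUERADE\s+\w+\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)")

SERVICE_FALLBACK = {"http": 80, "https": 443}  # assumed map, used if /etc/services is missing


def port_number(name):
    """Turn a 'dpt:' value into an int; iptables prints service names when it knows them."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_FALLBACK:
        return SERVICE_FALLBACK[name]
    try:
        return socket.getservbyname(name)
    except OSError:
        return name


def parse_nat_table(text):
    """Group rule lines by chain, dropping the header row that follows each 'Chain' line."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line)
    return chains


def masquerade_sources(chains):
    """Source ranges that are source-NATed to the host NIC on the way out."""
    return [m["src"] for m in map(MASQ_RE.match, chains.get("POSTROUTING", [])) if m]


def published_ports(chains):
    """Every DNAT in the DOCKER chain is a port published with docker run -p."""
    findings = []
    for m in filter(None, map(DNAT_RE.match, chains.get("DOCKER", []))):
        bound_to_all = m["dst"] == "anywhere"  # no host IP given to -p, so 0.0.0.0
        findings.append({
            "proto": m["proto"],
            "host_ip": "all interfaces" if bound_to_all else m["dst"],
            "host_port": port_number(m["dport"]),
            "container": f"{m['to_ip']}:{m['to_port']}",
            "externally_reachable": bound_to_all,
        })
    return findings
```

A DNAT whose destination is "anywhere" answers on every host address, so neither --icc=false nor a user-defined bridge limits who outside the host can reach that container port; binding the publish to a specific host IP is what narrows it.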
[Slide 34]
Default Bridged Mode – Links for discovery
Containers are assigned a random IP address on instantiation... how can they find each other? Through the --link feature. (As of Docker 1.10 known as “legacy link”.)
# docker run -dit --name test1 busybox
028c276905c9777328cb00bf1338fe3360b8b12b68af411a481d043117d8e847
# docker run -it --name test2 --link test1 busybox
/ # grep test1 /etc/hosts
172.17.0.2	test1 028c276905c9
[Slide 35]
Default Bridged Mode – Links for micro-segmentation
If the Docker daemon is started with the “--icc=false” and “--iptables=true” options, then links allow communication between two containers (by adding iptables rules).
# docker run -dit --name test1 busybox
028c276905c9777328cb00bf1338fe3360b8b12b68af411a481d043117d8e847
# docker run -it --name test2 --link test1 busybox
[Slide 36]
New Features!
New Features in Docker 1.9/1.10:
● The docker network commands
● Multiple user-defined bridges for micro-segmentation
● Built in DNS server for user-defined bridges and overlays and link “aliases” (1.10)
● Multi-host overlays
● Plug-in Architecture
[Slide 37]
Docker Network commands
Docker has moved most network related commands to the “docker network” set.
● docker network ls
● docker network inspect
● docker network create
● docker network rm
● docker network connect/disconnect
[Slide 38]
User-Defined Bridges
Users can now define additional bridges (beyond the docker0 default) to allow for network micro-segregation.
● Replaces functionality of “--icc=false” and links
● All containers on the user-defined bridge can reach each other
● All containers on the user-defined bridge can resolve hostname (container-name) of each other
# docker network create bridgeyellow
[Slide 39]
Internal DNS Server
As of Docker 1.10, user-defined bridges and overlay networks now use an embedded DNS server on each Docker host
● Runs at 127.0.0.11
● Injects Server entry into /etc/resolv.conf
● You can add network-scoped aliases for a container – all containers on that network can reach it by the alias as well
# docker run -it --name=server1 --net-alias=web test/apache
[Slide 40]
Multi-Host Overlay Networks
● Allows containers on separate hosts to communicate directly
● Can have multiple Overlay networks on same hosts for segregation
● Embedded DNS Server on each host can resolve the container names of every container on the overlay network for discovery
[Slide 41]
The Building Blocks Part Three – VXLAN
VXLAN (Virtual Extensible LAN) is a way of tunneling layer 2 traffic inside layer 3 routed traffic.
● Runs on UDP port 4789
● Encapsulates the original ethernet frame inside the ip packet
● Traffic is encapsulated at VTEPs (Virtual Tunnel Endpoints)
● Contains a VNI (Virtual Network Identifier) number that distinguishes between virtual LANS (so you can run multiple ones on the same physical network)
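An added example, not from the slides, that builds and parses the VXLAN header described above (slides 18 and 41) so the 24-bit VNI separation and the cleartext inner frame are visible; the MAC addresses, the VNI value 256 and the payload are constructed for the example.

```python
import struct

VXLAN_UDP_PORT = 4789        # destination UDP port a VTEP sends to (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit: the VNI field carries a valid value
VXLAN_HEADER_LEN = 8
ETHERNET_HEADER_LEN = 14


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble the inner (tenant) frame exactly as a container's eth0 would emit it."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def vxlan_encapsulate(vni, inner_frame):
    """Prepend the 8-byte VXLAN header the VTEP (vxlan1) adds; the result is the UDP payload."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # byte 0: flags (only the I bit set); bytes 1-3 reserved; bytes 4-6: VNI; byte 7 reserved
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8) + inner_frame


def vxlan_decapsulate(udp_payload):
    """Reverse the VTEP's work: check the flags, pull out the VNI and the inner frame's fields."""
    if len(udp_payload) < VXLAN_HEADER_LEN + ETHERNET_HEADER_LEN:
        raise ValueError("too short to hold a VXLAN header and an Ethernet header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; not a VXLAN frame")
    inner = udp_payload[VXLAN_HEADER_LEN:]
    return {
        "vni": vni_field >> 8,
        "inner_dst_mac": inner[0:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload": inner[ETHERNET_HEADER_LEN:],  # the tenant's IP packet, in cleartext
    }


def demo():
    """Constructed sample: a frame from the container MAC seen on the slides, tunnelled on VNI 256."""
    frame = build_ethernet_frame(
        bytes.fromhex("0242ac110003"),    # constructed destination MAC
        bytes.fromhex("0242ac110002"),    # container eth0 MAC from the slides
        0x0800,                           # IPv4
        b"<constructed IPv4 packet bytes>",
    )
    return vxlan_decapsulate(vxlan_encapsulate(256, frame))
```

Because the VXLAN header carries no integrity or confidentiality protection, anything on the path that can read UDP 4789 sees the inner frame, so the VNI separates overlays but the underlay network still has to be protected.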
[Slide 42]
The Vagrant setups
● Layer 2 (all in same subnet): https://github.com/DonMills/dockeroverlayvagrant
● Layer 3 (with a router in the middle of two subnets): https://github.com/DonMills/dockeroverlayvyos