docker networking - current status and goals of experimental networking
TRANSCRIPT
DOCKER NETWORKING
Presenter Name: Sreenivas MakamPresented at: Docker Meetup Bangalore
Presentation Date: August 22, 2015
About me
• Senior Engineering Manager at Cisco Systems Data Center group
• Like to follow SDN and Cloud related Opensource projects and write about it.
• Personal blog can be found at https://sreeninet.wordpress.com/ and my hacky code at https://github.com/smakam
• You can reach me on LinkedIn at https://in.linkedin.com/in/sreenivasmakam
Agenda
• Why we need Container Networking?• Current Docker Networking Internals• Existing external networking options for
Docker – Pipework, Flannel, Weave• Limitations of current Docker Networking• What’s coming up Next• Demo
Why we need Container Networking?
• Containers need to talk to external world.• Reach Containers from external world to use
the services Containers provides.• Containers need to talk to host machine.• Inter-container connectivity in same host and
across hosts.
Basics
• Namespaces – Virtualize processes, networks, file systems, users etc.
• Software switch – could be Linux bridge, OVS, Cisco n1k, VMWare vswitch etc that resides in hypervisor used to switch traffic between VM, Container.
• Iptables – for NAT kind of functionality
Docker Networking options• –net=bridge. This is the default option that Docker provides where containers
connect to the linux “docker” bridge.• –net=host. In this option, there is no new network namespace created for the
container and the container shares the same network namespace as host machine.
• –net=(container name or id). In this option, the new container shares the same network namespace as the specified container in the ‘net’ option. (Example: “sudo docker run -ti –name=ubuntu2 –net=container:ubuntu1 ubuntu:14.04 /bin/bash”. Here, ubuntu2 container shares same network namespace as ubuntu1 container)
• –net=none. In this option, container does not get allocated a new network namespace. Only the loopback interface is created in this case. This option is useful in scenarios where we want to create our own networking options for the container.
Default Docker Networking
• Docker linux bridge(docker0) gets created on the host machine. Default IP address is 172.17.42.1 with 16 bit subnet mask.
• Each Container has 2 network interface, eth0 gets IP address in 172.17.x.x network, another is loopback interface.
• Host machine has veth* interface on the linux bridge to which eth0 interface in the container gets connected.
Docker Container Networking
External connectivity to Containers
• To reach Apache webserver container service from outside.
docker run -d -p 8080:80 smakam/apachedocker• Port 80 on the Container is mapped to port
8080 on localhost.
Linking 2 containers on same host – Option 1• 2 Containers Wordpress and mysql compose the Wordpress
application. • Wordpress application needs to connect to mysql container.docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=mysql -d mysqldocker run --name some-wordpress -e WORDPRESS_DB_PASSWORD=mysql -e WORDPRESS_DB_HOST=172.17.0.16:3306 -p 8080:80 -d wordpress• Above, we need to specify IP address and environment
variable manually.
Linking 2 containers on same host – Option 2• In this option, we use Container linking mechanism to feed environment variables
automatically.docker run --name mysql -e MYSQL_ROOT_PASSWORD=mysql -d mysqldocker run --name wordpress --link mysql:mysql -d -p 8080:80 wordpress• Following environment variables automatically gets created in Wordpress container.root@ee066d135ca5:/var/www/html# set|grep MYSQLMYSQL_ENV_MYSQL_MAJOR=5.6MYSQL_ENV_MYSQL_ROOT_PASSWORD=mysqlMYSQL_ENV_MYSQL_VERSION=5.6.26MYSQL_NAME=/wordpress/mysqlMYSQL_PORT=tcp://172.17.0.24:3306MYSQL_PORT_3306_TCP=tcp://172.17.0.24:3306MYSQL_PORT_3306_TCP_ADDR=172.17.0.24MYSQL_PORT_3306_TCP_PORT=3306MYSQL_PORT_3306_TCP_PROTO=tcp
Linking 2 containers on same host – Option 3• In this option, we use docker-compose to create and link both the containers.Docker-compose.ymlwordpress: image: wordpress links: - db:mysql ports: - 8080:80
db: image: mysql environment: MYSQL_ROOT_PASSWORD: example• We can execute “docker-compose up –d” to start the Wordpress application.
Native Docker Networking limitations
• Cannot create more than 1 interface in the container.
• Multi-host containers are difficult to create.• IP addressing scheme for the containers is not
flexible.• Multi-tenant container solution is not possible
with enough isolation and security.• Automatic service discovery is not possible.
Pipework• Pipework is a script developed by Jerome Petazonni to network
Docker containers for complex environments.• As mentioned by Jeremy himself, the script is a temporary solution
till a more permanent solution gets developed natively in Docker. • Following are some features that Pipework supports:
– Connect Containers across multiple hosts.– Create any number of interfaces with arbitrary IP addresses.– Allows use of ovs bridge instead of Linux bridge.– Allows isolation of containers using vlans.– Allows configuration of IP, mac, netmask, gateway.
Host 1:sudo ovs-vsctl add-port ovsbr0 gre0 -- set interface gre0 type=gre options:remote_ip=<host2 ip>sudo ~/pipework/pipework ovsbr0 <cid> 11.1.1.1/24 @10
Host 2:sudo ovs-vsctl add-port ovsbr0 gre0 -- set interface gre0 type=gre options:remote_ip= <host1 ip>sudo ~/pipework/pipework ovsbr0 <cid> 11.1.1.3/24 @10
Weave• Weave creates a Weave bridge as well as a Weave router in the host
machine.• Weave router establishes both tcp and udp connection across hosts to
other Weave routers. TCP connection is used for discovery and protocol related exchange. UDP is used for data encapsulation. Encryption can be done if needed.
• The Weave bridge is configured to sniff the packets that needs to be sent across hosts and redirect to the Weave router. For local switching, weave router is not used.
Flannel
• Flannel creates an Overlay network using either udp or vxlan encapsulation.
• Flannel links itself to the Docker bridge to which the containers are attached and creates the overlay.
• Flannel is closely integrated with CoreOS, can be used as standalone as well.
What’s ahead - Docker Experimental Networking
• Docker Experimental Networking addresses majority of the problems mentioned above.
• Current approach taken is batteries-included approach where Docker provides a default Networking solution that customers can substitute with other Networking plugins based on their need.
• Docker 1.8 experimental release provides a good taste of the Networking features that will be coming soon.
References
• https://docs.docker.com/• https://github.com/docker/docker/tree/master/
experimental• https://sreeninet.wordpress.com/category/docker/
QUESTIONS?
Linking 2 containers on same hostWeb server container connecting to Database container:$ sudo docker run -d --name db training/postgres $ sudo docker run -d -p 8080:80 --name web --link db:dblink smakam/apachedocker• Webserver container gets environment variables of DB container
using which it connects to database. Following environment variables gets imported automatically.
# set|grep DBLINK DBLINK_ENV_PG_VERSION=9.3 DBLINK_NAME=/web/dblink DBLINK_PORT=tcp://172.17.0.3:5432 DBLINK_PORT_5432_TCP=tcp://172.17.0.3:5432 DBLINK_PORT_5432_TCP_ADDR=172.17.0.3 DBLINK_PORT_5432_TCP_PORT=5432 DBLINK_PORT_5432_TCP_PROTO=tcp