dockercon us 2016 - docker networking deep dive
TRANSCRIPT
![Page 1: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/1.jpg)
Docker for Ops: Docker Networking Deep DiveMadhu Venugopal @MadhuVenugopal
Jana Radhakrishnan @mrjana
![Page 2: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/2.jpg)
OverviewWhat is libnetworkNew features in 1.12
Agenda
Deep DiveMultihost networkingSecure Control PlaneSecure Data planeService DiscoveryNative LoadbalacingRouting Mesh
FinishDemoQ&A
![Page 3: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/3.jpg)
Overview
![Page 4: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/4.jpg)
It is not just a driver interface
• Docker networking fabric• Defines Container Networking Model• Provides builtin IP address management• Provides native multi-host networking• Provides native Service Discovery and Load Balancing• Allows for extensions by the ecosystem
What is libnetwork?
![Page 5: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/5.jpg)
New features in 1.12 swarm mode
CNM
Routing Mesh
Multi-hostNetworking without external k/v store
Service Discovery
SecureData-Plane
SecureControl-Plane
LoadBalancing
• Cluster aware• De-centralized control
plane• Highly scalable
![Page 6: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/6.jpg)
Macvlan driver
• Out of experimental• Integrates with Underlay• Place containers in your
existing vlans
![Page 7: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/7.jpg)
MacVlan# Create a macvlan network$ docker network create -d macvlan \ --subnet=192.168.0.0/16 \ —-ip-range=192.168.41.0/24 \ --aux-address="favorite_ip_ever=192.168.41.2" \ --gateway=192.168.41.1 \ -o parent=eth0.41 macnet41
# First address is the specified gateway, second is aux$ docker run --net=macnet41 -it --rm alpine /bin/sh
![Page 8: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/8.jpg)
Deep DiveDocker swarm-mode networking design
![Page 9: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/9.jpg)
Multi-host networkingManager
Network CreateOrchestrator
Allocator
Scheduler
Dispatcher
Service Create
Task Create
Task Dispatch
Task Dispatch
Gossip
Worker1 Worker2
Engine
Libnetwork
Engine
Libnetwork
• The VXLAN based data path remains unchanged
• No external key-value store necessary
• Central resource allocation• Improved performance• Highly scalable
![Page 10: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/10.jpg)
• Gossip based protocol• Network scoped• Fast convergence• Secure by default
• periodic key rotations• swarm native key-exchange
• Highly scalable
Network control plane Cluster Scope Gossip
W1W2
W3
W1W5
W4
Network Scope Gossip
Network Scope Gossip
![Page 11: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/11.jpg)
• Available as an option during overlay network creation
• Uses kernel IPSec modules• On-demand tunnel setup• Swarm native key-exchange• Periodic key rotations• Highly performant
Secure dataplaneWorker1
Worker2
Worker3
secure network
secure network
IPSec Tunnel
IPSec Tunnel
IPSec Tunnel
secure network
secure network
non-secure
network
non-secure
network
Open UDP traffic
![Page 12: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/12.jpg)
• Provided by embedded DNS• Highly available• Uses Network Control Plane to learn state• Can be used to discover both tasks and
services
Service Discovery
engine
DNS Server
DNS Resolver DNS Resolver
DNS requests
![Page 13: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/13.jpg)
• Provided by embedded DNS• Highly available• Uses Network Control Plane to learn state• Can be used to discover both tasks and
services• Minimal Overhead because of CNM• Can use DNS RR instead as an option
Internal Load balancer Task1Service
A
Task2 Service
A Task3 Service
A
Client1 Client2
VIP LB VIP LB
![Page 14: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/14.jpg)
• Builtin routing mesh for edge routing• Worker nodes themselves participate in
ingress routing mesh• All worker nodes accept connection
requests on PublishedPort• Port translation happens at the worker
node• Same internal load balancing mechanism
used to load balance external requests
Routing meshExternal
Loadbalancer (optional)
Task1 ServiceA Task1
ServiceA
Task1 ServiceA
Worker1 Worker2
Ingress Network
8080 8080
VIP LB VIP LB
8080->80 8080->80
![Page 15: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/15.jpg)
FinishDemo and Q&A
![Page 16: DockerCon US 2016 - Docker Networking deep dive](https://reader035.vdocument.in/reader035/viewer/2022062503/586fdcf01a28ab18428b66b1/html5/thumbnails/16.jpg)
Thank you!