Docker Networking : 0 to 60mph slides

Post on 23-Jan-2017


Transcript

Docker Networking Workshop

Jana Radhakrishnan

Nicola Kabar

Agenda

• Docker Networking Model: Architecture, Design Considerations, Advantages

• Evolution + Under the Hood: Drivers, DNS, Routing, Load Balancing, Demos

• Deployment Models + Exercises

• Roadmap

Container Networking Model: Design, Architecture, and Key Advantages

Why is Networking important?

• Traditional networking is incredibly vast and complex

• But networking is an inherent part of distributed applications

• Make it developer-friendly and application-driven

Goals

“We'll do for Networking, What Docker did for Compute.” — Moby

• Make "network" a first class object

• Distributed application portability

• Secure control and data paths

• Provide a pluggable networking stack

• Span networks across multiple hosts

• Support multiple OS platforms

Design Philosophy

• Users First:
  • Application Developers
  • IT/Network Ops

• Plugin API Design

• Batteries Included but Swappable

Container Networking Model

• Endpoint

• Network

• Sandbox

[Diagram: the Create Network and Create Container operations, each deferred to the driver]

What’s libnetwork?

• Library for creating and managing network stacks for containers

• Driver-based networking

• Implements the Container Network Model

• Native service discovery and load balancing

Key Advantages

• Pluggability: Flexibility

• Docker Native UX and API: User Friendly

• Distributed: Scalability + Performance

• Decentralized: Highly-Available

• Out-of-the-Box Support with Docker Datacenter

Use-Case: Microservices Segmentation

Q&A

Break

Docker Networking Evolution

Docker Networking Timeline (Docker 1.7, 1.8, 1.9, 1.10, 1.11, 1.12)

- Libnetwork (CNM)
- Multihost Networking
- Plugins
- IPAM
- Network UX/API
- Service Discovery: Distributed DNS
- Aliases
- DNS Round Robin LB

Under the Hood of Bridge Networking

Bridge Networking Under the Hood

• netns
• iptables
• NAT
• IP management
• Routing
• userland proxy

[Diagram: the host eth0 is connected to the docker0 bridge; containers C1 and C2 each attach to docker0 with their own eth0; iptables, NAT, the user proxy and routing sit on the host in between]

Demo 1 : Bridge Networking

Under the Hood of Multihost Networking

[Diagram: three Docker Hosts running containers C1 to C9, coordinated through a shared KV Store]

Overlay Networking Under the Hood

1. VXLAN ==> Data Transport
• Virtual eXtensible Local Area Networks
• L2 network over an L3 network (overlay)
• RFC 7348
• Invisible to the container
• Host as VXLAN Tunnel End Point (VTEP)
• Point-to-multipoint tunnels
• Proxy-ARP

2. Key-Value Store
• Network ID
• Subnets
• Nodes
• VXLAN ID

3. Network Namespaces
• A Linux bridge per subnet per overlay network per host
• A VXLAN interface per overlay network per host
• 1 Linux bridge per host for default traffic (docker_gwbridge)
• Lazy creation (only if a container is attached to the network)
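As an added example (not code from the workshop or from libnetwork), the following Python encapsulates and parses the 8-byte VXLAN header from RFC 7348 that a Docker host, acting as VTEP, wraps around every overlay frame, and decodes the inner Ethernet header. The sample frame, its MAC addresses and the VNI 4097 are constructed values, not captured from a real host.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" bit in the flags byte: the VNI field is valid


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an L2 frame: flags(1) reserved(3) VNI(3) reserved(1) + frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def parse_vxlan(udp_payload: bytes) -> dict:
    """Return the VNI plus inner dst/src MAC and EtherType; reject bad headers."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("payload too short for VXLAN + Ethernet headers")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[8:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:14])

    def mac(raw: bytes) -> str:
        return ":".join(f"{b:02x}" for b in raw)

    return {"vni": vni, "dst_mac": mac(dst), "src_mac": mac(src),
            "ethertype": ethertype, "inner_len": len(inner)}


# Constructed sample: a broadcast ARP request (EtherType 0x0806) from a
# container MAC, carried on overlay VNI 4097. Values are made up for the demo.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff")      # dst: broadcast
                + bytes.fromhex("02420a000002")    # src: container MAC
                + b"\x08\x06"                      # EtherType ARP
                + bytes(28))                       # ARP body (zeroed placeholder)
SAMPLE_PACKET = build_vxlan(4097, SAMPLE_FRAME)

if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_PACKET))
```

Feeding the UDP payload of a `tcpdump -i eth0 udp port 4789` capture to `parse_vxlan` shows which overlay (VNI) a frame belongs to and that the inner frame travels in the clear.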

Overlay Networking Under the Hood

[Diagram: on Docker Host 1 and Docker Host 2, containers C1 to C5 attach through veth pairs to a per-host bridge br0, which feeds a VXLAN interface on top of the Host NIC]

Demo 2 : Overlay Networking

Under the Hood of Embedded DNS

Embedded DNS Under the Hood

• DNS listener per container
• Distributed (for both bridge and overlay)
• Proxy for external DNS services
• Can be used with DNSSEC

[Diagram: per-container DNS resolvers send DNS requests to the DNS server embedded in the engine]

Demo 3 : DNS Demo

Break

Networking Exercises

Lab Access

• 2 VMs per attendee
• Ubuntu 15 based with Docker 1.12!
• Received SSH pem/ppk and VM info
• Go ahead and SSH into one of the machines.

Exercise 0: Explore Docker Networks

Pre-Defined Networks

- bridge (default) --> containers in local docker0 bridge
- null --> containers without any network interfaces
- host --> containers use same interfaces as host (same netns)

- Run `docker network ls` to list all the networks on the host
- Run `docker network inspect <network_name>` to inspect a network
- You can easily remove a network with `docker network rm <network_name>`. No need to remove any network… but you can try

Exercise 1: Pre-Defined Networks

- Start a container with the `none` network and explore `ifconfig`
  - docker run -it --net=none mrjana/lab

- Try to ping www.docker.com. Are the results expected?
- What are the key use-cases and disadvantages of using `none` networks?

Exercise 2: Pre-Defined Networks

- Start a container with the `host` network and explore `ifconfig`
  - docker run -it --net=host mrjana/lab

- Run `tcpdump -i eth0 port 22` and explore the results. Are the results expected?
- What are the key use-cases and disadvantages of using `host` networking?

Exercise 3: User-Defined Networks

- Create a custom bridge network and call it `mynet`
  - docker network create -d bridge mynet

- Start two containers on the `mynet` network and name them c1 and c2
  - docker run -itd --net=mynet --name c1 mrjana/lab
  - docker run -itd --net=mynet --name c2 mrjana/lab

- Run `ping c1` from the c2 container.
- Run `nslookup c1` from the c2 container and explore the results.

Exercise 4: Aliases and Load Balancing

- Start two containers on the `mynet` network and name them c3 with network alias `foo` and c4 with network alias `bar`.
  - docker run -itd --net=mynet --name c3 --net-alias foo mrjana/lab
  - docker run -itd --net=mynet --name c4 --net-alias bar mrjana/lab

- Run `ping c3` from the c4 container.
- Run `ping foo` from the c4 container. What do you observe?
- Let's create another container c5 that is part of the `foo` network alias.
- Run `ping foo` from the c4 container. What do you observe?
- Run `nslookup foo` from the c4 container and explore the results.

Exercise 5: Multi-Network Container Connection

- Create another network and name it `myothernet`
- Start two more containers: container c6 on the `mynet` network and c7 on the `myothernet` network.
  - docker run -itd --net=mynet --name c6 mrjana/lab
  - docker run -itd --net=myothernet --name c7 mrjana/lab

- Now let’s create another container `c8` on the `mynet` network.
  - docker run -itd --net=mynet --name c8 mrjana/lab

- Now, connect c8 to `myothernet`
  - docker network connect myothernet c8

- Try to ping c6 and c7 from c8.
- Can you ping c7 from c6?
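As an added example (not part of the workshop slides or lab material), this Python models the two rules behind Exercises 3 to 5 and the Embedded DNS slide: a container name or alias resolves only on networks the querying container shares with it, and an alias held by several containers is answered round robin (modelled here as rotating the answer list on each query). The container names, networks and addresses are constructed for the demo.

```python
from collections import defaultdict

# Constructed sample: container -> {network: address}, in the shape of what
# `docker network inspect` would report after Exercises 3 to 5 (values made up).
ATTACHMENTS = {
    "c3": {"mynet": "172.18.0.2"},
    "c4": {"mynet": "172.18.0.3"},
    "c5": {"mynet": "172.18.0.4"},
    "c6": {"mynet": "172.18.0.5"},
    "c7": {"myothernet": "172.19.0.2"},
    "c8": {"mynet": "172.18.0.6", "myothernet": "172.19.0.3"},  # connected to both
}
# Network-scoped aliases: alias -> containers holding it (c3 and c5 share "foo").
ALIASES = {"mynet": {"foo": ["c3", "c5"], "bar": ["c4"]}}
_RR_STATE = defaultdict(int)  # per (querier, name) rotation counter


def resolve(querier: str, name: str) -> list:
    """Answer a DNS query the way the embedded resolver scopes it: only names
    and aliases on networks shared with the querier are visible."""
    answers = []
    for net in ATTACHMENTS[querier]:
        if name in ATTACHMENTS and net in ATTACHMENTS[name]:
            answers.append(ATTACHMENTS[name][net])
        for holder in ALIASES.get(net, {}).get(name, []):
            answers.append(ATTACHMENTS[holder][net])
    if not answers:
        return []  # not a container name here; the real server proxies to external DNS
    k = _RR_STATE[(querier, name)] % len(answers)
    _RR_STATE[(querier, name)] += 1
    return answers[k:] + answers[:k]  # round robin: first answer changes per query


def can_reach(src: str, dst: str) -> bool:
    """Containers talk directly only when they share at least one network."""
    return bool(set(ATTACHMENTS[src]) & set(ATTACHMENTS[dst]))


if __name__ == "__main__":
    print("c4 -> foo:", resolve("c4", "foo"), "then", resolve("c4", "foo"))
    print("c8 reaches c6/c7:", can_reach("c8", "c6"), can_reach("c8", "c7"))
    print("c6 reaches c7:", can_reach("c6", "c7"))
```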

Thank you!
