Chris Swan's ONUG NYC talk - Container Networks

Copyright 2014 Open Networking User Group. All Rights Reserved Confidential Not For Distribution

October 28-29, 2014


Container Networks and Network Containment

Chris Swan CTO CohesiveFT

@cpswan


Part 1 – Container Networking

3

Copyright 2014 Open Networking User Group. All Rights Reserved Confidential Not For Distribution 4

TL;DR docker0 bridge is the heart of default networking Plus some iptables magic Docker can help link your containers (on a single host) But it’s easier with a compositing tool There are advanced options On a single host On multi hosts and advanced tools


Do I first need to explain Docker and containers?

5


Build, Ship > Run?

6

Image credit http://www.mediaagility.com/2014/docker-the-next-big-thing-on-cloud/

http://www.mediaagility.com/2014/docker-the-next-big-thing-on-cloud/


Docker Hub

7

Image credit http://blog.docker.com/2014/06/announcing-docker-hub-and-official-repositories/

http://blog.docker.com/2014/06/announcing-docker-hub-and-official-repositories/


Demo time


Why me?

9


Conceived last summer – released this April

10


The basics

11


Let’s start with a regular host eth0 10.0.1.1


Install Docker eth0 10.0.1.1 docker0 172.17.42.1


Start a container eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab


Start another container eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab

eth0 172.17.0.2

veth9c5d


iptables magic

16


Connecting to the outside world $ sudo iptables -t nat -L –n

...

Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- 172.17.0.0/16 !172.17.0.0/16

...


Connecting from the outside world $ sudo docker run –dp 1880:1880 cpswan/node-red

$ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7696169d9438 cpswan/node-red:latest node red.js 2 weeks ago Up 2 weeks 0.0.0.0:1880->1880/tcp backstabbing_davinci

$ sudo iptables -t nat -L –n

...

Chain DOCKER (2 references) target prot opt source destination DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1880 to:172.17.0.7:1880


Container linking

19


From the docker command line From the outside:

# start the database sudo docker run -dp 3306:3306 --name todomvcdb \ -v /data/mysql:/var/lib/mysql cpswan/todomvc.mysql

# start the app server sudo docker run -dp 4567:4567 --name todomvcapp \ --link todomvcdb:db cpswan/todomvc.sinatra

On the inside:

dburl = 'mysql://root:pa55Word@' + ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'

DataMapper.setup(:default, dburl)


Simplify life with Fig fig.yml:

todomvcdb: image: cpswan/todomvc.mysql expose: - "3306" volumes: - /data/mysql:/var/lib/mysql todomvcapp: image: cpswan/todomvc.sinatra ports: - "4567:4567" links: - todomvcdb:db

I still need this on the inside:

dburl = 'mysql://root:pa55Word@' + ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'

DataMapper.setup(:default, dburl)


Other networking modes

22


--net=host eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab

eth0 172.17.0.2

veth9c5d


--net=container:$container2 eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab

eth0 172.17.0.2

veth9c5d


--net=none eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab

eth0 172.17.0.2

veth9c5d


Connecting containers between machines

26


Marek Goldmann did this with OVS


A more generic approach (ODCA)


Flocker

29


Weave

30


Still want more…

31


Pipework etc. Pipework: • Create bridges • Attach to container interfaces • Attach to host interfaces • and much more…

Tenus: • Golang package offering programmatic

network configuration along similar lines to Pipework


libchan ‘A low level component that we can use as a communication layer that we can use across the board for all the different aspects of communication within Docker’

Solomon Hykes – DockerCon 2014 (my emphasis)

What it is – Golang like channels over the network

‘A lightweight communication protocol for distributed systems’

What it does – yet to be revealed

33


Gotchas

34


Our old enemy the network hub eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab

eth0 172.17.0.2

veth9c5d


A bit like a home network eth0 10.0.1.1 docker0 172.17.42.1

eth0 172.17.0.1

veth67ab

eth0 172.17.0.2

veth9c5d


Host as router can be painful • VirtualBox requires specific network adaptors (in a specific configuration) to

play nicely with pipework

• Even with source/destination checks disabled pipework won’t play nicely on EC2

– Mileage may vary on other clouds, but some don’t even have the option to flick that bit (or make it very hard to get at)

3


The end of this part (nearly)

38


Docker makes a great place to run L4-7 Network Application Services

39


TL;DR docker0 bridge is the heart of default networking Plus some iptables magic Docker can help link your containers (on a single host) But it’s easier with a compositing tool There are advanced options On a single host On multi hosts and advanced tools


Part 2 –Network Containment

41


TL;DR Hard shell and soft centre has never served us well The pressure to move on is mounting Finer grained network segregation was too expensive in hardware Software makes it achievable We’re seeing the dawn of application centric networking and the Application Security Controller


Enterprise networks and perimeters

43


The confectionary networking model

Hard crunchy perimeter Soft chewy centre

Image credit CC by Sandra Fauconnier https://www.flickr.com/photos/spinster/4369608/

https://www.flickr.com/photos/spinster/4369608/


Pretty much everybody has a ‘demilitarized zone’

DMZ

Intranet


Sophisticated organisations have an application server zone

DMZ

Intranet

ASZ


Global scale makes things messy

DMZ

Intranet

ASZ

DMZ

ASZ

DMZ

ASZ

Europe Americas Asia


Some even have a ‘domain zoning concept’


This is VERY expensive when done with hardware


But potentially cheap and flexible if done in software


‘Microsegmentation’ – the VMware view

Image credit http://vinfrastructure.it/2014/09/micro-segmentation-with-nsx/

http://vinfrastructure.it/2014/09/micro-segmentation-with-nsx/


What’s driving this?


Are you being asked to look at this?


In particular this:


Application centric networking


What’s the right granularity?

Microservice Service Service family


The sweet spot likely depends on containment of business data

Microservice Service Service family


To each their own

Encrypted overlay

Firewall

NIDS TLS

Cache

Load balancer

Proxy


Using an ‘Application Security Controller’

Encrypted overlay

Firewall

NIDS TLS

Cache

Load balancer

Proxy


Wrapping up


TL;DR Hard shell and soft centre has never served us well The pressure to move on is mounting Finer grained network segregation was too expensive in hardware Software makes it achievable We’re seeing the dawn of application centric networking and the Application Security Controller


Questions?

[email protected]

@cpswan

Chris Swan's ONUG NYC talk - Container Networks

Technology

open networking user

container networking

distribution build

distribution conceived

distribution docker

distribution iptables

heart of default networking

distribution demo time