Docker Networking : 0 to 60mph slides

Docker Networking WorkshopJana Radhakrishnan

Nicola Kabar

Docker Networking Model

ArchitectureDesign ConsiderationsAdvantages

Agenda

Evolution + Under the Hood

DriversDNSRoutingLoad BalancingDemos

Deployment Models Exercises

+

Roadmap

Container Networking ModelDesign, Architecture, and Key Advantages

• Traditional Networking is incredibly vast and complex

• But, Networking is inherent part of distributed applications

• Make it developer-friendly & application driven.

Why is Networking important?

“We'll do for Networking, What Docker did for

Compute.” — Moby

• Make "network" a first class object

• Distributed application portability

• Secure control and data paths

• Provide a pluggable networking stack

• Span networks across multiple hosts

• Support multiple OS platforms

Goals

Design Philosophy

• Users First: • Application Developers • IT/Network Ops

• Plugin API Design • Batteries Included but Swappable

Container Networking Model

• Endpoint

• Network

• Sandbox

Create

Network

Create

Container

Defer to Driver

Defer to Driver

Library for creating and managing network stacks for containers

Driver-based networking

Implements the Container Network Model

Native service discovery and load balancing

What’s libnetwork?

• Pluggability Flexibility• Docker Native UX and API User Friendly• Distributed Scalability + Performance • Decentralized Highly-Available• Out-of-the-Box Support with Docker Datacenter

Key Advantages

Use-Case: Microservices Segmentation

Q&A

Break

Docker Networking Evolution

Docker Networking Timeline

1.7 1.8 1.9 1.10 1.11

Libnetwork(CNM) - Multihost Networking- Plugins- IPAM- Network UX/API

Service Discovery Distributed DNS

- Aliases- DNS Round Robin LB

1.12

Under the Hood of Bridge

Networking

Bridge Networking Under the Hood

• netns• Iptables• NAT• IP management• Routing• userland proxy eth0

docker0

C1

eth0 eth0

C2

• Iptables• NAT

• User proxy• Routing

eth0

Demo 1 : Bridge Networking

Under the Hood of Multihost

Networking

KV Store

Docker Host Docker Host Docker Host

C1

C2

C3C4

C5

C6C7

C8

C9

Overlay Networking Under the Hood

1. VXLAN==>DataTransport • Virtual eXtensible Local Area Networks • L2 Network over an L3 network ( overlay ) • RFC7348• Invisible to the container• Host as VXLAN Tunnel End Point (VTEP) • Point-to-Multi-Point Tunnels• Proxy-ARP

Overlay Networking Under the Hood

2. Key-Value Store• Network ID• Subnets• Nodes• VXLAN ID

Overlay Networking Under the Hood

3. Network Namespaces • A Linux Bridge per Subnet per Overlay Network per Host• A VXLAN interface per Overlay Network per Host• 1 Linux Bridge per Host for default traffic

(docker_gwbridge)• Lazy creation ( Only if container is attached to network)

Overlay Networking Under the Hood

C1

C2

C3

C5

C4

br0

Veth

Veth

Veth

Host NIC

VXLAN

Host NIC

br0

Veth

Veth

VXLAN

Docker Host 1 Docker Host 2

Demo 2 : Overlay Networking

Under the Hood of embedded

DNS

Embedded DNS Under the Hood

• DNS listener per container• Distributed ( for both bridge and overlay)• Proxy for external DNS services• Can be used with DNSSEC

engine

DNS Server

DNS Resolver DNS Resolver

DNS requests

Demo 3 : DNS Demo

Break

Networking Exercises

• 2 VMS per attendee• Ubuntu 15 based with Docker 1.12!• Received SSH pem/ppk and VM info• Go ahead and SSH Into one of the machines.

Lab Access

Pre-Defined Networks

bridge (default) --> containers in local docker0 bridgenull --> containers without any network interfaceshost --> containers use same interfaces as host ( same netns)

- Run `docker network ls` to list all the networks on the host- Run `docker network inspect <network_name>` to inspect a network- You can easily remove a network with `docker network rm

<network_name>` No need to remove any network… but you can try

Exercise 0: Explore Docker Networks

- Start a container with `none` network and explore `ifconfig`- docker run -it --net=none mrjana/lab

- Try to ping www.docker.com - Are the results expected?- What are the key use-cases and disadvantages of using `none` networks?

Exercise 1: Pre-Defined Networks

- Start a container with `host` network and explore `ifconfig`- docker run -it --net=host mrjana/lab

- Run a `tcpdump -i eth0 port 22` and explore the results?- Are the results expected?- What are the key use-cases and disadvantages of using `Host`

networking?

Exercise 2: Pre-Defined Networks

- Create a custom bridge network and call it `mynet`- docker network create -d bridge mynet

- Start two containers with the mynet network and name them c1 and c2- docker run -itd --net=mynet –name c1 mrjana/lab- docker run -itd --net=mynet –name c2 mrjana/lab

- Run `ping c1` from c2 container. - Run a `nslookup c1` from c2 container and explore the results?

Exercise 3: User-Defined Networks

- Start two containers with the `mynet` network and name them c3 with network-alias=foo and c4 with network-alias=bar.

- docker run -itd --net=mynet –name c3 –net-alias foo mrjana/lab- docker run -itd --net=mynet –name c4 –net-alias bar mrjana/lab

- Run `ping c3` from c4 container. - Run `ping foo` from c4 container. What do you observe?- Lets create another container c5 that is part of the foo network alias.- Run `ping foo` from c4 container. What do you observe?- Run a `nslookup foo` from c4 container and explore the results?

Exercise 4: Aliases and Loadbalancing

- Create another network and name it `myothernet` - Start two more containers: container c6 on the `mynet` network and c7 on

the `myothernet` network. - docker run -itd --net=mynet –name c6 mrjana/lab- docker run -itd --net=myothernet –name c7 mrjana/lab

- Now let’s create another container `c8` on the `mynet` network. - docker run -itd --net=mynet –name c8 mrjana/lab

- Now, connect c8 to myothernet- docker network connect myothernet c8

- Try and ping c6 and c7 from c8.- Can you ping c7 from c6 ?

Exercise 5: Multi-Network Container Connection

Thank you!