chris swan at container.camp: docker networking
TRANSCRIPT
copyright 2014 1
Docker networking
Chris Swan, CTO
@cpswan
Cloud native networking
TL;DR docker0 bridge is the heart of default networking
Plus some iptables magic
Docker can help link your containers (on a single host)
But it’s easier with a compositing tool
There are advanced options
On a single host
On multiple hosts
and advanced tools
Why me?
The basics
Let’s start with a regular host
[Diagram: a host with a single interface, eth0 at 10.0.1.1]
Install Docker
Installing Docker adds a Linux bridge, docker0, which the daemon gives the address 172.17.42.1 (the bridge subnet is 172.17.0.0/16, as the MASQUERADE rule later shows).
[Diagram: host eth0 10.0.1.1; docker0 bridge 172.17.42.1]
Start a container
The container gets its own network namespace with an eth0 at 172.17.0.1. That interface is one end of a veth pair; the other end, veth67ab on the host side, is plugged into docker0.
[Diagram: host eth0 10.0.1.1; docker0 172.17.42.1; container eth0 172.17.0.1 attached to docker0 via veth67ab]
Start another container
A second container gets the next address, 172.17.0.2, and its own veth pair (veth9c5d) on the same bridge, so both containers share one layer-2 segment behind docker0.
[Diagram: host eth0 10.0.1.1; docker0 172.17.42.1; container 1 eth0 172.17.0.1 via veth67ab; container 2 eth0 172.17.0.2 via veth9c5d]
iptables magic
Connecting to the outside world
$ sudo iptables -t nat -L -n
...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        !172.17.0.0/16
...
Anything leaving the docker0 subnet for a destination outside it is masqueraded, i.e. source-NATed to the address of the host interface it goes out of, so containers can reach the outside world without the outside world seeing 172.17.x.x addresses.
Connecting from the outside world
$ sudo docker run -dp 1880:1880 cpswan/node-red
$ sudo docker ps
CONTAINER ID   IMAGE                    COMMAND       CREATED       STATUS       PORTS                    NAMES
7696169d9438   cpswan/node-red:latest   node red.js   2 weeks ago   Up 2 weeks   0.0.0.0:1880->1880/tcp   backstabbing_davinci
$ sudo iptables -t nat -L -n
...
Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1880 to:172.17.0.7:1880
The 0.0.0.0 in the PORTS column (and the 0.0.0.0/0 destination in the DNAT rule) means the port is published on every host interface, not just the one you had in mind; -p 127.0.0.1:1880:1880 publishes it on loopback only, and the DNAT rule then carries 127.0.0.1 as its destination.
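As an added example (not from the talk, and not a Docker tool): a small Python audit that reads the text of "iptables -t nat -L -n" as shown on these slides and reports, per Docker DNAT rule, which host address the port is bound to, plus the MASQUERADE source range. The sample output embedded below is constructed: its 1880 rule matches the slide, and the 3306 rule assumes a second container started with "-p 127.0.0.1:3306:3306", which is why its destination column is 127.0.0.1 rather than 0.0.0.0/0.

```python
import re

# Constructed sample of `sudo iptables -t nat -L -n` on a Docker host.
# The 1880 rule is the one on the slide (-p 1880:1880, bound to all interfaces).
# The 3306 rule is an assumed container started with -p 127.0.0.1:3306:3306,
# which makes iptables show the bind address in the destination column.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16       !172.17.0.0/16

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1880 to:172.17.0.7:1880
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:3306 to:172.17.0.8:3306
"""

# target prot opt source destination  <proto> dpt:<host port> to:<container ip>:<port>
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"\S+\s+dpt:(?P<hport>\d+)\s+to:(?P<caddr>[\d.]+):(?P<cport>\d+)"
)
MASQ_RE = re.compile(r"^MASQUERADE\s+\S+\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)")


def parse_nat(text):
    """Split `iptables -L` output into {chain name: [rule lines]}."""
    chains = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line and not line.startswith("target"):
            chains[current].append(line)
    return chains


def published_ports(text):
    """One dict per Docker DNAT rule; exposed_to_all is True when the port is reachable on every host interface."""
    result = []
    for line in parse_nat(text).get("DOCKER", []):
        m = DNAT_RE.match(line)
        if not m:
            continue
        bind = m.group("dst")
        result.append({
            "proto": m.group("proto"),
            "bind": bind,
            "host_port": int(m.group("hport")),
            "container": m.group("caddr"),
            "container_port": int(m.group("cport")),
            # 0.0.0.0/0 is what `-p hostPort:containerPort` without an address produces
            "exposed_to_all": bind == "0.0.0.0/0",
        })
    return result


def masquerade_ranges(text):
    """Source ranges the host NATs on the way out (the docker0 subnet by default)."""
    ranges = []
    for line in parse_nat(text).get("POSTROUTING", []):
        m = MASQ_RE.match(line)
        if m:
            ranges.append(m.group("src"))
    return ranges


if __name__ == "__main__":
    for p in published_ports(SAMPLE_NAT):
        flag = "WORLD" if p["exposed_to_all"] else "local"
        print(f"{flag:5} {p['bind']}:{p['host_port']} -> {p['container']}:{p['container_port']}/{p['proto']}")
    print("masqueraded:", masquerade_ranges(SAMPLE_NAT))
```

To run it against a real host, replace SAMPLE_NAT with the captured output of sudo iptables -t nat -L -n; every rule flagged WORLD is a port the host firewall's INPUT chain never sees, because Docker's DNAT happens in PREROUTING and the traffic is forwarded to the container.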
Container linking
From the docker command line
From the outside:
# start the database
# (-p 3306:3306 also publishes MySQL on every host interface; the link below does not need that)
sudo docker run -dp 3306:3306 --name todomvcdb \
  -v /data/mysql:/var/lib/mysql cpswan/todomvc.mysql
# start the app server; --link todomvcdb:db injects DB_PORT_3306_TCP_ADDR and friends into it
sudo docker run -dp 4567:4567 --name todomvcapp \
  --link todomvcdb:db cpswan/todomvc.sinatra
On the inside:
require 'data_mapper'
# DB_PORT_3306_TCP_ADDR is set by the link; the password is still a literal in the source
dburl = 'mysql://root:pa55Word@' +
  ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'
DataMapper.setup(:default, dburl)
Simplify life with Fig
fig.yml:
todomvcdb:
  image: cpswan/todomvc.mysql
  expose:              # reachable by linked containers only; not published on the host
    - "3306"
  volumes:
    - /data/mysql:/var/lib/mysql
todomvcapp:
  image: cpswan/todomvc.sinatra
  ports:               # published on the host, on 0.0.0.0 unless an address is given
    - "4567:4567"
  links:
    - todomvcdb:db     # injects DB_PORT_3306_TCP_ADDR etc. into todomvcapp
I still need this on the inside:
require 'data_mapper'
# DB_PORT_3306_TCP_ADDR is set by the link; the password is still a literal in the source
dburl = 'mysql://root:pa55Word@' +
  ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'
DataMapper.setup(:default, dburl)
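As an added example (Python, not the talk's Ruby app): resolving a linked container from the environment Docker injects for "--link todomvcdb:db", and listing what else came along with the link. The environment below is constructed to match the slides' link; the DB_ENV_MYSQL_ROOT_PASSWORD entry is an assumption for illustration, since --link also copies every environment variable of the linked container into the target under <ALIAS>_ENV_<NAME>, so a password set on the database container ends up readable in the app container. The MYSQL_PASSWORD variable used for the app's own credential is likewise assumed.

```python
import os
from urllib.parse import urlparse

# Constructed sample of what `docker run --link todomvcdb:db ...` puts in the
# app container's environment (alias "db", MySQL listening on 3306).
# DB_ENV_MYSQL_ROOT_PASSWORD is assumed: it is what --link produces when the
# database container was started with MYSQL_ROOT_PASSWORD in its environment.
SAMPLE_LINK_ENV = {
    "DB_NAME": "/todomvcapp/db",
    "DB_PORT": "tcp://172.17.0.1:3306",
    "DB_PORT_3306_TCP": "tcp://172.17.0.1:3306",
    "DB_PORT_3306_TCP_ADDR": "172.17.0.1",
    "DB_PORT_3306_TCP_PORT": "3306",
    "DB_PORT_3306_TCP_PROTO": "tcp",
    "DB_ENV_MYSQL_ROOT_PASSWORD": "pa55Word",
    "HOME": "/root",
}


def link_endpoint(env, alias, port, proto="tcp"):
    """Resolve (address, port) of a linked container from <ALIAS>_PORT_<port>_<PROTO>."""
    key = f"{alias.upper()}_PORT_{port}_{proto.upper()}"
    url = env.get(key)
    if url is None:
        raise KeyError(f"{key} not set: was this container started with --link <name>:{alias}?")
    parsed = urlparse(url)  # tcp://172.17.0.1:3306
    if parsed.scheme != proto or parsed.hostname is None or parsed.port is None:
        raise ValueError(f"unexpected link value {url!r} in {key}")
    return parsed.hostname, parsed.port


def leaked_link_env(env, alias):
    """Names of the linked container's own variables that --link copied into this one."""
    prefix = f"{alias.upper()}_ENV_"
    return sorted(k[len(prefix):] for k in env if k.startswith(prefix))


def mysql_url(env, alias, user, password, database):
    """Build the DataMapper-style URL with the host/port from the link and the password passed in."""
    host, port = link_endpoint(env, alias, 3306)
    return f"mysql://{user}:{password}@{host}:{port}/{database}"


if __name__ == "__main__":
    # Use the real environment when running inside a linked container, else the sample.
    env = dict(os.environ) if "DB_PORT_3306_TCP" in os.environ else SAMPLE_LINK_ENV
    # MYSQL_PASSWORD is an assumed variable for the app's own credential.
    print(mysql_url(env, "db", "root", env.get("MYSQL_PASSWORD", "<unset>"), "todomvc"))
    print("copied from the linked container:", leaked_link_env(env, "db"))
```

leaked_link_env is the check worth running once per image: anything it returns is visible to every process in the app container (and to docker inspect on the host), which is why a secret set on the database container should not be assumed private to it.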
Other networking modes
--net=host
The container shares the host's network namespace: it sees eth0 (10.0.1.1) and docker0 directly, gets no veth pair on the bridge, and has no network isolation from the host at all (it can bind any host port and see all host traffic).
[Diagram: host eth0 10.0.1.1; docker0 172.17.42.1; container 1 eth0 172.17.0.1 via veth67ab; container 2 eth0 172.17.0.2 via veth9c5d; the new container sits in the host's own namespace]
--net=container:$container2
The new container joins $container2's network namespace instead of getting its own: both see the same eth0 (172.17.0.2) behind veth9c5d, the same ports and the same loopback, so anything one of them binds on 127.0.0.1 is reachable from the other.
[Diagram: host eth0 10.0.1.1; docker0 172.17.42.1; container 1 eth0 172.17.0.1 via veth67ab; container 2 eth0 172.17.0.2 via veth9c5d, shared with the new container]
--net=none
The container gets a network namespace with only a loopback interface: nothing is attached to docker0, no address is allocated and no NAT rules are added. Connectivity, if any, is wired up afterwards by an external tool such as pipework.
[Diagram: host eth0 10.0.1.1; docker0 172.17.42.1; container 1 eth0 172.17.0.1 via veth67ab; container 2 eth0 172.17.0.2 via veth9c5d; the new container has no bridge attachment]
Connecting containers between machines
Marek Goldmann did this with OVS
A more generic approach (ODCA)
Still want more…
Pipework etc.
Pipework:
• Create bridges
• Attach to container interfaces
• Attach to host interfaces
• and much more…
Tenus:
• Golang package offering programmatic network configuration along similar lines to Pipework
libchan
‘A low level component that we can use as a
communication layer that we can use across the board for
all the different aspects of communication within Docker’
Solomon Hykes – DockerCon 2014 (my emphasis)
What it is – Golang-like channels over the network
‘A lightweight communication protocol for distributed
systems’
What it does – yet to be revealed
Gotchas
Our old enemy the network hub
Every container on docker0 shares one layer-2 segment, and with the daemon's default of --icc=true any container can reach any other on any port, linked or not. Running the daemon with --icc=false makes Docker drop container-to-container traffic on the bridge except between containers joined by an explicit --link.
[Diagram: host eth0 10.0.1.1; docker0 172.17.42.1; container 1 eth0 172.17.0.1 via veth67ab; container 2 eth0 172.17.0.2 via veth9c5d, all on one segment]
A bit like a home network
The containers live on a private range (172.17.0.0/16) behind the host, which masquerades their outbound traffic and port-forwards (DNAT) selected inbound ports to them, exactly the job a home router does for the machines behind it; the host is the only thing the outside world can address.
[Diagram: host eth0 10.0.1.1 as the router; docker0 172.17.42.1; container 1 eth0 172.17.0.1 via veth67ab; container 2 eth0 172.17.0.2 via veth9c5d]
Host as router can be painful
• VirtualBox requires specific network adaptors (in a specific configuration) to play nicely with pipework
• Even with source/destination checks disabled pipework won’t play nicely on EC2
• Mileage may vary on other clouds, but some don’t even have the option to flick that bit (or make it very hard to get at)
The end (nearly)
TL;DR docker0 bridge is the heart of default networking
Plus some iptables magic
Docker can help link your containers (on a single host)
But it’s easier with a compositing tool
There are advanced options
On single hosts
On multiple hosts
and advanced tools