Docker overlay network - containerday
Marco Bizzantino, CTO @ Kiratech
@bizzam #containerday
Overlay Network: Multi Docker Host Networking
Understand Docker container networks
• Networks isolate containers: by default a container can only reach the containers attached to the same network
• It is important to have control over those networks
• Docker container networks give you that control
Docker networking model
• Containers do not get a public IPv4 address; each is allocated a private address
• Services running in a container must be exposed port by port
• Container ports have to be mapped to distinct host ports to avoid conflicts
Default networks
• A Docker installation creates three networks automatically: bridge, none and host
• Use the --net flag of docker run to choose which network a container runs on
Bridge network
• The docker0 bridge, present in every Docker installation
• All containers connect to it by default
• Part of the host's network stack
• docker0 is assigned an address and subnet from the private ranges defined by RFC 1918
None network
• Container-specific network stack
• A container attached to it has no network interface other than loopback
Host network
• Puts the container on the host's network stack
• Network configuration inside the container is identical to the host's: the container sees the host's interfaces and can bind any host port, so there is no network isolation at all
Check container networking properties
The docker network inspect command returns information about a network: its driver, its subnet and the containers attached to it.
Network summary
• Docker containers run in a subnet provisioned by the docker0 bridge on the host machine
• We can create our own bridge or a different network to run containers on
• Automatic mapping of container ports to host ports (docker run -P) only applies to the ports declared with the Dockerfile EXPOSE instruction
Multi-host networking
• Containers running on different hosts cannot communicate with each other without mapping their TCP ports to the host's TCP ports
• Multi-host networking allows these containers to communicate without requiring port mapping
• The Docker Engine supports multi-host networking natively out of the box via the overlay network driver
Multi-host networking
Requirements for creating an overlay network:
• Access to a key-value store
• A cluster of hosts connected to the key-value store
• All hosts must have kernel version 3.16 or higher
• Docker Engine properly configured on each host
Overlay network
• The overlay network driver supports multi-host networking natively out of the box
• Based on libnetwork, a built-in VXLAN-based overlay network driver, and Docker's libkv library
• The overlay network requires a valid key-value store service
• The Docker hosts must be able to reach each other on:
  udp port 4789: data plane (VXLAN)
  tcp/udp port 7946: control plane
• The VXLAN data plane carries container traffic unencrypted and unauthenticated, so these ports should be reachable from the cluster hosts only, never from the Internet
Key-value store
Stores information about the network state, including:
• Discovery
• Endpoints
• IP addresses
Supported options:
• Consul
• Zookeeper (distributed store)
• Etcd
• BoltDB (local store)
Set up the key-value store on your master node
Run Consul in a container with the following command:
docker run -d -p 8500:8500 -h consul --name consul \
    progrium/consul -server --bootstrap
Check that Consul is running and that port 8500 is mapped to the host using docker ps. Started this way Consul has no ACLs, so anyone who can reach port 8500 can read or rewrite the overlay's network state: firewall it to the cluster hosts.
Configure Docker Engines
The Docker Engine on each node needs to be configured to:
• Listen on TCP port 2375
• Use the Consul key-value store on our master node
Modify the DOCKER_OPTS variable:
DOCKER_OPTS="-H tcp://0.0.0.0:2375 \
    -H unix:///var/run/docker.sock \
    --cluster-store=consul://<MasterNodeIP>:8500/network \
    --cluster-advertise=eth0:2375"
A TCP listener without TLS gives anyone who can reach port 2375 root-equivalent control of the host (the API can start a container with / mounted). Outside a lab, add --tlsverify together with --tlscacert, --tlscert and --tlskey, and firewall the port to the cluster hosts.
Configure the overlay network
Create an overlay network on one of the hosts in the cluster (the Swarm):
docker network create -d overlay --subnet 10.10.2.0/24 multinet
Running containers on a multi-host network
To run a container on the multi-host network, you just need to specify the network name on the docker run command. For example:
docker run -itd --name c1 --net multinet busybox
• Containers can be run from any host connected to the network
• The container is assigned an IP address from the subnet of your multi-host network
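The per-host setup above (kernel requirement, the 4789/7946 ports, the DOCKER_OPTS string) collapsed into one pre-flight script, as an added example; it is not part of the slides and not Docker's own tooling. It checks the kernel minimum, builds the DOCKER_OPTS string, refuses a plaintext API listener, and prints iptables rules that confine the overlay ports to the cluster peers. The function names, the 10.0.0.x addresses, the certificate paths under /etc/docker and the iptables layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the slides: pre-flight checks for one host that
# will join a Consul-backed Docker overlay network. The kernel minimum, the
# ports and the DOCKER_OPTS layout are the ones the slides give; function
# names, peer addresses, TLS file paths and the iptables layout are
# assumptions made for this example.

# The overlay driver needs kernel 3.16 or newer. Takes "uname -r" output
# such as "3.16.0-77-generic"; returns 0 when new enough, non-zero otherwise.
kernel_ok() {
    _major=$(printf '%s' "$1" | cut -d. -f1)
    _minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "$_major" -gt 3 ] 2>/dev/null && return 0
    [ "$_major" -eq 3 ] && [ "$_minor" -ge 16 ]
}

# DOCKER_OPTS for every engine: local socket, remote API on 2375, Consul on
# the master as cluster store, advertise this node over the given NIC.
# $1 master IP, $2 NIC (default eth0), $3 "tls" to require client
# certificates on the TCP listener (the certificate paths are assumed).
docker_opts() {
    printf '%s' '-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock '
    printf '%s' "--cluster-store=consul://$1:8500/network "
    printf '%s' "--cluster-advertise=${2:-eth0}:2375"
    if [ "${3:-plain}" = tls ]; then
        printf '%s' ' --tlsverify --tlscacert=/etc/docker/ca.pem'
        printf '%s' ' --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'
    fi
}

# A tcp:// listener without --tlsverify hands root on the host to anyone who
# can reach the port (docker run -v /:/host ...). Returns 0 = safe, 1 = exposed.
opts_secure() {
    case "$1" in
        *tcp://*) case "$1" in *--tlsverify*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;
    esac
}

# iptables rules that let only the listed cluster peers reach the VXLAN data
# plane (4789/udp) and the gossip control plane (7946/tcp+udp) and drop the
# rest. VXLAN carries container traffic in clear here, so limiting who can
# inject frames is the minimum protection for this setup.
peer_rules() {
    for _peer in "$@"; do
        printf 'iptables -A INPUT -s %s -p udp --dport 4789 -j ACCEPT\n' "$_peer"
        printf 'iptables -A INPUT -s %s -p tcp --dport 7946 -j ACCEPT\n' "$_peer"
        printf 'iptables -A INPUT -s %s -p udp --dport 7946 -j ACCEPT\n' "$_peer"
    done
    printf 'iptables -A INPUT -p udp --dport 4789 -j DROP\n'
    printf 'iptables -A INPUT -p tcp --dport 7946 -j DROP\n'
    printf 'iptables -A INPUT -p udp --dport 7946 -j DROP\n'
}

# preflight MASTER_IP KERNEL_VERSION tls|plain PEER_IP...
# Prints a report and returns non-zero if the kernel is too old or the
# Docker API would be reachable in plaintext.
preflight() {
    _master=$1; _kernel=$2; _mode=$3; shift 3
    _rc=0
    if kernel_ok "$_kernel"; then echo "kernel $_kernel: ok"
    else echo "kernel $_kernel: too old, overlay needs 3.16+"; _rc=1; fi
    _opts=$(docker_opts "$_master" eth0 "$_mode")
    echo "DOCKER_OPTS=\"$_opts\""
    if opts_secure "$_opts"; then echo "remote API: client certificates required"
    else echo "FAIL: plaintext Docker API on tcp://0.0.0.0:2375, add --tlsverify"; _rc=1; fi
    echo "firewall rules restricting overlay ports to peers: $*"
    peer_rules "$@"
    return $_rc
}

# Stand-alone use: sh preflight.sh <MasterNodeIP> "$(uname -r)" tls <peer>...
# (constructed addresses such as 10.0.0.2 are placeholders, not real hosts)
if [ $# -gt 0 ]; then preflight "$@"; fi
```

The iptables lines are printed rather than applied so they can be reviewed before being loaded on each node; the script exits non-zero, and so blocks a provisioning pipeline, whenever the engine would come up with the plaintext 2375 listener shown on the previous slides.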
Running containers on a multi-host network
• The first time an overlay network is created on any host, Docker also creates another network called docker_gwbridge
• The docker_gwbridge network provides external access (outbound connectivity to the host's network and beyond) for containers
• All TCP/UDP ports are open between containers on an overlay network, so it is not necessary to map container ports to host ports for containers to communicate. The flip side is that there is no port-level filtering between members of the same overlay: put services that should not talk to each other on separate overlay networks
Overlay Network
Once connected, each container has access to all the containers in the network, regardless of which Docker host the container was launched on.
Container discovery
• The docker daemon contains an embedded DNS server
• Containers must run with a name (using the --name option); the name maps to the container's IP address on the network it is connected to
• When a container is added to a multi-host network, all other hosts will be able to discover it via the DNS server
Container discovery
• A container may have any number of aliases on a network
• Containers may have different aliases on different networks, set using the --alias option of docker network connect
• If the embedded DNS server is unable to resolve a request, it is forwarded to the external DNS servers configured for the container
Multi-host Network Summary
• An overlay (multi-host) network requires a key/value store
• Containers added to a multi-host network are discoverable by other containers, as long as the container name/alias has been specified
• Containers on different hosts can communicate with each other without exposing any ports if the hosts are part of the same overlay network
Macvlan and Ipvlan Network Drivers
• Complete control of layer 2 VLAN tagging, and even Ipvlan L3 routing, for users interested in underlay network integration
• The container is attached directly to the Docker host interface
• Easy access for external-facing services, as there are no port mappings
• Still experimental
More information: https://github.com/docker/docker/blob/master/experimental/vlan-networks.md
Thankyou