From network namespace to fabric overlays
Eugene Yakubovich (@eyakubovich)
Containers are awesome
- Containers provide isolation
- For networking:
  - its own port space
  - its own IP
Network Namespace
- Can every container have a "real" IP?
- How should the network be virtualized?
- Is network virtualization part of the "container runtime"?
New net ns:
$ sudo unshare -n /bin/bash
$ ip addr
1: lo: <LOOPBACK> mtu 65536 ...
    link/loopback 00:00:00:00:00:00 brd ...
New net ns:
$ ip link set lo up
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 ...
    link/loopback 00:00:00:00:00:00 brd ...
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
New net ns:
$ ping 8.8.8.8
connect: Network is unreachable
$ ip route show
$
veth
(diagram) one veth pair per container, each pair addressed as a /31 point-to-point link: 10.0.1.5/31 <-> 10.0.1.4, and 10.0.1.7/31 <-> 10.0.1.6
veth
(diagram) veth pairs attached to a Linux bridge, all on one /24: containers 10.0.1.5/24 and 10.0.1.7/24, bridge 10.0.1.1/24
Virtualizing the NIC and Network
- veth pair (plus linux-bridge)
- macvlan
- ipvlan
- OVS
- vlan
- vxlan
IP Address Management
- Host
- Cluster
- Global
Which one?
No right answer!
Need pluggable network strategy
(diagram, built up over three slides: CNI is inserted between the runtime and the per-technology plugins)
Container Runtime (e.g. rkt)
Container Networking Interface (CNI)
veth | macvlan | ipvlan | OVS
CNI
- Container can join multiple networks
- Network described by JSON config
- Plugin supports two commands:
  - Add container to the network
  - Remove container from the network
User configures a network
$ cat /etc/rkt/net.d/10-mynet.conf
{
  "name": "mynet",
  "type": "bridge",
  "ipam": {
    "type": "host-local",
    "subnet": "10.10.0.0/16"
  }
}
CNI: Step 1
Container runtime creates a network namespace and gives it a named handle
$ cd /run
$ touch myns
$ unshare -n mount --bind /proc/self/ns/net myns
CNI: Step 2
Container runtime invokes the CNI plugin
$ export CNI_COMMAND=ADD
$ export CNI_NETNS=/run/myns
$ export CNI_CONTAINERID=5248e9f8-3c91-11e5-...
$ export CNI_IFNAME=eth0
$ $CNI_PATH/bridge </etc/rkt/net.d/10-mynet.conf
CNI: Step 3
Inside the bridge plugin (1):
$ brctl addbr mynet
$ ip link add veth123 type veth peer name $CNI_IFNAME
$ brctl addif mynet veth123
$ ip link set $CNI_IFNAME netns $CNI_NETNS   # move the container end into the namespace handle from step 1
$ ip link set veth123 up
CNI: Step 3
Inside the bridge plugin (2):
$ IPAM_PLUGIN=host-local   # from network conf
$ $IPAM_PLUGIN </etc/rkt/net.d/10-mynet.conf   # same CNI_* environment, same conf on stdin
{
  "ip4": {
    "ip": "10.10.5.9/16",
    "gateway": "10.10.0.1"
  }
}
CNI: Step 3
Inside the bridge plugin (3):
# switch to container namespace
$ ip addr add 10.10.5.9/16 dev $CNI_IFNAME   # the address the IPAM plugin returned
# Finally, print IPAM result JSON to stdout
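The IPAM step inside the bridge plugin (step 3, parts 2 and 3) as an added example, not code from the talk or from the CNI project: an in-memory stand-in for host-local that takes the network conf from stdin, leases one address per CNI_CONTAINERID, skips the network, gateway and broadcast addresses, and returns the same {"ip4": {...}} JSON the real plugin prints. The Allocator type, its lease map and the function names are assumptions made here.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net"
)

// Allocator is an in-memory stand-in for host-local's on-disk lease store (assumed name).
type Allocator struct {
	subnet *net.IPNet
	leases map[string]uint32 // CNI_CONTAINERID -> leased address
}

// NewAllocator reads "ipam.subnet" from the network conf the runtime passes on stdin.
func NewAllocator(confJSON []byte) (*Allocator, error) {
	var conf struct{ IPAM struct{ Subnet string `json:"subnet"` } `json:"ipam"` }
	jsonErr := json.Unmarshal(confJSON, &conf)
	_, subnet, cidrErr := net.ParseCIDR(conf.IPAM.Subnet)
	if jsonErr != nil || cidrErr != nil || subnet.IP.To4() == nil {
		return nil, fmt.Errorf("conf needs an IPv4 CIDR in ipam.subnet: %v %v", jsonErr, cidrErr)
	}
	return &Allocator{subnet: subnet, leases: map[string]uint32{}}, nil
}

func toIP(n uint32) net.IP { return net.IPv4(byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) }

// Add (CNI_COMMAND=ADD) leases the lowest free host address: the first host address
// is the gateway, broadcast is never handed out, and the reply is the result JSON.
func (a *Allocator) Add(containerID string) (string, error) {
	first := binary.BigEndian.Uint32(a.subnet.IP.To4())
	ones, _ := a.subnet.Mask.Size()
	gw, bcast := first+1, first|(^uint32(0)>>uint(ones))
	used := map[uint32]bool{}
	for _, n := range a.leases {
		used[n] = true
	}
	for n := gw + 1; n < bcast; n++ {
		if !used[n] {
			a.leases[containerID] = n
			out, _ := json.Marshal(map[string]map[string]string{"ip4": {
				"ip": fmt.Sprintf("%s/%d", toIP(n), ones), "gateway": toIP(gw).String()}})
			return string(out), nil
		}
	}
	return "", fmt.Errorf("subnet %s exhausted", a.subnet)
}

func (a *Allocator) Del(containerID string) { delete(a.leases, containerID) } // CNI_COMMAND=DEL
```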
Current plugins
- Top level: ptp, bridge, macvlan, ipvlan
- IPAM: host-local, dhcp
Q: How do we give each container a routable IP in "restricted" env?
A: Overlay network: flannel, weave
{
  "network": "10.1.0.0/16"
}
(diagram) per-host /24 subnets carved out of 10.1.0.0/16: 10.1.16.0/24, 10.1.24.0/24, 10.1.71.0/24
(diagram) the host that holds 10.1.16.0/24
# /run/flannel/subnet.env
FLANNEL_NETWORK=10.1.0.0/16
FLANNEL_SUBNET=10.1.16.0/24
FLANNEL_MTU=1472
(diagram) hosts holding 10.1.16.0/24, 10.1.24.0/24 and 10.1.71.0/24; container 10.1.16.2 on the first host reaches container 10.1.24.3 on the second across the overlay
Putting it all together
CNI
flannel CNI plugin
- "meta" plugin
- reads in /run/flannel/subnet.env
- writes out "bridge" + "host-local" conf
- calls out to "bridge"
User's network conf:
{
  "name": "mynet",
  "type": "flannel"
}

# /run/flannel/subnet.env
FLANNEL_NETWORK=10.1.0.0/16
FLANNEL_SUBNET=10.1.16.0/24
FLANNEL_MTU=1472

Conf written out and handed to the "bridge" plugin:
{
  "name": "mynet",
  "type": "bridge",
  "mtu": 1472,
  "ipam": {
    "type": "host-local",
    "subnet": "10.1.16.0/24"
  }
}
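The rewrite the flannel meta plugin performs, as an added example that is not flannel's own code: it parses subnet.env, refuses a FLANNEL_SUBNET that does not lie inside FLANNEL_NETWORK (a stale or edited file would otherwise make host-local hand out addresses outside the overlay), and turns the user's "flannel" conf into the bridge + host-local conf shown above. SubnetEnv, ParseSubnetEnv and DelegateConf are names assumed here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// SubnetEnv (assumed name) holds what flanneld writes to /run/flannel/subnet.env.
type SubnetEnv struct {
	Network, Subnet string
	MTU             int
}

// ParseSubnetEnv reads the KEY=VALUE lines and rejects a lease that lies outside
// the overlay network, so a stale or edited file cannot hand out foreign addresses.
func ParseSubnetEnv(text string) (SubnetEnv, error) {
	vals := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok && !strings.HasPrefix(k, "#") {
			vals[k] = v
		}
	}
	mtu, _ := strconv.Atoi(vals["FLANNEL_MTU"])
	env := SubnetEnv{Network: vals["FLANNEL_NETWORK"], Subnet: vals["FLANNEL_SUBNET"], MTU: mtu}
	_, netw, err1 := net.ParseCIDR(env.Network)
	subIP, sub, err2 := net.ParseCIDR(env.Subnet)
	if err1 != nil || err2 != nil {
		return env, fmt.Errorf("subnet.env: bad FLANNEL_NETWORK or FLANNEL_SUBNET")
	}
	netBits, _ := netw.Mask.Size()
	subBits, _ := sub.Mask.Size()
	if !netw.Contains(subIP) || subBits < netBits || mtu <= 0 {
		return env, fmt.Errorf("subnet.env: %s is not inside %s, or bad MTU %d", env.Subnet, env.Network, mtu)
	}
	return env, nil
}

// DelegateConf does the meta plugin's rewrite: {"type": "flannel"} becomes the bridge + host-local conf.
func DelegateConf(userConf []byte, env SubnetEnv) ([]byte, error) {
	var conf map[string]interface{}
	if err := json.Unmarshal(userConf, &conf); err != nil || conf == nil {
		return nil, fmt.Errorf("bad network conf: %v", err)
	}
	conf["type"], conf["mtu"] = "bridge", env.MTU
	conf["ipam"] = map[string]interface{}{"type": "host-local", "subnet": env.Subnet}
	return json.Marshal(conf)
}
```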
$ sudo rkt run --private-net=mynet --interactive debian.aci
(debian) $ ip addr
… 10.1.16.2 …
(debian) $ ping 10.1.71.3
PING 10.1.71.3 (10.1.71.3) 56(84) bytes of data.
64 bytes from 10.1.71.3: icmp_seq=1 ttl=55 time=1.6 ms
Questions
github.com/appc/cni
github.com/coreos/rkt
github.com/coreos/flannel