Docker Networking

Transcript

1. Docker Networking Luis Michael Ibarra clvx → IRC, Twitter, Reddit

2. 2 About me • Docker Lima Organizer. • Ubuntu member.

   • Member of the Technical Advisory Group for containers in Azure. • System Engineer.

3. 3 Network Namespaces • NET_NS: Provides isolation of the system

   resources associated with networking: network devices, IPv4 and IPv6 protocol stacks, IP routing tables, firewalls, the /proc/net directory, the /sys/class/net directory, port numbers (sockets), and so on. • namespaces(7).

4. 4 Network Namespaces: Features • It uses a virtual device(veth)

   pair to create a tunnel for communication between namespaces. • It always comes in pair, with one end in the root namespace and the other end in a namespace. • The device is created in whatever namespace is current in. • If a device does not belong to the current namespace, it becomes invisible.

5. 5 Network Namespaces: Features • It provides a brand-new network

   stack for all the processes within the namespace which includes: • Network interfaces. • Routing tables. • Iptables rules. • Etc. • From the system’s point of view, when creating a new process via clone() or unshare() syscall, passing the flag CLONE_NEWNET will create a brand-new network namespace into the new process. •/proc/$(container_pid)/ns/net

6. 6 Docker Networking • It’s based on network namespaces •

   Three drivers by default: • Bridge: Creates a linux bridge named docker0. • None: No network at all. • Host: It uses the global network namespace.

7. 7 Docker Networking: user-define network • Control communication between containers.

   • Enables DNS resolution with an embedded. • Permits to connect/disconnect running containers from networks without restarting the container. • Network drivers: • Bridge • Overlay • Based on VXLAN. • It needs a key-value store to map vxlan id’s – Etcd/Consul • MacVLAN

8. 8 Docker Networking: Others • Support to create custom network

   drivers.

9. 9 DEMO