Exploring networking in Linux containers

Transcript

1. Exploring networking in Linux containers

2. About me • Ex-Racker, currently WebOps at GoCardless • I’m

   also responsible for http://containerops.org • Aspiring Gopher • Hit me up on Twitter @milosgajdos https://twitter.com/milosgajdos • Get in touch on LinkedIN http://www.linkedin.com/in/milosgajdos

3. Linux Namespaces • Purpose: create an illusion that processes in

   particular namespace are the only processes on the system • Goal: lightweight process virtualization (no HV) • Implemented via 3 system calls: clone(), unshare(), setns() • Namespaces do not have names. There is no parameter of a namespace name passed to any of the above system calls!

4. Linux Namespaces II • There are currently 6 namespaces implemented

   in Linux kernel: - mnt (mount point, filesystems) - pid (process ID) - net (network stack) - ipc (System V IPC and POSIX message queues) - uts (host and domain names) - user (user and group ID)

5. Network Namespace • logically another copy of the network stack,

   with its own routes, firewall rules, and network devices • Implementation: - a network device belongs exactly to one network namespace - a socket belongs exactly to one network namespace • This for example means that you can run more than 1 process listening on localhost:80 or assign same private

6. Network Namespace II • Create and Delete network namespace: EXAMPLE

   :! ! vagrant@precise64:~$ sudo -s root@precise64:~# ip netns add milosns root@precise64:~# ip netns list milosns root@precise64:~# ls -l /var/run/netns/ total 0 -r-------- 1 root root 0 Jan 28 23:07 milosns root@precise64:~# ip netns del milosns root@precise64:~# ip netns list root@precise64:~# ! root@precise64:~# ip netns monitor

7. Network Namespaces III • Each newly created network namespace includes

   only the loopback device - there are no sockets in a newly created namespace EXAMPLE:! ! root@precise64:~# ip netns exec milosns ip link list 6: lo: <LOOPBACK> mtu 16436 qdisc noop state DOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 root@precise64:~# root@precise64:~# ip netns exec milosns netstat -nl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path root@precise64:~#

8. Network Namespaces IV • You can assign interfaces to network

   namespaces and move it between them EXAMPLE:! ! root@precise64:~# ip link set eth2 netns milosns root@precise64:~# ip link list eth2 Device "eth2" does not exist. root@precise64:~# root@precise64:~# ip netns exec milosns ip link list 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 08:00:27:9c:f8:58 brd ff:ff:ff:ff:ff:ff 13: lo: <LOOPBACK> mtu 16436 qdisc noop state DOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 ! Move eth2 interface from milosns network namespace back to DEFAULT network namespace - i.e. to the host machine! ! root@precise64:~# ip netns exec milosns ip link set eth2 netns 1 root@precise64:~# ip link list eth2 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000 link/ether 08:00:27:9c:f8:58 brd ff:ff:ff:ff:ff:ff root@precise64:~#

9. Network Namespaces V • You can communicate between 2 network

   namespaces via veth (Virtual Ethernet) interface → veth is like a pipe – what enters at one end, exits on the other EXAMPLE: ! ! Create 2 separate namespaces! ip netns add myns1 ip netns add myns2 ! Start bash in the first namespace! ip netns exec myns1 bash ! Create veth pair and send one side of the pipe to another namespace! ip link add vethNS1 type veth peer name vethNS2 ip link set dev vethNS2 netns myns2 ! Assign ip addresses in each namespace:! ip addr add <ADDR> broadcast <BRD> dev vethNS1 ip addr add <ADDR> broadcast <BRD> dev vethNS2 ! Start sending data!

10. Network Namespaces VI • unshare linux utility – currently supports

    5 namespaces on Ubuntu 12.04 LTS • unshare –-net bash - Starts bash in a new network namespace! - No folder is created /var/run/netns! - When you exit this bash, the network namespace will be freed – that's not the case when you start a bash by running ip netns exec bash

11. LXC Networking • SHAMELESS PLUG - http://containerops.org/2013/11/19/lxc- networking/ - Step

    by step tutorial on various Linux Containers networking configurations

12. Docker networking • At the moment there are 3 (+1)

    ways to configure networking in Docker containers: - Port – explicitly expose Docker port to the host machine - Link - interconnects containers via iptables rules on the host machine and exports “linked” container’s connection details via means of environment variables - Pipework – bash script written by one of the Docker employees which allows for various networking configurations (https://github.com/jpetazzo/ pipework) - LXC configuration parameters: -lxc-conf="lxc.network.type = veth” -lxc-conf="lxc.network.ipv4 = 1.2.3.4/24” …

13. Pipework Let’s create 2 Docker containers, assign some 192.168.1.0/24 IP

    addresses to them and get them communicate to each other Example: Create Docker containers: docker run -d -name mynetcat ubuntu:precise /bin/nc -l 44444 docker run -d -name mynetcat2 ubuntu:precise /bin/nc -l 44444 ! Bridge the containers to the host brtest bridge root@precise64:~# ./pipework brtest e8d3ec118fa9 192.168.1.2/24 root@precise64:~# ./pipework brtest 874b2c0cc90b 192.168.1.3/24 !

14. Links • Network namespaces demo: - https://gist.github.com/milosgajdos83/8693601 • Docker networking

    with Pipework demo: - https://gist.github.com/milosgajdos83/8693612

15. WE ARE HIRING ! https://gocardless.com/jobs