Docker Networking Luis Michael Ibarra clvx → IRC, Twitter, Reddit 

2 About me ● Docker Lima Organizer. ● Ubuntu member. ● Member of the Technical Advisory Group for containers in Azure. ● System Engineer. 

3 Network Namespaces ● NET_NS: Provides isolation of the system resources associated with networking: network devices, IPv4 and IPv6 protocol stacks, IP routing tables, firewalls, the /proc/net directory, the /sys/class/net directory, port numbers (sockets), and so on. ● namespaces(7). 

4 Network Namespaces: Features ● It uses a virtual device(veth) pair to create a tunnel for communication between namespaces. ● It always comes in pair, with one end in the root namespace and the other end in a namespace. ● The device is created in whatever namespace is current in. ● If a device does not belong to the current namespace, it becomes invisible. 

5 Network Namespaces: Features ● It provides a brand-new network stack for all the processes within the namespace which includes: ● Network interfaces. ● Routing tables. ● Iptables rules. ● Etc. ● From the system’s point of view, when creating a new process via clone() or unshare() syscall, passing the flag CLONE_NEWNET will create a brand-new network namespace into the new process. ●/proc/$(container_pid)/ns/net 

6 Docker Networking ● It’s based on network namespaces ● Three drivers by default: ● Bridge: Creates a linux bridge named docker0. ● None: No network at all. ● Host: It uses the global network namespace. 

7 Docker Networking: user-define network ● Control communication between containers. ● Enables DNS resolution with an embedded. ● Permits to connect/disconnect running containers from networks without restarting the container. ● Network drivers: ● Bridge ● Overlay ● Based on VXLAN. ● It needs a key-value store to map vxlan id’s – Etcd/Consul ● MacVLAN 

8 Docker Networking: Others ● Support to create custom network drivers. 

9 DEMO