copyright 2014 1

Docker networking

Chris Swan, CTO

@cpswan

Cloud native networking

copyright 2014 2

TL;DR docker0 bridge is the heart of default networking

Plus some iptables magic

Docker can help link your containers (on a single host)

But it’s easier with a compositing tool

There are advanced options

On a single host

On multi hosts

and advanced tools

copyright 2014 3

Why me?

copyright 2014 4

copyright 2014 5

The basics

copyright 2014 6

Let’s start with a regular host

eth0

10.0.1.1

copyright 2014 7

Install Docker

eth0

10.0.1.1

docker0

172.17.42.1

copyright 2014 8

Start a container

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

copyright 2014 9

Start another container

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

eth0

172.17.0.2

veth9c5d

copyright 2014 10

iptables magic

copyright 2014 11

Connecting to the outside world

$ sudo iptables -t nat -L –n

...

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE all -- 172.17.0.0/16 !172.17.0.0/16

...

copyright 2014 12

Connecting from the outside world

$ sudo docker run –dp 1880:1880 cpswan/node-red

$ sudo docker ps

CONTAINER ID IMAGE COMMAND

CREATED STATUS PORTS

NAMES

7696169d9438 cpswan/node-red:latest node red.js

2 weeks ago Up 2 weeks 0.0.0.0:1880->1880/tcp

backstabbing_davinci

$ sudo iptables -t nat -L –n

...

Chain DOCKER (2 references)

target prot opt source destination

DNAT tcp -- 0.0.0.0/0 0.0.0.0/0

tcp dpt:1880 to:172.17.0.7:1880

copyright 2014 13

Container linking

copyright 2014 14

From the docker command line

From the outside:

# start the database

sudo docker run -dp 3306:3306 --name todomvcdb \

-v /data/mysql:/var/lib/mysql cpswan/todomvc.mysql

# start the app server

sudo docker run -dp 4567:4567 --name todomvcapp \

--link todomvcdb:db cpswan/todomvc.sinatra

On the inside:

dburl = 'mysql://root:pa55Word@' +

ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'

DataMapper.setup(:default, dburl)

copyright 2014 15

Simplify life with Fig

fig.yml:

todomvcdb:

image: cpswan/todomvc.mysql

expose:

- "3306"

volumes:

- /data/mysql:/var/lib/mysql

todomvcapp:

image: cpswan/todomvc.sinatra

ports:

- "4567:4567"

links:

- todomvcdb:db

I still need this on the inside:

dburl = 'mysql://root:pa55Word@' +

ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'

DataMapper.setup(:default, dburl)

copyright 2014 16

Other networking modes

copyright 2014 17

--net=host

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

eth0

172.17.0.2

veth9c5d

copyright 2014 18

--net=container:$container2

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

eth0

172.17.0.2

veth9c5d

copyright 2014 19

--net=none

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

eth0

172.17.0.2

veth9c5d

copyright 2014 20

Connecting containers between

machines

copyright 2014 21

Marek Goldmann did this with OVS

copyright 2014 22

A more generic approach (ODCA)

copyright 2014 23

Still want more…

copyright 2014 24

Pipework etc.

Pipework: • Create bridges

• Attach to container interfaces

• Attach to host interfaces

• and much more…

Tenus: • Golang package offering programmatic

network configuration along similar lines

to Pipework

copyright 2014

libchan

‘A low level component that we can use as a

communication layer that we can use across the board for

all the different aspects of communication within Docker’

Solomon Hykes – DockerCon 2014 (my emphasis)

What it is – Golang like channels over the network

‘A lightweight communication protocol for distributed

systems’

What it does – yet to be revealed

25

copyright 2014 26

Gotchas

copyright 2014 27

Our old enemy the network hub

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

eth0

172.17.0.2

veth9c5d

copyright 2014 28

A bit like a home network

eth0

10.0.1.1

docker0

172.17.42.1

eth0

172.17.0.1

veth67ab

eth0

172.17.0.2

veth9c5d

copyright 2014

Host as router can be painful

• VirtualBox requires specific network adaptors (in a

specific configuration) to play nicely with pipework

• Even with source/destination checks disabled pipework

won’t play nicely on EC2 • Mileage may vary on other clouds, but some don’t even have the option to flick that

bit (or make it very hard to get at)

29

copyright 2014 30

The end (nearly)

copyright 2014 31

copyright 2014 32

TL;DR docker0 bridge is the heart of default networking

Plus some iptables magic

Docker can help link your containers (on a single host)

But it’s easier with a compositing tool

There are advanced options

On single hosts

On multi hosts

and advanced tools

copyright 2014 33

Chicago, US

ContactMe@cohesiveft.com

+1 888 444 3962

Questions?