Octo Talk Dockermulti Hostnetworking 151211120053

7/25/2019 Octo Talk Dockermulti Hostnetworking 151211120053

1/29

Herve Leclerc@dt

DOCKER MULTI-HOST NETWORKING


2/29

ALTER WAY


3/29

LIBN

DOCKER

Herve Leclerc@dt


4/29

DOCKER LIBNETWORK

OPEN SOURCE SINCE APRIL 2015

Multiple OS

> 500 PR

> 500 !

Herve Leclerc@dt


5/29

DOCKER LIBNETWORK

Implements Container Network Model (CNM)

3 main components

Sandbox

Endpoint

Networknetwork

endpoint

sandbox

Herve Leclerc@dt


6/29

docker Container #1

Network Sandbox

endpoint

docker Container #2

Network Sandbox

docker

Ne

endpoint endendpoint

Backend Network Backend Network

Network SandboxAn isolated environment where the Networking configuration for a Docker Container

EndpointA network interface that can be used for communication over a specific network. Eexactly one network and multiple endpoints can exist within a single Network Sand

NetworkA network is a uniquely identifiable group of endpoints that are able to communic

other. You could create a Frontend and Backend network and they would be comp

CNM

Herve Leclerc@dt


7/29

The Network drivers

Implement the Driver API

Provide the specifics of how a network and en

implemented

Create Network

Create Container (attach to the network)

DOCKER LIBNETWORK

Herve Leclerc@dt


8/29

Create a linux Bridge for each network

Create a veth pair for each endpoint

One end attached to the bridge

the other as eth0 inside containers

iptables rules created for NAT

DOCKER LIBNETWORK : BRIDGE DRIVER

Herve Leclerc@dt


9/29

Create a separate network namespace for every n

Create a linux Bridge and VXLAN tunnels to ever

discovered host

Creates a veth pair for each endpoint

One is attached to the bridge

The other appears as eth0 inside container

Network namespace connected to host network usi

DOCKER LIBNETWORK : OVERLAY DRIVER

Herve Leclerc@dt


10/29

Implemented using lib network's remote driver

Use JSON-RPC transport

Can be written in any language

Can be deployed as a container

DOCKER LIBNETWORK : NETWORK PLUGINS

Herve Leclerc@dt


11/29

HOW DOCKER NETWORKS A CONTAINER ?

Docker Host

containerX

dock

er0

lo

eth0lo

vethXXXeth0

docker run :

--net=bridge (default)

--net=host

--net=container:NAME_or

--net=none

--net=overlay_name

Herve Leclerc@dt


12/29

HOW DOCKER NETWORKS A CONTAINER ?

Docker Host

containerbabase

d

oc

ker0

lo

eth0lo

vethXXXeth0

# docker run -tid --name babase -e database=mabase

# docker run -tid --link babase:babase --name fron

# docker exec frontend env

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/

HOSTNAME=e83cfafdbca0

TERM=xterm

BABASE_NAME=/frontend/babase

BABASE_ENV_database=mabase

HOME=/root

# docker exec cat /etc/hosts

172.17.0.5 e83cfafdbca0

172.17.0.4 babase fa10fbead100# docker exec frontend ping babase

PING babase (172.17.0.4): 56 data bytes

64 bytes from 172.17.0.4: seq=0 ttl=64 time=0.0

containerfrontend

vethXXX

lo

eth0

Herve Leclerc@dt

netstat -rn


13/29

eth010.0.0.2

02:42:0A:00:00:02

eth1172.18.0.2

02:42:AC:12:00:02

overlaybr010.0.0.1

vethXX

vxlan1

eth1192.168.99.103

eth010.0.2.15

docker0172.17.0.1

docker_gwbridge172.18.0.1

iptables(masquerade)

iptables -t nat -L -vnChain PREROUTING (policy ACCEPT 427 packets, 54721 bytes)pkts bytes target prot opt in out source destination431 26098 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 425 packets, 54618 bytes)pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 391 packets, 28774 bytes)pkts bytes target prot opt in out source destination

0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 391 packets, 28774 bytes)

pkts bytes target prot opt in out source destination2 103 MASQUERADE all -- * !docker_gwbridge 172.18.0.0/16 0.0.0.0/04 240 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0

vethXX

netstat rnKernel IP routing tableDestination Gateway Genmask 0.0.0.0 172.18.0.1 0.0.0.0 10.0.0.0 0.0.0.0 255.255.255.0 172.18.0.0 0.0.0.0 255.255.0.0

ip netns exec 3-2eb093042e ip a2: br0: mtu group default

link/ether 36:89:6b:73:b9:7d brd ff:ff:ff:inet 10.0.0.1/24 scope global br0

valid_lft forever preferred_lft foreverinet6 fe80::4cc0:d1ff:fe82:4730/64 scope lvalid_lft forever preferred_lft forever

19: vxlan1: master br0 state UNKNOWN group default

link/ether 42:d5:16:ca:78:11 brd ff:ff:ff:inet6 fe80::40d5:16ff:feca:7811/64 scope l

valid_lft forever preferred_lft forever21: veth2@if20:


14/29

eth010.0.0.2

02:42:0A:00:00:02

eth1172.18.0.2

02:42:AC:12:00:02

overlaybr010.0.0.1

vethXX

vxlan1

eth1192.168.99.103

eth010.0.2.15

docker0172.17.0.1

docker_gwbridge172.18.0.1

iptables(masquerade)

vethXX

eth010.0.0.3

02:42:0A:00:00:02

eth1172.18.0.2

02:42:AC:12:00:02

overlaybr010.0.0.1

vethXX

vxlan1

eth1192.168.99.102

TunnelVXLAN OverlaV

Herve Leclerc@dt


15/29

OVS bridge

vRouter

midone

u

ipsec

LibNetwork Alternatives

Herve Leclerc@dt


16/29

!"#$%&'()*$+,-& //+ -#"&(0

!"#$%&' -&12#'% 3/!"#$%&' )* !+," *&)-"&

./.012113450 6768 69::;;7?@885AA3BA2


17/29

!"#$%&'()*$+,-& //+ -#"&(4

!"#$%&' -&12#'% 3/!"#$%&' )* !+," *&)-"&

FB0.3A7?@

Herve Leclerc@dt


18/29

!"#$%&'()*$+,-& //+ -#"&(0!"#$%&' -&12#'% $'&*1& (" #5&'3*6 /%6-&1.8243=4/.80FG/.34.50/


19/29

!"#$%&' '7- (1," ((-*)& $0 ((-&1 /%6-&1 *38,-& */+

!"#$%&' -&12#'% 3/!"#$%&' )* !+," *&)-"&

.8243=4/.80F ?HI68@ 7J8C:0IG45AB5831B== 6768 69::58./A37?@ >7?@A5/44=45;//0 B7FH8CKEL2CDBE8 2CDBE8FB0.3A


20/29

!3- (/ 95*'9'7-9"#$%&'9-&1-/90(4&:;4& 95*'9'7-9-&1-/90(4&:;4&MDN 68@ :[email protected]=4/.8

DN 68@6? 8P8F AO.8243=4/.8 DN 0AQ 3#Q RS%%TU+V'WXTWS%$"&KXTY Z@9 ;GG=; [BD?F 67[9898 ?@0@8 X!'!%$! EC79N B8109:@:D6H\:77N20FH 44Q44Q44Q44Q44Q44 2CB 44Q44Q44Q44Q44Q44D68@ A.5]4]4]A\< ?F7N8 >7?@ :7

J0:DBK:1@ 17C8J8C NC818CC8BK:1@ 17C8J8CD68@; QQA\A.< ?F7N8 >7?@

J0:DBK:1@ 17C8J8C NC818CC8BK:1@ 17C8J8C.Q :';Q RU&%+*V+^#W,XS#)V+^#WXTWS%$"&KXTY Z@9 A/G4 [BD?F 67[9898 ?@0@8 XT EC79N B8109:@

:D6H\8@>8C .;Q3AQA5Q8C 3.QG0Q4;Q8


21/29

!,8 -&1-/ &?&$ 0(4&:;4& ,8 (" 3,-% /+#2 5?3*-0A/Q JP:06AQ RU&%+*V+^#W,XS#)V+^#WXTWS%$"&KXTY Z@9 AG44 [BD?F 67[Z0?@8C 2C4 ?@0@8 X!'!%$! Z7B8 *"_+XS# EC79N B8109:@

:D6H\8@>8C 40Q/


22/29

!-&1/1*1 (-*178 B C'&8 7"89BN 4 4 4]4]4]4Q>DE


23/29

M FB \X?8C?\>:8F:8CF\B8J\NC7a8@?\*%V'"&\b96V76?9:\NC7a8F@M E96 B8J QQ [email protected]/BF5


24/29

Overlay Network / SWARM / CONSUL

b skynet skynet skynebh h

c1 c2 c3

ping c2ping c3.skynet

docker run --ti -d --net=skynet alpine

8500

libkv

libkv consul

Herve Leclerc@dt


25/29

Herve Leclerc@dt

Overlay network demo #2


26/29

Overlay network demo #2(d1) docker run -ti -d --name=A1alpine /bin/sh(d1) docker run -ti -d --name=A2alpine /bin/sh(d1) inspect --format '{{ .NetworkSettings.IPAddress }}' A1(d1) inspect --format '{{ .NetworkSettings.IPAddress }}' A2(d1) docker attach A2(d1) cat /etc/hosts # (on note quil ny a pas de mise jour du fichier)(d1) ping [IP de A1]------------------------------------------------------------------------------------------------------------------------------------------------------------------ (d1) docker network create d1net(d1) docker run -ti -d --name=B1--net=d1netalpine /bin/sh(d1) docker run -ti -d --name=B2--net=d1net alpine /bin/sh(d1) docker attach B2(d1) cat /etc/hosts # (on note quil ny a une mise jour du fichier avec b1 et b1.d1.net)(d1) ping [IP de A1] (pas de rponse)

(d1) ping B1.d1net(ping OK) # Attention les casse est importante avec alpine:(------------------------------------------------------------------------------------------------------------------------------------------------------------------ (d1) docker network create skynet(d2) docker network ls(d1) docker run -ti -d --name=C1--net=skynetalpine /bin/sh(d2) docker run -ti -d --name=C2--net=skynet alpine /bin/sh(d2) docker attach C2(d2) cat /etc/hosts # (on note quil ny a une mise jour du fichier avec C1et C1.skynet)(d2) ping [IP de A1] (pas de rponse)

(d2) ping B1.d1net(pas de rponse)

(d2) ping C1.skynet(ping ok)

Herve Leclerc@dt

Overlay network demo #3


27/29

Overlay network demo #3Orchestrer le dploiement et lutilisation dune stack lamp

skynet

http

Docker #1

Docker #2

mysql

php-fpm

NFSGlusterFS

EC2...

/var/www

/var/lib/mysql

80bridge

Herve Leclerc@dt

"#$%&'($#)8#/&G)3


28/29

+118"Q>7?@60Z8Q >@@NBOB8Z7OLNDZ0E8Q 0:@8CL0I\>@@NBQ.]/86JK1D:8QO ]\>@@NB]86JO ]\N>N1NZ]86J

68@Q hc!"#$%&'eN7C@?QO


29/29

Octo Talk Dockermulti Hostnetworking 151211120053

Documents

Transcript of Octo Talk Dockermulti Hostnetworking 151211120053