An in-depth look into Docker Networking. We will cover all the networking features natively available in Docker and take you through hands-on exercises designed to help you learn the skills you need to deploy and maintain Docker containers in your existing network environment.
Led by Docker Networking Pros:
Madhu Venugopal
Jana Radhakrishnan
4. Why is Networking important?
• Traditional networking is incredibly vast and complex
• But networking is an inherent part of distributed applications
• Make it developer-friendly and application-driven
5. “We'll do for Networking what Docker did for Compute.” — Moby
6. Goals
• Make "network" a first-class object
• Distributed application portability
• Secure control and data paths
• Provide a pluggable networking stack
• Span networks across multiple hosts
• Support multiple OS platforms
7. Design Philosophy
• Users First:
  • Application Developers
  • IT/Network Ops
• Plugin API Design
• Batteries Included but Swappable
10. What’s libnetwork?
• Library for creating and managing network stacks for containers
• Driver-based networking
• Implements the Container Network Model
• Native service discovery and load balancing
11. Key Advantages
• Pluggability: Flexibility
• Docker Native UX and API: User Friendly
• Distributed: Scalability + Performance
• Decentralized: Highly Available
• Out-of-the-Box Support with Docker Datacenter
22. Overlay Networking Under the Hood
1. VXLAN => Data Transport
• Virtual eXtensible Local Area Networks
• L2 network over an L3 network (overlay)
• RFC 7348
• Invisible to the container
• Host as VXLAN Tunnel End Point (VTEP)
• Point-to-Multi-Point Tunnels
• Proxy-ARP
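To make the "L2 over L3" transport concrete, here is an added example (not from the slides) that builds and decodes a VXLAN-encapsulated frame as laid out in RFC 7348, i.e. what one Docker host acting as VTEP sends to another on UDP port 4789. The MAC addresses, VNI and payload below are constructed values.

```python
"""Build and parse the UDP payload of a VXLAN packet (RFC 7348).
Added example; the sample frame and all its values are made up."""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08    # the "I" bit: the VNI field is valid


def build_vxlan_payload(vni: int, dst_mac: bytes, src_mac: bytes,
                        ethertype: int, inner_payload: bytes) -> bytes:
    """8-byte VXLAN header followed by the inner Ethernet frame."""
    header = (bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0])
              + vni.to_bytes(3, "big") + b"\x00")
    return header + dst_mac + src_mac + struct.pack("!H", ethertype) + inner_payload


def parse_vxlan_payload(payload: bytes) -> dict:
    """Split a VXLAN UDP payload into VNI and inner L2 frame.

    Header layout: flags (1 byte), 3 reserved bytes, VNI (3 bytes),
    1 reserved byte. Everything from byte 8 on is the inner frame.
    """
    if len(payload) < 8 + 14:
        raise ValueError("too short for VXLAN header plus inner Ethernet header")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    inner = payload[8:]
    return {
        "vni": int.from_bytes(payload[4:7], "big"),
        "inner_dst_mac": inner[0:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload": inner[14:],   # travels in the clear on the underlay
    }


# Constructed sample: VNI 256, two container MACs, IPv4 ethertype and a
# stand-in for the encapsulated container-to-container data.
SAMPLE = build_vxlan_payload(256, bytes.fromhex("0242ac120002"),
                             bytes.fromhex("0242ac120003"), 0x0800,
                             b"container-to-container data")


def decode_sample() -> dict:
    return parse_vxlan_payload(SAMPLE)
```

The inner frame comes back out of the UDP payload byte for byte: VXLAN separates overlay networks by VNI but adds no confidentiality, so whoever can read underlay traffic between the hosts can read container traffic unless the overlay is encrypted (Docker 1.12 swarm-mode overlay networks accept `--opt encrypted` for this).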
24. Overlay Networking Under the Hood
3. Network Namespaces
• A Linux bridge per subnet per overlay network per host
• A VXLAN interface per overlay network per host
• 1 Linux bridge per host for default traffic (docker_gwbridge)
• Lazy creation (only if a container is attached to the network)
25. Overlay Networking Under the Hood
[Diagram: containers C1 to C5 spread over Docker Host 1 and Docker Host 2; on each host the containers attach through veth pairs to a bridge br0, and a VXLAN interface on each host carries the overlay traffic out through the host NIC]
28. Embedded DNS Under the Hood
• DNS listener per container
• Distributed (for both bridge and overlay)
• Proxy for external DNS services
• Can be used with DNSSEC
[Diagram: the engine runs a DNS server; each container's DNS resolver sends its DNS requests to it]
32. Lab Access
• 2 VMs per attendee
• Ubuntu 15 based with Docker 1.12!
• You received an SSH pem/ppk key and VM info
• Go ahead and SSH into one of the machines.
33. Pre-Defined Networks
bridge (default) --> containers attached to the local docker0 bridge
null --> containers without any network interfaces
host --> containers use the same interfaces as the host (same netns)
34. Exercise 0: Explore Docker Networks
- Run `docker network ls` to list all the networks on the host
- Run `docker network inspect <network_name>` to inspect a network
- You can easily remove a network with `docker network rm <network_name>`. No need to remove any network… but you can try
35. Exercise 1: Pre-Defined Networks
- Start a container with the `none` network and explore `ifconfig`
  - `docker run -it --net=none mrjana/lab`
- Try to ping www.docker.com
- Are the results expected?
- What are the key use-cases and disadvantages of using `none` networks?
36. Exercise 2: Pre-Defined Networks
- Start a container with the `host` network and explore `ifconfig`
  - `docker run -it --net=host mrjana/lab`
- Run `tcpdump -i eth0 port 22` and explore the results
- Are the results expected?
- What are the key use-cases and disadvantages of using `host` networking?
37. Exercise 3: User-Defined Networks
- Create a custom bridge network and call it `mynet`
  - `docker network create -d bridge mynet`
- Start two containers on the `mynet` network and name them c1 and c2
  - `docker run -itd --net=mynet --name c1 mrjana/lab`
  - `docker run -itd --net=mynet --name c2 mrjana/lab`
- Run `ping c1` from the c2 container.
- Run `nslookup c1` from the c2 container and explore the results
38. Exercise 4: Aliases and Load Balancing
- Start two containers on the `mynet` network and name them c3 with network alias `foo` and c4 with network alias `bar`.
  - `docker run -itd --net=mynet --name c3 --net-alias foo mrjana/lab`
  - `docker run -itd --net=mynet --name c4 --net-alias bar mrjana/lab`
- Run `ping c3` from the c4 container.
- Run `ping foo` from the c4 container. What do you observe?
- Let's create another container c5 that is part of the `foo` network alias.
- Run `ping foo` from the c4 container. What do you observe?
- Run `nslookup foo` from the c4 container and explore the results
39. Exercise 5: Multi-Network Container Connection
- Create another network and name it `myothernet`
- Start two more containers: container c6 on the `mynet` network and c7 on the `myothernet` network.
  - `docker run -itd --net=mynet --name c6 mrjana/lab`
  - `docker run -itd --net=myothernet --name c7 mrjana/lab`
- Now let’s create another container `c8` on the `mynet` network.
  - `docker run -itd --net=mynet --name c8 mrjana/lab`
- Now connect c8 to `myothernet`
  - `docker network connect myothernet c8`
- Try to ping c6 and c7 from c8.
- Can you ping c7 from c6?
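To reason about the reachability these exercises create (and to spot the two shapes a reviewer cares about: a container straddling several networks, as c8 does here, and a container in the host network namespace, as in Exercise 2), here is an added example that is not part of the lab. It reads the JSON that `docker inspect` prints; `SAMPLE_INSPECT` is a constructed, trimmed imitation of that output for c6, c7, c8 and a host-mode container named hostmode.

```python
"""Audit `docker inspect` output for network attachments.
Added example; SAMPLE_INSPECT is constructed, not captured from the lab."""
import json

SAMPLE_INSPECT = json.dumps([
    {"Name": "/c6", "HostConfig": {"NetworkMode": "mynet"},
     "NetworkSettings": {"Networks": {"mynet": {"IPAddress": "172.18.0.2"}}}},
    {"Name": "/c7", "HostConfig": {"NetworkMode": "myothernet"},
     "NetworkSettings": {"Networks": {"myothernet": {"IPAddress": "172.19.0.2"}}}},
    {"Name": "/c8", "HostConfig": {"NetworkMode": "mynet"},
     "NetworkSettings": {"Networks": {"mynet": {"IPAddress": "172.18.0.3"},
                                      "myothernet": {"IPAddress": "172.19.0.3"}}}},
    {"Name": "/hostmode", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
])


def networks_by_container(inspect_json: str) -> dict:
    """Map container name -> set of networks it is attached to."""
    result = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")           # docker prefixes names with "/"
        nets = set(c.get("NetworkSettings", {}).get("Networks", {}))
        if c.get("HostConfig", {}).get("NetworkMode") == "host":
            nets.add("host")
        result[name] = nets
    return result


def shared_networks(inspect_json: str, a: str, b: str) -> set:
    """Networks both containers sit on. Empty means no direct path:
    Docker does not route between user-defined networks, which is why
    c6 cannot ping c7 while c8 can reach both."""
    nets = networks_by_container(inspect_json)
    return nets[a] & nets[b]


def audit(inspect_json: str) -> list:
    """(container, finding) pairs for the two shapes worth a second look."""
    findings = []
    for name, nets in networks_by_container(inspect_json).items():
        if "host" in nets:
            findings.append((name, "host netns: sees every host interface"))
        if len(nets - {"host"}) > 1:
            findings.append((name, "bridges " + " + ".join(sorted(nets))))
    return findings
```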