The New World ofThe New World ofDocker NetworkingDocker Networking

12

Nicola Kabar

|| nicola@docker.comSolutions Architect at DockerHelp Customers Design Solutions based on DockerCCIE (for those who care)Favorite Moto : "Ping works. Not my problem !!!"

@nicolakabar

3

Agenda

Old Networking ModelChallengesWhat's Multi-Host Networking?How does it work?DemoUse-casesRoadmap

4

5

Docker Networking (< 1.9)Docker Networking (< 1.9)Docker creates three networksbridge (default) --> containers in local docker0 bridgenull --> containers without any network interfaceshost --> containers use same interfaces as host ( same netns)

NETWORK ID NAME DRIVER51d5e0c6b3f4 bridge bridge0b240f7c1d73 none nullb9819d9c0380 host host

$ ifconfigdocker0 Link encap:Ethernet HWaddr 02:42:30:91:60:49 inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0 inet6 addr: fe80::1/64 Scope:Link inet6 addr: fe80::42:30ff:fe91:6049/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1 RX packets:23957697 errors:0 dropped:0 overruns:0 frame:0 TX packets:17161453 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:9273953094 (9.2 GB) TX bytes:4601244328 (4.6 GB)

6

ChallengesChallengesRequired host port mapping for multi-host deploymentNo network visibilityNeed linking for container discoveryNo horizontal scaling

7

The New Multi-Host Networking The New Multi-Host Networking Exited experimental in 1.9Batteries included: `overlay` network driver + IPAMNew network API + UXNetwork Driver + IPAM PluginsIntegration with Swarm and Compose ( --x-networking )

$ docker network --help

Usage: docker network [OPTIONS] COMMAND [OPTIONS]

Commands: disconnect Disconnect container from a network inspect Display detailed network information ls List all networks rm Remove a network create Create a network connect Connect container to a network

8

Under the Hood Under the Hood 1. VXLAN ==> Data Transport

Virtual eXtensible Local Area Networks L2 Network over an L3 network ( overlay )RFC7348Invisible to the containerHost as VXLAN Tunnel End Point (VTEP)Point-to-Multi-Point TunnelsProxy-ARP

9

Under the Hood Under the Hood 2. Key-Value Store ==> Cluster Discovery ( Strongly Consistent)

support etcd, zookeeper,consul,boltdbstore Network ID, Subnets, Nodes, VXLAN ID, IPAM...etc

3. Serf ==> Cluster Discovery (Eventually Consistent)

Gossip protocolPropagates cluster updates(e.g MAC <> VTEP IP mapping)

10

Under the Hood Under the Hood 4 . Network Namespaces ==> Host + Container Networks

A Linux Bridge per Subnet per Overlay Network per HostA VXLAN interface per Overlay Network per Host1 Linux Bridge per Host for default traffic (docker_gwbridge)Lazy creation ( Only if container is attached to network)

11

RequirementsRequirements Linux Kernel 3.16+

Docker Engine 1.9Underlying Open TCP/UDP Ports

Docker Engine port (e.g TCP 2376)VXLAN: UDP 4789Serf: TCP + UDP 7946Key-value store ( e.g for Consul TCP 8500)

Swarm 1.0Compose 1.5

12

Configuration WorkflowConfiguration Workflow 1. Create K/V Store

2. Configure Engines with `cluster-store` and `cluster-advertise`3. Create Overlays with `docker network create -d oberlay BLUE`4. Run containers with `--net BLUE`

$ docker network create -d overlay --subnet 10.10.10.0/24 BLUE68478121f0a73b7c27854f5ac7a7750bcb4bd1400d2fc20f1c1303aa72a5dfd5

$ docker network lsNETWORK ID NAME DRIVER68478121f0a7 BLUE overlay3748cf0d06c5 none nullc7be99c9c48f host host418e521b16a0 bridge bridge

13

Demo:Demo:Overlay NetworkingOverlay Networking

14

Use-cases:Use-cases:Multi-tenancySegmentationMulti-Cloud Networks

15

Roadmap:Roadmap:

IPv6 Support for OverlaysDNS-based service discoveryProxy containersEncryption

16

Thank you!Thank you!

www. .com

@nicolakabar