DCSF 19 Data Center Networking with Containers


One of the common challenges for organizations moving more workloads to containers is running them inside a data center where containerized and non-containerized workloads still need to reach each other. In many organizations that means providing access to and from a container and a traditional VLAN service or network at Layer 2. In this session we explain how containers can interact with traditional network assets directly, without NAT or port publishing through the host, by using MACVLAN (Linux) and Transparent networks (Windows), both of which allow multiple MAC addresses on the same physical interface. We outline how the concepts are similar but the implementations differ by demonstrating the same setup on Linux with MACVLAN and on Windows with Transparent networks.


  1. Data Center Networking with Containers. Shaker Gilbert, Solution Engineer, Docker
  2. AGENDA
     ● Common Use Case
     ● Comparisons of Support
     ● Caveats
     ● MACVLAN Modes
     ● Transparent Networking Modes
     ● Demos
     ● Q&A
  3. COMMON USE CASE: Overlay and bridge networking is preferred, but... Diagram: Traditional App (192.168.11.221) and Traditional DB (192.168.11.121), both on VLAN_1
  4. COMMON USE CASE: Overlay and bridge networking is preferred, but... Diagram: Container APP (192.168.11.221) and Traditional DB (192.168.11.121), both on VLAN_1; labels host_net, default_gw
  5. Comparisons of Support (columns: LINUX, WINDOWS). Features compared:
     ● Single and Bonded / Teamed Interfaces
     ● Bridge Mode (parent interface)
     ● Trunked Bridge Mode
     ● L2 Trunked Bridge (IPVLAN)
     ● Dual-Stacked MACVLAN Mode
     ● MultiCast
     ● IP Range Pools
     ● IP Address Exclusions
     ● Hyper-V Host Integrated
     ● Customized DNS Suffix and Servers
     ● IPv4 & IPv6
     (Per-platform support is itemized on slides 8 and 13.)
  6. Caveats
     ● Docker Services are not supported (host mode only, i.e. docker run)
     ● Avoid IP address exhaustion and IP conflicts: containers draw from the same VLAN address space as the traditional workloads, so exclude addresses already in use and carve out a dedicated range
     ● Service Discovery is not supported
     ● Network Encryption is not supported
     ● Cloud providers block macvlan networking (their virtual network drops frames from MAC addresses it did not assign to the VM's NIC)
     ● Networking equipment, both physical and virtual, must support promiscuous mode: the parent NIC and every virtual switch port in the path must accept frames from more than one MAC address (on a hypervisor vSwitch this is the "forged transmits" / MAC address spoofing policy)
     Note: if multiple networks that use an external vSwitch for connectivity (e.g. Transparent, L2 Bridge, L2 Transparent) are created on the same container host, each of them requires its own network adapter.
  7. MACVLAN Modes
  8. Linux Server. Supported Features:
     ● Single and Bonded / Teamed Interfaces
     ● Bridge Mode (parent interface)
     ● Trunked Bridge Mode 802.1q
     ● IPVLAN Trunked Bridge 802.1q
     ● Dual-Stacked MACVLAN Mode
     ● IPv4 & IPv6
     ● MultiCast
     ● IP Address Exclusions
     ● IP Range Pools
     Requirements: host-native / libnetwork MACVLAN driver; Linux kernel 3.9 or later
  9. Bridge Mode. Useful when containers need to access the same network resources that are shared by the host they are on.
     ● Container has its own MAC address
     ● Container appears to be physically connected on the host network
     ● DHCP and static IP supported
     ● All containers on the bridge can communicate over Layer 2
     ● Exclude the host IP from IPAM (--aux-address)
     ● Use IP ranges (--ip-range) so IPAM stays away from addresses the VLAN already uses
     docker network create --driver macvlan --subnet=172.16.1.0/24 --gateway=172.16.1.1 --aux-address="host=172.16.1.52" --ip-range=172.16.1.0/24 -o parent=eth0 hostnet
     (--aux-address takes a name=address pair; 172.16.1.52 is the host's own address, as in the demo on slide 19. As written, --ip-range covers the whole subnet and so does not restrict IPAM at all; a narrower block such as a /28 would.)
     Diagram: eth0 (default_net)
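The exclusion and IP-range bullets above, together with the IP-exhaustion and IP-conflict caveat on slide 6, as an added worked example that is not part of the deck: a small Python planner that builds the macvlan bridge-mode command with the host's address excluded and a carved-out --ip-range, and reports how many addresses IPAM can still allocate. The function name, the "nfs" reservation label and the /28 range are assumptions for illustration; the addressing is the deck's 172.16.1.0/24 with the host at .52.

```python
# Added example (not from the slides): plan a macvlan bridge-mode network so
# libnetwork's IPAM can never hand a container the host's own address, the
# gateway, or an address something else on the VLAN already uses.
import ipaddress
import shlex


def plan_macvlan_bridge(subnet, gateway, host_ip, container_range,
                        reserved=None, parent="eth0", name="hostnet"):
    """Build the `docker network create` command for one macvlan bridge network.

    subnet/gateway   the VLAN as the host sees it (--subnet / --gateway)
    host_ip          the host's own address on `parent`; always excluded
    container_range  CIDR block inside `subnet` that IPAM may allocate from (--ip-range)
    reserved         {label: address} of other addresses IPAM must skip (--aux-address),
                     e.g. a DHCP pool member or a traditional server on the same VLAN

    Returns the command string, the number of addresses IPAM can still allocate,
    and warnings about choices that invite IP conflicts.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    host = ipaddress.ip_address(host_ip)
    rng = ipaddress.ip_network(container_range, strict=True)
    reserved = {k: ipaddress.ip_address(v) for k, v in (reserved or {}).items()}

    if not rng.subnet_of(net):
        raise ValueError(f"--ip-range {rng} is not inside --subnet {net}")
    for label, addr in [("gateway", gw), ("host", host), *reserved.items()]:
        if addr not in net:
            raise ValueError(f"{label} address {addr} is not inside --subnet {net}")

    # --aux-address takes name=address pairs: the host first, then the caller's
    # reservations. Docker reserves the gateway on its own.
    aux = {"host": host, **reserved}

    # Upper bound on what IPAM can hand out: the range minus the subnet's
    # network/broadcast addresses, the gateway, and every exclusion inside it.
    pool = set(rng) - {net.network_address, net.broadcast_address, gw} - set(aux.values())
    capacity = len(pool)

    warnings = []
    if rng == net:
        warnings.append("--ip-range equals --subnet: IPAM may allocate any address "
                        "the VLAN's DHCP server or static hosts already use")
    if capacity == 0:
        warnings.append("no allocatable addresses left in --ip-range")

    argv = ["docker", "network", "create", "--driver", "macvlan",
            f"--subnet={net}", f"--gateway={gw}", f"--ip-range={rng}"]
    argv += [f"--aux-address={label}={addr}" for label, addr in aux.items()]
    argv += ["-o", f"parent={parent}", name]
    return {"command": " ".join(shlex.quote(a) for a in argv),
            "capacity": capacity, "warnings": warnings}


if __name__ == "__main__":
    # Constructed input: the deck's host network, a /28 for containers, and an
    # assumed NFS server at .60 that must stay out of the pool.
    plan = plan_macvlan_bridge("172.16.1.0/24", "172.16.1.1", "172.16.1.52",
                               "172.16.1.48/28", reserved={"nfs": "172.16.1.60"})
    print(plan["command"])
    print("allocatable addresses:", plan["capacity"], plan["warnings"])
```

Feeding the slide's own values (an --ip-range equal to the /24) produces the warning, which is the point: on a shared VLAN the range is what keeps libnetwork's IPAM from stepping on addresses the DHCP server or the traditional hosts are already using.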
  10. Trunked Bridge Mode (802.1q). Useful when containers need access to resources on traditional VLAN networks, isolation domains and security profiles.
     ● Container has its own MAC address
     ● Appears on the same network (VLAN) to other network devices
     ● Sub-interfaces are created automatically
     ● The sub-interface (e.g. eth1.10) applies the VLAN tag
     docker network create --driver macvlan --subnet=192.168.11.0/24 --gateway=192.168.11.1 -o parent=eth1.10 vlan10
     Diagram: eth0 (default_net); eth1 with sub-interfaces .10 and .20
  11. Dual-Stack Bridge. Useful when multiple networks are required and/or both IPv4 and IPv6 addresses are needed on the same VLAN.
     ● Container has its own MAC address
     ● Containers appear to be physically connected on the host port
     ● Manual IP assignment on the network
     ● Enable IPv6 in /etc/docker/daemon.json: "ipv6": true
     docker network create --driver macvlan --ipv6 --subnet=192.168.10.0/24 --subnet=192.168.12.0/24 --gateway=192.168.10.1 --gateway=192.168.12.1 --subnet=2001:0db8:85a3:0000::/64 --gateway=2001:0db8:85a3:0000::10 -o parent=eth1.46 -o macvlan_mode=bridge vlan46
     (--ipv6 enables IPv6 on the user-defined network; each --gateway is matched to the --subnet that contains it.)
     Diagram: eth0 (default_net); eth1 with sub-interface .46
  12. Transparent Modes
  13. Windows Server. Supported Features:
     ● Single and Teamed Interfaces
     ● Bridge Mode (parent interface)
     ● Trunked Bridge Mode 802.1q
     ● Layer 2 Bridge 802.1q
     ● Libnetwork communicates with HNS (Host Networking Service)
     ● Hyper-V host integrated
     ● Windows host firewall rules apply to container networks
     Requirements: host-native / libnetwork; Windows Server 2016 & 2019
  14. Transparent Bridge Mode. Useful when containers need to access the same network resources that are shared by the host they are on.
     ● Container has its own MAC address
     ● Container appears to be physically connected on the host network
     ● IP assignment either static or DHCP
     ● Windows Firewall rules apply
     docker network create -d transparent --subnet="172.16.1.0/24" --gateway="172.16.1.1" -o com.docker.network.windowsshim.interface="Ethernet0" -o com.docker.network.windowsshim.networkname="hostnet" hostnet
     Diagram: Ethernet0 (hostnet)
  15. Trunked Bridge Mode (802.1q). Useful when containers need access to resources on traditional VLAN networks, isolation domains and security profiles.
     ● Container has its own MAC address
     ● Appears on the same network (VLAN) to other network devices
     ● IP assignment either static or DHCP
     ● VLAN ID must be specified per network
     docker network create -d transparent --subnet="192.168.11.0/24" --gateway="192.168.11.1" -o com.docker.network.windowsshim.interface="Ethernet1" -o com.docker.network.windowsshim.vlanid="10" -o com.docker.network.windowsshim.networkname="vlan10" vlan10
     Diagram: Ethernet0 (hostnet); Ethernet1 (vlan10)
  16. Layer 2 Bridge Mode. Useful when the local switch restricts the total number of MAC addresses that it can manage.
     ● Container shares the host MAC address (the host rewrites the container's MAC on its way to the wire)
     ● Container appears to be physically connected on the host network
     ● Static IP assignment required
     docker network create -d l2bridge --subnet="172.16.1.0/24" --gateway="172.16.1.1" -o com.docker.network.windowsshim.interface="Ethernet0" -o com.docker.network.windowsshim.dnssuffix="docker.ee" -o com.docker.network.windowsshim.dnsservers="172.16.1.6" -o com.docker.network.windowsshim.networkname="corpnet" corpnet
     Diagram: Ethernet0 (hostnet)
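The trunked networks on slides 10 and 15 and the dual-stack network on slide 11, as an added example that is not part of the deck: one network definition rendered as either the Linux macvlan command or the Windows transparent command, with the 802.1q VLAN ID, the gateway placement and the overlap between networks checked before anything is created. The trunk adapter names eth1 and Ethernet1, the function names and the constructed definitions are assumptions; the example generalizes the slides by accepting any number of subnets on Linux and rejecting definitions that the single-subnet Windows form on slide 15 cannot express.

```python
# Added example (not from the slides): describe a VLAN-attached container
# network once and render it for either platform, refusing definitions that
# would tag the wrong VLAN, point at an unreachable gateway, or collide with
# another network's addresses (the IP-conflict caveat).
import ipaddress

LINUX_TRUNK_PARENT = "eth1"      # assumed: trunk port carrying tagged VLANs (Linux)
WINDOWS_TRUNK_NIC = "Ethernet1"  # assumed: trunk-facing adapter (Windows)


def _nets(spec):
    return [ipaddress.ip_network(s["subnet"], strict=True) for s in spec["subnets"]]


def validate(spec):
    """802.1q allows VLAN IDs 1-4094; every --gateway must lie inside its --subnet."""
    if not 1 <= spec["vlan"] <= 4094:
        raise ValueError(f"{spec['name']}: VLAN ID {spec['vlan']} outside 1-4094")
    for s, net in zip(spec["subnets"], _nets(spec)):
        if ipaddress.ip_address(s["gateway"]) not in net:
            raise ValueError(f"{spec['name']}: gateway {s['gateway']} not in {net}")
    return True


def check_no_overlap(specs):
    """Two networks sharing addresses is the IP-conflict caveat; refuse it up front."""
    seen = []
    for spec in specs:
        for net in _nets(spec):
            for other_name, other in seen:
                if net.version == other.version and net.overlaps(other):
                    raise ValueError(f"{spec['name']} {net} overlaps {other_name} {other}")
            seen.append((spec["name"], net))
    return True


def linux_command(spec):
    """macvlan on a VLAN sub-interface; --ipv6 is needed as soon as an IPv6 subnet is given."""
    validate(spec)
    flags = ["--driver", "macvlan"]
    if any(net.version == 6 for net in _nets(spec)):
        flags.append("--ipv6")
    for s in spec["subnets"]:
        flags += [f"--subnet={s['subnet']}", f"--gateway={s['gateway']}"]
    flags += ["-o", f"parent={LINUX_TRUNK_PARENT}.{spec['vlan']}", "-o", "macvlan_mode=bridge"]
    return "docker network create " + " ".join(flags) + f" {spec['name']}"


def windows_command(spec):
    """transparent network with a per-network VLAN ID; one IPv4 subnet, as on slide 15."""
    validate(spec)
    v4 = [s for s, net in zip(spec["subnets"], _nets(spec)) if net.version == 4]
    if len(spec["subnets"]) != 1 or len(v4) != 1:
        raise ValueError(f"{spec['name']}: this renderer handles exactly one IPv4 subnet")
    s = v4[0]
    opts = [("interface", WINDOWS_TRUNK_NIC), ("vlanid", str(spec["vlan"])),
            ("networkname", spec["name"])]
    parts = ["docker", "network", "create", "-d", "transparent",
             f'--subnet="{s["subnet"]}"', f'--gateway="{s["gateway"]}"']
    for key, value in opts:
        parts += ["-o", f'com.docker.network.windowsshim.{key}="{value}"']
    return " ".join(parts) + f" {spec['name']}"


# Constructed definitions using the addressing from slides 10, 11 and 15.
VLAN10 = {"name": "vlan10", "vlan": 10,
          "subnets": [{"subnet": "192.168.11.0/24", "gateway": "192.168.11.1"}]}
VLAN46 = {"name": "vlan46", "vlan": 46,
          "subnets": [{"subnet": "192.168.10.0/24", "gateway": "192.168.10.1"},
                      {"subnet": "192.168.12.0/24", "gateway": "192.168.12.1"},
                      {"subnet": "2001:db8:85a3::/64", "gateway": "2001:db8:85a3::10"}]}

if __name__ == "__main__":
    check_no_overlap([VLAN10, VLAN46])
    print(linux_command(VLAN10))
    print(windows_command(VLAN10))
    print(linux_command(VLAN46))
```

Running check_no_overlap across every network a host will carry, Linux and Windows alike, is the cheap version of the "manage IP segments and subnets carefully" advice on slide 22: a second network that re-uses part of 192.168.11.0/24 is rejected before two containers can claim the same address on the wire.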
  17. Demos: What could go wrong?
  18. Review
  19. Linux Demos
     host: mysqlx, IP: 192.168.11.201, app: mysql database
     host: linux2.docker.ee, IP: 172.16.1.52, app: wordpress, network: macvlan.1 : 192.168.11.192/29
     host: linux2.docker.ee, IP: 172.16.1.52, app: nginx (default network), network: macvlan.10, IP: 172.16.1.233
     docker run -d --rm --name wordpress --network=macvlan_vlan1 --expose 80 -e WORDPRESS_DB_HOST=192.168.11.201:3306 -e WORDPRESS_DB_USER=4linux -e WORDPRESS_DB_PASSWORD=4linux -e WORDPRESS_DB_NAME=4linux -v nfs_4linux:/var/www/html wordpress
     docker run -d --rm --network=macvlan_10 --ip="172.16.1.233" --expose 80 nginx
     (The slide's "-e 80" sets no useful environment variable. On a macvlan network the container is reached directly on its own address, so no -p publishing is involved; --expose 80 only documents the port.)
  20. Windows Demos
     host network IP: 172.16.1.0/24
     host: windows2.docker.ee, IP: 172.16.1.62, app: IIS (default network), network: vlan10, IP: 172.16.1.234
     docker run -d --rm --name iis --network=vlan10 --expose 80 --ip="172.16.1.234" <iis-image>
     (The image name is cut off on the slide; <iis-image> is a placeholder.)
  21. Working Together, Yes we can! Diagram: eth0 / Eth0 on default_net, eth1 / Eth1 on vlan1 (sub-interface .1)
  22.
     ● Limit the use cases for MACVLAN & Transparent networking
     ● Use them to segment Layer 2 app communication as needed
     ● Manage IP segments and subnets carefully
     ● Host services (docker run) need special handling considerations
  23. Sign up for the Enterprise 3.0 Beta: beta.docker.com
  24. Rate & Share: rate this session in the DockerCon App; tweet #DockerCon
  25. Get Hands On. Play With Docker: free self-paced hands-on labs to help you level up your Docker knowledge, https://dockr.ly/pwd. Play With Kubernetes: learn the basic concepts of Kubernetes all within your browser, https://dockr.ly/pwk
  26. Questions?
