
Single Host Docker Networking


An overview of Single-Host Network features of Docker. Used at Docker-Barcelona on February 17th, 2015.

Published in: Technology


  1. Single-Host Networking @ Docker Barcelona
     By Jeff Nickoloff
  2. Who Am I?
     - Jeff Nickoloff, author of Docker in Action
     - On Twitter and Medium: @allingeek
     - Engineer and a manager
     - Formerly with
     - Loves micro-services, API contracts, distributed systems, and thinking about failure modes.
  3. Our Topic in Brief
     - Network Container Archetypes, Devices, and Topology
       - Closed
       - Bridged
       - Joined
       - Open
     - NET Namespace and ICC
     - Service Discovery
       - DNS
       - Container Linking
  4. Network Container Archetypes
     Controlled by the --net flag
  5. Closed Containers
     - --net none
     - No Virtual Ethernet Interface
       - No inbound network communication
       - No outbound network communication
     - Virtual Loopback Interface
       - All processes in the same closed container can communicate with each other.
  6. Bridged Containers
     - [default] --net bridge
     - Virtual Loopback Interface
       - All processes in the same container can communicate with each other.
     - Virtual Ethernet Interface! (really two interfaces)
       - Bound to the bridge network (docker0)
       - Bidirectional network access
     - Customize: DNS, MAC
  7. An Aside: docker0
     - Creates a network where all bridged containers are bound
     - Bridges the container network with the host's network
     - What can you change about the bridge? --bip, -b
  8. Joined Containers
     - --net container:<container name|id>
     - Create a new container reusing the devices and namespace of an existing container.
     - A container could join a closed or bridged container.
     - Each container maintains other isolation mechanisms.
     - Uses:
       - IP(C)C on loopback
       - Kernel Tuning
       - Monitoring
  9. Open Containers
     - --net host
     - No private devices
     - No read-only copy of network-related /proc and /sys
     - Direct access to host network resources
       - This includes virtual network devices for other containers
     - Access to modify network-related Kernel settings
     - It is as though you are not running in a container at all
  10. Routing Inbound Traffic
     - Containers with a virtual Ethernet device (bridged) can bind to ports on that interface.
     - Forwarding rules are created at container creation time.
     - -p=[], --publish=[]
       - ip:hostPort:containerPort
       - ip::containerPort
       - hostPort:containerPort
       - containerPort
     - -P, --publish-all
       - Rules based on the "exposed" ports (image metadata and --expose)
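The four -p spec forms on slide 10 are easy to misread when reviewing a run command, and the ones without an ip (or with 0.0.0.0) make the container port reachable on every host interface. The following sh script is an added example, not code from the deck: it normalises each spec form into ip, hostPort and containerPort and counts the specs that bind host-wide. The function names and the sample specs are mine; the spec syntax itself is the one the slide lists.

```shell
#!/bin/sh
# Added example (not from the slides): normalise the four `-p` spec forms
# from the "Routing Inbound Traffic" slide and flag host-wide bindings.
# Only the spec syntax comes from the deck; the audit policy is ours.

# parse_publish SPEC -> prints "ip=<ip> host=<hostPort> container=<containerPort>"
# Forms handled: ip:hostPort:containerPort | ip::containerPort |
#                hostPort:containerPort    | containerPort
parse_publish() {
    spec=$1
    ip=""; host=""; container=""
    # The number of colons identifies the form. `tr -dc` keeps only colons.
    colons=$(printf '%s' "$spec" | tr -dc ':' | wc -c | tr -d ' ')
    case "$colons" in
        2) ip=${spec%%:*}; rest=${spec#*:}; host=${rest%%:*}; container=${rest#*:} ;;
        1) host=${spec%%:*}; container=${spec#*:} ;;
        0) container=$spec ;;
        *) echo "parse_publish: bad spec '$spec'" >&2; return 1 ;;
    esac
    printf 'ip=%s host=%s container=%s\n' "$ip" "$host" "$container"
}

# bind_scope SPEC -> "wildcard" when the host side answers on every interface
# (no ip given, or 0.0.0.0), otherwise "scoped". An empty hostPort means the
# daemon picks an ephemeral port, but the interface question is the same.
bind_scope() {
    out=$(parse_publish "$1") || return 1
    ip=${out#ip=}; ip=${ip%% *}
    case "$ip" in
        ""|0.0.0.0) echo wildcard ;;
        *) echo scoped ;;
    esac
}

# audit_publish_flags SPEC... -> prints the count of wildcard specs and
# reports each one on stderr.
audit_publish_flags() {
    n=0
    for s in "$@"; do
        if [ "$(bind_scope "$s")" = wildcard ]; then
            echo "WARN $s reachable on all host interfaces" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample flags, as they would appear on a `docker run` line.
audit_publish_flags "127.0.0.1:8080:80" "0.0.0.0::443" "5432:5432" "6379"
```

Only the first sample spec is limited to the loopback interface; the other three are reported, so the script prints 3. The same check applies to -P, since every exposed port is then published with the hostPort:containerPort form.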
  11. NET Namespace
  12. NET Namespace
     - Closed and Bridged containers each have their own kernel network namespace
     - Joined containers reuse an existing namespace
     - Open containers have no network namespace (or operate in the host's namespace)
     - This is important to remember if you wanted to tune your Kernel from a container (container-only deployments)
  13. Inter-Container Communication
     - By default inter-container network communication is wide open on the bridge network.
     - Any bridged container can reach any port on any container. Unless...
     - You can disable ICC on the command line when you start the docker daemon with "--icc=false"
       - It will create a DENY rule for all container-to-container traffic
     - See also:
       - Exploring Local Docker Bridge Networks
       - Safer Local Docker Networks
     - What if I want to communicate between containers?
  14. Container Linking
     - --link <container name|id>:<link alias>
     - Links describe one-way dependencies
     - Enable two-way communication if ICC is disabled
       - ALLOW rules on dependency for exposed ports (--expose)
     - Weave address information in on named environment variables and hosts
     - Created at container creation time
     - Not updated with dependency termination / restarts (yet)
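Slides 13 and 14 describe the effect of --icc=false and --link in terms of DENY and ALLOW rules. The following sh script is an added example, not code from the deck: it reads iptables-save style output and reports whether bridge-to-bridge traffic on docker0 is dropped and which per-port ACCEPT rules a link has added through that block. The exact rule shapes (a DROP on docker0-to-docker0 in FORWARD for --icc=false, and src/dst/dport ACCEPT pairs in the DOCKER chain for a link) are my assumption about how the 1.x daemon writes them, and the sample output is constructed; run it against real `iptables-save` output on your host to confirm.

```shell
#!/bin/sh
# Added example (not from the deck): read iptables-save style output and
# report whether inter-container traffic on docker0 is denied and which
# link ALLOW rules punch through it. The rule shapes are an assumption
# about how the Docker 1.x daemon wrote them (DROP on docker0->docker0 for
# --icc=false, per-port ACCEPT pairs for --link); check against your host.

# Constructed sample of `iptables-save` output for a host running the
# daemon with --icc=false and one link (app 172.17.0.3 -> db 172.17.0.2,
# with port 5432 exposed by the db image).
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 -o docker0 -j DROP
-A DOCKER -s 172.17.0.3/32 -d 172.17.0.2/32 -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -s 172.17.0.2/32 -d 172.17.0.3/32 -i docker0 -o docker0 -p tcp -m tcp --sport 5432 -j ACCEPT
COMMIT'

# icc_state -> "denied" when the bridge-to-bridge DROP rule is present,
# "open" otherwise (the daemon default). Reads rules on stdin.
icc_state() {
    if grep -q -- '-A FORWARD -i docker0 -o docker0 -j DROP'; then
        echo denied
    else
        echo open
    fi
}

# link_allows -> one line "src dst dport" per ACCEPT rule that opens a
# destination port between two containers on the bridge. Reads stdin.
# The matching --sport rule of each pair is the reply path, so it is skipped.
link_allows() {
    awk '/^-A DOCKER / && /-i docker0 -o docker0/ && /--dport/ && /-j ACCEPT$/ {
        src = ""; dst = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-d") dst = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print src, dst, port
    }'
}

# count_link_allows -> number of such rules. Reads stdin.
count_link_allows() {
    link_allows | wc -l | tr -d ' '
}

# Stand-alone demo over the constructed sample. On a real host pipe the
# live ruleset in instead: `iptables-save | icc_state`.
printf '%s\n' "$SAMPLE_RULES" | icc_state
printf '%s\n' "$SAMPLE_RULES" | link_allows
```

On the sample the script reports `denied` and a single allow, 172.17.0.3/32 to 172.17.0.2/32 on port 5432, which is exactly the one-way dependency the link expressed: nothing else on the bridge can reach the database, and the app container cannot reach any port the db image did not expose.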
  15. DNS
     - Links create hosts entries
     - Add one or more hosts entries at container creation time: --add-host=[]
     - Set DNS servers per container or as a default: --dns=[]
     - Set DNS search domains per container or as a default: --dns-search=[]
  16. Questions and Follow Up
     - My articles on Docker –
     - Docker in Action –