Pipework: Software-Defined Network for Containers and Docker

•

20 likes•9,147 views

Pipework lets you connect together containers in arbitrarily complex scenarios. Pipework uses cgroups and namespaces and works with "plain" LXC containers (created with lxc-start), and with the awesome Docker. It's nothing less than Software-Defined Networking for Linux Containers! This is a short presentation about Pipework, given at the Docker Networking meet-up November 6th in Mountain View. More information: - https://github.com/jpetazzo/pipework - http://www.meetup.com/Docker-Networking/

Technology

Pipework
The little SDN container framework
that you should NOT use

Jérôme
Petazzoni
(@jpetazzo)
 Grumpy French DevOps
- Go away or I will replace you
with a very small shell script
 Runs everything in containers
- Docker-in-Docker
- VPN-in-Docker
- KVM-in-Docker
- Xorg-in-Docker
- ...

Use cases
● Performance
– Linux bridge, iptables, conntrack... Ohnoes!
● Integration into existing networks
– VLAN, bonding...
– IP addr management
● Work at L2/L3 instead of L4
– Ethernet/IP vs TCP, UDP

Modus Operandi
● Create network interfaces
● Move them to containers
(while they're running)
● Configure network interfaces
(from outside)
● Shell script

Upsides of /bin/sh
● Easy to understand
● Easy to rip out the bits you (don't) need
● Most things we do require exec anyway
(ip, route, brctl, etc)
● Complicated stuff is hard to implement
(avoid feature creep, e.g. IPAM)

Features
● Start a container:
docker run --name db mysql
● Give it an IP address:
pipework eth0 mysql 10.1.1.1/24

Features
● Start a container:
docker run --name db mysql
● Give it an IP address:
pipework eth0 mysql 10.1.1.1/24
^^^^
● Physical eth0 on the machine

Features
● Start a container:
docker run --name db mysql
● Give it an IP address:
pipework br0 mysql 10.1.1.1/24
^^^
● Pre-existing bridge

Features
● Start a container:
docker run --name db mysql
● Give it an IP address:
pipework ovsbr0 mysql 10.1.1.1/24
^^^^^^
● Open vSwitch bridge

Features
● Start a container:
docker run --name db mysql
● Give it an IP address:
pipework ovsbr0 mysql dhcp
^^^^
● DHCP

Features
● Start a container:
docker run --name db mysql
● Give it an IP address:
pipework ovsbr0 mysql dhcp @10
^^^
● VLAN

Features
● Fixed address or DHCP
● Random MAC or fixed MAC
● Change netmask, default route
● Linux bridges, OVS bridges
● IP over Infiniband
● Multiple interfaces

Pipework:
● Will not be integrated into Docker
(probably)
● Is not necessary anymore in many cases
(thanks to host networking)
● Is not actively maintained
(but I'll happily merge PRs)

What do?
● Use it as a big toolbox
● Understand how things work
● Possibly extract what you need
● Contribute to Docker instead

Possible improvements
● Don't require host-side tooling anymore
● Allow operation over Docker API
● A small POC is available at:
https://github.com/jpetazzo/plumber/

A brighter future
● Native Docker Multi-Host Networking
https://github.com/docker/docker/issues/8951
● Docker Network Drivers
https://github.com/docker/docker/issues/8952

This presentation reminds Docker networking, exposes Software Defined Network basic paradigms, and then proposes a mixed-up implementation taking benefits of a coupled use of these two technologies. Implementation model proposed could be a good starting point to create multi-tenant PaaS platforms. As a bonus, OpenStack Neutron internal design is presented. You can also have a look on our previous presentation related to enterprise patterns for Docker: http://fr.slideshare.net/ArnaudMAZIN/docker-meetup-paris-enterprise-docker

pipework - Advanced Docker Networking

saba syake

What's hot

Emprenedors a l'eso. curs 2015 2016.

Manel Villar (Institut Poeta Maragall)

Guió pràctica cèl·lula vegetal

lanovavila .

Unitat 6

Raquel Ibáñez

4.3 estructures triangularspepporca

Esquema text narratiu

montseval

L'ordinador per dinsLaura Oliva Miron

Matriu extracel·lularJavier

03 estructures

rriera33

Tema 1-PUC FER-HO!

finamorenoo

Els cnidaris.alumnessise

La prehistòria

aquitawin

Dissecció pota-de-pollastrejfreixas

L'alimentació humana

Marta Barceló

Alimentació saludable

Míriam Redondo Díaz (Naturalsom)

Classificacio i nomeclatura éssers viusAnna Giro

Exercicis de transmissió de moviment amb politgesGlòria García García

Característiques dels éssers vius

sonia ruiz

El cor

primercicle

QUÈ ÉS I COM FER LA MEMÒRIA D'UN PROCÉS TECNOLÒGIC

Jordi Riba

Fermentació

zainy8

What's hot (20)

Emprenedors a l'eso. curs 2015 2016.

Guió pràctica cèl·lula vegetal

Unitat 6

4.3 estructures triangulars

Esquema text narratiu

L'ordinador per dins

Matriu extracel·lular

03 estructures

Tema 1-PUC FER-HO!

Els cnidaris.

La prehistòria

Dissecció pota-de-pollastre

L'alimentació humana

Alimentació saludable

Classificacio i nomeclatura éssers vius

Exercicis de transmissió de moviment amb politges

Característiques dels éssers vius

El cor

QUÈ ÉS I COM FER LA MEMÒRIA D'UN PROCÉS TECNOLÒGIC

Fermentació

Viewers also liked

Docker networking basics & coupling with Software Defined Networks

Adrien Blind

pipework - Advanced Docker Networking

saba syake

Building a network emulator with Docker and Open vSwitch

Goran Cetusic

Docker Networking - Current Status and goals of Experimental Networking

Sreenivas Makam

The 100 - {dive} : event

IRT b-com

Vagrant

Rob Kinyon

Dockerffm meetup 20150113_networking

Andreas Schmidt

Red Hat demo of OpenStack and ODL at ODL summit 2016

RedHatTelco

LinuxCon 2015 Stateful NAT with OVS

Thomas Graf

As containers are being deployed as part of multi tenant clusters, virtual multi layer switches become essential to interconnect containers while providing isolation guarantees. Assigning tenants their own private networks requires stateful network address translation (NAT) implemented in a scalable architecture to expose containers to public networks. Existing virtual switches integrated into the Linux kernel did not support stateful NAT so far. This presentation introduces a new virtual NAT service deployable as container built using existing kernel functionality such as network namespaces, routing rules and Netfilter to provide NAT services to existing virtual switches such as Open vSwitch and the Linux bridge but also the core L3 layer of Linux.

2015 FOSDEM - OVS Stateful Services

Thomas Graf

Netfilter: Making large iptables rulesets scale

brouer

Docker @ RelateIQ Presentation

John Fiedler

Docker 1.12 networking deep dive

Madhu Venugopal

Docker Networking (Libnetwork) - Lakshman Kumar

Neependra Khare

Open vSwitch - Stateful Connection Tracking & Stateful NAT

Thomas Graf

Virtualbox networkingChatchai Jantaraprim

Cilium - Fast IPv6 Container Networking with BPF and XDP

Thomas Graf

We present a new open source project which provides IPv6 networking for Linux Containers by generating programs for each individual container on the fly and then runs them as JITed BPF code in the kernel. By generating and compiling the code, the program is reduced to the minimally required feature set and then heavily optimised by the compiler as parameters become plain variables. The upcoming addition of the Express Data Plane (XDP) to the kernel will make this approach even more efficient as the programs will get invoked directly from the network driver.

Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)

Thomas Graf

Open vSwitch (OVS) has long been a critical component of the Neutron's reference implementation, offering reliable and flexible virtual switching for cloud environments. Being an early adopter of the OVS technology, Neutron's reference implementation made some compromises to stay within the early, stable featureset OVS exposed. In particular, Security Groups (SG) have been so far implemented by leveraging hybrid Linux Bridging and IPTables, which come at a significant performance overhead. However, thanks to recent developments and ongoing improvements within the OVS community, we are now able to implement feature-complete security groups directly within OVS. In this talk we will summarize the existing Security Groups implementation in Neutron and compare its performance with the Open vSwitch-only approach. We hope this analysis will form the foundation of future improvements to the Neutron Open vSwitch reference design.

Networking in virtual machines

LINE+

Virtualbox step by step guide

Hock Leng PUAH

Viewers also liked (20)

Docker networking basics & coupling with Software Defined Networks

pipework - Advanced Docker Networking

Building a network emulator with Docker and Open vSwitch

Docker Networking - Current Status and goals of Experimental Networking

The 100 - {dive} : event

Vagrant

Dockerffm meetup 20150113_networking

Red Hat demo of OpenStack and ODL at ODL summit 2016

LinuxCon 2015 Stateful NAT with OVS

2015 FOSDEM - OVS Stateful Services

Netfilter: Making large iptables rulesets scale

Docker @ RelateIQ Presentation

Docker 1.12 networking deep dive

Docker Networking (Libnetwork) - Lakshman Kumar

Open vSwitch - Stateful Connection Tracking & Stateful NAT

Virtualbox networking

Cilium - Fast IPv6 Container Networking with BPF and XDP

Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)

Networking in virtual machines

Virtualbox step by step guide

Similar to Pipework: Software-Defined Network for Containers and Docker

Docker 0.11 at MaxCDN meetup in Los Angeles

Jérôme Petazzoni

Introduction to Docker at the Azure Meet-up in New York

Jérôme Petazzoni

Shipping Applications to Production in Containers with Docker

Jérôme Petazzoni

Docker is an Open Source engine to build, run, and manage Linux Containers. Containers use less resources than virtual machines, they boot faster, but they have similar guarantees of portability and repeatability for Linux applications. Those features made Docker and Linux Containers extremely popular for development and testing environments. But what does it take to use Docker and Containers for production workloads?

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Jérôme Petazzoni

Docker, the Open Source container Engine, lets you build, ship and run, any app, anywhere. This is the presentation which was shown in December 2014 for the last stop of the "Tour de France" in Bordeaux. It is slightly different from the presentation which was shown in the other cities (http://www.slideshare.net/jpetazzo/introduction-to-docker-december-2014-tour-de-france-edition), and includes a detailed history of dotCloud and Docker and a few other differences. Special thanks to https://twitter.com/LilliJane and https://twitter.com/zirkome, who gave me the necessary motivation to put together this slightly different presentation, since they had already seen the other presentation in Paris :-)

Introduction to Docker, December 2014 "Tour de France" Edition

Jérôme Petazzoni

Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni

TheFamily

Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale

Jérôme Petazzoni

Docker Online Meetup #3: Docker in ProductionDocker, Inc.

Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...

Jérôme Petazzoni

If you're not familiar yet with Docker, here is your chance to catch up. This presentation includes a quick overview of the Open Source Docker Engine, and its associated services delivered through the Docker Hub. Recent features are listed, as well as a glimpse at what's next in the Docker world. This presentation was given during OSCON, at a meet-up hosted by New Relic, with co-presentations from CoreOS and Rackspace OnMetal.

Docker SDN (software-defined-networking) JUG

Piotr Kieszczyński

Docker and-containers-for-development-and-deployment-scale12x

rkr10

LXC Docker and the Future of Software DeliveryDocker, Inc.

LXC, Docker, and the future of software delivery | LinuxCon 2013

dotCloud

Introduction to Docker at Glidewell Laboratories in Orange County

Jérôme Petazzoni

Sheep it

lxfontes

Automating Complex Setups with Puppet

Kris Buytaert

Docker Insight

Tiago Pires

How Linux Processes Your Network Packet - Elazar Leibovich

DevOpsDays Tel Aviv

With buzz on eBPF, XDP, bpfilter etc,, it's important to get the basics right. We will show the route of a networ packet from kernel driver to TCP/IP stack to userspace socket and explain how and where it's processed en route. Modern environment uses a lot of the Linux networking stack capability. Every docker container requires a dedicated bridge, usually a few iptables entries to expose port, and a dnsmasq daemon, and masquarading to allow internet access. It is hence important to understand Linux network fundumentals. From the driver interrupt/NAPI, to the network stack, the various filters it passes through and the various hooks you have at your disposal to alter and view the network packets flow. We will first review the theory, and then present useful tools to apply the theory and debug problems in common situations. We will survey common containers situations and see how packets move from the hardware to the container's veth.

A Gentle Introduction to Docker and ContainersDocker, Inc.

[KubeCon NA 2020] containerd: Rootless Containers 2020

Akihiro Suda

Rootless Containers means running the container runtimes (e.g. runc, containerd, and kubelet) as well as the containers without the host root privileges. The most significant advantage of Rootless Containers is that it can mitigate potential container-breakout vulnerability of the runtimes, but it is also useful for isolating multi-user environments on HPC hosts. This talk will contain the introduction to rootless containers and deep-dive topics about the recent updates such as Seccomp User Notification. The main focus will be on containerd (CNCF Graduated Project) and its consumer projects including Kubernetes and Docker/Moby, but topics about other runtimes will be discussed as well. https://sched.co/fGWc

Similar to Pipework: Software-Defined Network for Containers and Docker (20)

Docker 0.11 at MaxCDN meetup in Los Angeles

Introduction to Docker at the Azure Meet-up in New York

Shipping Applications to Production in Containers with Docker

Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition

Introduction to Docker, December 2014 "Tour de France" Edition

Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni

Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale

Docker Online Meetup #3: Docker in Production

Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...

Docker SDN (software-defined-networking) JUG

Docker and-containers-for-development-and-deployment-scale12x

LXC Docker and the Future of Software Delivery

LXC, Docker, and the future of software delivery | LinuxCon 2013

Introduction to Docker at Glidewell Laboratories in Orange County

Sheep it

Automating Complex Setups with Puppet

Docker Insight

How Linux Processes Your Network Packet - Elazar Leibovich

A Gentle Introduction to Docker and Containers

[KubeCon NA 2020] containerd: Rootless Containers 2020

More from Jérôme Petazzoni

Use the Source or Join the Dark Side: differences between Docker Community an...

Jérôme Petazzoni

The Docker Project delivers a complete open source platform to “build, ship, and run” any application, anywhere, using containers. The Docker Engine and the other main components (Compose, Machine, and the SwarmKit orchestration system) are free; but Docker Inc. (the company who started the Docker Project) also has a complete commercial offering named “Docker EE” (for Enterprise Edition) that adds an extra set of features geared at larger organizations, as well as an extended support and release cycle. In this talk, I will explain (and show with demos) what you can do using exclusively Docker CE (community, free edition) and which features are added by Docker EE. This talk is for you if you are in the process of selecting a container platform; or if you’re just curious, and want to know exactly what you can do (and cannot do) with Docker CE and EE.

Orchestration for the rest of us

Jérôme Petazzoni

Orchestration, resource scheduling…What does that mean? Is this only relevant for data centers with thousands of nodes? Should I care about Mesos, Kubernetes, Swarm, when all I have is a handful of virtual machines? The motto of public cloud IAAS is "pay for what you use," so in theory, if I deploy my apps there, I'm already getting the best "resource utilization" aka "bang for my buck," right? In this talk, we will answer those questions, and a few more. We will define orchestration, scheduling, and others, and show what it's like to use a scheduler to run containerized applications there.

Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...

Jérôme Petazzoni

Docker : quels enjeux pour le stockage et réseau ? Paris Open Source Summit ...

Jérôme Petazzoni

Making DevOps Secure with Docker on Solaris (Oracle Open World, with Jesse Bu...

Jérôme Petazzoni

$Containers, docker, and security: state of the union (Bay Area Infracoders Me...$ $Containers, docker, and security: state of the union (Bay Area Infracoders Me...$

Containers, docker, and security: state of the union (Bay Area Infracoders Me...

Jérôme Petazzoni

Docker is two years old. While security has always been at the core of the questions revolving around Docker, the nature of those questions has changed. Last year, the main concern was "can I safely colocate containers on the same machine?" and it elicited various responses. Dan Walsh, SELinux expert, notoriously said: "containers do not contain!", and at last year's LinuxCon, Jérôme delivered a presentation detailing how to harden Docker and containers to isolate them better. Today, people have new concerns. They include image transport, vulnerability mitigation, and more. After a recap about the current state of container security, Jérôme will explain why those new questions showed up, and most importantly, how to address them and safely deploy containers in general, and Docker in particular.

From development environments to production deployments with Docker, Compose,...

Jérôme Petazzoni

In this session, we will learn how to define and run multi-container applications with Docker Compose. Then, we will show how to deploy and scale them seamlessly to a cluster with Docker Swarm; and how Amazon EC2 Container Service (ECS) eliminates the need to install,operate, and scale your own cluster management infrastructure. We will also walk through some best practice patterns used by customers for running their microservices platforms or batch jobs. Sample code and Compose templates will be provided on GitHub afterwards.

How to contribute to large open source projects like Docker (LinuxCon 2015)

Jérôme Petazzoni

Contributing to a large open source project can seem daunting at first; but fear not! You too can join thousands of successful contributors. First, you don't have to be an expert in Golang, Python, or C, to contribute to Docker, OpenStack, or the Linux Kernel. Many projects also need help with documentation, translation, testing, triaging issues, and more. Very often, just going through bug reports to reproduce them and confirm "this also happens on my setup, with version XYZ" is extremely helpful. If you decide to take the leap and propose a change (be it code or documentation), each open source project has different contribution guidelines and workflows. In this talk, Arnaud and Jérôme will explain some of those workflows, how maintainers review your patches, and highlight the details that make your changes more likely to be merged into the project.

Containers, Docker, and Security: State Of The Union (LinuxCon and ContainerC...

Jérôme Petazzoni

Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon

Jérôme Petazzoni

Containers are everywhere. But what exactly is a container? What are they made from? What's the difference between LXC, butts-nspawn, Docker, and the other container systems out there? And why should we bother about specific filesystems? In this talk, Jérôme will show the individual roles and behaviors of the components making up a container: namespaces, control groups, and copy-on-write systems. Then, he will use them to assemble a container from scratch, and highlight the differences (and likelinesses) with existing container systems.

Microservices. Microservices everywhere! (At OSCON 2015)Jérôme Petazzoni

Deploy microservices in containers with Docker and friends - KCDC2015

Jérôme Petazzoni

Docker lets us build, ship, and run any Linux application, on any platform. It found many early adopters in the CI/CD industry, long before it reached the symbolic 1.0 milestone and was considered "production-ready." Since then, its stability and features attracted enterprise users in many different fields, including very demanding ones like finance, banking, or intelligence agencies. We will see how Docker is particularly suited to the deployment of distributed applications, and why it is an ideal platform for microservice architectures. In particular, we will look into three Docker related projects that have been announced at DockerCon Europe last December: Machine, Swarm, and Compose, and we will explain how they improve the way we build, deploy, and scale distributed applications.

Containers: from development to production at DevNation 2015

Jérôme Petazzoni

In Docker, applications are shipped using a lightweight format, managed with a high-level API, and run within software containers which abstract the host environment. Operating details like distributions, versions, and network setup no longer matter to the application developer. Thanks to this abstraction level, we can use the same container across all steps of the life cycle of an application, from development to production. This eliminates problems stemming from discrepancies between those environments. Even so, these environments will always have different requirements. If our quality assurance (QA) and production systems use different logging systems, how can we still ship the same container to both? How can we satisfy the backup and security requirements of our production stack without bloating our development stack? In this sess, you will learn about the unique features in containers that allow you to cleanly decouple system administrator tasks from the core of your application. We’ll show you how this decoupling results in smaller, simpler containers, and gives you more flexibility when building, managing, and evolving your application stacks.

Immutable infrastructure with Docker and containers (GlueCon 2015)

Jérôme Petazzoni

"Never upgrade a server again. Never update your code. Instead, create new servers, and throw away the old ones!" That's the idea of immutable servers, or immutable infrastructure. This makes many things easier: rollbacks (you can always bring back the old servers), A/B testing (put old and new servers side by side), security (use the latest and safest base system at each deploy), and more. However, throwing in a bunch of new servers at each one-line CSS change is going to be complicated, not to mention costly. Containers to the rescue! Creating container "golden images" is easy, fast, dare I say painless. Replacing your old containers with new ones is also easy to do; much easier than virtual machines, let alone physical ones. In this talk, we'll quickly recap the pros (and cons) of immutable servers; then explain how to implement that pattern with containers. We will use Docker as an example, but the technique can easily be adapted to Rocket or even plain LXC containers.

The Docker ecosystem and the future of application deployment

Jérôme Petazzoni

Ten years ago, virtualization ignited a revolution which gave birth to the Cloud and the DevOps initiative. Today, with containers, we are at the dawn of a similar breakthrough. How can we capture the value of containers? How can we use their features to implement microservices and immutable infrastructures, while retaining as much as possible of our existing practices? The answer is in the rich ecosystem that developed around Docker, an open-source platform to build, ship, and run applications in containers. In this keynote we’ll explore what the applications of tomorrow will look like, how they’ll be deployed and distributed – and how to leverage those tools today.

Docker: automation for the rest of us

Jérôme Petazzoni

Docker landed almost two years ago, making it possible to build, ship, and run any Linux application, on any platform, it was quickly adopted by developers and ops, like no other tool before. The CI/CD industry even took it to production long before it was stamped "production-ready." Why does everyone (or almost!) love Docker? Because it puts powerful automation abilities within the hands of normal developers. Automation almost always involves building distribution packages, virtual machine images, or writing configuration management manifests. With Docker, those tasks are radically transformed: sometimes they're far easier than before, other times they're no longer needed at all. Either way, the intervention of a seasoned sysadmin guru is no longer required.

Docker Non Technical Presentation

Jérôme Petazzoni

Containers, Docker, and Microservices: the Terrific Trio

Jérôme Petazzoni

One of the upsides of Microservices is the ability to deploy often,at arbitrary schedules, and independently of other services, instead of requiring synchronized deployments happening on a fixed time. But to really leverage this advantage, we need fast, efficient, and reliable deployment processes. That's one of the value propositions of Containers in general, and Docker in particular. Docker offers a new, lightweight approach to application portability.It can build applications using easy-to-write, repeatable, efficient recipes; then it can ship them across environments using a common container format; and it can run them within isolated namespaces which abstract the operating environment, independently of the distribution,versions, network setup, and other details of this environment. But Docker can do way more than deploy your apps. Docker also enables you to generalize Microservices principles and apply them on operational tasks like logging, remote access, backups, and troubleshooting.This decoupling results in independent, smaller, simpler moving parts.

Containerization is more than the new Virtualization: enabling separation of ...

Jérôme Petazzoni

Docker offers a new, lightweight approach to application portability. Applications are shipped using a common container format, and managed with a high-level API. Their processes run within isolated namespaces which abstract the operating environment, independently of the distribution, versions, network setup, and other details of this environment. This "containerization" has often been nicknamed "the new virtualization". But containers are more than lightweight virtual machines. Beyond their smaller footprint, shorter boot times, and higher consolidation factors, they also bring a lot of new features and use cases which were not possible with classical virtual machines. We will focus on one of those features: separation of operational concerns. Specifically, we will demonstrate how some fundamental tasks like logging, remote access, backups, and troubleshooting can be entirely decoupled from the deployment of applications and services. This decoupling results in independent, smaller, simpler moving parts; just like microservice architectures break down large monolithic apps in more manageable components.

Docker Tips And Tricks at the Docker Beijing Meetup

Jérôme Petazzoni

More from Jérôme Petazzoni (20)