dockercon eu 2015: docker networking deep dive
TRANSCRIPT
Docker Networking Deep DiveDave TuckerProduct Manager
Jana RadhakrishnanSenior Software Engineer
Agenda
What's Next?IPv6 Service Discovery Security
Better togetherDeploying an app using Swarm, Compose and Networking
What's in 1.9Overview Bridge Driver Overlay Driver Default Gateway service
Use CasesMicrosegmentation Multi-Tenancy Cloud portability
What's in 1.9?Lot's of networking awesomeness
— Moby Dock
“Transform networking, like Docker did for compute”
4
5
• New top-level UX & API: docker network • Multiple micro-segmented networks • Connect containers to multiple networks • Multi-host networking • Pluggable
• Network driver plugins • IP Address Management plugins
Features available in 1.9
6
• A Network... • Interconnects a set of containers • Provides isolation for these containers
• Every network is backed by a driver • Networks are scoped as Local or Global • Scope is chosen based on negotiated
driver scope
Networks and Scopes
7
docker network create
mrjana@dev-1:~$ docker network create --help
Usage: docker network create [OPTIONS] NETWORK-NAME
Creates a new network with a name specified by the user
--aux-address=map[] auxiliary ipv4 or ipv6 addresses used by Network driver -d, --driver=bridge Driver to manage the Network --gateway=[] ipv4 or ipv6 Gateway for the master subnet --help=false Print usage --ip-range=[] allocate container ip from a sub-range --ipam-driver=default IP Address Management Driver -o, --opt=map[] set driver specific options --subnet=[] subnet in CIDR format that represents a network segment
Bridge Network Driver
8
C1
Docker0 br-ee40a8236479
Host NIC
X
Docker Host
C2
C3
C4
C5
C6
Multi-host Networking
KV Store
Docker Host Docker Host Docker Host
C1
C2
C3C4
C5
C6C7
C8
C9
Overlay Network Driver
10
C1
C2
C3
C5
C4
br0
Veth
Veth
Veth
Host NIC
VXLAN
Host NIC
br0
Veth
Veth
VXLAN
Docker Host 1 Docker Host 2
Overlay Control Plane
11
KV STORE
Serf
IP Address allocation VXLAN ID allocation
(Network, subnet) -> VXLAN ID
Populate Neighbor Table entries Populate L2 FDB entries Populate Neighbor Table entries
Populate L2 FDB entries
Docker Host 1 Docker Host 2
Default gateway service
12
C2 Overlay Network 2
default_gwbridge
C1Overlay Network 1
ICC=false
Port Mapping & NAT Happens here
Use CasesHow to use Docker's new networking
Use Case: Multi-Tenancy
14
Network "Foo"
Network "Bar"
C1 C2
Use Case: Microsegmentation
15
Network "frontend"
Network "backend"
App DB1
DB
Use Case: Cloud Portability
16
Network "ubercloud"
aws do
What's Next?More awesome, coming soon
Better IPv6 Support- IPv6 that just works out of the box
- IPv6 address allocation
- Static public address assignments
- Bridge Network and Overlay Network
- Support for AAAA record resolution
Service Discovery- DNS based service discovery
- Register one or more containers as providing a "service" within a network
- Provide DNS records to allow the service to be discovered
Security- Encryption for the Overlay Network
- Official "proxy" container for tying networks together
- Like in the micro-segmentation use case
- "Offline" networks
Better togetherDeploying an application with networking
— Dave Tucker
“Taking Kitematic's Minecraft Demo and turning
it up to eleven ”
22
The problem statement
- Deploy a Minecraft server
- Support multiple worlds, one for each mode of play
- Central lobby
- Survival world
- Creative world
The Application
LobbySurvival Creative
Infrastructure
Overlay Network
See it in action!
Q&A
Backup
Day in the life of packet
30
C1 ARP Request br0Flood
ARP RequestSrc
VXLAN Interface
Proxy ARP Response C1 br0
Full IP packet with L2 header
Flood IP packet
Src VXLAN
InterfaceLookup FDB Send VXLAN
packet
Src Host NICSend on the
wire
Dst Host NICProcess
VXLAN Encap
Dst VXLAN
InterfaceSend original
IP packet over bridge
br0
Flood IP packet
C2
Classic three tier application
App WebDB Front End Network
Back End Network