Networking in Docker Containers


Posted on 10-Jan-2017


TRANSCRIPT

Apache Ambari 1.7.0

Networking in Containers
Attila Kanto

Page # Hortonworks Inc. 2011 2015. All Rights Reserved


Agenda

How networking works in Docker

Container Network Model

Networking plugin


Containers

Isolate and package applications
Resources (CPU, memory, IO)
Namespaces (pid, users, network, uts, mnt)
Storage (device mapper, overlayfs, aufs, btrfs)
Security (capabilities)

Containers are application focused; from a high level they isolate and package applications.

- Containers can limit the resources available to an application (CPU share, memory). They isolate processes, users, network, etc.: a container has processes, users and a network stack that are not visible to other containers. The filesystem is also separated; every container can have its own root fs that is not visible to others. Basic security comes from capabilities, e.g. NET_ADMIN.

This presentation's focus is on networking.

Network

UTS namespace: isolates the hostname

Network namespace: network interface(s), loopback device, routing table, iptables rules

The UTS namespace is a Linux kernel feature (UTS stands for UNIX Timesharing System, for historical reasons). A container gets its own network stack by using a network namespace, which is also a Linux kernel feature. Having its own network stack means that it has its own

Basic networking overview

Networking without Docker

Diagram: eth0, iptables, route

A Linux machine with one ethernet port, a routing table and iptables rules. What are these? The routing table is a prefix matching table containing IP prefixes; a destination IP is matched against this table, and from there it can be figured out where to send the packet. iptables can be thought of as a packet filtering and modification tool; it is a userland tool to modify the tables and rules of the kernel's netfilter module.

Networking without Docker

ifconfig
eth0: flags=4163 mtu 1500
    inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255
    ether 33:83:5a:44:50:ff txqueuelen 0 (Ethernet)
lo: flags=73 mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0

Networking without Docker

ifconfig
eth0: inet 192.168.1.100 ether 33:83:5a:44:50:ff

OSI Layers (1-4)

Layer 2: ethernet frame. Layer 3: IP packet. As an oversimplification, a layer 2 ethernet frame contains the source and destination MAC addresses, and a layer 3 IP packet contains the source and destination IP addresses.

Networking without Docker

route -n
Destination     Gateway         Genmask         Iface
0.0.0.0         192.168.1.1     0.0.0.0         eth0
192.168.1.0     0.0.0.0         255.255.255.0   eth0

iptables -t nat -L
target     prot opt source               destination

The routing table is a prefix table; it describes how a layer 3 packet shall be forwarded based on its IP address.

Networking without Docker

Diagram: eth0 (192.168.1.100), iptables

route
192.168.1.0/24 -> eth0
0.0.0.0 -> 192.168.1.1 (eth0)

Add the information we have learned so far to the picture.

Networking with Docker

Install Docker

Diagram: eth0 (192.168.1.100), docker0 (172.17.0.1)

iptables
MASQUERADE 172.17.0.0/16

route
192.168.1.0/24 -> eth0
0.0.0.0 -> 192.168.1.1 (eth0)
172.17.0.0/16 -> docker0

A bridge behaves like a virtual network switch; any real device (e.g. eth0) and virtual device (e.g. tap0) can be connected to it. The iptables rule is related to Network Address Translation (NAT). This info can be figured out by using route, ifconfig and iptables. Network address translation (NAT) is a methodology of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. [1]

Run container / bridged networking
Docker0 bridge: already there, created during install
Network namespace: the container netns needs to be created
Veth pair: created during the creation of the container; connects two network namespaces
External communication: only through Network Address Translation (NAT)

Docker0: not too much is changed there.

Veth pair connection.

What happens when we run a container and expose container port 8080 as host port 9090?

- If a container would like to talk to another container connected to docker0, the traffic goes through the bridge.

Run container / bridged networking / 8080 -> 9090

iptables
MASQUERADE 172.17.0.0/16
DNAT dpt:9090 to:172.17.0.2:8080

route
192.168.1.0/24 -> eth0
0.0.0.0 -> 192.168.1.1 (eth0)
172.17.0.0/16 -> docker0

Diagram: eth0 (192.168.1.100), docker0 (172.17.0.1), veth pair (vxx on the host side, eth0 in the container1 netns, 172.17.0.2), container1 route table

Packet arriving at eth0:
          SRC          DST
Port      Client Port  9090
IP        Client IP    192.168.1.100
MAC       Client MAC   MAC of eth0

Packet after DNAT:
          SRC          DST
Port      Client Port  8080
IP        Client IP    172.17.0.2

Packet forwarded over docker0 to the container:
          SRC             DST
Port      Client Port     8080
IP        Client IP       172.17.0.2
MAC       MAC of docker0  MAC of the container's eth0

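The NAT rules on the last few slides are what decide which container ports are reachable from outside the host. The following added example (not from the presentation) parses a constructed `iptables-save -t nat` dump in the form Docker writes and reports the DNAT port mappings, which of them answer on every host interface, and which subnets are masqueraded; the rule text and addresses are constructed to match the slides, including an extra loopback-only mapping for contrast.

```python
import re

# Constructed sample in `iptables-save -t nat` form, matching the rules the
# slides describe (MASQUERADE for the docker0 subnet, DNAT for host port 9090),
# plus one mapping bound to loopback only for contrast.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination 172.17.0.2:8080
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
"""

def port_mappings(rules):
    """One dict per DNAT rule: which host address/port is rewritten to which container ip:port."""
    out = []
    for line in rules.splitlines():
        if "-j DNAT" not in line:
            continue
        proto = re.search(r" -p (\w+)", line)
        bind = re.search(r" -d ([\d.]+)/32", line)   # absent => rule matches every host address
        hport = re.search(r"--dport (\d+)", line)
        target = re.search(r"--to-destination ([\d.]+):(\d+)", line)
        if not (proto and hport and target):
            continue
        out.append({"proto": proto[1], "bind": bind[1] if bind else "0.0.0.0",
                    "host_port": int(hport[1]), "container": target[1],
                    "container_port": int(target[2])})
    return out

def masqueraded_subnets(rules):
    """Container subnets that are source-NATed when leaving their bridge (the MASQUERADE rule)."""
    pat = re.compile(r"-A POSTROUTING -s ([\d./]+) ! -o (\S+) -j MASQUERADE")
    return [m.groups() for m in map(pat.search, rules.splitlines()) if m]

def network_reachable(mappings):
    """Mappings that answer on every host interface, i.e. reachable from the LAN like 9090 in the slides."""
    return [m for m in mappings if m["bind"] == "0.0.0.0"]

if __name__ == "__main__":
    for m in network_reachable(port_mappings(SAMPLE_NAT_RULES)):
        print(f"{m['proto']}/{m['host_port']} on all interfaces -> {m['container']}:{m['container_port']}")
    print("masqueraded:", masqueraded_subnets(SAMPLE_NAT_RULES))
```

On a real host, feed it the output of `iptables-save -t nat` instead of the constructed string; a mapping without a `-d` address is the one to review, since the host firewall is the only thing between it and the network.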

Overlay networking with Docker

An overlay network is a computer network that is built on top of another network. In Docker networking it is not a good name, since what Docker created is one specific VXLAN based overlay network.

Run container / overlay networking
Bridges: docker_gwbridge, created if it does not exist; br0 in a hidden namespace associated with the overlay network
Network namespace: the container netns needs to be created
Veth pairs: one connects br0 and eth0 of the container; one connects docker_gwbridge and eth1 of the container
External communication: through Network Address Translation (NAT); through VXLAN (to other containers using the same overlay network)


Install Docker (again)

Diagram: eth0 (192.168.1.100), docker0 (172.17.0.1)

iptables
MASQUERADE 172.17.0.0/16

route
192.168.1.0/24 -> eth0
0.0.0.0 -> 192.168.1.1 (eth0)
172.17.0.0/16 -> docker0


Run container / overlay networking

Diagram: eth0 (192.168.1.100), iptables, route
Host bridges: docker_gwbridge (172.18.0.1), docker0 (172.17.0.1)
container1 netns: eth1 (172.18.0.2, veth vxx to docker_gwbridge), eth0 (10.10.10.2, veth vyy to br0), container route table
Hidden netns: br0 (10.10.10.1) and the VXLAN interface

Suppose the network was already created with docker network create, with the subnet 10.10.10.0/24. VXLAN: what role does it play? We need to step back a little bit. To understand this we need to explain what SDN, Software Defined Networking, is.

Software-defined networking (SDN)

Separation control and data plane of network

Control plane: makes decisions about where traffic is sent

Data plane: forwards traffic to the selected destination

The basic concept of Software-defined networking is to separate the control and data planes of the network.

Data Plane (in Docker overlay)
Virtual Extensible LAN (VXLAN): overlay technology; encapsulates L2 frames as UDP packets
VTEP (VXLAN Tunnel End Point): originator and/or terminator of a VXLAN tunnel
VNI (VXLAN Network Identifier): part of the VXLAN header; similar to a VLAN ID

Overlay technology, which can be translated as a network technology on top of another network. These are its main parts.

Data Plane (in Docker overlay)
Container sends a packet:
- the ARP (neighbor) table is checked for the destination container IP -> MAC/interface mapping
- the L2 FDB (forwarding database) on the source VTEP is checked to determine the IP of the destination VTEP for the destination MAC
- the packet is encapsulated for the destination VTEP with the configured VNI and sent to the destination
- the destination VTEP de-capsulates the packet
- the inner packet is received by the destination container

A few things are still missing from the puzzle.
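The data plane steps above, carried through in code as an added example that is not part of the presentation: a neighbor lookup, an FDB lookup, VXLAN encapsulation with the VNI, and the decapsulation check on the receiving VTEP. The MAC addresses, the second host 192.168.1.101, the VNI 256 and the payload are all constructed; the header layout is the one from RFC 7348, which Docker's overlay driver uses.

```python
import struct

VXLAN_UDP_PORT = 4789              # UDP port the VXLAN datagram is sent to (RFC 7348)
ETH_HDR = struct.Struct("!6s6sH")  # inner L2 frame header: dst MAC, src MAC, ethertype

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

# Constructed lookup tables in the shape the slides describe: the ARP/neighbor
# table (container IP -> MAC) and the L2 FDB on the source VTEP (MAC -> VTEP IP).
NEIGH = {"10.10.10.2": mac("02:42:0a:0a:0a:02")}
FDB = {mac("02:42:0a:0a:0a:02"): "192.168.1.101"}   # assumed second host in the cluster
VNI = 256                                            # assumed VNI of the overlay network

def vxlan_header(vni):
    """8-byte VXLAN header: flags (I bit 0x08) + 24 reserved bits, 24-bit VNI + 8 reserved bits."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!II", 0x08000000, vni << 8)

def encapsulate(dst_container_ip, src_mac, payload, vni=VNI):
    """Steps 1-3: neighbor lookup, FDB lookup, then wrap the L2 frame for the destination VTEP."""
    dst_mac = NEIGH[dst_container_ip]       # ARP (neighbor) table: IP -> MAC
    dst_vtep = FDB[dst_mac]                 # FDB: which VTEP owns that MAC
    inner = ETH_HDR.pack(dst_mac, src_mac, 0x0800) + payload   # 0x0800 = IPv4 ethertype
    return dst_vtep, vxlan_header(vni) + inner   # sent as UDP to dst_vtep:VXLAN_UDP_PORT

def decapsulate(datagram):
    """Step 4 on the destination VTEP: validate and strip the header, hand the inner frame to br0."""
    flags, vni_field = struct.unpack("!II", datagram[:8])
    if not flags & 0x08000000:
        raise ValueError("I flag clear: VNI is not valid, drop the datagram")
    dst_mac, src_mac, _ethertype = ETH_HDR.unpack(datagram[8:22])
    return vni_field >> 8, dst_mac, src_mac, datagram[22:]

if __name__ == "__main__":
    vtep, dgram = encapsulate("10.10.10.2", mac("02:42:0a:0a:0a:01"), b"constructed ipv4 payload")
    print(f"UDP to {vtep}:{VXLAN_UDP_PORT}, VXLAN header {dgram[:8].hex()}")
    print(decapsulate(dgram))
```

The header carries no authentication, so the flag check is only a sanity check; the VNI is the only thing separating overlay networks on the wire, which is why VXLAN traffic between hosts is normally restricted to the cluster by the host firewall.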

Network Control Plane (in Docker overlay)

Serf is a decentralised solution for cluster membership, failure detection and orchestration. An efficient and lightweight gossip/epidemic protocol is used to communicate with the other nodes. Serf can detect node failures and notify the rest of the cluster, propagating configuration changes to the relevant nodes.

Container Network Model
