Octo Talk Dockermulti Hostnetworking 151211120053
7/25/2019 Octo Talk Dockermulti Hostnetworking 151211120053
1/29
Herve Leclerc@dt
DOCKER MULTI-HOST NETWORKING
-
ALTER WAY
-
DOCKER LIBNETWORK
-
DOCKER LIBNETWORK
OPEN SOURCE SINCE APRIL 2015
Multiple OS
> 500 PR
> 500 !
-
DOCKER LIBNETWORK
Implements the Container Network Model (CNM)
3 main components:
Sandbox
Endpoint
Network
-
CNM
[Figure: docker Container #1 and Container #2, each with a Network Sandbox holding an endpoint; the endpoints attach to a Backend Network.]
Network Sandbox: an isolated environment that holds the networking configuration of a Docker container.
Endpoint: a network interface that can be used for communication over a specific network. An endpoint belongs to exactly one network, and multiple endpoints can exist within a single Network Sandbox.
Network: a uniquely identifiable group of endpoints that are able to communicate with each other. You could create a Frontend and a Backend network and they would be completely isolated; a sandbox holding an endpoint on each of them is what joins the two.
-
DOCKER LIBNETWORK : THE NETWORK DRIVERS
Implement the Driver API
Provide the specifics of how a network and an endpoint are implemented
Create Network
Create Container (attach to the network)
-
DOCKER LIBNETWORK : BRIDGE DRIVER
Creates a Linux bridge for each network
Creates a veth pair for each endpoint
One end is attached to the bridge
The other appears as eth0 inside the container
iptables rules are created for NAT
-
DOCKER LIBNETWORK : OVERLAY DRIVER
Creates a separate network namespace for every network
Creates a Linux bridge and VXLAN tunnels to every discovered host
Creates a veth pair for each endpoint
One end is attached to the bridge
The other appears as eth0 inside the container
Network namespace connected to the host network using
Note that VXLAN itself neither encrypts nor authenticates the container traffic it carries between hosts; the host-to-host path needs its own protection (the alternatives slide lists ipsec).
-
DOCKER LIBNETWORK : NETWORK PLUGINS
Implemented using libnetwork's remote driver
Use a JSON-RPC transport
Can be written in any language
Can be deployed as a container
-
HOW DOCKER NETWORKS A CONTAINER ?
[Figure: Docker Host with the docker0 bridge; containerX has lo and eth0, and eth0 is one end of a veth pair whose other end (vethXXX) sits on docker0.]
docker run :
--net=bridge (default)
--net=host (the container uses the host's network namespace: no network isolation at all)
--net=container:NAME_or_ID (shares the network namespace of an existing container)
--net=none
--net=overlay_name
-
HOW DOCKER NETWORKS A CONTAINER ?
[Figure: Docker Host with docker0; the containers babase and frontend each have lo and eth0, attached to docker0 through vethXXX.]
# docker run -tid --name babase -e database=mabase
# docker run -tid --link babase:babase --name frontend
# docker exec frontend env
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/
HOSTNAME=e83cfafdbca0
TERM=xterm
BABASE_NAME=/frontend/babase
BABASE_ENV_database=mabase
HOME=/root
# docker exec frontend cat /etc/hosts
172.17.0.5 e83cfafdbca0
172.17.0.4 babase fa10fbead100
# docker exec frontend ping babase
PING babase (172.17.0.4): 56 data bytes
64 bytes from 172.17.0.4: seq=0 ttl=64 time=0.0
Note what --link does: the linked container's environment is copied into the client as BABASE_ENV_* (here database=mabase), so any secret passed with -e to babase is readable from frontend, and the name is resolved by a static /etc/hosts entry rather than by DNS.
-
[Figure, one host: the container has eth0 10.0.0.2 (02:42:0A:00:00:02) on the overlay and eth1 172.18.0.2 (02:42:AC:12:00:02) on docker_gwbridge. The overlay's own network namespace holds br0 10.0.0.1, the container's vethXX and vxlan1. On the host: eth1 192.168.99.103, eth0 10.0.2.15, docker0 172.17.0.1, docker_gwbridge 172.18.0.1, iptables (masquerade).]
# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 427 packets, 54721 bytes)
 pkts bytes target     prot opt in     out     source               destination
  431 26098 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 425 packets, 54618 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 391 packets, 28774 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 391 packets, 28774 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   103 MASQUERADE  all  --  *      !docker_gwbridge  172.18.0.0/16        0.0.0.0/0
    4   240 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

# netstat -rn (inside the container)
Kernel IP routing table
Destination     Gateway         Genmask
0.0.0.0         172.18.0.1      0.0.0.0
10.0.0.0        0.0.0.0         255.255.255.0
172.18.0.0      0.0.0.0         255.255.0.0

# ip netns exec 3-2eb093042e ip a
2: br0: mtu group default
    link/ether 36:89:6b:73:b9:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::4cc0:d1ff:fe82:4730/64 scope link
       valid_lft forever preferred_lft forever
19: vxlan1: master br0 state UNKNOWN group default
    link/ether 42:d5:16:ca:78:11 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::40d5:16ff:feca:7811/64 scope link
       valid_lft forever preferred_lft forever
21: veth2@if20:
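The NAT table and the container's routing table above are best read together. The following is an added example, not code from the talk or from libnetwork: it parses an `iptables -t nat -L -vn` listing and a `netstat -rn` table (both constructed here from the slide), takes the container addresses drawn on the diagram (eth0 10.0.0.2 on the overlay, eth1 172.18.0.2 on docker_gwbridge), and for a destination answers which address the container sends from and whether the host's MASQUERADE rule rewrites it. The host egress interface name (`eth1`) is assumed; `MasqRule`, `egress` and the other identifiers are mine.

```python
"""Reading Docker's NAT table together with a container's routing table.

Added example; not code from the talk or from libnetwork. Both listings
below are constructed from the slide, not captured from a live system.
"""
import ipaddress
from dataclasses import dataclass

SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 427 packets, 54721 bytes)
 pkts bytes target     prot opt in     out     source               destination
  431 26098 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 425 packets, 54618 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 391 packets, 28774 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 391 packets, 28774 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   103 MASQUERADE  all  --  *      !docker_gwbridge  172.18.0.0/16        0.0.0.0/0
    4   240 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
"""

# netstat -rn inside the overlay container; the slide kept only three columns.
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask
0.0.0.0         172.18.0.1      0.0.0.0
10.0.0.0        0.0.0.0         255.255.255.0
172.18.0.0      0.0.0.0         255.255.0.0
"""

# Container addresses from the diagram: eth0 on the overlay, eth1 on docker_gwbridge.
CONTAINER_ADDRS = [ipaddress.ip_interface("10.0.0.2/24"),
                   ipaddress.ip_interface("172.18.0.2/16")]


@dataclass
class MasqRule:
    source: ipaddress.IPv4Network
    out_iface: str   # "*" or an interface name
    negated: bool    # True when the column read "!iface"

    def applies(self, iface):
        """Does this rule match a packet leaving the host through `iface`?"""
        if self.out_iface == "*":
            return True
        return iface != self.out_iface if self.negated else iface == self.out_iface


def parse_masquerade(nat_text):
    """MASQUERADE rules of the POSTROUTING chain, in table order."""
    rules, chain = [], None
    for line in nat_text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        cols = line.split()
        # columns: pkts bytes target prot opt in out source destination [match...]
        if chain != "POSTROUTING" or len(cols) < 9 or cols[2] != "MASQUERADE":
            continue
        out = cols[6]
        rules.append(MasqRule(ipaddress.ip_network(cols[7]),
                              out.lstrip("!"), out.startswith("!")))
    return rules


def parse_routes(text):
    """(network, gateway-or-None) pairs from `netstat -rn` output."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 3 or not cols[0][0].isdigit():
            continue   # title and header lines
        dest, gw, mask = cols[:3]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else ipaddress.ip_address(gw)))
    return routes


def egress(dst, routes, rules, host_out="eth1"):
    """Path and source address a packet from the container takes to `dst`,
    and whether the host's POSTROUTING chain rewrites the source (SNAT)."""
    dst = ipaddress.ip_address(dst)
    net, gw = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    nexthop = gw or dst
    try:
        src = next(a.ip for a in CONTAINER_ADDRS if nexthop in a.network)
    except StopIteration:
        raise ValueError(f"no container address on the segment of {nexthop}")
    # Direct routes stay on one L2 segment (overlay bridge or docker_gwbridge),
    # so the host does not route them and its nat table is not consulted.
    snat = gw is not None and any(src in r.source and r.applies(host_out) for r in rules)
    return {"via": str(gw) if gw else "direct", "src": str(src), "snat": snat}


if __name__ == "__main__":
    rules, routes = parse_masquerade(SAMPLE_NAT), parse_routes(SAMPLE_ROUTES)
    for r in rules:
        print(f"MASQUERADE {r.source} unless out={r.out_iface!r} (negated={r.negated})")
    for dst in ("10.0.0.3", "8.8.8.8", "172.18.0.5"):
        print(dst, egress(dst, routes, rules))
```

Run it and the two paths of the diagram fall out: 10.0.0.3 (the peer container on the other host) is sent from eth0 with the container's own address and never meets the host's nat table, because it is carried inside the VXLAN tunnel; anything off the overlay goes to 172.18.0.1 from eth1 and is masqueraded to the host's address on its way out.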
-
VXLAN TUNNEL / OVERLAY
[Figure, two hosts:
Host A (eth1 192.168.99.103, eth0 10.0.2.15, docker0 172.17.0.1, docker_gwbridge 172.18.0.1, iptables masquerade): the container has eth0 10.0.0.2 (02:42:0A:00:00:02) and eth1 172.18.0.2 (02:42:AC:12:00:02); the overlay namespace holds br0 10.0.0.1 with the container's vethXX and vxlan1.
Host B (eth1 192.168.99.102): the container has eth0 10.0.0.3 (02:42:0A:00:00:03, since Docker derives the MAC from the IP) and eth1 172.18.0.2 (02:42:AC:12:00:02; each host has its own docker_gwbridge, so the address repeats); the overlay namespace holds br0 10.0.0.1 with vethXX and vxlan1.
The VXLAN tunnel runs between the two vxlan1 interfaces over the host network (192.168.99.103 and 192.168.99.102).]
-
LibNetwork Alternatives
OVS bridge
vRouter
MidoNet
ipsec
-
[Slides 16 to 23: terminal listings (commands and their output), not recoverable from this transcript.]
-
Overlay Network / SWARM / CONSUL
[Figure: two hosts (h), each running a Docker daemon, carry the containers c1, c2 and c3 on the overlay network skynet; the daemons share network state through libkv in a consul key-value store on port 8500.]
docker run -ti -d --net=skynet alpine
ping c2
ping c3.skynet
-
Overlay network demo #2
-
(d1) docker run -ti -d --name=A1 alpine /bin/sh
(d1) docker run -ti -d --name=A2 alpine /bin/sh
(d1) docker inspect --format '{{ .NetworkSettings.IPAddress }}' A1
(d1) docker inspect --format '{{ .NetworkSettings.IPAddress }}' A2
(d1) docker attach A2
(d1) cat /etc/hosts          # note: the file has not been updated
(d1) ping [IP of A1]
------------------------------------------------------------------------
(d1) docker network create d1net
(d1) docker run -ti -d --name=B1 --net=d1net alpine /bin/sh
(d1) docker run -ti -d --name=B2 --net=d1net alpine /bin/sh
(d1) docker attach B2
(d1) cat /etc/hosts          # note: the file has been updated with b1 and b1.d1net
(d1) ping [IP of A1]         # no reply
(d1) ping B1.d1net           # ping OK. Careful, case matters with alpine :(
------------------------------------------------------------------------
(d1) docker network create skynet
(d2) docker network ls
(d1) docker run -ti -d --name=C1 --net=skynet alpine /bin/sh
(d2) docker run -ti -d --name=C2 --net=skynet alpine /bin/sh
(d2) docker attach C2
(d2) cat /etc/hosts          # note: the file has been updated with C1 and C1.skynet
(d2) ping [IP of A1]         # no reply
(d2) ping B1.d1net           # no reply
(d2) ping C1.skynet          # ping OK
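To tie the CNM definitions from the earlier slides (sandbox, endpoint, network) to what this demo shows, here is an added example in Python, not code from the talk or from libnetwork. It models the three objects with one rule, endpoints communicate only inside their network, replays the three phases of the demo, and then does one thing the demo does not: `docker network connect` a container to a second network, which is the case to check before trusting that two networks are isolated. Container, network and daemon names are the demo's; the subnets are assumptions (skynet gets 10.0.0.0/24 as on the VXLAN diagram, d1net 10.1.0.0/24); `Cnm`, `pivots` and the other identifiers are mine.

```python
"""A small model of the Container Network Model (sandbox, endpoint, network).

Added example; not code from the talk or from libnetwork. A local-scope
network exists on one daemon only (the default bridge, d1net); a
global-scope one (the overlay skynet) spans daemons. Subnets are assumed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Network:
    name: str
    scope: str                       # "local" (one host) or "global" (overlay)
    subnet: ipaddress.IPv4Network
    members: dict = field(default_factory=dict)   # container name -> address

    def allocate(self):
        """Next free address; .1 is kept for the gateway, as Docker does."""
        used = set(self.members.values())
        for ip in self.subnet.hosts():
            if ip != self.subnet[1] and ip not in used:
                return ip
        raise RuntimeError(f"{self.name}: subnet exhausted")


@dataclass
class Sandbox:                        # one per container
    name: str
    host: str
    endpoints: dict = field(default_factory=dict)  # network key -> address


class Cnm:
    def __init__(self, hosts):
        self.networks, self.sandboxes = {}, {}
        for h in hosts:   # every daemon has its own default bridge (docker0)
            self.network_create("bridge", "172.17.0.0/16", host=h)

    def network_create(self, name, subnet, host=None, scope="local"):
        if scope == "global":
            key = name
        elif host is None:
            raise ValueError("a local network belongs to one host")
        else:
            key = f"{host}/{name}"
        if key in self.networks:
            raise ValueError(f"network {key} already exists")
        self.networks[key] = Network(name, scope, ipaddress.ip_network(subnet))

    def _lookup(self, host, name):
        key = name if name in self.networks else f"{host}/{name}"
        return key, self.networks[key]

    def run(self, name, host, net="bridge"):
        """docker run --name=<name> --net=<net> on daemon <host>."""
        self.sandboxes[name] = Sandbox(name, host)
        self.connect(name, net)

    def connect(self, container, net):
        """docker network connect <net> <container>: one more endpoint in the sandbox."""
        sb = self.sandboxes[container]
        key, n = self._lookup(sb.host, net)
        ip = n.allocate()
        n.members[container] = ip
        sb.endpoints[key] = ip

    def can_reach(self, a, b):
        """Two sandboxes talk iff they hold an endpoint on the same network."""
        return bool(self.sandboxes[a].endpoints.keys() & self.sandboxes[b].endpoints.keys())

    def etc_hosts(self, container):
        """Entries Docker writes for peers on user-defined networks; none on the default bridge."""
        sb, entries = self.sandboxes[container], []
        for key, n in self.networks.items():
            if key not in sb.endpoints or n.name == "bridge":
                continue
            for peer, ip in n.members.items():
                if peer != container:
                    entries.append((str(ip), [peer, f"{peer}.{n.name}"]))
        return entries

    def resolve(self, container, hostname):
        """Case-sensitive lookup, like the demo's ping on alpine."""
        for ip, names in self.etc_hosts(container):
            if hostname in names:
                return ip
        return None

    def pivots(self):
        """Containers with endpoints on more than one network: each one joins
        networks the model otherwise keeps apart."""
        return sorted(s.name for s in self.sandboxes.values() if len(s.endpoints) > 1)


def demo():
    c = Cnm(hosts=["d1", "d2"])
    c.run("A1", "d1")                                             # default bridge of d1
    c.run("A2", "d1")
    c.network_create("d1net", "10.1.0.0/24", host="d1")           # subnet assumed
    c.run("B1", "d1", net="d1net")
    c.run("B2", "d1", net="d1net")
    c.network_create("skynet", "10.0.0.0/24", scope="global")     # overlay shared via the KV store
    c.run("C1", "d1", net="skynet")
    c.run("C2", "d2", net="skynet")
    out = {
        "A2 reaches A1 by IP": c.can_reach("A2", "A1"),
        "A2 resolves A1": c.resolve("A2", "A1"),
        "B2 reaches A1": c.can_reach("B2", "A1"),
        "B2 resolves B1.d1net": c.resolve("B2", "B1.d1net"),
        "C2 reaches A1": c.can_reach("C2", "A1"),
        "C2 resolves B1.d1net": c.resolve("C2", "B1.d1net"),
        "C2 resolves C1.skynet": c.resolve("C2", "C1.skynet"),
        "pivots before connect": c.pivots(),
    }
    c.connect("C1", "d1net")   # beyond the demo: one container on two networks
    out["C1 reaches B1 after connect"] = c.can_reach("C1", "B1")
    out["pivots after connect"] = c.pivots()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The results reproduce the demo: on the default bridge A2 reaches A1 by IP but gets no /etc/hosts entry for it; B2 resolves B1.d1net and cannot reach A1; C2 on d2 resolves C1.skynet and reaches neither A1 nor B1. After `connect`, C1 holds endpoints on skynet and d1net and is the one path between them, which `pivots()` reports.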
Overlay network demo #3
-
Overlay network demo #3: orchestrate the deployment and use of a LAMP stack
[Figure: the overlay network skynet spans Docker #1 and Docker #2. Docker #1 runs the http container, published on port 80 through the bridge; Docker #2 runs mysql and php-fpm. /var/www and /var/lib/mysql sit on shared storage (NFS, GlusterFS, EC2...).]
-
[Slides 28 and 29: configuration listing, not recoverable from this transcript.]