Currently in Migration - Jason Edelman's Old Blog

Docker Networking

6/12/2014

There has been a ton of information out there on Docker over the last week.  Because the impact on networking is often overlooked for new technologies, I figured I'd get a head start on understanding the basics of Docker networking.  This post documents the steps I took to test Docker, looking at the network constructs that are automatically configured when a container is created.
First, I installed Docker using instructions for Ubuntu 12.04 (LTS) 64-bit.

Post install, but before any container was created, here is the interface list on my Ubuntu machine.  Two interfaces: eth3 (192.168.1.134) and lo (127.0.0.1).  This Ubuntu machine is running in VirtualBox and eth3 is bridged onto my home network, 192.168.1.0/24.
Picture
Creating my first Docker container. This took about a minute (maybe less) to download the image and start.  Pretty impressive.  Notice the last line in the screen shot below: it drops you straight into a shell inside the container, shown as 'root@c7ad293f989:/#'.
Picture
In a new bash prompt (the existing shell is now attached to the container), run 'ifconfig' on the host.  Notice the two new additions: docker0 and veth068f.  docker0 is a Linux bridge and veth068f is the host end of a virtual Ethernet (veth) pair, attached as a port on that bridge.  Docker picks a subnet not currently in use on the machine and assigns an IP in that range to the docker0 bridge (these are just the default settings).
Picture
Going back into the container, let's run 'ifconfig' there.  We can see 'eth0' was automatically created.  It is the container end of the veth pair: eth0 inside the container and veth068f on the docker0 bridge are the two ends of the same virtual cable, so a frame sent out of eth0 shows up on the bridge.  Notice the container's address is a /16 in the same range as the IP assigned to docker0.
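To find which host-side veth belongs to a given container (handy when you want to tcpdump one container's traffic from the host), read /sys/class/net/eth0/iflink inside the container and match it against the interface indexes on the host. The following Python is an added example, not from the original post; the ip -o link listing is constructed to match the interfaces above, and the only Linux fact it relies on is that a veth interface's iflink holds the ifindex of its peer.

```python
import re

# Matches the leading "<ifindex>: <name>" of each `ip -o link` line. Newer
# iproute2 prints veth names as "veth068f@if4"; the regex stops at the '@'.
LINK_RE = re.compile(r"^(\d+):\s+([^:@\s]+)")


def parse_ip_link(text):
    """Return {ifindex: ifname} from `ip -o link` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m:
            links[int(m.group(1))] = m.group(2)
    return links


def read_iflink(ifname, sysfs="/sys/class/net"):
    """Peer ifindex of a veth. Run this for 'eth0' inside the container
    (for example via nsenter or docker exec); not exercised offline."""
    with open("%s/%s/iflink" % (sysfs, ifname)) as f:
        return int(f.read().strip())


def host_peer_name(container_iflink, host_links):
    """Host interface whose ifindex equals the container's eth0 iflink, i.e.
    the other end of the veth pair; None if no such interface is visible."""
    return host_links.get(container_iflink)


def bridge_ports(text, bridge="docker0"):
    """Interfaces enslaved to `bridge`, from the 'master <bridge>' marker that
    `ip -o link` prints for bridge ports (same information as `brctl show`)."""
    ports = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if m and (" master %s " % bridge) in line:
            ports.append(m.group(2))
    return sorted(ports)


# Constructed sample: the host's interface table as `ip -o link` would print
# it after the two containers in this post were started.
SAMPLE_HOST_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
5: veth068f: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master docker0 state UP
7: veth392a: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master docker0 state UP
"""

# Constructed: what `cat /sys/class/net/eth0/iflink` printed inside the first
# container. Indexes 4 and 6 are the container ends and are not visible on
# the host, because they live in the containers' network namespaces.
CONTAINER_ETH0_IFLINK = 5

if __name__ == "__main__":
    links = parse_ip_link(SAMPLE_HOST_LINKS)
    print("docker0 ports:", bridge_ports(SAMPLE_HOST_LINKS))
    print("container eth0 <->", host_peer_name(CONTAINER_ETH0_IFLINK, links))
```

On a live host, replace SAMPLE_HOST_LINKS with the output of `ip -o link` and CONTAINER_ETH0_IFLINK with read_iflink("eth0") executed inside the container's network namespace; the returned name is the interface to capture on.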
Picture
At this point, pings are successful to the Internet.  See the screen shot below.  But how is this happening?
Picture
Let's check what the default gateway of the container is.  It is in fact the IP address of the docker0 bridge, as the first hop in the following traceroute shows.
Picture
But where is NAT configured?  I don't have NAT configured in VirtualBox; as I said, eth3 is a bridged Ethernet adapter on my Ubuntu VM.  It turns out Docker automatically configures iptables: it enables IP forwarding, adds FORWARD rules that allow outgoing connections from the container subnet, and adds a MASQUERADE rule to the nat table's POSTROUTING chain for that subnet.  You can see this in the 'MASQUERADE' rule below.  Note that MASQUERADE rewrites the source address to that of the interface the packet leaves on, so traffic headed for my home network leaves with the eth3 address (192.168.1.134), not the docker0 address; docker0's address is only the container's first hop.
Picture
A few things worth noting:

  • No inbound connections to containers are permitted by default.
  • You can in fact skip docker0 and point Docker at your own bridge (the daemon's -b option).
  • Because you don't need to use docker0, it should be fairly *easy* to integrate with network virtualization solutions that use a different bridge, like 'br-int', as I talked about here.
  • Cloud management platforms such as OpenStack would just need to support Docker to pass the right information to 'neutron-server' (MAC address, port, IP, etc.) in order to properly configure the required overlay tunnels and interfaces.
  • Follow this link for more advanced networking with Docker. There is plenty more that has already been documented by Docker.

Below are two more screen shots, creating a second container and testing its network connectivity.  Because the image was already downloaded, this container was created in under a second.
Picture
Notice the new interface on the docker0 bridge, veth392a.
Picture
Connectivity was successful between containers and from the new container to the Internet.
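The outbound NAT, the inbound-deny default and the container-to-container forwarding seen above all come from rules Docker writes into iptables, and the quickest way to check what is actually in force on a host is to read iptables-save. The following Python is an added example, not from the original post or from Docker, that summarises those rules and then works out which source address a container packet carries when it leaves the host. The rule set is constructed to resemble what a 2014-era daemon installs, with one published port added to show the inbound exception: MASQUERADE carries no --to-source, so the kernel substitutes the address of the egress interface (eth3, 192.168.1.134) while docker0's address is only the container's gateway, and a DNAT rule in the DOCKER chain, created when a port is published with -p, is what opens an inbound path. The host addresses and default interface are assumptions taken from the screenshots.

```python
import ipaddress
import shlex


def parse_iptables_save(text):
    """Return {table: [rule_tokens, ...]} for every '-A' line of iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A") and table is not None:
            tables[table].append(shlex.split(line))
    return tables


def opt(tokens, flag):
    """(value, negated) for a rule option such as '-d'; (None, False) if absent.
    A preceding '!' token marks the match as negated, e.g. '! -d 172.17.0.0/16'."""
    for i, tok in enumerate(tokens):
        if tok == flag and i + 1 < len(tokens):
            return tokens[i + 1], i > 0 and tokens[i - 1] == "!"
    return None, False


def audit(text):
    """Summarise the Docker-relevant NAT and forwarding rules."""
    tables = parse_iptables_save(text)
    report = {"masquerade": [], "published": [], "icc": None}
    for rule in tables.get("nat", []):
        chain, target = rule[1], opt(rule, "-j")[0]
        if chain == "POSTROUTING" and target == "MASQUERADE":
            dst, dst_negated = opt(rule, "-d")
            report["masquerade"].append(
                {"src": opt(rule, "-s")[0], "not_dst": dst if dst_negated else None})
        elif target == "DNAT":  # a published port: the hole in "no inbound by default"
            port = opt(rule, "--dport")[0]
            report["published"].append({"proto": opt(rule, "-p")[0],
                                        "host_port": int(port) if port else None,
                                        "dest": opt(rule, "--to-destination")[0]})
    for rule in tables.get("filter", []):
        (in_if, in_neg), (out_if, out_neg) = opt(rule, "-i"), opt(rule, "-o")
        # The docker0 -> docker0 FORWARD rule decides inter-container traffic:
        # ACCEPT with the default --icc=true, DROP with --icc=false.
        if rule[1] == "FORWARD" and in_if == out_if == "docker0" and not (in_neg or out_neg):
            report["icc"] = opt(rule, "-j")[0] == "ACCEPT"
    return report


def source_after_nat(src, dst, report, host_addrs, default_if):
    """Return (egress_interface, source_ip) for a packet a container sends from
    src to dst. host_addrs maps interface -> 'addr/prefix'; default_if is the
    interface carrying the default route."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress, best = default_if, -1
    for ifname, cidr in host_addrs.items():  # longest-prefix match on connected nets
        net = ipaddress.ip_interface(cidr).network
        if dst_ip in net and net.prefixlen > best:
            egress, best = ifname, net.prefixlen
    for m in report["masquerade"]:
        excluded = m["not_dst"] is not None and dst_ip in ipaddress.ip_network(m["not_dst"])
        if src_ip in ipaddress.ip_network(m["src"]) and not excluded:
            # MASQUERADE has no fixed --to-source: the kernel uses the address
            # of the interface the packet is routed out of, not docker0's.
            return egress, str(ipaddress.ip_interface(host_addrs[egress]).ip)
    return egress, src


# Constructed sample, modelled on a 2014-era Docker rule set with docker0 on
# 172.17.42.1/16 and host port 8080 published to a container's port 80.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
"""
# Assumed host addressing, matching the screenshots: eth3 holds the default route.
HOST_ADDRS = {"eth3": "192.168.1.134/24", "docker0": "172.17.42.1/16"}

if __name__ == "__main__":
    summary = audit(SAMPLE_RULES)
    print(summary)
    print(source_after_nat("172.17.0.2", "8.8.8.8", summary, HOST_ADDRS, "eth3"))
    print(source_after_nat("172.17.0.2", "172.17.0.3", summary, HOST_ADDRS, "eth3"))
```

Run `iptables-save` on the host and feed its output to audit() to see the real rules. An icc value of False means inter-container traffic on docker0 is dropped (the daemon's --icc=false setting), and every entry under published is an inbound path that the "no inbound by default" statement no longer covers.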

The goal here was to give a very high-level overview of networking with Docker, although there is plenty more that can be done.  In the future I would like to test with custom OVS bridges and get more creative with the L2/L3 designs, but there is only so much time in the day!  Stay tuned for more!

Thanks,
Jason

@jedelman8

5 Comments
Finkregh
6/16/2014 06:20:04 pm

why would you create static screenshots when you could just copy the plain text from your terminal and embed it in your blog?

The font is not really readable and you are really screwing with the vision impaired ppl.

Jason Edelman
6/17/2014 06:41:20 am

Dear Finkregh,

Please do not remain anon if you want a fix. I would be more than happy to email you the screen shots so you can zoom in. You can also download them and zoom in if you wish.

However, I do appreciate the feedback though.

Feel free to write in via the Contact section if you want me to email you the screen shots.

-Jason

Kirk Byers
6/21/2014 02:11:09 pm

Jason, wouldn't it be NAT'd to eth3 and not docker0? Docker0 IP address is still unroutable in your setup (IP = 172.17.42.1).

Good stuff.

Jason Edelman
6/22/2014 06:26:32 am

Kirk,

The way I understand it is this. The docker containers' first hop (as can be seen in the traceroute) is the docker0 interface, which is 172.17.42.1. All containers presumably get NAT'd to that IP Address, in the default configuration, and then get routed to the 192.168.1.0/24 subnet. As mentioned, it is bridged from vbox to my VM, so nothing should be NAT'd to the 192.168 address.

Paige Thompson
12/7/2014 01:31:27 am

no docker0, RIP


    Author

    Jason Edelman, Founder of Network to Code, focused on training and services for emerging network technologies. CCIE 15394.  VCDX-NV 167.