Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
VMware / Lightboards - Intro to Containers / 16 May 2017
VMware / Lightboards - Intro to Containers / 16 May 2017
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Docker Networking Options

Description

In this lightboard talk, Nathan Ness walks through the networking options in Docker.

For more information, please visit the VMware’s Cloud-Native Apps website:
https://cloud.vmware.com/cloud-native-apps

A

Hi I'm Nathan F I'm from the cloud native applications business unit and today we're going to talk about the different networking options within docker. So the first one would be the default docker bridge.

A

With the default docker bridge, you have some type of container host. This container host is going to have an Ethernet adapter and then it's going to go into the IP tables of the Linux kernel.

A

Which is also going to perform an app function.

A

After that, we're going to draw the default docker bridge, this is usually called docker 0 within the dr. 0. We can hang containers off that provision, containers container, 1, container 2 so anytime. These containers are going to talk, outbound or external to the hosts they're going to be NAT 'add at the iptables level and have a source address of whatever IP addresses at the container host, and so inbound connectivity is going to require a D net rule.

A

When you start the docker container, it's going to require that you expose port, 80 or map a port on the host side to the port on the container side, and this can be any arbitrary port to a specific port on the container 1 and so maybe I might have 8080 mapped to 80 on the backend. So this would be the host port and then it's going to go back to port 80 on container 1, but just know that the default behavior of docker is going to be net outbound and inbound communication.

A

So this is going to actually perform both D net and s net for outbound and inbound communication container to container communication. So container one talking to container two- this would happen over the dr0 bridge and that communication will be inherently allowed. Okay, the next option that we have is user, specific bridges or what are call user-defined bridges.

A

So this is a very similar model to the default docker bridge. So we have our doctor container host with e0.

A

Again, we're going to have IP tables in here also performing net and below this we're going to actually be able to make user-defined bridges. So this could be BR net two over here we could put BR net one.

A

And then we can have containers hanging off of each of these different bridges, and you would do this with the net command when you start the dr container. So what this allows you to do is have some isolation between containers, so by default, these two containers cannot talk to each other and then the same inbound and outbound behavior remains the same.

A

It's still going to use IP tables to net outbound, and it's also going to use the D net rules to map inbound as well, so you're still going to require that if you're going to go host a host to container to container across your docker host environment- and so really, this is really meant for the isolation of containers on the same host to provide some type of segmentation between them.

A

The next method of this is to use a overlay networking this become. This has become default in docker as well, which is included, and so when we have an overlay network. What happens here is this time I'm going draw two hosts with the e to zero and then we'll also draw our iptables.

A

And our bridge.

A

Okay and I'll hang a container off of that and it will draw one more host so again, we'll draw Ethernet 0, that's going to go down to iptables.

A

Doctor 0 and will draw one container off of their container 2 this time now we're going to add in what's called an overlay Network and an overlay network is used for encapsulation across your physical network, and this allows typically VMs or containers or whatever you're hooking into this to be on the same layer to segment, which is exactly what this is going to do. So here we have our containers connected to our overlay, and this allows container to container communication over a multi host Network without using network address translation.

A

So any container to container communication will be able to use the overlay and instead of being netted across and managing complexity of port numbers, they can actually use the overlay and just communicate over layer two, and so here's really your three options for using docker networking with the the default docker implementation.