DCSF 19 Data Center Networking with Containers
3 likes526 views
The document discusses networking options for Docker containers, including various macvlan and transparent networking modes. It outlines use cases, comparisons of support, and caveats such as the limitations of Docker services and network encryption. Additionally, it provides command examples for setting up different networking configurations on both Linux and Windows servers.
DCSF 19 Data Center Networking with Containers
- 1. Shaker Gilbert Solution Engineer, Docker Data Center Networking with Containers
- 2. ● Common Use Case ● Comparisons of Support ● Caveats ● MACVLAN Modes ● Transparent Networking Modes ● Demo’s ● Q&A AGENDA
- 3. COMMON USE CASE Overlay and Bridge Networking is Preferred, but... VLAN_1 192.168.11.221 192.168.11.121 Traditional AppTraditional DB
- 4. COMMON USE CASE Overlay and Bridge Networking is Preferred, but... VLAN_1192.168.11.221 192.168.11.121 VLAN_1 host_net default_gw Traditional DB Container APP
- 5. Comparisons of Support Single and Bonded / Teamed Interfaces Bridge Mode (parent interface) Trunked Bridge Mode L2 Trunked Bridge (IPVLAN) Dual-Stacked MACVLAN Mode MultiCast IP Range Pools IP Address Exclusions Hyper-V Host Integrated Customized DNS Suffix and Servers IPv4 & IPv6 LINUX WINDOWS
- 6. Caveats â—Ź Docker Services are not supported (host mode) â—Ź Avoid IP address exhaustion and IP conflicts â—Ź Service Discovery is not supported â—Ź Network Encryption is not supported â—Ź Cloud providers block macvlan networking â—Ź Networking equipment; both physical and virtual, must support promiscuous mode Note: If multiple networks which use an external vSwitch for connectivity (e.g. Transparent, L2 Bridge, L2 Transparent) are created on the same container host, each of them requires its own network adapter.
- 8. Linux Server Supported Features â—Ź Single and Bonded / Teamed Interfaces â—Ź Bridge Mode (parent interface) â—Ź Trunked Bridge Mode 802.1q â—Ź IPVLAN Trunked Bridge 802.1q â—Ź Dual-Stacked MACVLAN Mode â—Ź IPv4 & IPv6 â—Ź MultiCast â—Ź IP Address Exclusions â—Ź IP Range Pools Requirements Host Native / Libnetwork MACVLAN Linux Kernel > v3.9
- 9. Bridge Mode Useful when containers need to access the same network resources that are shared by the host they are on. â—Ź Container has its own MAC address â—Ź Container appears to be physically connected on the host network â—Ź DHCP and Static IP Supported â—Ź All Containers on the bridge can communicate over layer 2. â—Ź Exclude Host IP from IPAM â—Ź Use IP Ranges docker network create --driver macvlan -- subnet=172.16.1.0/24 --gateway=172.16.1.1 --aux-address=172.16.1.52 --ip-range=172.16.1.0/24 -o parent=eth0 hostnet eth0 (default_net)
- 10. Trunked Bridge Mode (L3) Useful when containers need access to resources on traditional VLAN networks; isolation domains and security profiles. â—Ź Container has its own MAC Address â—Ź Appears on the same network (VLAN) to other network devices â—Ź Sub-Interfaces are automatically created â—Ź Sub-Interface assigns VLAN tagging docker network create --driver macvlan --subnet=192.168.11.0/24 --gateway=192.168.11.1 -o parent=eth1.10 vlan10 eth0 (default_net) .10 eth1 .20
- 11. Dual-Stack Bridge Useful when multiple networks are required and/or both IPv4 and IPv6 addresses are needed on the same VLAN. ● Container has its own MAC Address ● Containers appear to be physically connected on the host port ● Manual IP assignment on network ● Enable IPv6 in /etc/docker/daemon.json ○ “ipv6”: true docker network create --driver macvlan --subnet=192.168.10.0/24 --subnet=192.168.12.0/24 --gateway=192.168.10.1 --gateway=192.168.12.1 --subnet=2001:0db8:85a3:0000::/64 --gateway=2001:0db8:85a3:0000::10 -o parent=eth1.46 -o macvlan_mode=bridge vlan46 eth0 (default_net) .46 eth1
- 13. Windows Server Supported Features â—Ź Single and Teamed Interfaces â—Ź Bridge Mode (parent interface) â—Ź Trunked Bridge Mode 802.1q â—Ź Layer 2 Bridge 802.1q â—Ź Libnetwork communicates with HNS â—Ź Hyper-V host integrated â—Ź Windows host firewall rules apply to container networks Requirements Host Native / Libnetwork Windows Server 2016 & 2019
- 14. Transparent Bridge Mode ● Container has its own MAC address ● Container appears to be physically connected on the host network ● IP assignment either static or DHCP ● Windows Firewall Rules Apply docker network create -d transparent -- subnet="172.16.1.0/24” --gateway="172.16.1.1" -o com.docker.network.windowsshim.interface="Ethernet0" -o com.docker.network.windowsshim.networkname="hostnet" hostnet Useful when containers need to access the same network resources that are shared by the host they are on. (hostnet) Ethernet0
- 15. Trunked Bridge Mode (L3) ● Container has its own MAC Address ● Appears on the same network (VLAN) to other network devices ● IP assignment either static or DHCP ● VLAN ID must be specified per network docker network create -d transparent -- subnet="192.168.11.0/24” --gateway="192.168.11.1" -o com.docker.network.windowsshim.interface="Ethernet1" -o com.docker.network.windowsshim.vlanid=”10” -o com.docker.network.windowsshim.networkname="vlan10" vlan10 Ethernet1 (hostnet) Ethernet0 (vlan10) Useful when containers need access to resources on traditional VLAN networks; isolation domains and security profiles.
- 16. Layer 2 Bridge Mode ● Container shares the host MAC address ● Container appears to be physically connected on the host network ● Static IP assignment required docker network create -d l2bridge --subnet="172.16.1.0/24” -- gateway="172.16.1.1" -o com.docker.network.windowsshim.interface="Ethernet0" -o com.docker.network.windowsshim.dnssuffix=”docker.ee” -o com.docker.network.windowsshim.dnsservers=”172.16.1.6” -o com.docker.network.windowsshim.networkname="corpnet" corpnet (hostnet) Ethernet0 Useful when the local switch restricts the total number of MAC addresses that it can manage.
- 17. Demo’s What could go wrong?
- 18. Review
- 19. Linux Demo’s host: mysqlx IP: 192.168.11.201 app: mysql database host: linux2.docker.ee IP: 172.16.1.52 app: wordpress network: macvlan.1 : 192.168.11.192/29 host: linux2.docker.ee IP: 172.16.1.52 app: nginx (default) network: macvlan.10 IP: 172.16.1.233 docker run -d -e 80 --rm --name wordpress --network=macvlan_vlan1 -e WORDPRESS_DB_HOST=192.168.11.201:3306 -e WORDPRESS_DB_USER=4linux -e WORDPRESS_DB_PASSWORD=4linux -e WORDPRESS_DB_NAME=4linux -v nfs_4linux:/var/www/html wordpress docker run -d --rm -e 80 --network=macvlan_10 --ip="172.16.1.233" nginx default network
- 20. Windows Demo’s host network IP: 172.16.1.0/24 host: windows2.docker.ee IP: 172.16.1.62 app: IIS (default) network: vlan10 IP: 172.16.1.234 docker run -d --rm --name iis --network=vlan10 -e 80 --ip="172.16.1.234 default network
- 21. Working Together, Yes we can! eth0 .1 eth1 Eth0 Eth1 default_net vlan1
- 22. â—Ź Limit Use Cases for MACVLAN & Transparent Networking â—Ź Used to Secure Layer 2 App Communication As Needed â—Ź Manage IP Segments and Subnets Carefully â—Ź Host Services (docker run) Need Special Handling Considerations
- 23. beta.docker.com Sign up for the Enterprise 3.0 Beta
- 24. Rate & Share Rate this session in the DockerCon App Tweet #DockerCon
- 25. Get Hands On Play With Docker Play With Kubernetes Free self-paced hands on labs to help you level up your docker knowledge. https://dockr.ly/pwd Learn the basic concepts of Kubernetes all within your browser https://dockr.ly/pwk
- 26. Questions?