Sunday, August 5, 2018

Container Networking - 2

In this second page on container networking, we look at the network modes in Docker and at what actually happens under the hood.
Bridge - To avoid the port clash we faced in host mode, we can use the bridge networking mode. In this mode the container is placed on a completely separate network stack.

To give the container a completely new network stack, Docker uses the docker0 bridge. docker0 is created by default when Docker is installed and is the bridge network. If we run the ifconfig command on the Linux host, we can see the docker0 bridge with its assigned IP address:
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
       inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0

Whenever we create a container in bridge network mode, the container is created and an IP address from the docker0 bridge's range is allocated to it. Let's see how this works:
[root@manja17-I13330 ~]# docker run -it  docker.io/jagadesh1982/testing-service /bin/bash
root@f0b0b8651d78:/usr/src/app# hostname -I
172.17.0.2
root@f0b0b8651d78:/usr/src/app# exit
exit
We can see that the container has started and has been allocated an IP address from the range defined for the docker0 bridge. So how does accessing a container work?
In the picture above, two "testing-service" containers are created, each running on port 9876. When both containers are created in bridge mode, every container has its own network namespace, which means its own IP address as well as its own complete port range. Our job now is to publish (expose) the ports used inside the container to the host namespace, which we do with the "-p" argument when running the container. It can be done as:
docker run -d -p 19999:9876 docker.io/jagadesh1982/testing-service

Here we are exposing port 9876 to the host machine and mapping it to host port 19999. We can now access the application running inside the container on port 9876 via localhost:19999/info

When we try to access this, the request first reaches the host's eth0 interface and is then handled by iptables, which performs the network address translation from the public host address to the private container address. The request is then passed to docker0, which delivers it to the container with that IP address. The Docker runtime takes care of adding the iptables rules that forward requests to the private container address.
This mode allows containers to have their own private network space and port space without any clash with other containers. Now that we have seen how basic network communication happens in bridge mode, let's see exactly how this happens.

Whenever we create a container, Docker creates and attaches a virtual ethernet device (also called a veth) and assigns a network namespace to the container. A veth always comes in two parts: one end sits in the container's network namespace and the other is attached to the docker bridge (docker0) in the host namespace. The container's network namespace also gets an eth0 interface created inside the container.

When traffic comes into the host network, it is routed into the bridge (docker0). The packet is dispatched to its veth and goes into the container's namespace. Let's create a container and see how the network namespaces are connected:
[root@manja17-I13330 ~]# docker run -it docker.io/jagadesh1982/pingpong-java /bin/bash
root@45ee66ee9e6a:/# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
86: eth0@if87: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
   link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff

The important one here is eth0@if87 with id 86. The number after "if" (87) is the id of the other network interface in the veth pair. If we run the same command on the host while keeping the container running, we have
ip link list
************
87: veth7301875@if86: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
   link/ether aa:18:b8:80:68:8a brd ff:ff:ff:ff:ff:ff link-netnsid 1
We can see that the network interface with id 87 is the other half of the veth pair for the container above. It is attached to the docker0 bridge (note the master docker0 in the output), and traffic from the container reaches the internet through the host's eth0.
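As an added example (not code from the original post), the following POSIX shell script does the pairing described above programmatically: given `ip link list` output captured inside the container and on the host, it follows the "@ifN" peer index in both directions and reports which host veth belongs to the container's eth0 and which bridge that veth is enslaved to. The two listings embedded in it are constructed samples modelled on the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): pair a container's eth0 with the host-side
# veth by following the "@ifN" peer index that `ip link list` prints on both sides.
# Note: an ifindex is only unique within one network namespace, so the host line's
# "link-netnsid" says which namespace the peer lives in; checking the pairing in both
# directions (container -> host -> container) guards against a stale or wrong match.

# Constructed sample listings, modelled on the post's output (not real captures).
CONTAINER_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
86: eth0@if87: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff'

HOST_IP_LINK='4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 02:42:3a:6c:5e:8f brd ff:ff:ff:ff:ff:ff
87: veth7301875@if86: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether aa:18:b8:80:68:8a brd ff:ff:ff:ff:ff:ff link-netnsid 1
89: vethaaaaaaa@if88: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT
    link/ether aa:18:b8:80:68:8b brd ff:ff:ff:ff:ff:ff link-netnsid 2'

# own_index LISTING IFNAME   -> this interface's ifindex (the number before the colon)
own_index() {
    printf '%s\n' "$1" | awk -v n="$2" '$2 ~ ("^" n "@if[0-9]+:$") { sub(":$", "", $1); print $1 }'
}

# peer_index LISTING IFNAME  -> the ifindex of the other end of the veth pair (after "@if")
peer_index() {
    printf '%s\n' "$1" | awk -v n="$2" '$2 ~ ("^" n "@if[0-9]+:$") { sub("^.*@if", "", $2); sub(":$", "", $2); print $2 }'
}

# host_peer_of CONTAINER_LISTING HOST_LISTING CONTAINER_IFNAME
# Prints "<host veth> <bridge or none>"; returns 1 if no consistent pairing exists.
host_peer_of() {
    c_idx=$(own_index "$1" "$3"); h_idx=$(peer_index "$1" "$3")
    [ -n "$c_idx" ] && [ -n "$h_idx" ] || return 1
    # Find the host interface whose own index is the container's peer index ...
    h_line=$(printf '%s\n' "$2" | awk -v i="$h_idx" '$1 == (i ":")')
    [ -n "$h_line" ] || return 1
    h_name=$(printf '%s\n' "$h_line" | awk '{ sub("@if.*$", "", $2); print $2 }')
    # ... and require that its peer index points back at the container interface.
    [ "$(peer_index "$2" "$h_name")" = "$c_idx" ] || return 1
    bridge=$(printf '%s\n' "$h_line" | awk '{ for (i = 1; i <= NF; i++) if ($i == "master") print $(i + 1) }')
    printf '%s %s\n' "$h_name" "${bridge:-none}"
}

host_peer_of "$CONTAINER_IP_LINK" "$HOST_IP_LINK" eth0   # prints: veth7301875 docker0
```

On a live host the same functions work on real captures: run `ip link list` inside the container and on the host, store each output in a variable, and pass them in place of the constructed samples.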
