This slide deck covers an overview of Docker Networking as of Docker 1.8, the drawbacks of current Docker Networking, and the goals of Docker Experimental Networking.
2. About me
• Senior Engineering Manager at Cisco Systems, Data Center group
• Like to follow SDN and Cloud related Opensource projects and write about them.
• Personal blog can be found at https://sreeninet.wordpress.com/ and my hacky code at https://github.com/smakam
• You can reach me on LinkedIn at https://in.linkedin.com/in/sreenivasmakam
3. Agenda
• Why do we need Container Networking?
• Current Docker Networking internals
• Existing external networking options for Docker – Pipework, Flannel, Weave
• Limitations of current Docker Networking
• What’s coming up next
• Demo
4. Why do we need Container Networking?
• Containers need to talk to the external world.
• The external world needs to reach containers in order to use the services they provide.
• Containers need to talk to the host machine.
• Inter-container connectivity is needed both on the same host and across hosts.
5. Basics
• Namespaces – virtualize processes, networks, file systems, users, etc.
• Software switch – could be a Linux bridge, OVS, Cisco n1k, VMware vSwitch, etc. It resides in the hypervisor and is used to switch traffic between VMs and containers.
• Iptables – for NAT-type functionality.
6. Docker Networking options
• --net=bridge. This is the default option that Docker provides: containers connect to the Linux “docker” bridge.
• --net=host. In this option no new network namespace is created for the container; the container shares the network namespace of the host machine.
• --net=(container name or id). In this option the new container shares the network namespace of the container named in the ‘net’ option. (Example: “sudo docker run -ti --name=ubuntu2 --net=container:ubuntu1 ubuntu:14.04 /bin/bash”. Here the ubuntu2 container shares the same network namespace as the ubuntu1 container.)
• --net=none. In this option the container does not get allocated a new network namespace; only the loopback interface is created. This option is useful in scenarios where we want to build our own networking for the container.
7. Default Docker Networking
• A Docker Linux bridge (docker0) gets created on the host machine. Its default IP address is 172.17.42.1 with a 16-bit subnet mask.
• Each container has 2 network interfaces: eth0, which gets an IP address in the 172.17.x.x network, and a loopback interface.
• The host machine has a veth* interface on the Linux bridge, to which the eth0 interface in the container is connected.
9. External connectivity to Containers
• To reach the Apache webserver container service from outside:
docker run -d -p 8080:80 smakam/apachedocker
• Port 80 in the container is mapped to port 8080 on localhost.
10. Linking 2 containers on same host –
Option 1
• 2 containers, Wordpress and mysql, compose the Wordpress application.
• The Wordpress application needs to connect to the mysql container.
docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=mysql -d mysql
docker run --name some-wordpress -e WORDPRESS_DB_PASSWORD=mysql -e WORDPRESS_DB_HOST=172.17.0.16:3306 -p 8080:80 -d wordpress
• Above, the IP address and environment variables have to be specified manually.
11. Linking 2 containers on same host –
Option 2
• In this option we use the container linking mechanism to feed the environment variables automatically.
docker run --name mysql -e MYSQL_ROOT_PASSWORD=mysql -d mysql
docker run --name wordpress --link mysql:mysql -d -p 8080:80 wordpress
• The following environment variables are created automatically in the Wordpress container.
root@ee066d135ca5:/var/www/html# set|grep MYSQL
MYSQL_ENV_MYSQL_MAJOR=5.6
MYSQL_ENV_MYSQL_ROOT_PASSWORD=mysql
MYSQL_ENV_MYSQL_VERSION=5.6.26
MYSQL_NAME=/wordpress/mysql
MYSQL_PORT=tcp://172.17.0.24:3306
MYSQL_PORT_3306_TCP=tcp://172.17.0.24:3306
MYSQL_PORT_3306_TCP_ADDR=172.17.0.24
MYSQL_PORT_3306_TCP_PORT=3306
MYSQL_PORT_3306_TCP_PROTO=tcp
12. Linking 2 containers on same host –
Option 3
• In this option we use docker-compose to create and link both containers.
docker-compose.yml
wordpress:
  image: wordpress
  links:
    - db:mysql
  ports:
    - 8080:80
db:
  image: mysql
  environment:
    MYSQL_ROOT_PASSWORD: example
• We can execute “docker-compose up -d” to start the Wordpress application.
13. Native Docker Networking limitations
• Cannot create more than 1 interface in the container.
• Multi-host container networking is difficult to set up.
• The IP addressing scheme for containers is not flexible.
• A multi-tenant container solution with enough isolation and security is not possible.
• Automatic service discovery is not possible.
14. Pipework
• Pipework is a script developed by Jerome Petazzoni to network Docker containers in complex environments.
• As mentioned by Jerome himself, the script is a temporary solution until a more permanent solution gets developed natively in Docker.
• Following are some features that Pipework supports:
– Connect containers across multiple hosts.
– Create any number of interfaces with arbitrary IP addresses.
– Allows use of an OVS bridge instead of the Linux bridge.
– Allows isolation of containers using VLANs.
– Allows configuration of IP, MAC, netmask and gateway.
Host 1:
sudo ovs-vsctl add-port ovsbr0 gre0 -- set interface gre0 type=gre options:remote_ip=<host2 ip>
sudo ~/pipework/pipework ovsbr0 <cid> 11.1.1.1/24 @10
Host 2:
sudo ovs-vsctl add-port ovsbr0 gre0 -- set interface gre0 type=gre options:remote_ip=<host1 ip>
sudo ~/pipework/pipework ovsbr0 <cid> 11.1.1.3/24 @10
15. Weave
• Weave creates a Weave bridge as well as a Weave router on the host machine.
• The Weave router establishes both TCP and UDP connections to the Weave routers on other hosts. The TCP connection is used for discovery and protocol-related exchanges; UDP is used for data encapsulation. Encryption can be enabled if needed.
• The Weave bridge is configured to sniff the packets that need to be sent across hosts and redirect them to the Weave router. For local switching the Weave router is not used.
16. Flannel
• Flannel creates an overlay network using either UDP or VXLAN encapsulation.
• Flannel links itself to the Docker bridge to which the containers are attached and builds the overlay on top of it.
• Flannel is closely integrated with CoreOS, but it can be used standalone as well.
17. What’s ahead - Docker Experimental Networking
• Docker Experimental Networking addresses the majority of the problems mentioned above.
• The current approach is a batteries-included one: Docker provides a default networking solution that customers can substitute with other networking plugins based on their needs.
• The Docker 1.8 experimental release provides a good taste of the networking features that will be coming soon.
20. Linking 2 containers on same host
Web server container connecting to database container:
$ sudo docker run -d --name db training/postgres
$ sudo docker run -d -p 8080:80 --name web --link db:dblink smakam/apachedocker
• The webserver container receives the environment variables of the DB container and uses them to connect to the database. The following environment variables get imported automatically.
# set|grep DBLINK
DBLINK_ENV_PG_VERSION=9.3
DBLINK_NAME=/web/dblink
DBLINK_PORT=tcp://172.17.0.3:5432
DBLINK_PORT_5432_TCP=tcp://172.17.0.3:5432
DBLINK_PORT_5432_TCP_ADDR=172.17.0.3
DBLINK_PORT_5432_TCP_PORT=5432
DBLINK_PORT_5432_TCP_PROTO=tcp
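Both this slide and slide 11 show the <ALIAS>_PORT_* and <ALIAS>_ENV_* variables a link injects. As an added example, not part of the deck, the Python below reads those variables the way an application inside the linked container would, so no IP has to be typed by hand as in option 1, and it also lists which of the linked container's own variables look like secrets, since slide 11 shows MYSQL_ENV_MYSQL_ROOT_PASSWORD being copied into the Wordpress container. SAMPLE_ENV is constructed from the naming pattern in the deck's output.

```python
import re

# Constructed sample: what a container's environment looks like after
# "--link mysql:mysql" and "--link db:dblink", modelled on the deck's output.
SAMPLE_ENV = {
    "MYSQL_NAME": "/wordpress/mysql",
    "MYSQL_PORT_3306_TCP_ADDR": "172.17.0.24",
    "MYSQL_PORT_3306_TCP_PORT": "3306",
    "MYSQL_PORT_3306_TCP_PROTO": "tcp",
    "MYSQL_ENV_MYSQL_ROOT_PASSWORD": "mysql",  # copied from the mysql container
    "MYSQL_ENV_MYSQL_VERSION": "5.6.26",
    "DBLINK_NAME": "/web/dblink",
    "DBLINK_PORT_5432_TCP_ADDR": "172.17.0.3",
    "DBLINK_PORT_5432_TCP_PORT": "5432",
    "DBLINK_PORT_5432_TCP_PROTO": "tcp",
    "HOSTNAME": "ee066d135ca5",  # unrelated variable, must be ignored
}
LINK_NAME = re.compile(r"^([A-Z][A-Z0-9_]*)_NAME$")
SECRET_HINT = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN", re.I)

def linked_services(env):
    # A link contributes <ALIAS>_NAME and, per exposed port,
    # <ALIAS>_PORT_<port>_<proto>_{ADDR,PORT,PROTO}. Returns
    # {alias: [(proto, addr, port), ...]} without hand-typing any IP.
    services = {}
    for key in env:
        m = LINK_NAME.match(key)
        if not m:
            continue
        alias, endpoints = m.group(1), []
        for k, addr in env.items():
            if k.startswith(alias + "_PORT_") and k.endswith("_ADDR"):
                base = k[: -len("_ADDR")]  # e.g. MYSQL_PORT_3306_TCP
                port = int(env.get(base + "_PORT", "0"))
                endpoints.append((env.get(base + "_PROTO", "tcp"), addr, port))
        if endpoints:
            services[alias] = sorted(endpoints)
    return services

def leaked_link_env(env):
    # Linking also copies the linked container's whole environment in as
    # <ALIAS>_ENV_<VAR>, so its secrets (MYSQL_ROOT_PASSWORD above) arrive too.
    found = []
    for alias in linked_services(env):
        prefix = alias + "_ENV_"
        for k in env:
            if k.startswith(prefix) and SECRET_HINT.search(k[len(prefix):]):
                found.append((alias, k[len(prefix):]))
    return sorted(found)
```

Running leaked_link_env against a real container's os.environ is a quick check for whether a link has carried a database password into a front-end container that has no business holding it.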