Docker Networking Meetup #2 - Mountain View
Docker Networking: Weave and Flannel
Dhananjay DJ Sampath
wifi: HD-Guest, pass: hackerdojo
Weave
● Weaveworks inc. (previously called Zettio)
● Network plane for Docker containers
● Previously built RabbitMQ
● Recently secured funding led by Accel Venture Partners
What is Weave?
● Weave allows you to connect Docker containers across multiple hosts together
● It gives you a flat network for your container environment, independent of which host the containers are located on (AWS, GCE etc.)
How do they do it?
[Diagram: a physical host running the weave router; containers attach to it through veth interfaces (veth 1, veth 2), each identified by a UID and a MAC address]
Weave Encap
● Router performs batching
● Name, meta-data is used for matching
● Weave peers don't have to know all MAC addresses (aggregation)
● No ARP explosion
All of this over TCP/IP and through your firewalls
Crypto (NaCl libraries)
● Encrypt data connections, both TCP and UDP
● NaCl - Go implementation
● Diffie-Hellman to exchange keys between hosts
● User-provided password is SHA-256ed and added to the ephemeral session key
● Prevents basic sniffing and MITM attacks
DNS
● Name-based lookup is available (recent commit)
● Distributed DNS service (like skydns, consul etc.)
● Minimal config, minimal sync, minimal app mods
Hands on - Basic Weave Topology
Host 1:
$ weave launch
$ C=$(weave run 10.0.1.1/24 -t -i ubuntu)
Host 2:
$ weave launch $HOST1
$ C=$(weave run 10.0.1.2/24 -t -i ubuntu)
$ ping 10.0.1.1   (from 10.0.1.2)
[Diagram: Host 1 and Host 2 peered over port 6783, TCP and UDP]
Attaching weave to existing containers
$ C=$(docker run -d -t -i ubuntu)
$ weave attach 10.0.1.1/24 $C
$ weave detach 10.0.1.1/24 $C
[Diagram: containers C1 and C2 on Host 1 and Host 2, peered over port 6783, TCP and UDP]
Services
$ weave expose 10.0.1.102/24
Service export:
$ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 2211 \
    -j DNAT --to-destination 10.0.1.1:4422
[Diagram: containers C1 and C2 on Host 1 and Host 2, peered over port 6783, TCP and UDP]
Password based protection
$ weave launch -password wEaVe
Multi-cloud, Multi-hop, Container mobility, Fault tolerance and DNS are other features.
DNS
$ sudo weave launch
$ sudo weave launch-dns 10.1.0.3/16
$ sudo weave run 10.1.1.25/24 -ti -h shell.weave.local debian /bin/bash
$ SHELL2=$(sudo weave run 10.1.1.26/24 -ti -h shell2.weave.local debian /bin/bash)
$ docker attach $SHELL2
# ping shell
Github/Code: https://github.com/zettio/weave#readme
CoreOS
• Lightweight OS based on Gentoo Linux
• Has a distributed key-value store at the core
• Read-only rootfs. Writeable /etc
  o All services are in containers
Flannel
• One subnet per machine, like Kubernetes
  o Host 1: 10.10.10.0/24
  o Host 2: 10.10.11.0/24
• No Docker port-based mapping
• Containers reach each other through IP
• Packets encapsulated using UDP, and soon VxLAN
Instructions to Run Flannel
1. Build flannel on each host
2. Set key in etcd for network config
3. Start flannel
4. Start container with appropriate IP
$ curl -L http://127.0.0.1:4001/v2/keys/coreos.com/network/config -XPUT \
    -d value='{ "Network": "10.0.0.0/8", "SubnetLen": 20, "SubnetMin": "10.10.0.0", "SubnetMax": "10.99.0.0", "Backend": {"Type": "udp", "Port": 7890}}'
$ source /run/flannel/subnet.env
$ docker -d --bip=${FLANNEL_SUBNET} --mtu=${FLANNEL_MTU}
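To see what the etcd network config above actually commits a cluster to, here is an added example (not flannel's own code) that validates the JSON, enumerates the per-host /20 subnets between SubnetMin and SubnetMax, hands each host a non-overlapping subnet, and renders the FLANNEL_SUBNET/FLANNEL_MTU lines docker consumes. The first-fit allocation order and the 1472-byte MTU (1500 minus the 28-byte outer IP+UDP header) are assumptions of this model, not flannel's documented behaviour.

```python
import ipaddress
import json

# Constructed sample: the network config from the curl command above.
FLANNEL_CONFIG = json.dumps({
    "Network": "10.0.0.0/8", "SubnetLen": 20,
    "SubnetMin": "10.10.0.0", "SubnetMax": "10.99.0.0",
    "Backend": {"Type": "udp", "Port": 7890},
})

def parse_config(raw):
    """Validate the flannel network config and return its fields."""
    cfg = json.loads(raw)
    network = ipaddress.ip_network(cfg["Network"])
    length = int(cfg["SubnetLen"])
    if not (network.prefixlen < length < 32):
        raise ValueError("SubnetLen must be longer than the Network prefix")
    lo = ipaddress.ip_address(cfg["SubnetMin"])
    hi = ipaddress.ip_address(cfg["SubnetMax"])
    if lo not in network or hi not in network or lo > hi:
        raise ValueError("SubnetMin/SubnetMax must lie inside Network, min <= max")
    return network, length, lo, hi, cfg["Backend"]

def candidate_subnets(raw):
    """Enumerate SubnetLen-sized subnets from SubnetMin up to SubnetMax."""
    _, length, lo, hi, _ = parse_config(raw)
    step = 1 << (32 - length)
    addr = int(ipaddress.ip_network((lo, length), strict=False).network_address)
    out = []
    while addr <= int(hi):
        out.append(ipaddress.ip_network((addr, length)))
        addr += step
    return out

def allocate(raw, hosts):
    """Give each host a distinct subnet (first-fit; an assumed model, not flannel's)."""
    pool = candidate_subnets(raw)
    if len(hosts) > len(pool):
        raise ValueError("not enough subnets for all hosts")
    leases = dict(zip(hosts, pool))
    nets = list(leases.values())
    # The property the "one subnet per machine" design relies on: no overlap.
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            raise RuntimeError("overlapping lease")
    return leases

def subnet_env(subnet, mtu=1472):
    """Render the lines docker reads via --bip/--mtu from /run/flannel/subnet.env."""
    bridge_ip = subnet.network_address + 1  # first host address becomes the docker bridge
    return f"FLANNEL_SUBNET={bridge_ip}/{subnet.prefixlen}\nFLANNEL_MTU={mtu}\n"
```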
Our Setup
• Three CoreOS hosts
[Diagram: 192.168.2.116 (flannel, bash container), 192.168.2.112 (flannel, nginx container), 192.168.2.119 (flannel, bash container)]
Limitations
• IP address overlap not possible
  o VxLAN not used to create container groups
• User-space encapsulation and forwarding
  o Potential performance bottleneck
Hackathons
● Once every 2 months
● Help folks get environments set up, discuss projects and start submitting bug fixes to the projects
● Build out your open source portfolio on GitHub
● Connect with Bay Area NVirters, Go-Lang, Python groups to build skills and hack on the new infrastructure stack!
● Motivation: cool projects, free food! Why not!? :D