Monday, August 17, 2015

A New Chapter in Docker Networking

Docker networking is entering a new chapter.

Networking is one of the pillar for modern day IT infrastructure and lots of work are done by various networking equipment vendor to provide a stable and fast network.  Recently, there is also the movement of Software Defined Network (SDN) as well as the Network Function Virtualization (NFV). 

In the traditional client and server model, the traffic pattern is mostly "north-south traffic" (between the server and the clients). 

With Docker where most of the time it is being used to deploy Micro-Services, there is a need for the containers to talk to one another both within the same host or across multiple hosts.  This changed the traffic pattern and the demand for the network is changed to add "east-west traffic" (traffic between hosts).

Docker Inc has done a good job on Docker in packaging container but the networking support is a bit primitive. I had a blog post on Docker Networking options last year and before that I had another post describing what Docker container is and that VMware is not against but embracing this container technologies.   And of course there is Project Bonneville that is in technology preview state where VMware is making Docker containers to work just like a virtual machine in the vSphere environment so as to take advantage of the "enterprise ready" features of vSphere such as Distributed Resource Scheduler, vMotion and the benefit of the lightweight, fast provisioning characteristic of Docker container.

Native Docker Networking
  • On startup Docker creates a Ethernet Bridge docker0 on the Linux Kernel
  • docker0 creates a virtual subnet on the Docker host
  • Docker creates a pair of virtual Ethernet interface on each container
  • One of the Ethernet interface is the eth0 in the container
  • Another Ethernet interface will have a unique name in the form of veth* (e.g.vethABI3IC) and is bind to docker0
  • User can customize docker0
  • Advanced Docker networking can be found here
image source: http://www.infrabricks.de/assets/images/docker_network_basics1.png

The native Docker networking was simple and is designed as a single-host solution. Native Docker networking does not scale well which is against Docker container use cases. 

Docker Networking from 3rd parties

As mentioned on my blog post from last year there are solutions/projects in development to solve or to improve Docker networking.  These solutions are:
  • Weave
  • Kubernetes
  • Flannel
  • Pipework
  • SocketPlane <-now part of Docker Inc.
For detail description of these solutions you can take a look at here or here

While these solutions are useful and has its use cases, they are all external to Docker.

Docker's latest Networking Solution
On April 30, 2015, Docker announced an open source project - libnetwork.

libnetwork
Libnetwork is an open source project and can be found in GitHub here.

This "libnetwork" is a library that can provide native support for Docker container and its function is to connect containers.  This library is written in the Go language.  According to GitHub, "libnetwork project will follow Docker and Linux philosophy of developing small, highly modular and composable tools that works well independently. Libnetwork aims to satisfy that composable need for Networking in Containers."

Libnetwork implements the Container Network Model is is the work of various networking partners of Docker Inc such as Cisco, IBM, Microsoft, Joynet, Rancher, VMware and Weave.

The most important aspect for libnetwork is that it uses a driver/plugin model.  In the pass, Docker networking is handle by libcontainer and Docker Engine and now with libnetwork it can provide a single interface via the form of an API. 

Container Network Model
This model has 3 main components:
  1. SandBox
  2. Endpoint
  3. Network
 image source: https://blog.docker.com/media/2015/04/cnm-model.jpg

This architecture diagram of Container Network Model is pretty self-explanatory.  Again, GitHub has good information about what these 3 elements are:

Sandbox
A Sandbox contains the configuration of a container's network stack. This includes management of the container's interfaces, routing table and DNS settings. An implementation of a Sandbox could be a Linux Network Namespace, a FreeBSD Jail or other similar concept. A Sandbox may contain many endpoints from multiple networks.

Endpoint
An Endpoint joins a Sandbox to a Network. An implementation of an Endpoint could be a veth pair, an Open vSwitch internal port or similar. An Endpoint can belong to only one network but may only belong to one Sandbox.

Network
A Network is a group of Endpoints that are able to communicate with each-other directly. An implementation of a Network could be a Linux bridge, a VLAN, etc. Networks consist of many endpoints.

Why is libnetwork so special?

Libnetwork is indeed very special that I called this a new chapter for Docker networking.

We have seen that libnetwork provides a single interface for networking. The significant of a single interface is that libnetwork can be present a plugin for external networking solutions. This is similar to the Neutron project for OpenStack where 3rd party networking solutions can be use.  

Both VMware and Cisco has already jump into this band wagon with their respective NSX and ACI networking solution to provide a robust networking solution for mulit-host container communication.  

Beside a robust networking solution, being able to use 3rd party networking solutions is also able to provide Docker containers security and layer 4 - 7 network functions features such as firewall and load-balancer.  

Security is an important aspect for all deployment in any environment. Both VMware's NSX and Cisco's ACI implements Micro-segmentation which is to provide a distributed firewall with extended rules.  These extended firewall rules allows user to define security policies beyond the traditional network attributes based rules.  My next post will be on Micro-segmentation.

Note: libnetwork is still under heavy development and is listed as experimental in Docker 1.7.  Please check GitHub for the latest status as things are going in a fact pace.

Reference:
https://github.com/docker/libnetwork/blob/master/docs/design.md
"Docker/libnetwork." GitHub. N.p., n.d. Web. 17 Aug. 2015.

7 comments:

  1. The information you have given here is truly helpful to me. CCNA- It’s a certification program based on routing & switching for starting level network engineers that helps improve your investment in knowledge of networking & increase the value of employer’s network.
    Regards,
    ccna training in Chennai|ccna training institute in Chennai

    ReplyDelete
  2. Thanks for sharing this niche useful informative post to our knowledge, Actually SAP is ERP software that can be used in many companies for their day to day business activities it has great scope in future.
    Regards,
    SAP Training in Chennai|SAP Course in Chennai|sap training in Chennai|SAP courses in chennai

    ReplyDelete
  3. The usage of third party storage system for the data storage can be avoided in cloud computing and we can store, access the data through internet.
    cloud computing training in chennai | cloud computing courses in chennai

    ReplyDelete
  4. Thanks for sharing the very useful info about DevOps and please keep updating........
    DevOps Training
    DevOps Online Training
    DevOps Training in Ameerpet

    ReplyDelete