21 Days of Docker - Day 19 - Docker Networking Deep Dive

On Day 9, Day 10 and Day 11 I discussed Docker networking; let's go one level down and dig deeper into it.

What are the Container Networking Model (CNM) and Libnetwork?

  • The CNM is an open-source container networking specification that was contributed to the community by Docker Inc.
  • Docker’s libnetwork is a library that provides an implementation for CNM.
  • However, third-party plugins can be used to replace the built-in Docker driver.
  • Libnetwork is cross-platform and open-source.
  • CNM has interfaces for both IPAM plugins and network plugins. The IPAM plugin APIs can be used to create/delete address pools and allocate/deallocate container IP addresses. The network plugin APIs are used to create/delete networks and add/remove containers from networks.

Docker Networking on Linux

  • Docker networking uses the Linux kernel's extensive networking capabilities (e.g. TCP/IP stack, VXLAN, DNS)
  • Docker networking utilizes many Linux kernel networking features (network namespaces, bridges, iptables, veth pairs…)
  • Linux Bridges: L2 virtual switches implemented in the kernel
  • Network namespaces: Used for isolating container network stacks
  • veth pairs: Connecting containers to container networks
  • iptables: Used for port mapping, load balancing, network isolation

Docker Overlay Driver

  • The overlay network driver creates a distributed network among multiple Docker daemon hosts. This network sits on top of (overlays) the host-specific networks, allowing containers connected to it (including swarm service containers) to communicate securely. Docker transparently handles routing of each packet to and from the correct Docker daemon host and the correct destination container.

How does it work?

  • The overlay driver uses VXLAN technology to build the network
  • A VXLAN tunnel is created through the underlay network(s)
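
VXLAN itself provides no confidentiality: swarm encrypts application traffic on an overlay network only when the network is created with `--opt encrypted`. The following added example (not from the original post) summarises which overlay networks carry cleartext VXLAN and maps a VNI seen in a packet capture back to its network. The network names, the inspect output and the header bytes are constructed, and treating the presence of the `encrypted` option key as "enabled" is an assumption.

```python
import json

VXLAN_OPT = "com.docker.network.driver.overlay.vxlanid_list"

# Constructed `docker network inspect` output (trimmed to the fields used).
SAMPLE_INSPECT = """[
 {"Name": "app-overlay", "Driver": "overlay",
  "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4097"}},
 {"Name": "secure-overlay", "Driver": "overlay",
  "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4098",
              "encrypted": ""}},
 {"Name": "my-custom-net", "Driver": "bridge", "Options": {}}
]"""

# Constructed 8-byte VXLAN header: flags 0x08 (VNI present), VNI 0x001001.
SAMPLE_VXLAN_HEADER = bytes.fromhex("0800000000100100")


def overlay_networks(inspect_json):
    """Summarise overlay networks: name, VXLAN IDs, data-plane encryption."""
    result = []
    for net in json.loads(inspect_json):
        if net.get("Driver") != "overlay":
            continue
        opts = net.get("Options") or {}  # Options can be null
        vnis = [int(v) for v in opts.get(VXLAN_OPT, "").split(",") if v]
        # Assumption: presence of the "encrypted" key means --opt encrypted was set.
        result.append({"name": net["Name"], "vnis": vnis,
                       "encrypted": "encrypted" in opts})
    return result


def vxlan_vni(header):
    """Extract the 24-bit VNI from a VXLAN header (RFC 7348 layout)."""
    if len(header) < 8 or not header[0] & 0x08:
        raise ValueError("not a VXLAN header with a valid VNI")
    return int.from_bytes(header[4:7], "big")


def network_for_vni(networks, vni):
    """Map a VNI seen on the wire back to the overlay network that owns it."""
    return next((n for n in networks if vni in n["vnis"]), None)


if __name__ == "__main__":
    nets = overlay_networks(SAMPLE_INSPECT)
    owner = network_for_vni(nets, vxlan_vni(SAMPLE_VXLAN_HEADER))
    print("cleartext overlays:", [n["name"] for n in nets if not n["encrypted"]])
    print("captured frame belongs to:", owner["name"])
```

On a real manager node, feed the function the output of `docker network inspect` for the networks you want to review instead of the sample string.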

Network Troubleshooting

  • The first step in any troubleshooting is to check the container logs
docker container logs <container id>
  • To check the Docker daemon logs:
sudo journalctl -u docker
  • Let's discuss one handy tool called netshoot
  • Docker network troubleshooting can become complex. With a proper understanding of how Docker networking works and the right set of tools, you can troubleshoot and resolve these networking issues. The netshoot container has a set of powerful networking troubleshooting tools that can be used to troubleshoot Docker networking issues.
  • If you’re having networking issues with your application’s container, you can launch netshoot with that container’s network namespace.
  • netshoot includes a set of powerful tools, including:
apache2-utils
bash
bind-tools
bird
bridge-utils
busybox-extras
calicoctl
conntrack-tools
ctop
curl
dhcping
drill
ethtool
file
fping
iftop
iperf
iproute2
ipset
  • To illustrate that, let's take a simple example
  • Let's create a custom bridge network
$ docker network create my-custom-net
b56567c0609dda35f8312c08b6c974875217447e6d3618ea9d63256e3013d2cf
  • Run and attach a container to this network
$ docker container run -dt --name my-nginx --network my-custom-net -p 80:80 nginx
0564f1f854c004911ea42edd0d7492a8c5f32cafba72993022ec99d36e0c8c33
  • Let's say we are having trouble connecting to the nginx container. To check connectivity from another container on the same network:
$ docker container run --rm --network my-custom-net nicolaka/netshoot curl my-nginx:80
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
100   612  100   612    0     0  76500      0 --:--:-- --:--:-- --:--:-- 87428
  • One of the most powerful features of netshoot is that, if you're having networking issues with your application's container, you can launch netshoot in that container's network namespace like this:

$ docker run -it --net container:<container_name> nicolaka/netshoot

  • For the case discussed above, that looks like this:
$ docker container run --rm -it --net container:my-nginx nicolaka/netshoot curl localhost:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
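
The `-p 80:80` flag used for my-nginx above is implemented as an iptables DNAT rule in the nat table's DOCKER chain, and with no host IP given it matches traffic arriving on every host interface. The following added example (not from the original post) parses such rules and lists the published ports that are not restricted to one address. The rule text is a constructed sample in the format Docker typically writes; the container addresses and the second, loopback-only container are hypothetical.

```python
# Constructed sample of `sudo iptables -t nat -S DOCKER`. The bridge name is
# "br-" plus the first 12 characters of the network ID created on this page.
SAMPLE_RULES = """\
-N DOCKER
-A DOCKER -i br-b56567c0609d -j RETURN
-A DOCKER ! -i br-b56567c0609d -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.18.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
"""


def _opt(tokens, flag, default=None):
    """Return the value that follows an iptables flag, or a default."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def parse_dnat_rules(rules_text):
    """Return one dict per DNAT rule: protocol, host port, bind address, target."""
    mappings = []
    for line in rules_text.splitlines():
        tokens = line.split()
        if "DNAT" not in tokens:
            continue  # skip chain definitions and RETURN rules
        mappings.append({
            "proto": _opt(tokens, "-p"),
            "host_port": int(_opt(tokens, "--dport")),
            # No -d match means the rule applies to any destination address.
            "bind": _opt(tokens, "-d", "0.0.0.0/0"),
            "bridge": _opt(tokens, "-i"),
            "target": _opt(tokens, "--to-destination"),
        })
    return mappings


def exposed_on_all_interfaces(mappings):
    """Published ports reachable through every host interface."""
    return [m for m in mappings if m["bind"] in ("0.0.0.0/0", "::/0")]


if __name__ == "__main__":
    for m in exposed_on_all_interfaces(parse_dnat_rules(SAMPLE_RULES)):
        print(f'{m["proto"]}/{m["host_port"]} -> {m["target"]} on all interfaces')
```

Publishing with an explicit host address, for example `-p 127.0.0.1:80:80`, produces a rule with a `-d` match like the second sample line.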

For more info

https://github.com/nicolaka/netshoot
