Learning Docker Networking
About this ebook
Become a proficient Linux administrator by learning the art of container networking with elevated efficiency using Docker
About This Book
- Set up, configure, and monitor a virtual network of containers using a bridge network and virtual switches
- Master the skill of networking Docker Containers using frameworks such as Kubernetes, Docker Swarm, and Mesosphere
- Acquire hands-on experience through practical examples of Docker networking spanning multiple containers, over multiple hosts, clubbed with various frameworks
If you are a Linux administrator who wants to learn networking using Docker to ensure the efficient administration of core elements and applications, then this book is for you. Basic knowledge of LXC/Docker is assumed.
What You Will Learn
- Get to know the basics of networking and see how Docker networking works
- Expose the strengths and weaknesses of the current Docker network implementation and third party landscape
- Understand Docker networking spanning multiple containers over multiple hosts through practical examples
- Observe the pitfalls of Docker networking and how to overcome them
- Learn how Docker networking works for Docker Swarm and Kubernetes
- Configure Networking using Docker's container network model (CNM)
- Explore OpenvSwitch to connect contain
Docker is a Linux container implementation that enables the creation of lightweight, portable development and production environments. These environments can be updated incrementally. Docker achieves this by leveraging containment primitives such as cgroups and Linux namespaces, along with portable images built on an overlay filesystem. Docker provides the networking primitives that let administrators specify how containers connect to each other and to each component of an application, distribute them across a large number of servers, and coordinate them regardless of the host or VM they run on.
This book will show you how to create, deploy, and manage a virtual network for connecting containers spanning single or multiple hosts.
Style and approach
This step-by-step guide covers the fundamentals relating to typical applications with a practical approach. There is a focus on providing the practical skills required to develop applications, with a summary of the key concepts where necessary.
Learning Docker Networking - Dua Rajdeep
Table of Contents
Learning Docker Networking
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
1. Docker Networking Primer
Networking and Docker
Linux bridges
Open vSwitch
NAT
IPtables
AppArmor/SELinux
The docker0 bridge
The --net default mode
The --net=none mode
The --net=container:$container2 mode
The --net=host mode
Port mapping in Docker container
Docker OVS
Unix domain socket
Linking Docker containers
Links
What's new in Docker networking?
Sandbox
Endpoint
Network
The Docker CNM model
Summary
2. Docker Networking Internals
Configuring the IP stack for Docker
IPv4 support
IPv6 support
Configuring a DNS server
Communication between containers and external networks
Restricting SSH access from one container to another
Configuring the Docker bridge
Overlay networks and underlay networks
Summary
3. Building Your First Docker Network
Introduction to Pipework
Multiple containers over a single host
Weave your containers
Open vSwitch
Single host OVS
Creating an OVS bridge
Multiple host OVS
Networking with overlay networks – Flannel
Summary
4. Networking in a Docker Cluster
Docker Swarm
Docker Swarm setup
Docker Swarm networking
Kubernetes
Deploying Kubernetes on AWS
Kubernetes networking and its differences to Docker networking
Deploying the Kubernetes pod
Mesosphere
Docker containers
Deploying a web app using Docker
Deploying Mesos on AWS using DCOS
Summary
5. Security and QoS for Docker Containers
Filesystem restrictions
Read-only mount points
sysfs
procfs
/dev/pts
/sys/fs/cgroup
Copy-on-write
Linux capabilities
Securing containers in AWS ECS
Understanding Docker security I – kernel namespaces
pid namespace
net namespace
Basic network namespace management
Network namespace configuration
User namespace
Creating a new user namespace
Understanding Docker security II – cgroups
Defining cgroups
Why are cgroups required?
Creating a cgroup manually
Attaching processes to cgroups
Docker and cgroups
Using AppArmor to secure Docker containers
AppArmor and Docker
Docker security benchmark
Audit Docker daemon regularly
Create a user for the container
Do not mount sensitive host system directories on containers
Do not use privileged containers
Summary
6. Next Generation Networking Stack for Docker: libnetwork
Goal
Design
CNM objects
Sandbox
Endpoint
Network
Network controller
CNM attributes
CNM lifecycle
Driver
Bridge driver
Overlay network driver
Using overlay network with Vagrant
Overlay network deployment Vagrant setup
Overlay network with Docker Machine and Docker Swarm
Prerequisites
Key-value store installation
Create a Swarm cluster with two nodes
Creating an overlay network
Creating containers using an overlay network
Container network interface
CNI plugin
Network configuration
IP allocation
IP address management interface
Project Calico's libnetwork driver
Summary
Index
Learning Docker Networking
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: February 2016
Production reference: 1190216
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78528-095-5
www.packtpub.com
Credits
Authors
Rajdeep Dua
Vaibhav Kohli
Santosh Kumar Konduri
Reviewer
Jon Langemak
Commissioning Editor
Kunal Parikh
Acquisition Editor
Tushar Gupta
Content Development Editor
Mayur Pawanikar
Technical Editor
Dhiraj Chandanshive
Copy Editors
Joanna McMahon
Madhusudan Uchil
Project Coordinator
Nidhi Joshi
Proofreader
Safis Editing
Indexer
Rekha Nair
Graphics
Jason Monteiro
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
About the Authors
Rajdeep Dua has over 16 years of experience in distributed systems. He has worked in R&D and Developer Relations roles at Microsoft, Google, VMware, and Salesforce.com. He has exposure to multiple cloud platforms, such as Google App Engine, Heroku, Force.com, vSphere, and Google Compute Engine.
Rajdeep has been working on Docker and related container technologies for more than two years now. He did his MBA in IT from IIM Lucknow in the year 2000.
Vaibhav Kohli has around 3 years of working experience in the research and development department of VMware, and he has been teaching computer engineering for a year at the esteemed Mumbai University. He has published many research papers and filed three patents from VMware in the container domain. He has also conducted workshops in various companies and meetups on container technology (Docker) and Kubernetes.
Santosh Kumar Konduri has around 5 years of IT experience. He is an expert OpenStack administrator with 3 years of experience.
About the Reviewer
Jon Langemak has over 10 years of experience in designing, building, and maintaining high-performance networks. He's currently employed as a network architect at a Minnesota-based company, where he focuses on disruptive technologies and the impact they have on network operations. Outside of work, Jon blogs at www.dasblinkenlichten.com and enjoys collaborating with others in the networking community on new ideas and concepts.
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Preface
This book helps the reader learn, create, deploy, and administer Docker networking. Docker is a Linux container implementation that enables the creation of lightweight, portable development and production-quality environments. These environments can be updated incrementally. Docker achieves this by leveraging containment primitives, such as cgroups and Linux namespaces, along with portable images built on an overlay filesystem.
Docker provides the networking primitives that let administrators specify how containers connect to each other and to the components of an application, distribute them across a large number of servers, and coordinate them regardless of the host or VM they run on. This book brings together the latest Docker networking technology and explains it in depth, with setup details.
What this book covers
Chapter 1, Docker Networking Primer, explains the essential components of Docker networking, which have evolved from coupling simple Docker abstractions with powerful network components such as Linux bridges and Open vSwitch. This chapter also explains the networking modes in which Docker containers can be created. In the default mode, port mapping is implemented with iptables NAT rules that allow traffic arriving at the host to reach containers; a port published without a bind address is reachable on every interface of the host, not only on loopback. Later in this chapter, basic linking of containers is covered, and the next generation of Docker networking, libnetwork, is introduced.
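The port-mapping mechanism described for the default mode leaves an auditable trace in the nat table: one DNAT rule in the DOCKER chain per published port. The following script, an added example and not code from the book, parses `iptables-save -t nat` output and lists which host ports reach which container, flagging the ones that are not bound to loopback. The sample rules embedded in it are constructed for the example and modelled on the rule shape Docker's default bridge driver installs; the exact text on a given host may differ by Docker version, in which case the regular expression is the part to adjust.

```python
"""Audit Docker's published ports by parsing `iptables-save -t nat` output.

Added example, not code from the book. It models the DNAT rules Docker's
default bridge networking installs in the DOCKER chain of the nat table when
a container publishes a port with `-p [host_ip:]host_port:container_port`.
Run on a live host with:
    iptables-save -t nat | python3 audit_ports.py
or call parse_published_ports(text) on captured output.
"""
import re
import sys

# One DNAT rule per published port. Docker adds `-d <ip>/32` only when the
# publish spec bound the port to a specific host address; without it the
# port answers on every host interface.
DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<bind>\S+))? ! -i (?P<bridge>\S+)"
    r" -p (?P<proto>tcp|udp) -m (?:tcp|udp) --dport (?P<hport>\d+)"
    r" -j DNAT --to-destination (?P<cip>[\d.]+):(?P<cport>\d+)$"
)

# Constructed sample of `iptables-save -t nat` output (not captured from a
# real host); the rule shapes follow Docker's default bridge driver.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53
COMMIT
"""


def parse_published_ports(text):
    """Return one dict per host port that is DNAT'ed into a container."""
    ports = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        bind = m.group("bind") or "0.0.0.0/0"
        ports.append({
            "bind": bind,
            "proto": m.group("proto"),
            "host_port": int(m.group("hport")),
            "container": m.group("cip"),
            "container_port": int(m.group("cport")),
            # A port bound to loopback is reachable only from the host itself;
            # anything else is exposed on every network the host sits on.
            "world_reachable": not bind.startswith("127."),
        })
    return ports


def world_reachable_ports(text):
    """Only the mappings that are reachable from beyond the host."""
    return [p for p in parse_published_ports(text) if p["world_reachable"]]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for p in parse_published_ports(data):
        flag = "EXPOSED" if p["world_reachable"] else "local"
        print(f"{flag:8} {p['proto']}/{p['host_port']} on {p['bind']} -> "
              f"{p['container']}:{p['container_port']}")
```

Run against the embedded sample, the script reports 8080/tcp and 53/udp as exposed on all interfaces and 5432/tcp as loopback-only; the same classification applied to live output is a quick check that a database or admin port was published with `-p 127.0.0.1:...` rather than `-p ...`.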
Chapter 2, Docker Networking Internals, discusses Docker's internal networking architecture. We will learn about IPv4, IPv6, and DNS configuration in Docker. Later in this chapter, the Docker bridge and communication between containers on a single host and across multiple hosts are covered. This chapter also explains overlay tunneling and the different methods implemented for Docker networking, such as OVS, Flannel, and Weave.
Chapter 3, Building Your First Docker Network, shows how Docker containers on multiple hosts communicate using different networking options, such as Weave, OVS, and Flannel. Pipework uses a legacy Linux bridge, Weave creates a virtual network, OVS uses GRE tunneling, and Flannel gives each host a separate subnet to connect containers across hosts. Some implementations, such as Pipework, are legacy and will become obsolete over time, while others are designed for specific OSes, such as Flannel with CoreOS. Basic comparisons of Docker networking options are also covered in this chapter.
Chapter 4, Networking in a Docker Cluster, explains Docker networking in depth using various frameworks. Native Docker Swarm, using libnetwork and its out-of-the-box overlay network, provides multihost networking. Kubernetes takes a different perspective from Docker: each pod gets a unique IP address, and pods communicate with each other through services. Using Open vSwitch or IP forwarding with advanced routing rules, Kubernetes networking can be extended to connect pods on different subnets across hosts and to expose pods to the external world. In the case of Mesosphere, Marathon is used as the backend for networking the deployed containers. With Mesosphere's DCOS, the entire deployed stack of machines is treated as one machine to provide rich networking between deployed container services.
Chapter 5, Security and QoS for Docker Containers, dives into Docker security through kernel namespaces and cgroups. We also visit aspects of filesystems and the Linux capabilities that containers leverage to provide more features, such as the privileged container, at the cost of a larger attack surface. We will also see how containers can be deployed in a secured environment in AWS ECS using proxy containers to restrict vulnerable traffic. We then discuss AppArmor, a Mandatory Access Control (MAC) system implemented as a kernel enhancement that confines applications to a limited set of resources; applying it to Docker containers helps deploy them securely. In the last section, we take a quick look at the Docker security benchmark and some of the important recommendations to follow when auditing and deploying Docker in a production environment.
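Several of the benchmark recommendations the chapter ends with (create a user for the container, do not mount sensitive host directories, do not use privileged containers) can be checked mechanically from `docker inspect` output. The script below is an added example, not code from the book or from the benchmark itself; the sensitive-path list, the severities, and the extra checks for `--net=host` and added capabilities are this example's own choices. The sample records are constructed for the example and mirror the `docker inspect` fields the checks read (`HostConfig.Privileged`, `Config.User`, `Mounts`, `HostConfig.NetworkMode`, `HostConfig.CapAdd`).

```python
"""Check `docker inspect` output against a few benchmark items from Chapter 5:
run as a non-root user, do not mount sensitive host directories, do not use
privileged containers. Added example, not code from the book. Use with:
    docker inspect $(docker ps -q) | python3 audit_containers.py
"""
import json
import sys

# Host paths that hand a container control of the host if mounted writable
# (or, for the Docker socket, even read-only). Example's own list, not a
# normative benchmark.
SENSITIVE_PATHS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
DOCKER_SOCKET = "/var/run/docker.sock"
DANGEROUS_CAPS = ("ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE")


def _under(path, root):
    """True if `path` is `root` or lives beneath it ('/' only matches itself)."""
    path = path.rstrip("/") or "/"
    return path == root or (root != "/" and path.startswith(root + "/"))


def audit_container(c):
    """Return a list of (severity, finding) tuples for one inspect record."""
    findings = []
    host = c.get("HostConfig", {})
    cfg = c.get("Config", {})
    name = c.get("Name", "?").lstrip("/")

    if host.get("Privileged"):
        findings.append(("HIGH", f"{name}: --privileged grants every capability "
                                 "and raw device access; drop it"))
    user = cfg.get("User") or ""
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append(("MEDIUM", f"{name}: runs as root inside the container; "
                                   "set USER in the image or --user at run time"))
    for m in c.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src = m.get("Source", "")
        mode = "rw" if m.get("RW", True) else "ro"
        if src == DOCKER_SOCKET:
            findings.append(("HIGH", f"{name}: Docker socket mounted ({mode}); "
                                     "that is root on the host"))
        elif any(_under(src, p) for p in SENSITIVE_PATHS):
            sev = "HIGH" if mode == "rw" else "LOW"
            findings.append((sev, f"{name}: host path {src} mounted {mode} "
                                  f"at {m.get('Destination')}"))
    if host.get("NetworkMode") == "host":
        findings.append(("MEDIUM", f"{name}: --net=host shares the host network "
                                   "namespace and bypasses bridge isolation"))
    for cap in host.get("CapAdd") or []:
        if cap.upper() in DANGEROUS_CAPS:
            findings.append(("HIGH", f"{name}: added capability {cap}"))
    return findings


def audit_all(records):
    """Flatten findings across every container record."""
    return [f for c in records for f in audit_container(c)]


# Constructed sample mirroring `docker inspect` fields (not real output).
SAMPLE = [
    {"Name": "/web", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge", "CapAdd": None},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/x/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/agent", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "host", "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": DOCKER_SOCKET,
                 "Destination": DOCKER_SOCKET, "RW": True},
                {"Type": "bind", "Source": "/etc", "Destination": "/host/etc",
                 "RW": False}]},
]

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for sev, msg in audit_all(data):
        print(f"[{sev}] {msg}")
```

On the embedded sample the `web` container is clean and `agent` produces six findings, three of them HIGH (privileged, Docker socket, CAP_SYS_ADMIN). A read-only bind of `/etc` is reported at LOW severity because it leaks host configuration but does not let the container rewrite it; the same path mounted read-write would be HIGH.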
Chapter 6, Next Generation Networking Stack for