Understand docker and its networking on high level
Partho Das
What is docker
Docker is a software or a container runtime, which can be installed over any operating system like windows, linux or mac. There are many questions now?
software?
- Yes, its a software which extends the capability of the underlying host machine.
container runtime?
- Yes, container is like an individual application running on the same host, but it isolates itself from the others.
What benifits Docker provides and who the docker is for?
- Docker is mainly used for application developed by the developers, which helps developers
Automate the deployment
Manage, scale, ship the application using lightweight containers
What are the key components that one need to remember
Container- Its a standalone packages that can be used to run any application. This includes the OS, the necessary libraries, packages for the application and the application code.image- When we talk about standalone container which is the actuall application, that can be kept in a repository or share with other collaborators as an image.Dockerfile- The reason the docker is widely used and it is easy for anyone to use because of its declaritive way of creation of image using some instructions and that instructions are written in that Dockerfile.Docker Hub: GitHub is a version control system for source code, similarly, Docker Hub is also used as a VCS for docker images, from where we can pull the lightweight image that we want and make use for building a container
So, is it not same as VM that we had previously
It is similar to VM, but not same, VM provided a layer of virtualisation over the host OS.
With that virtualisation, we can create another server with its own OS and libraries and over that we can have our software application running.
This was good, but it had the limitation as it shares the Host resources like CPU, RAM and if the application running on that VM hardly uses 20% of that VM resources, there were no much ways to dynamically reuse the resources,
though there were some mechanism to create a VM which consumes the resources based on the requirement.
Why do we need docker
Thats where the concept of Docker came, which allows to create an application with its own dependancies over the host OS and bundle that as a single entity.
This does not create any OS, rather it uses its own lighweight OS and build the application over it and combinely call it a conntainer.
Now that container can run on any other Host which has Docker installed.
Evolution of Docker as a container
Docker is very strong because of its networkinng as well
The moment we install docker on our local laptop, it automatically creates a virtual network called
docker0It acts as a virtual bridge between the Host OS Network interface and the containers to communicate among themselves.
During container creation & start, if no specific network is defined, then by default docker attach the container with
docker0networkDocker uses
NAT- Network Address Translation for containners to access & communicate with external network, Port mapping is also possible.docker0provides a default IP range in this subnet172.17.0.0/16To channge the default IP range we can go to
/etc/dockerdaemon.jsonmodify the bridge IP and restart the docker
Docker Network Driver
When a software wants to communicate with any underlying hardware, it ca not communicate directly, it needs the driver(
A apecial kind of software) which is designed in such a way that translates the message to hardware which the hardware can understand.Similarly, the docker also needs a driver to communicate with the network interfaces.
There are
3 maintypes of networkdriversavailable which docker uses to communicate with the network interface.BridgedriverThis is the default driver that docker uses out of the box
This creates a bridge between docker container and the host
This is one of the reasons, we promot the containers to be accessible on a specific port
-p 8080:8080[-p
host_port:container_port]we can create our own custom bridge network to isolate certain containers
docker network create -d app-net
hostdriverIt removes the network isolation between the docker containers and the host
This can be a security burden for some secure applications
when we run a container, we dont promote the container to use different port, it works on the same port as the host.
-p 8000:8000[X] This is not needed.ipV6is still not supported as of June 2024.
We can not create
hostnetworkbut we can run some container on
hostnetwork like thisdocker run -d --network host --name partho-container partho-image
OverlaydriverThis network driver makes the dockers of one host to communocate with the dockers of another host
So, the containes of cross docker hosts also can communicate
The
OS-levelrouting is not needed
There are other drivers also
ipvlan- IPvlan networks give users total control over both IPv4 and IPv6 addressing.macvlan- Macvlan networks allows assigning a MAC address to a container, making it appear as a physical device on your network. The Docker daemon routes traffic to containers by their MAC addresses.none- Completely isolate a container from the host and other containers.
More about docker networking can be read from here - https://docs.docker.com/network/drivers/
Docker commands to manage, maintain the docker network
Read- List the networks of docker on your host -docker network lsCreate- Create a user defined network -docker network create -d bridge my-net- define which driver to use - herebridgedriver is used - define the network name = heremy-netis the name of the networkRead- Get more detailed info about a particular network driver -docker network inspect bridge- This gives the vital info like - what are the containers are attached to this networkUpdate- Once the network is created, we canconnect&Disconnectthe containers into that networkcreate a host network :
docker network create -d host my-host-netconnect a container into that network -
docker network connect my-host-net partho-containerdisconnect -
docker network disconnect my-bridge-net partho-container
Delete- Deleting a single network rm -docker network rm my-bridge-net- Deleting multiple networks -docker network rm net1 net2 net3
Lets get more into the docker Networking:
list the networking -
docker network lsinspect all the 3 networks and take a look at the
IPAM configdocker network inspect bridgeIPAM.config should have value of network asdocker0"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"docker network inspect hostnothing, because it maps the container nw with the host machine nwdocker network inspect noneThere is no networking, insecure
Prove that the containers in default bridge network can not communocate with container from a custom bridge network
Create a custom bridge network -
docker network create -d bridge isolate-netdocker network ls - This will list the newly created network under bridge driver
Now, create two containners
one with default bridge network
docker run -d --name default-nginx-container nginxispect the default bridge network and find the container IP
IP : 172.17.0.2/16
subnet : 172.17.0.0/16
gateway : 172.17.0.1
Go inside this container and install
ping-docker exec -it default-nginx-container /bin/bashapt-get install -y iputils-ping
create another container on the custom bridge network
run -d --network isolate-net --name isolate-nw-container nginxispect the custom isolate bridge network and find the container IP
IP : 172.18.0.2/16
subnet : 172.18.0.0/16
Gateway : 172.18.0.1
If we carefully see, both the containers are of totally two dofferent networks (one is at 17 network and another on 18 network) and so they can not communicate.
we can further ping
172.18.0.2from the default network containersThis shows that two containes of two different bridge network are totally isolated
Subscribe to my newsletter
Read articles from Partho Das directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by