1
00:00:00,210 --> 00:00:02,610
Hello and welcome to this lecture. In this lecture

2
00:00:02,610 --> 00:00:04,950
we look at networking in Docker.

3
00:00:05,040 --> 00:00:10,530
We will start with the basic networking options in Docker and then try and relate them to the concepts around

4
00:00:10,620 --> 00:00:11,910
networking namespaces.

5
00:00:11,970 --> 00:00:17,230
Let’s start with a single Docker Host. A server with Docker installed on it.

6
00:00:17,340 --> 00:00:23,240
It has an ethernet interface at eth0 that connects to the local network with the IP address 192.168.1.10.

8
00:00:25,380 --> 00:00:29,700
When you run a container you have different networking options to choose from.

9
00:00:29,700 --> 00:00:32,970
First, let’s see the none network. With the none network,

10
00:00:33,000 --> 00:00:36,350
the docker container is not attached to any network.

11
00:00:36,390 --> 00:00:42,420
The container cannot reach the outside world and no one from the outside world can reach the container.

12
00:00:42,420 --> 00:00:48,360
If you run multiple containers they are all created without being part of any network and cannot talk

13
00:00:48,360 --> 00:00:51,270
to each other or to the outside world.

14
00:00:51,270 --> 00:00:54,330
Next is the Host network. With the host network,

15
00:00:54,330 --> 00:00:57,030
the container is attached to the host’s network.

16
00:00:57,030 --> 00:01:00,840
There is no network isolation between the host and the container.

17
00:01:00,870 --> 00:01:06,600
If you deploy a web application listening on port 80 in the container then the web application is available

18
00:01:06,630 --> 00:01:11,310
on port 80 on the host without having to do any additional port mapping.

19
00:01:11,310 --> 00:01:17,550
If you try to run another instance of the same container that listens on the same port it won't work

20
00:01:17,640 --> 00:01:23,460
as they share the host’s networking and two processes cannot listen on the same port at the same time.

21
00:01:24,750 --> 00:01:30,930
The third networking option is the bridge. In this case, an internal private network is created which

22
00:01:30,930 --> 00:01:37,230
the docker host and containers attach to. The network has an address 172.17.0.0

23
00:01:37,230 --> 00:01:43,170
by default and each device connecting to this network gets its own internal private network address

24
00:01:43,260 --> 00:01:44,880
on this network.

25
00:01:44,880 --> 00:01:51,660
This is the network that we are most interested in. So we will take a deeper look at how exactly docker

26
00:01:51,660 --> 00:01:55,000
creates and manages this network.

27
00:01:55,140 --> 00:02:01,590
When Docker is installed on the host it creates an internal private network called bridge by default.

28
00:02:01,590 --> 00:02:03,740
You can see this when you run the docker network

29
00:02:03,750 --> 00:02:09,960
ls command. Now, Docker calls the network by the name “bridge”. But on the host the network is created

30
00:02:10,320 --> 00:02:12,480
by the name docker0.

31
00:02:12,480 --> 00:02:18,630
You can see this in the output of the ip link command. Docker internally uses a technique similar to

32
00:02:18,630 --> 00:02:22,550
what we saw in the video on namespaces by running the ip link

33
00:02:22,600 --> 00:02:28,500
add command with the type set to bridge. So remember, the name bridge in the docker network ls output

34
00:02:28,500 --> 00:02:31,440
refers to the name docker0 on the host.

35
00:02:31,500 --> 00:02:32,780
They are one and the same thing.

36
00:02:32,790 --> 00:02:37,100
Also note that the interface or network is currently down.

37
00:02:37,110 --> 00:02:43,070
Now, remember we said that the bridge network is like an interface to the host, but a switch to the

38
00:02:43,070 --> 00:02:45,590
namespaces or containers within the host.

39
00:02:45,660 --> 00:02:52,470
So the interface docker0 on the host is assigned an IP 172.17.0.1.

40
00:02:52,470 --> 00:02:56,270
You can see this in the output of the ip addr command.

41
00:02:56,610 --> 00:03:02,850
Whenever a container is created, Docker creates a network namespace for it, just as we created

42
00:03:02,940 --> 00:03:03,340
network

43
00:03:03,360 --> 00:03:10,230
namespaces in the previous video. Run the ip netns command to list the namespace.

44
00:03:10,230 --> 00:03:16,080
Note that there is a minor hack to be done to get the ip netns command to list the namespaces

45
00:03:16,080 --> 00:03:17,660
created by Docker.

46
00:03:17,730 --> 00:03:21,710
Check out the resources section of this lecture for information on that.

47
00:03:22,010 --> 00:03:26,160
The namespace has a name starting with b3165.

48
00:03:26,160 --> 00:03:31,740
You can see the namespace associated with each container in the output of the docker inspect command.

49
00:03:32,010 --> 00:03:37,920
So how does Docker attach the container or its network namespace to the bridge network? For the remainder

50
00:03:37,920 --> 00:03:38,810
of this lecture,

51
00:03:38,840 --> 00:03:44,060
container and network namespace mean the same thing. When I say container,

52
00:03:44,100 --> 00:03:47,880
I'm referring to the network namespace created by Docker for that container.

53
00:03:48,480 --> 00:03:53,010
So how does Docker attach the container to the bridge? As we did before,

54
00:03:53,010 --> 00:03:58,350
it creates a cable, a VIRTUAL cable, with two interfaces, one on each end.

55
00:03:58,980 --> 00:04:01,570
Let's find out what Docker has created here.

56
00:04:01,620 --> 00:04:07,170
If you run the ip link command on the docker host, you see one end of the interface, which is attached to

57
00:04:07,170 --> 00:04:08,880
the local bridge docker0.

58
00:04:09,510 --> 00:04:15,450
If you run the same command again, this time with the -n option with the namespace, then it lists

59
00:04:15,480 --> 00:04:19,630
the other end of the interface within the container namespace.

60
00:04:19,680 --> 00:04:23,180
The interface also gets an IP assigned within the network.

61
00:04:23,280 --> 00:04:29,430
You can view this by running the ip addr command but within the container's namespace. The container

62
00:04:29,460 --> 00:04:33,210
gets assigned 172.17.0.3.

63
00:04:33,240 --> 00:04:38,470
You can also view this by attaching to the container and looking at the IP address assigned to it that

64
00:04:38,480 --> 00:04:38,730
way.

65
00:04:39,750 --> 00:04:45,990
The same procedure is followed every time a new container is created. Docker creates a namespace. Creates

66
00:04:45,990 --> 00:04:52,230
a pair of interfaces. Attaches one end to the container and the other end to the bridge. The interface

67
00:04:52,230 --> 00:04:54,710
pairs can be identified using their numbers.

68
00:04:54,870 --> 00:04:58,810
Odd and even form a pair: 9 and 10 are one pair,

69
00:04:58,810 --> 00:05:02,910
7 and 8 are another, and 11 and 12 are one pair.

70
00:05:02,910 --> 00:05:07,970
The containers are all part of the network now, so they can all communicate with each other.

71
00:05:08,130 --> 00:05:14,900
Let us look at port mapping now. The container we created is nginx, so it’s a web application serving

72
00:05:14,910 --> 00:05:21,080
a web page on port 80. Since our container is within a private network inside the host,

73
00:05:21,330 --> 00:05:26,280
only other containers in the same network or the host itself can access this web page.

74
00:05:26,640 --> 00:05:32,550
If you try to access the web page using curl with the IP of the container from within the Docker host

75
00:05:32,640 --> 00:05:36,290
on port 80 you will see the web page.

76
00:05:36,300 --> 00:05:42,210
If you try to do the same thing outside the host, you cannot view the web page. To allow external users

77
00:05:42,210 --> 00:05:45,630
to access the applications hosted on containers,

78
00:05:45,630 --> 00:05:50,860
Docker provides a port publishing or port mapping option. When you run containers,

79
00:05:50,940 --> 00:05:57,310
tell Docker to map port 8080 on the Docker host to port 80 on the container.

80
00:05:57,390 --> 00:06:03,720
With that done, you could access the web application using the IP of the docker host and port 8080.

81
00:06:04,110 --> 00:06:10,380
Any traffic to port 8080 on the docker host will be forwarded to port 80 on the container.

82
00:06:10,390 --> 00:06:17,430
Now all of your external users and other applications or services can use this URL to access the application

83
00:06:17,460 --> 00:06:19,160
deployed on the host.

84
00:06:19,320 --> 00:06:21,060
But how does docker do that?

85
00:06:21,120 --> 00:06:24,730
How does it forward traffic from one port to another?

86
00:06:24,880 --> 00:06:25,740
What would you do?

87
00:06:26,430 --> 00:06:29,520
Let's forget about Docker and everything else for a second.

88
00:06:29,520 --> 00:06:36,000
The requirement is to forward traffic coming in on one port to another port on the server.

89
00:06:36,060 --> 00:06:39,260
We talked about it in one of our prerequisite lectures.

90
00:06:39,270 --> 00:06:46,050
We create a NAT rule for that. Using iptables we create an entry in the NAT table, appending a rule

91
00:06:46,080 --> 00:06:54,240
to the PREROUTING chain to change the destination port from 8080 to 80. Docker does it the same way. Docker

92
00:06:54,300 --> 00:07:01,630
adds the rule to the DOCKER chain and sets the destination to include the container’s IP as well. You can

93
00:07:01,630 --> 00:07:06,020
see the rule Docker creates when you list the rules in iptables.

94
00:07:07,520 --> 00:07:10,040
Well, that's it for this lecture. In the next lecture,

95
00:07:10,040 --> 00:07:15,200
we will talk about CNI and what the container networking interface is.
