Explore the correct posture of Docker bridge, pro-test effective!

Last round, little white toss the Docker architecture, iron to be hot I began to learn Docker container network. The mood at the moment, is excited, is also uneasy. Excitement is because finally to face the first mountain of Docker: network, unease is because the network problem has always been small white soft rib, those years we have learned the network knowledge, now ...

Bite the bullet to open the "Docker Advanced and actual combat" began Docker network, which tells the Docker container network of several models. One of the "bridge" model successfully attracted my attention. Bridge mode, commonly known as bridging mode, about its definition of small white long forgotten, but it is not difficult to understand the role of bridges can connect different things.

In the early two-tier network, bridge could connect different LAN networks, as shown in the following illustration. When Host 1 emits a packet, the other hosts and Network Bridge BR0 for LAN 1 receive the packet. The bridge then copies the packet from the entry side to the other port (in this case, another port). As a result, hosts on LAN 2 also receive packets from host A that enable the communication of all hosts on different LAN networks.

With the development of network technology, traditional bridge has derived a model which is suitable for different application scenarios, the most typical of which is Linux bridge mode, which is an important part of Linux Kernel Network module, which can guarantee the communication between different virtual machines, or the communication between virtual machine and host hosts. , as shown in the following illustration:

According to gourd painting scoop, Docker Bridge is used to connect different containers, or connect the container and host.

With doubt, I quickly browsed this chapter, the result is very surprised from morning to night, the book is more complicated than I expected, the Docker bridge model not only uses the Veth pair technology, but also uses the network namespace technology, even to my surprise, Docker Bridge The NAT is used in the mode. Docker Bridge and the Linux Bridge both, at first look the same, and then look very far apart, it is silly to know. I did not think of my container network learning program, just started to encounter Waterloo.

It was impossible to see the difference between Docker Bridge and Linux Bridge before it was clear. According to the experience of small white, foggy when the basic concept of the most effective, first from the basic Linux Bridge mode of work, and then from the Docker Bridge model under the "Black Technology" (Veth pair, network namespace technology, NAT), may be able to find some clues. To suppress the anger inside, I opened the "deep understanding of LINUX Network Technology Insider", looking for these key words footprints. Linux Bridge Mode

Linux bridge mode, Linux Kernel will create a virtual network bridges, to achieve the host network interface and virtual network interface communication between. Functionally, the Linux Bridge is like a virtual switch, and all bridging virtual machines are connected to one interface of the switch, and the interfaces can be accessed and not interfered with each other, as is the case for physical hosts.

Under the bridge, the virtual bridge will transmit the network traffic received by the host network interface to the virtual network interface, and the latter can receive the DHCP (Dynamic Host Setting protocol, which is used to obtain the LAN IP) information and route update from the router. This workflow is also applicable to communication between different virtual network interfaces. The specific implementation is as follows:

Virtual machine and host host communication: Users can manually configure the virtual machine IP address, subnet mask, the IP needs and host IP in the same network segment, so that the virtual machine can communicate with host hosts.

The virtual machine communicates with the outside world: if the virtual machine needs to be networked, you need to manually configure the gateway for it, and the gateway will be consistent with the host gateway.

In addition, there is a simpler way, that is, the virtual machine through DHCP automatic access to IP, and host or host to the world outside the communication, small white parental test effective. Docker Bridge mode

After the general understanding of the Linux Bridge mode, and then look at the Docker bridge model, small white also have confidence. Again open "Docker Advanced and actual combat", carefully read small white to understand that in the bridge mode, Docker Daemon will create a virtual network called DOCKER0, used to connect host and container, or to connect different containers, book introduction and small white before the fake Also coincide with the establishment.

Using the veth pair [annotation 1] technology, Docker created two virtual network interfaces on the host Veth0 and Veth1 (Veth pair Technology's features ensure that no matter which Veth received the network message, will unconditionally transfer to the other side).

Container and Host communication: In the bridge mode, Docker Daemon will veth0 attached to the Docker0 bridge, to ensure that the host message can be sent to the Veth0. Add veth1 to the Docker container's network namespace [Note 2] to ensure that the host's network message is sent to the Veth0 can be immediately veth1 received.

The container communicates with the outside world: if the container needs to be networked, the NAT [annotation 2] method is required. To be exact, the NATP (network address port conversion) approach. NATP contains two modes of conversion: SNAT and Dnat. Destination NAT (Destination Nat,dnat): Modifies the destination address of the packet.

When a world outside the host hosts needs to access the container, the flow of the packet is shown in the following illustration:

Because the container's IP and port are not visible, the destination of the packet is the host's IP and port, for 192.168.1.10:24.

The packet passes through the router to the host eth0, which is then forwarded to the Docker0 Bridge via Eth0. Because of the existence of the Dnat rule, the destination address of the packet is converted to the IP and port of the container, which is 172.17.0.n:24.

The DOCKER0 Network Bridge on the host identifies the container IP and port, and sends the packet to the Veth0 interface on the Docker0 Bridge, Veth0 the interface and packages the data to the Veth1 interface inside the container, and the container receives the packet and responds.

SOURCE NAT (Nat,snat): Modifies the source address of a packet.

When a container needs to access a world other than the host, the flow of the packet is shown in the following illustration:

At this time the source address of the packet is the IP and port of the container, for the 172.17.0.n:24, the Veth1 interface of the container sends the packet to the Veth0 interface to reach the DOCKER0 Network Bridge.

The DOCKER0 Network Bridge on the host finds that the destination of the packet is the IP and port of the outside world, and the packet is forwarded to eth0 and sent from the eth0. Because there is a SNAT rule, the source address of the packet is converted to the host's IP and port, which is 192.168.1.10:24.

Because the router can recognize the host's IP address, the packet is then forwarded to the outside world, where the packet is received and responded to. At this time, in the outside world, this packet is from the 192.168.1.10:24, Docker container external is not visible.

Summary

Small white Container Network learning just opened the head, unexpectedly also can toss out so many play Italy, have Veth pair, have network namespace, and NAT. Although the Docker bridge model is only the tip of the container network, the road of learning is still and arduous, but small white also mastered a number of learning experience, it is the face of the intricate network model, the first need to know its bones and muscles to win meat, grasp the essential meaning. Small white is with the understanding of bridge, only launched a series of bold assumptions, with questions finally in the book to be verified. Disappointing, but not fatal.

[Note 1] veth pair is used for communication between different network namespace, Veth pair sends one network namespace data to another network namespace.

[Note 2] The network namespace is used to isolate network resources (/proc/net, IP addresses, network adapters, routes, and so on). Because a physical network device is stored in a single network namespace, the purpose of communication can be achieved by Veth pair to create channels in different network namespaces.

[Note 3] NAT is the abbreviation for Network address translation (network addressing translation), which is a technique for rewriting the source IP address or destination IP address when an IP packet is passed through a router or firewall. Author Introduction | Evelyn

Daocloud Container Technology Open Source team member, has been in the Intel DCG department as Cloud Engineering, the distributed scheduling framework Mesos have in-depth learning, the cluster resource management has some experience, is currently committed to Docker container technology research and practice. Evelyn is in the container technology open source Team, in Daocloud is mainly responsible for the container ecological open source work.