Docker, Inc., profile picture
Uploaded byDocker, Inc.
PPTX, PDF8,058 views

Docker Networking: Control plane and Data plane

The document discusses Docker networking and provides an overview of its control plane and data plane components. The control plane uses a gossip-based protocol for decentralized event dissemination and failure detection across nodes. The data plane uses overlay networking with Linux bridges and VXLAN interfaces to provide network connectivity between containers on different Docker hosts. Load balancing for internal and external traffic is implemented using IPVS for virtual IP addresses associated with Docker services.

Downloaded 318 times
Docker Networking @MadhuVenugopal @mrjana Control-plane & Data-plane
•Docker Networking •Features •Control plane & Data plane •Deep Dive •Control plane •Data plane •Q & A Agenda
Docker Networking 1.7 1.8 1.9 1.10 1.11 - Libnetwork - CNM - Migrated Bridge, host, none drivers to CNM - Overlay Driver - Network Plugins - IPAM Plugins - Network UX/API Service Discovery (using /etc/hosts) Distributed DNS - Aliases - DNS Round Robin LB 1.12 - Load Balancing - Encrypted Control and data plane - Routing Mesh - Built-in Swarm-mode networking
Networking planes Management plane Control plane Data plane UX, CLI, REST-API, SNMP, … Distributed (OSPF, BGP, Gossip-based), Centralized(OpenFlow, OVSDB) User/Operator/Tools managing Network Infrastructure Signaling between network entities to exchange reachability states Actual movement of application data packets IPTables, IPVS, OVS-DP, DPDK, BPF, Routing Tables, …
Docker networking planes Management plane Control plane Data plane Network-Scoped Gossip, Service-Discovery, Encryption key distribution Docker network UX, APIs and Network mgmt plugins Network plugins and built-in drivers Bridge, Overlay, macvlan, ipvlan, host, all other plugins… Libnetwork core & swarmkit allocator
Deep Dive - Control Plane
Control plane components • Centralized resources and policies • De-centralized events
Centralized resources and policies Manager Network Create Orchestrator Allocator Scheduler Dispatcher Service Create Task Create Task Dispatch Task Dispatch Gossip Worker1 Worker2 Engine Libnetwork Engine Libnetwork • Resources and policies are defined centrally • Networks are a definition of policy • Central resource allocation (IP Subnets, Addresses, VNIs) • Can mutate state as long as managers are available
• State is learned through de- centralized dissemination of events • Gossip based protocol • Fast convergence • Highly scalable • Continues to function even if all managers are Down De-centralized events Swarm Scope Gossip W1 W2 W3 W1 W5 W4 Network Scope Gossip Network Scope Gossip
• Completely de-centralized discovery of cluster nodes • Cluster membership is discovered using an implementation of Scalable Weakly-consistent Infection-style Process Group Membership Protocol (SWIM) • Two kinds of cluster membership: • Swarm level • Network level • Sequentially consistent state dissemination ordered by a lamport clock • Single writer at a record/entry level • Convergence time roughly has a O(logn) asymptotic time complexity Gossip in detail
Failure detection Node A Periodic probe node based on randomized round robin Node BXRandom node fails to ack Random Node C Random Node D Random Node E Suspect Node B Suspect Timeout Dead Node B 9 More nodes receive rebroadcast Rebroadcast Entire cluster receives rebroadcast Rebroadcast
State dissemination Node A Broadcast state change to unto 3 nodes which participate in the network that this entry belongs to Random Node C Random Node D Random Node E 9 More nodes receive rebroadcast Rebroadcast Entire cluster receives rebroadcast Rebroadcast Accept state update only if entry’s lamport time is greater than the lamport time of existing entry Random Node F Periodic bulk sync of the entire state for a single network to a random node participating in that network
Deep Dive - Data Plane Overlay driver
Overlay Networking Under the Hood • Virtual eXtensible Local Area Network(VXLAN) data transport • L2 Network over an L3 network ( overlay ) • RFC7348 • Host as VXLAN Tunnel End Point (VTEP) • Point-to-Multi-Point Tunnels • Proxy-ARP
Overlay Networking Under the Hood • A Linux Bridge per Subnet per Overlay Network per Host • A VXLAN interface per Subnet per Overlay Network per Host • 1 Linux Bridge per Host for default traffic (docker_gwbridge) • Lazy creation ( Only if container is attached to network)
Overlay Networking Under the Hood C1 C2 C3 C5 C4 br0 Veth Veth Veth Host NIC VXLAN Host NIC br0 Veth Veth VXLAN Docker Host 1 Docker Host 2
Linux Kernel NetFilter dataflow
Service , Port-Publish & Network iptables eth0 Host1 default_gwbridge ingress-sbox eth1 ingress-overlay-bridge Ingress- Network eth0 vxlan tunnel to host2 - vni-100vxlan tunnel to host3 - vni-100 eth0 Container-sbox eth1 eth2 mynet mynet-br vxlan tunnel to host2 - vni-101 docker service create —name=test —network=mynet -p 8080:80 —replicas=2 xxx iptables ipvs iptables ipvs Host1: 8080 DNS Resolver daemon embedded DNS server service -> VIP
Day in life of a packet - Internal LB eth0 Host1 container-sbox (service1) eth1 iptables MANGLE table OUTPUT MARK : VIP -> <fw-mark-id> IPVS Match <fw-mark-id> -> Masq {RR across container-IPs) mynet-overlay-bridge mynet eth2 Host2 mynet-overlay-bridgevxlan tunnel with vni mynet eth2 Container-sbox (service2) Application looks up service2 (using embedded-DNS @ 127.0.0.11) DNS Resolver daemon embedded DNS server service2 -> VIP2 vxlan tunnel with vni
• Builtin routing mesh for edge routing • Worker nodes themselves participate in ingress routing mesh • All worker nodes accept connection requests on PublishedPort • Port translation happens at the worker node • Same internal load balancing mechanism used to load balance external requests Routing mesh External Loadbalancer (optional) Task1 ServiceA Task1 ServiceA Task1 ServiceA Worker1 Worker2 Ingress Network 8080 8080 VIP LB VIP LB 8080->80 8080->80 8080->80
Day in life of a packet - Routing Mesh & Ingress LB iptables NAT table DOCKER-INGRESS DNAT : Published-Port -> ingress-sbox eth0 Host1 default_gwbridge ingress-sboxeth1 iptables MANGLE table PREROUTING MARK : Published-Port -> <fw-mark-id> IPVS Match <fw-mark-id> -> Masq {RR across container-IPs) ingress-overlay-bridge Ingress- Network eth0 iptables NAT table DOCKER-INGRESS DNAT : Published-Port -> ingress-sbox eth0 Host2 default_gwbridge ingress-sbox eth1 ingress-overlay-bridge eth0 vxlan tunnel with vni Ingress- Network eth0 Container-sbox (backs a task/service) eth1 iptables NAT table PREROUTING Redirect -> target-port
Q&A

More Related Content

PDF
Kubernetes Introduction
byPeng Xiao
 
PPTX
Prometheus design and philosophy
byDocker, Inc.
 
PDF
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
byShapeBlue
 
PDF
Infrastructure & System Monitoring using Prometheus
byMarco Pas
 
PPTX
Kubernetes PPT.pptx
byssuser0cc9131
 
PDF
Docker Introduction
byPeng Xiao
 
PPTX
Introduction to Docker - 2017
byDocker, Inc.
 
PPTX
Springboot Microservices
byNexThoughts Technologies
 
Kubernetes Introduction
byPeng Xiao
 
Prometheus design and philosophy
byDocker, Inc.
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
byShapeBlue
 
Infrastructure & System Monitoring using Prometheus
byMarco Pas
 
Kubernetes PPT.pptx
byssuser0cc9131
 
Docker Introduction
byPeng Xiao
 
Introduction to Docker - 2017
byDocker, Inc.
 
Springboot Microservices
byNexThoughts Technologies
 

What's hot

PDF
Grafana introduction
byRico Chen
 
PPTX
CICD with Jenkins
byMoogleLabs default
 
PDF
What is Puppet | Puppet Tutorial for Beginners | Puppet Configuration Managem...
byEdureka!
 
PPTX
OVN DBs HA with scale test
byAliasgar Ginwala
 
PDF
Apache Kafka - Event Sourcing, Monitoring, Librdkafka, Scaling & Partitioning
byGuido Schmutz
 
PPT
Introduction to SSH
byHemant Shah
 
PPT
Monitoring using Prometheus and Grafana
byArvind Kumar G.S
 
PPTX
Building secure applications with keycloak
byAbhishek Koserwal
 
PDF
Cloud Monitoring tool Grafana
byDhrubaji Mandal ♛
 
PPTX
Grafana
byNoelMc Grath
 
PDF
SSH - Secure Shell
byPeter R. Egli
 
PPT
Jenkins Overview
byAhmed M. Gomaa
 
PDF
Monitoring Kubernetes with Prometheus
byGrafana Labs
 
PDF
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
PDF
Open vSwitch 패킷 처리 구조
bySeung-Hoon Baek
 
PDF
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
byOpenStack Korea Community
 
PDF
OpenStack Networking
byIlya Shakhat
 
PDF
Server monitoring using grafana and prometheus
byCeline George
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PPTX
Integrated Tools in OSSIM
byAlienVault
 
Grafana introduction
byRico Chen
 
CICD with Jenkins
byMoogleLabs default
 
What is Puppet | Puppet Tutorial for Beginners | Puppet Configuration Managem...
byEdureka!
 
OVN DBs HA with scale test
byAliasgar Ginwala
 
Apache Kafka - Event Sourcing, Monitoring, Librdkafka, Scaling & Partitioning
byGuido Schmutz
 
Introduction to SSH
byHemant Shah
 
Monitoring using Prometheus and Grafana
byArvind Kumar G.S
 
Building secure applications with keycloak
byAbhishek Koserwal
 
Cloud Monitoring tool Grafana
byDhrubaji Mandal ♛
 
Grafana
byNoelMc Grath
 
SSH - Secure Shell
byPeter R. Egli
 
Jenkins Overview
byAhmed M. Gomaa
 
Monitoring Kubernetes with Prometheus
byGrafana Labs
 
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
Open vSwitch 패킷 처리 구조
bySeung-Hoon Baek
 
[OpenInfra Days Korea 2018] (Track 4) - Grafana를 이용한 OpenStack 클라우드 성능 모니터링
byOpenStack Korea Community
 
OpenStack Networking
byIlya Shakhat
 
Server monitoring using grafana and prometheus
byCeline George
 
Hashicorp Vault ppt
byShrey Agarwal
 
Integrated Tools in OSSIM
byAlienVault
 

Viewers also liked

PDF
Docker Networking Deep Dive
byDocker, Inc.
 
PDF
containerd and CRI
byDocker, Inc.
 
PPTX
Docker 101 - Nov 2016
byDocker, Inc.
 
PPTX
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
byDocker, Inc.
 
PPTX
Docker Online Meetup: Announcing Docker CE + EE
byDocker, Inc.
 
PPTX
Containerd - core container runtime component
byDocker, Inc.
 
PDF
Persistent storage tailored for containers
byDocker, Inc.
 
PPTX
Docker networking Tutorial 101
byLorisPack Project
 
PDF
Driving containerd operations with gRPC
byDocker, Inc.
 
PPTX
Docker Roadshow 2016
byDocker, Inc.
 
PDF
Online Meetup: What's new in docker 1.13.0
byDocker, Inc.
 
PPTX
Docker networking basics & coupling with Software Defined Networks
byAdrien Blind
 
PDF
Heart of the SwarmKit: Store, Topology & Object Model
byDocker, Inc.
 
PDF
Unikernels: the rise of the library hypervisor in MirageOS
byDocker, Inc.
 
PDF
'The History of Metrics According to me' by Stephen Day
byDocker, Inc.
 
PDF
Talking TUF: Securing Software Distribution
byDocker, Inc.
 
PDF
Docker Online Meetup: Infrakit update and Q&A
byDocker, Inc.
 
PDF
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
byDocker, Inc.
 
PPTX
Orchestrating Least Privilege by Diogo Monica
byDocker, Inc.
 
PDF
containerd summit - Deep Dive into containerd
byDocker, Inc.
 
Docker Networking Deep Dive
byDocker, Inc.
 
containerd and CRI
byDocker, Inc.
 
Docker 101 - Nov 2016
byDocker, Inc.
 
Docker and Microsoft - Windows Server 2016 Technical Deep Dive
byDocker, Inc.
 
Docker Online Meetup: Announcing Docker CE + EE
byDocker, Inc.
 
Containerd - core container runtime component
byDocker, Inc.
 
Persistent storage tailored for containers
byDocker, Inc.
 
Docker networking Tutorial 101
byLorisPack Project
 
Driving containerd operations with gRPC
byDocker, Inc.
 
Docker Roadshow 2016
byDocker, Inc.
 
Online Meetup: What's new in docker 1.13.0
byDocker, Inc.
 
Docker networking basics & coupling with Software Defined Networks
byAdrien Blind
 
Heart of the SwarmKit: Store, Topology & Object Model
byDocker, Inc.
 
Unikernels: the rise of the library hypervisor in MirageOS
byDocker, Inc.
 
'The History of Metrics According to me' by Stephen Day
byDocker, Inc.
 
Talking TUF: Securing Software Distribution
byDocker, Inc.
 
Docker Online Meetup: Infrakit update and Q&A
byDocker, Inc.
 
Using Docker Swarm Mode to Deploy Service Without Loss by Dongluo Chen & Nish...
byDocker, Inc.
 
Orchestrating Least Privilege by Diogo Monica
byDocker, Inc.
 
containerd summit - Deep Dive into containerd
byDocker, Inc.
 

Similar to Docker Networking: Control plane and Data plane

PDF
Docker 1.12 networking deep dive
byMadhu Venugopal
 
PDF
Osnug meetup-tungsten fabric - overview.pptx
byM.Qasim Arham
 
PPTX
DCUS17 : Docker networking deep dive
byMadhu Venugopal
 
PPTX
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
byCloud Native Day Tel Aviv
 
PPTX
Dragonflow 01 2016 TLV meetup
byEran Gampel
 
PDF
Demystfying container-networking
byBalasundaram Natarajan
 
PPT
CloudStack and SDN
bySebastien Goasguen
 
PDF
Openstack Networking Internals - first part
bylilliput12
 
PDF
Hungary Usergroup - Midonet overlay programming
byMarton Kiss
 
PPTX
Harmonia open iris_basic_v0.1
byYongyoon Shin
 
PDF
rtnetlink
byTaku Fukushima
 
PDF
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
byAjeet Singh Raina
 
PDF
Docker Multihost Networking
byNicola Kabar
 
PDF
LinuxCon 2015 Stateful NAT with OVS
byThomas Graf
 
PDF
2015 FOSDEM - OVS Stateful Services
byThomas Graf
 
PDF
Netforce: extending neutron to support routed networks at scale in ebay
byAliasgar Ginwala
 
PDF
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
byShixiong Shang
 
PPTX
Open stackaustinmeetupsept21
byBrent Doncaster
 
PPTX
Network and Service Virtualization tutorial at ONUG Spring 2015
bySDN Hub
 
PPTX
BRKDCT-2445 Agile OpenStack Networking with Cisco Solutions - Cisco Live! US ...
byRohit Agarwalla
 
Docker 1.12 networking deep dive
byMadhu Venugopal
 
Osnug meetup-tungsten fabric - overview.pptx
byM.Qasim Arham
 
DCUS17 : Docker networking deep dive
byMadhu Venugopal
 
Scaling OpenStack Networking Beyond 4000 Nodes with Dragonflow - Eshed Gal-Or...
byCloud Native Day Tel Aviv
 
Dragonflow 01 2016 TLV meetup
byEran Gampel
 
Demystfying container-networking
byBalasundaram Natarajan
 
CloudStack and SDN
bySebastien Goasguen
 
Openstack Networking Internals - first part
bylilliput12
 
Hungary Usergroup - Midonet overlay programming
byMarton Kiss
 
Harmonia open iris_basic_v0.1
byYongyoon Shin
 
rtnetlink
byTaku Fukushima
 
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
byAjeet Singh Raina
 
Docker Multihost Networking
byNicola Kabar
 
LinuxCon 2015 Stateful NAT with OVS
byThomas Graf
 
2015 FOSDEM - OVS Stateful Services
byThomas Graf
 
Netforce: extending neutron to support routed networks at scale in ebay
byAliasgar Ginwala
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
byShixiong Shang
 
Open stackaustinmeetupsept21
byBrent Doncaster
 
Network and Service Virtualization tutorial at ONUG Spring 2015
bySDN Hub
 
BRKDCT-2445 Agile OpenStack Networking with Cisco Solutions - Cisco Live! US ...
byRohit Agarwalla
 

More from Docker, Inc.

PDF
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
PDF
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
PDF
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
PDF
Hands-on Helm
byDocker, Inc.
 
PDF
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
PDF
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
PDF
Monitoring in a Microservices World
byDocker, Inc.
 
PDF
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
PDF
Predicting Space Weather with Docker
byDocker, Inc.
 
PDF
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
PDF
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
PDF
Kubernetes at Datadog Scale
byDocker, Inc.
 
PDF
Labels, Labels, Labels
byDocker, Inc.
 
PDF
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
PDF
Developing with Docker for the Arm Architecture
byDocker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
Hands-on Helm
byDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
Monitoring in a Microservices World
byDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
Predicting Space Weather with Docker
byDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
Kubernetes at Datadog Scale
byDocker, Inc.
 
Labels, Labels, Labels
byDocker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
Developing with Docker for the Arm Architecture
byDocker, Inc.
 

Recently uploaded

PDF
AI assisted software — Cathedral or Bazaar?.pdf
byMindtrek
 
PDF
A SEA of Energy Efficiency Opportunities!
byMemoori
 
PPTX
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
PPTX
⚡Level Up Your Slack Game: Workflows & Conditional Branching🎉
bySanjeetMishra29
 
PDF
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
PDF
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
PDF
Session 3 - Specialized AI Associate Series: AI Powered Automation through sp...
byDianaGray10
 
PDF
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
PDF
2025 October Patch Tuesday
byIvanti
 
PPTX
This Could Have Been a Slack Message: Diagnosing and Treating Bad Meetings
byMike Clement
 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
PDF
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
PDF
Towards efficient vision representation and coding standards for superior emb...
byTouradj Ebrahimi
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PPTX
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
PDF
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
PDF
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
A business case for open source: From lock-in to value.pdf
byMindtrek
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
AI assisted software — Cathedral or Bazaar?.pdf
byMindtrek
 
A SEA of Energy Efficiency Opportunities!
byMemoori
 
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
⚡Level Up Your Slack Game: Workflows & Conditional Branching🎉
bySanjeetMishra29
 
Tilannekatsaus tekoälytoimintaan Suomessa.pdf
byMindtrek
 
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
Session 3 - Specialized AI Associate Series: AI Powered Automation through sp...
byDianaGray10
 
Artificial Intelligence and YOU - Thinking Thoughtfully about AI
byMicah Melling
 
2025 October Patch Tuesday
byIvanti
 
This Could Have Been a Slack Message: Diagnosing and Treating Bad Meetings
byMike Clement
 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
Towards efficient vision representation and coding standards for superior emb...
byTouradj Ebrahimi
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
The Role of Human Experiences (HX) in GenAI Adoption
byDr. Tathagat Varma
 
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
A business case for open source: From lock-in to value.pdf
byMindtrek
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
In this document
Powered by AI

Overview of Docker Networking concepts, including Control-plane and Data-plane definitions and a detailed agenda for the presentation.

Highlights various features like Libnetwork, CNM, drivers and plugins, IPAM, service discovery, load balancing, and built-in Swarm-mode networking.

In-depth exploration of the control plane, including centralized resources, policies, decentralized events, and the gossip protocol for node communication.

Examination of the data plane, focusing on overlay networking, Linux kernel operations, and the flow of packets.

Built-in routing mechanics for edge routing, ingress load balancing, and internal load balancing mechanisms for service operations.

Open floor for audience questions to clarify Docker Networking concepts discussed.

Docker Networking: Control plane and Data plane

  • 1.
  • 2.
    •Docker Networking •Features •Control plane& Data plane •Deep Dive •Control plane •Data plane •Q & A Agenda
  • 3.
    Docker Networking 1.7 1.81.9 1.10 1.11 - Libnetwork - CNM - Migrated Bridge, host, none drivers to CNM - Overlay Driver - Network Plugins - IPAM Plugins - Network UX/API Service Discovery (using /etc/hosts) Distributed DNS - Aliases - DNS Round Robin LB 1.12 - Load Balancing - Encrypted Control and data plane - Routing Mesh - Built-in Swarm-mode networking
  • 4.
    Networking planes Management plane Controlplane Data plane UX, CLI, REST-API, SNMP, … Distributed (OSPF, BGP, Gossip-based), Centralized(OpenFlow, OVSDB) User/Operator/Tools managing Network Infrastructure Signaling between network entities to exchange reachability states Actual movement of application data packets IPTables, IPVS, OVS-DP, DPDK, BPF, Routing Tables, …
  • 5.
    Docker networking planes Managementplane Control plane Data plane Network-Scoped Gossip, Service-Discovery, Encryption key distribution Docker network UX, APIs and Network mgmt plugins Network plugins and built-in drivers Bridge, Overlay, macvlan, ipvlan, host, all other plugins… Libnetwork core & swarmkit allocator
  • 6.
    Deep Dive -Control Plane
  • 7.
    Control plane components •Centralized resources and policies • De-centralized events
  • 8.
    Centralized resources andpolicies Manager Network Create Orchestrator Allocator Scheduler Dispatcher Service Create Task Create Task Dispatch Task Dispatch Gossip Worker1 Worker2 Engine Libnetwork Engine Libnetwork • Resources and policies are defined centrally • Networks are a definition of policy • Central resource allocation (IP Subnets, Addresses, VNIs) • Can mutate state as long as managers are available
  • 9.
    • State islearned through de- centralized dissemination of events • Gossip based protocol • Fast convergence • Highly scalable • Continues to function even if all managers are Down De-centralized events Swarm Scope Gossip W1 W2 W3 W1 W5 W4 Network Scope Gossip Network Scope Gossip
  • 10.
    • Completely de-centralizeddiscovery of cluster nodes • Cluster membership is discovered using an implementation of Scalable Weakly-consistent Infection-style Process Group Membership Protocol (SWIM) • Two kinds of cluster membership: • Swarm level • Network level • Sequentially consistent state dissemination ordered by a lamport clock • Single writer at a record/entry level • Convergence time roughly has a O(logn) asymptotic time complexity Gossip in detail
  • 11.
    Failure detection Node A Periodicprobe node based on randomized round robin Node BXRandom node fails to ack Random Node C Random Node D Random Node E Suspect Node B Suspect Timeout Dead Node B 9 More nodes receive rebroadcast Rebroadcast Entire cluster receives rebroadcast Rebroadcast
  • 12.
    State dissemination Node A Broadcaststate change to unto 3 nodes which participate in the network that this entry belongs to Random Node C Random Node D Random Node E 9 More nodes receive rebroadcast Rebroadcast Entire cluster receives rebroadcast Rebroadcast Accept state update only if entry’s lamport time is greater than the lamport time of existing entry Random Node F Periodic bulk sync of the entire state for a single network to a random node participating in that network
  • 13.
    Deep Dive -Data Plane Overlay driver
  • 14.
    Overlay Networking Underthe Hood • Virtual eXtensible Local Area Network(VXLAN) data transport • L2 Network over an L3 network ( overlay ) • RFC7348 • Host as VXLAN Tunnel End Point (VTEP) • Point-to-Multi-Point Tunnels • Proxy-ARP
  • 15.
    Overlay Networking Underthe Hood • A Linux Bridge per Subnet per Overlay Network per Host • A VXLAN interface per Subnet per Overlay Network per Host • 1 Linux Bridge per Host for default traffic (docker_gwbridge) • Lazy creation ( Only if container is attached to network)
  • 16.
    Overlay Networking Underthe Hood C1 C2 C3 C5 C4 br0 Veth Veth Veth Host NIC VXLAN Host NIC br0 Veth Veth VXLAN Docker Host 1 Docker Host 2
  • 17.
  • 18.
    Service , Port-Publish& Network iptables eth0 Host1 default_gwbridge ingress-sbox eth1 ingress-overlay-bridge Ingress- Network eth0 vxlan tunnel to host2 - vni-100vxlan tunnel to host3 - vni-100 eth0 Container-sbox eth1 eth2 mynet mynet-br vxlan tunnel to host2 - vni-101 docker service create —name=test —network=mynet -p 8080:80 —replicas=2 xxx iptables ipvs iptables ipvs Host1: 8080 DNS Resolver daemon embedded DNS server service -> VIP
  • 19.
    Day in lifeof a packet - Internal LB eth0 Host1 container-sbox (service1) eth1 iptables MANGLE table OUTPUT MARK : VIP -> <fw-mark-id> IPVS Match <fw-mark-id> -> Masq {RR across container-IPs) mynet-overlay-bridge mynet eth2 Host2 mynet-overlay-bridgevxlan tunnel with vni mynet eth2 Container-sbox (service2) Application looks up service2 (using embedded-DNS @ 127.0.0.11) DNS Resolver daemon embedded DNS server service2 -> VIP2 vxlan tunnel with vni
  • 20.
    • Builtin routingmesh for edge routing • Worker nodes themselves participate in ingress routing mesh • All worker nodes accept connection requests on PublishedPort • Port translation happens at the worker node • Same internal load balancing mechanism used to load balance external requests Routing mesh External Loadbalancer (optional) Task1 ServiceA Task1 ServiceA Task1 ServiceA Worker1 Worker2 Ingress Network 8080 8080 VIP LB VIP LB 8080->80 8080->80 8080->80
  • 21.
    Day in lifeof a packet - Routing Mesh & Ingress LB iptables NAT table DOCKER-INGRESS DNAT : Published-Port -> ingress-sbox eth0 Host1 default_gwbridge ingress-sboxeth1 iptables MANGLE table PREROUTING MARK : Published-Port -> <fw-mark-id> IPVS Match <fw-mark-id> -> Masq {RR across container-IPs) ingress-overlay-bridge Ingress- Network eth0 iptables NAT table DOCKER-INGRESS DNAT : Published-Port -> ingress-sbox eth0 Host2 default_gwbridge ingress-sbox eth1 ingress-overlay-bridge eth0 vxlan tunnel with vni Ingress- Network eth0 Container-sbox (backs a task/service) eth1 iptables NAT table PREROUTING Redirect -> target-port
  • 22.