04 - Docker Advanced Usage - Docker Networking
In this section we're going to discuss Docker networking: how Docker connects your containers to the rest of the internet and to other containers, and what you can do to edit and configure those connections.
How to configure your Docker networking
First, we'll look at some of the configurations that can be controlled from the docker run command line. That is, when you start a new container, you usually type "sudo docker run", then something like "-i -t", then the image name. There are some arguments you can add to this command.
First of all, "--net=" determines how the container gets its network configuration. With "--net=bridge" the container attaches to the docker0 bridge that the daemon created before the container was started, and gets its connectivity through an address on that bridge's subnet, usually in the 172.17.x.x range. This is the default: if you don't set "--net" at all, this is the behaviour your container will follow.
If you choose "--net=host", the container shares the host's network namespace outright. It sees the host's interfaces and addresses, it can bind any port the host can (including privileged ones), and it gets none of the isolation the bridge provides, so treat it as a privilege you grant deliberately rather than a convenience. If you choose "--net=container:name", where name refers to another container on your Docker instance, the new container joins that container's network namespace: the two share the same interfaces, the same IP address and the same port space, and they can reach each other over localhost.
"--net=none" gives the container only a loopback interface and no external connectivity at all, leaving you to configure the whole thing manually.
Docker and DNS
Hostname and DNS are also set from the docker run command line. "-h" or "--hostname=" lets you give the container a hostname of your own. This determines the contents of the container's /etc/hostname and /etc/hosts files, and so the name the container presents to other networked machines and the hostname that appears on the command prompt inside the container.
The argument "--dns=IP address", for example "--dns=8.8.8.8" (Google's public resolver), sets the nameserver the container uses to translate names into IP addresses and back again. "--dns-search=domain" adds a search domain, so that short names have that domain appended when they are looked up. These settings are normally the job of /etc/resolv.conf, and in fact what these arguments do is populate the container's /etc/resolv.conf. If you set nothing, the container gets a copy of the host's /etc/resolv.conf. You can confirm what a running container ended up with by running "docker exec <container> cat /etc/resolv.conf" from the host.
Docker routing
Port forwarding is again set when you invoke "docker run". "-P" (uppercase) maps every port listed in an EXPOSE line of the Dockerfile to a randomly chosen high port on the host, in an ephemeral range that depends on the Docker version. That's a little inconvenient sometimes, because you first have to find out which host port each service was given ("docker port <container>" tells you without having to go into the container). So you might want "-p" (lowercase) instead, which lets you map your service to ports you specify. The full form is "-p host_ip:host_port:container_port". For example, "-p 0.0.0.0:49150:80" binds host port 49150 on every host interface and forwards it to port 80 in the container. So if you have a web server in your container that expects HTTP traffic on port 80, you can tell any client to connect to the host on port 49150 and Docker will remap that to port 80.
The IP address in front is the host address that Docker binds to, not a list of clients that are allowed in. "-p 192.168.0.45:49150:80" means the port is reachable only through the host interface that carries 192.168.0.45; a client arriving through another interface (a second NIC, or the loopback address) won't see it. In particular, "-p 127.0.0.1:49150:80" publishes the port only to processes on the host itself, which is the form to use for a database or an admin interface you don't intend to expose to the network. If what you want is to accept traffic from a single remote address only, that is a firewall rule on the host, not something -p can do.
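The -p forms discussed above side by side, plus the check a practitioner actually wants: a quick audit of which published ports on a host are bound to every interface. This is an added example, not part of the lecture. It reads lines in the format that "docker ps --format '{{.Ports}}'" prints (the sample lines here are constructed, not captured from a real host), and the image name "webimg" and the interface "eth0" in the publish_examples function are assumptions.

```shell
#!/bin/sh
# Added example (not from the original lecture): classify the host side of
# each published port so that "bound on every interface" stands out.
# Input format is what `docker ps --format '{{.Ports}}'` prints, e.g.
# "0.0.0.0:49150->80/tcp, :::49150->80/tcp" (one line per container).

# classify_bind MAPPING -> public | local | interface | unpublished
#   public      bound on all interfaces (0.0.0.0 or ::)
#   local       bound on loopback only
#   interface   bound on one specific host address
#   unpublished EXPOSEd but not published (no host side, e.g. "80/tcp")
classify_bind() {
  case $1 in
    *'->'*) host=${1%%->*} ;;            # e.g. "0.0.0.0:49150" or ":::49150"
    *)      echo unpublished; return ;;
  esac
  addr=${host%:*}                        # drop ":port"; "::" keeps its colons
  case $addr in
    0.0.0.0|'::'|'') echo public ;;
    127.*|'::1')     echo local ;;
    *)               echo interface ;;
  esac
}

# audit_ports: stdin = Ports fields, stdout = "<class> <mapping>" per mapping
audit_ports() {
  while IFS= read -r line; do
    oldifs=$IFS; IFS=,; set -- $line; IFS=$oldifs   # split on commas
    for m in "$@"; do
      m=${m# }                                       # trim the space after a comma
      if [ -n "$m" ]; then echo "$(classify_bind "$m") $m"; fi
    done
  done
}

# count_public: stdin = Ports fields, stdout = number of all-interface bindings
count_public() {
  n=$(audit_ports | grep -c '^public ') || true     # grep -c exits 1 on zero matches
  echo "$n"
}

# Constructed sample output of `docker ps --format '{{.Ports}}'` (not real data)
sample_ports() {
  cat <<'EOF'
0.0.0.0:49150->80/tcp, :::49150->80/tcp
127.0.0.1:5432->5432/tcp
192.168.0.45:49150->80/tcp
80/tcp
EOF
}

# The -p forms from the text, for an assumed image "webimg" serving HTTP on 80.
# Not invoked here; copy the line you need.
publish_examples() {
  docker run -d -p 0.0.0.0:49150:80 webimg        # reachable on every host interface
  docker run -d -p 127.0.0.1:49150:80 webimg      # host-local only
  docker run -d -p 192.168.0.45:49150:80 webimg   # only via that host address
  # Limiting which *clients* may connect is a host firewall job. On current
  # Docker releases the DOCKER-USER chain is where such rules belong
  # (external interface eth0 assumed):
  #   iptables -I DOCKER-USER -i eth0 ! -s 192.168.0.45 -j DROP
}

sample_ports | audit_ports
```

On a live host, replace sample_ports with "docker ps --format '{{.Ports}}'" and anything reported as public is listening on every address the host has, including ones you may not have intended.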
Communication between Docker containers is controlled by options given to the daemon when it starts. On an Ubuntu or Debian host those live in /etc/default/docker, in the DOCKER_OPTS variable, which the init script passes to the daemon.
There, for instance, you can set "--iptables=false" to stop Docker from making any changes to your host's iptables rules. Bear in mind that Docker relies on those rules for port publishing (-p) and for outbound NAT from the bridge, so with this setting you take over writing them yourself.
If you don't set "--iptables=false", that is you set it to true or leave the argument out entirely, then by default Docker also leaves traffic between containers accepted: every container on the docker0 bridge can reach every port of every other container, published or not, because they share one bridge and Docker accepts forwarding between them. If that is more trust than your containers should have in each other, add "--icc=false" (inter-container communication), which makes Docker drop forwarded traffic between containers on the bridge unless you have explicitly linked them with --link.
Docker network bridge
In case Docker's default network range doesn't work for you, perhaps because it conflicts with another network you are connected to, you may want to create your own bridge for Docker's containers. To do that we first have to bring Docker down (on this Ubuntu host, "sudo service docker stop"); you can't make these changes while the daemon is running. Then "sudo ip link set dev docker0 down" brings down the current bridge interface, docker0. But that's not good enough, because the bridge still exists on the system, so we also have to delete it: "sudo brctl delbr docker0", that is, delete bridge docker0.
With the old bridge gone, create a new one with "sudo brctl addbr bridge0". Then give it an address: "sudo ip addr add 192.168.6.1/24 dev bridge0". This means containers attached to this bridge will get addresses in the 192.168.6.0/24 network; Docker hands them out itself from the bridge's subnet, no DHCP server is involved. Now that it's configured we can bring it up with "sudo ip link set dev bridge0 up", and the bridge exists.
Let's go to /etc/default and edit the file docker with sudo. Add the line DOCKER_OPTS="-b=bridge0", which tells Docker that there is a bridge called bridge0 and that it should use it for its networking instead of docker0.
"Control X" to exit, "Y" to save the file, and we're done except that we now have to start Docker again, "sudo service docker start", and we seem to be running.
Let's run a container: "sudo docker run -i -t", say an apache image, with "/bin/bash". We're in. Run "ifconfig" and in fact our address is 192.168.6.2, which is in the range we asked for.
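The custom-bridge procedure above as one script, together with the daemon options from the inter-container communication section, and with two checks in front of it that the lecture leaves out: that the subnet you picked does not overlap a route the host already has (the stated reason for doing this in the first place), and that /etc/default/docker ends up with exactly one DOCKER_OPTS line rather than a stale one further up winning. This is an added example, not the lecture's own commands. The bridge name bridge0, the subnet 192.168.6.1/24 and the path /etc/default/docker follow the text; the route table in sample_routes is constructed sample data, and the privileged steps in rebuild_bridge are not executed when the file is run as is.

```shell
#!/bin/sh
# Added example (not from the original lecture): replace docker0 with a
# custom bridge, checking first that the new subnet is free on this host.

ip_to_int() {                            # dotted quad -> integer
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/len B/len -> yes | no. Two prefixes overlap exactly when
# they agree under the shorter of the two masks.
cidr_overlap() {
  a=${1%/*}; la=${1#*/}; b=${2%/*}; lb=${2#*/}
  l=$la; if [ "$lb" -lt "$l" ]; then l=$lb; fi
  mask=$(( (4294967295 << (32 - l)) & 4294967295 ))
  if [ $(( $(ip_to_int "$a") & mask )) -eq $(( $(ip_to_int "$b") & mask )) ]; then
    echo yes
  else
    echo no
  fi
}

# route_conflicts PROPOSED_CIDR: stdin = `ip route` output; prints every
# route whose destination overlaps the proposed subnet (nothing if free).
route_conflicts() {
  while read -r dest rest; do
    case $dest in
      */*) if [ "$(cidr_overlap "$dest" "$1")" = yes ]; then echo "$dest $rest"; fi ;;
    esac                                 # "default via ..." has no prefix and is skipped
  done
}

# Constructed `ip route` output (not from a real host): the wireless side
# already uses 192.168.6.0/24, the very subnet the lecture picks.
sample_routes() {
  cat <<'EOF'
default via 10.0.2.2 dev eth0
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15
192.168.6.0/24 dev wlan0 proto kernel scope link src 192.168.6.20
EOF
}

# set_docker_opts FILE OPTS: drop any existing DOCKER_OPTS line and append
# DOCKER_OPTS="OPTS", so the file holds exactly one definition.
set_docker_opts() {
  f=$1; opts=$2
  if [ -f "$f" ]; then grep -v '^DOCKER_OPTS=' "$f" > "$f.new" || true; else : > "$f.new"; fi
  printf 'DOCKER_OPTS="%s"\n' "$opts" >> "$f.new"
  mv "$f.new" "$f"
}

# rebuild_bridge: the privileged steps from the lecture, in order, guarded by
# the overlap check. Not called below; run it as root once you are satisfied.
rebuild_bridge() {
  if [ -n "$(ip route | route_conflicts 192.168.6.1/24)" ]; then
    echo "192.168.6.0/24 overlaps an existing route; pick another subnet" >&2
    return 1
  fi
  service docker stop                    # the daemon must be down first
  ip link set dev docker0 down
  brctl delbr docker0
  brctl addbr bridge0
  ip addr add 192.168.6.1/24 dev bridge0
  ip link set dev bridge0 up
  # -b selects the bridge; --icc=false stops containers on it from reaching
  # each other's unpublished ports (see the daemon options section above).
  set_docker_opts /etc/default/docker '-b=bridge0 --icc=false'
  service docker start
}

sample_routes | route_conflicts 192.168.6.1/24   # prints the wlan0 conflict
```

Against the constructed route table the check reports the 192.168.6.0/24 route on wlan0, which is exactly the situation the lecture warns about; with a free subnet it prints nothing and rebuild_bridge proceeds.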