Copyright 2014 Open Networking User Group. All Rights Reserved Confidential Not For Distribution
October 28-29, 2014
Container Networks and Network Containment
Chris Swan CTO CohesiveFT
@cpswan
Part 1 – Container Networking
TL;DR
• docker0 bridge is the heart of default networking
 – Plus some iptables magic
• Docker can help link your containers (on a single host)
 – But it’s easier with a compositing tool
• There are advanced options
 – On a single host
 – On multi hosts and advanced tools
Do I first need to explain Docker and containers?
Build, Ship > Run?
Image credit http://www.mediaagility.com/2014/docker-the-next-big-thing-on-cloud/
Docker Hub
Image credit http://blog.docker.com/2014/06/announcing-docker-hub-and-official-repositories/
Demo time
Why me?
Conceived last summer – released this April
The basics
Let’s start with a regular host (diagram: a host with eth0 10.0.1.1)
Install Docker (diagram: host eth0 10.0.1.1, now with a docker0 bridge at 172.17.42.1)
Start a container (diagram: a container with eth0 172.17.0.1 attached to the docker0 bridge through the host-side veth67ab)
Start another container (diagram: a second container with eth0 172.17.0.2 attached to docker0 through veth9c5d, alongside the first at 172.17.0.1 via veth67ab)
iptables magic
Connecting to the outside world

```
$ sudo iptables -t nat -L -n
...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        !172.17.0.0/16
...
```
Connecting from the outside world

```
$ sudo docker run -dp 1880:1880 cpswan/node-red
$ sudo docker ps
CONTAINER ID   IMAGE                    COMMAND       CREATED       STATUS       PORTS                    NAMES
7696169d9438   cpswan/node-red:latest   node red.js   2 weeks ago   Up 2 weeks   0.0.0.0:1880->1880/tcp   backstabbing_davinci
$ sudo iptables -t nat -L -n
...
Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1880 to:172.17.0.7:1880
```
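The `-p 1880:1880` publish above produces a DNAT rule whose destination is 0.0.0.0/0, so the port is open on every host interface, not just the one you had in mind. As an added check (not from the slides), the POSIX shell functions below read `iptables -t nat -L -n` output and report each published port with its exposure; the sample output is constructed to match the shape of the DOCKER chain shown above.

```shell
#!/bin/sh
# Added example, not from the slides: audit Docker DNAT rules for ports
# published on all interfaces. Input is the output of `iptables -t nat -L -n`.

# Constructed sample output, shaped like the DOCKER chain on the slide.
SAMPLE_NAT='Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1880 to:172.17.0.7:1880
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:3306 to:172.17.0.8:3306
DNAT       tcp  --  0.0.0.0/0            10.0.1.1             tcp dpt:4567 to:172.17.0.9:4567'

# Print one line per DNAT rule: host_destination host_port container_target exposure
# exposure is "public" when the destination is 0.0.0.0/0 (any host interface),
# "local" when it is 127.0.0.1, otherwise "interface" (bound to one host address).
audit_dnat() {
  awk '$1 == "DNAT" {
    dst = $5; port = ""; target = ""
    for (i = 6; i <= NF; i++) {
      if ($i ~ /^dpt:/) port = substr($i, 5)
      if ($i ~ /^to:/)  target = substr($i, 4)
    }
    exposure = (dst == "0.0.0.0/0") ? "public" : (dst == "127.0.0.1" ? "local" : "interface")
    print dst, port, target, exposure
  }'
}

# Count the rules that any remote host can reach.
count_public() {
  audit_dnat | awk '$4 == "public"' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NAT" | audit_dnat
printf 'public rules: %s\n' "$(printf '%s\n' "$SAMPLE_NAT" | count_public)"
```

Publishing with a host address, for example `-p 127.0.0.1:1880:1880`, makes Docker write the DNAT rule with that address as its destination, which the audit reports as `local`; on a real host, pipe `sudo iptables -t nat -L -n` into `audit_dnat` instead of the sample.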
Container linking
From the docker command line

From the outside:

```
# start the database
sudo docker run -dp 3306:3306 --name todomvcdb \
  -v /data/mysql:/var/lib/mysql cpswan/todomvc.mysql

# start the app server
sudo docker run -dp 4567:4567 --name todomvcapp \
  --link todomvcdb:db cpswan/todomvc.sinatra
```

On the inside:

```ruby
dburl = 'mysql://root:pa55Word@' + ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'
DataMapper.setup(:default, dburl)
```
Simplify life with Fig

fig.yml:

```yaml
todomvcdb:
  image: cpswan/todomvc.mysql
  expose:
    - "3306"
  volumes:
    - /data/mysql:/var/lib/mysql
todomvcapp:
  image: cpswan/todomvc.sinatra
  ports:
    - "4567:4567"
  links:
    - todomvcdb:db
```

I still need this on the inside:

```ruby
dburl = 'mysql://root:pa55Word@' + ENV['DB_PORT_3306_TCP_ADDR'] + '/todomvc'
DataMapper.setup(:default, dburl)
```
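Both the command-line and the Fig version end with the same dburl line, which hard-codes the password in the app source and assumes the link variable is present. As an added example (not the slides' code and not part of the todomvc app), the shell function below derives the URL from the variables Docker exports for `--link todomvcdb:db`, checks that they exist before the app starts, and takes the password from an assumed DB_PASSWORD variable rather than from the source; the values set at the top are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: build the todomvc database URL from the
# environment Docker injects for `--link todomvcdb:db`, keeping the password
# out of the source. DB_PASSWORD is an assumed variable; Docker does not set it.

# Constructed values, shaped like what Docker exports inside the linked container.
DB_PORT_3306_TCP_ADDR=172.17.0.5
DB_PORT_3306_TCP_PORT=3306
DB_PORT_3306_TCP_PROTO=tcp
DB_PASSWORD=example-only
export DB_PORT_3306_TCP_ADDR DB_PORT_3306_TCP_PORT DB_PORT_3306_TCP_PROTO DB_PASSWORD

# Print the URL and return 0 when every required variable is present; otherwise
# write a message to stderr and return 1 so the app fails at start-up rather
# than at the first database call.
db_url() {
  for v in DB_PORT_3306_TCP_ADDR DB_PORT_3306_TCP_PORT DB_PASSWORD; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "db_url: $v is not set; was the container started with --link todomvcdb:db?" >&2
      return 1
    fi
  done
  if [ "${DB_PORT_3306_TCP_PROTO:-tcp}" != "tcp" ]; then
    echo "db_url: unexpected protocol ${DB_PORT_3306_TCP_PROTO}" >&2
    return 1
  fi
  printf 'mysql://root:%s@%s:%s/todomvc\n' \
    "$DB_PASSWORD" "$DB_PORT_3306_TCP_ADDR" "$DB_PORT_3306_TCP_PORT"
}

# Stand-alone run over the constructed environment.
db_url
```

In a Fig setup the password would arrive through an `environment:` entry on the app service (or a file mounted as a volume) rather than the image, so the same image can be reused against a differently provisioned database.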
Other networking modes
Each mode is shown on the same diagram as before (host eth0 10.0.1.1, docker0 172.17.42.1, containers at 172.17.0.1 via veth67ab and 172.17.0.2 via veth9c5d):
• --net=host
• --net=container:$container2
• --net=none
Connecting containers between machines
Marek Goldmann did this with OVS
A more generic approach (ODCA)
Flocker
Weave
Still want more…
Pipework etc.
Pipework:
• Create bridges
• Attach to container interfaces
• Attach to host interfaces
• and much more…
Tenus:
• Golang package offering programmatic network configuration along similar lines to Pipework
libchan ‘A low level component that we can use as a communication layer that we can use across the board for all the different aspects of communication within Docker’
Solomon Hykes – DockerCon 2014 (my emphasis)
What it is – Golang-like channels over the network
‘A lightweight communication protocol for distributed systems’
What it does – yet to be revealed
Gotchas
Our old enemy the network hub (diagram: host eth0 10.0.1.1, docker0 172.17.42.1, containers at 172.17.0.1 via veth67ab and 172.17.0.2 via veth9c5d)
A bit like a home network (same diagram)
Host as router can be painful
• VirtualBox requires specific network adaptors (in a specific configuration) to play nicely with pipework
• Even with source/destination checks disabled pipework won’t play nicely on EC2
 – Mileage may vary on other clouds, but some don’t even have the option to flick that bit (or make it very hard to get at)
The end of this part (nearly)
Docker makes a great place to run L4-7 Network Application Services
TL;DR
• docker0 bridge is the heart of default networking
 – Plus some iptables magic
• Docker can help link your containers (on a single host)
 – But it’s easier with a compositing tool
• There are advanced options
 – On a single host
 – On multi hosts and advanced tools
Part 2 – Network Containment
TL;DR
• Hard shell and soft centre has never served us well
 – The pressure to move on is mounting
• Finer grained network segregation was too expensive in hardware
 – Software makes it achievable
• We’re seeing the dawn of application centric networking and the Application Security Controller
Enterprise networks and perimeters
The confectionary networking model
• Hard crunchy perimeter
• Soft chewy centre
Image credit CC by Sandra Fauconnier https://www.flickr.com/photos/spinster/4369608/
Pretty much everybody has a ‘demilitarized zone’ (diagram: DMZ in front of the Intranet)
Sophisticated organisations have an application server zone (diagram: DMZ, Intranet and ASZ)
Global scale makes things messy (diagram: a DMZ and ASZ pair for each of Europe, Americas and Asia around a single Intranet)
Some even have a ‘domain zoning concept’
This is VERY expensive when done with hardware
But potentially cheap and flexible if done in software
‘Microsegmentation’ – the VMware view
Image credit http://vinfrastructure.it/2014/09/micro-segmentation-with-nsx/
What’s driving this?
Are you being asked to look at this?
In particular this:
Application centric networking
What’s the right granularity? (diagram: Microservice / Service / Service family)
The sweet spot likely depends on containment of business data (same diagram: Microservice / Service / Service family)
To each their own (diagram, per application: Encrypted overlay, Firewall, NIDS, TLS, Cache, Load balancer, Proxy)
Using an ‘Application Security Controller’ (same diagram: Encrypted overlay, Firewall, NIDS, TLS, Cache, Load balancer, Proxy)
Wrapping up
TL;DR
• Hard shell and soft centre has never served us well
 – The pressure to move on is mounting
• Finer grained network segregation was too expensive in hardware
 – Software makes it achievable
• We’re seeing the dawn of application centric networking and the Application Security Controller
Questions?
@cpswan