Monday, July 25, 2016

Docker Network Demo - Part 5



A couple of useful links:

https://github.com/wsargent/docker-cheat-sheet

https://blog.docker.com/2013/10/docker-0-6-5-links-container-naming-advanced-port-redirects-host-integration/

Also figured out where the interesting docker names come from:

https://github.com/docker/docker/blob/master/pkg/namesgenerator/names-generator.go

BTW, there are a lot of comments (REMs) in that file, with some Easter-egg kind of info in them.

https://docs.docker.com/engine/reference/commandline/attach/

You can create your own names using --name foo as in "docker run --name test -it alpine /bin/sh".

Resuming from Part 4….

First thing, I just simply didn't have it in me to continue to use a complete /16. So:


docker network create -d bridge --subnet 172.16.2.0/24 docker2

nelson@lab1:~$ docker network ls
NETWORK ID          NAME                DRIVER
5ef6f5f7f40f        bridge              bridge
11f4ac20d39d        docker1             bridge
5d150019b8a9        docker2             bridge
d1a03332c0c1        host                host
91b70cf2593b        none                null

I feel so much better…..

Also, I updated the Ubuntu system and rebooted it, so I'm going to need to recreate the containers I'm playing with.

Now that I know how to name the docker containers, I can re-create the lab setup rapidly with the following commands:

docker run --name=test1 --net=docker1 -it alpine /bin/sh

docker run --name=test2 --net=docker1 -it alpine /bin/sh

docker run --name=test3 --net=docker2 -it alpine /bin/sh


nelson@lab1:~$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
9f9a5604108b        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            test3
61acf893dac5        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            test2
b501988db295        alpine              "/bin/sh"           3 minutes ago       Up 2 minutes                            test1

Docker revised containers and networks

Let's look at the connectivity again. The vSwitch isn't allowing the traffic to pass from one bridge to the other.

From test1 to test3


/ # ping 172.16.2.2
PING 172.16.2.2 (172.16.2.2): 56 data bytes
^C
--- 172.16.2.2 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss

From test3 to test1

/ # ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2): 56 data bytes
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

What does it take to get the containers to be able to talk to each other?

https://docs.docker.com/v1.8/articles/networking/ -> Search "Communication between containers"

There's a nice section on the rules there, but basically they can be turned off by starting the Docker daemon with --iptables=false.

Be aware: this is not considered a secure way of allowing containers to communicate. Look up --icc=true and https://docs.docker.com/v1.8/userguide/dockerlinks/

Before:


nelson@lab1:/etc/default$ sudo iptables -L -n
[sudo] password for nelson:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
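As an added example (not from the original post), here is a small shell check that reads `iptables -L -n` output and reports whether the daemon's DOCKER-ISOLATION chain is still doing the inter-bridge isolation shown above; the two sample listings embedded in it are abbreviated from the Before and After output on this page.

```shell
# Added example (not from the original post). Reads `iptables -L -n` output and
# reports whether Docker's inter-bridge isolation is still in place: FORWARD must
# jump to DOCKER-ISOLATION and that chain must hold at least one DROP rule.
# Real use:  sudo iptables -L -n | check_isolation
check_isolation() {
    awk '
        /^Chain /                                       { chain = $2 }
        chain == "FORWARD" && $1 == "DOCKER-ISOLATION"  { jump = 1 }
        chain == "DOCKER-ISOLATION" && $1 == "DROP"     { drops++ }
        END {
            if (jump && drops > 0) {
                printf "OK: FORWARD -> DOCKER-ISOLATION with %d DROP rule(s)\n", drops
                exit 0
            }
            if (!jump) print "WARN: FORWARD does not jump to DOCKER-ISOLATION (daemon started with --iptables=false?)"
            else       print "WARN: DOCKER-ISOLATION chain has no DROP rules"
            exit 1
        }'
}

# Constructed sample: abbreviated from the "Before" listing on this page.
sample_before() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed sample: the FORWARD chain from the "After Docker default change" listing.
sample_after() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
EOF
}

sample_before | check_isolation || true   # expected: OK
sample_after  | check_isolation || true   # expected: WARN
```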


Insert the following line in /etc/default/docker using your favorite editor:

#nelson - remove iptables remove masquerade

DOCKER_OPTS="--iptables=false --ip-masq=false"


Rebooting - in too much of a hurry to figure out iptables right now

     Update:  sudo iptables -F -t nat     -- flushes the nat table
              sudo iptables -F -t filter  -- flushes the filter table

Then re-start and re-attach the containers in each PuTTY window:


/ # nelson@lab1:~$ docker start test1
test3
nelson@lab1:~$ docker attach test1
/ #
/ # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 02:42:AC:10:01:02
          inet addr:172.16.1.2  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::42:acff:fe10:102%32734/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5361 (5.2 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1%32734/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

After the Docker default change:

nelson@lab1:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Ping test1 to test3

/ # ping 172.16.2.2
PING 172.16.2.2 (172.16.2.2): 56 data bytes
64 bytes from 172.16.2.2: seq=0 ttl=63 time=0.163 ms
64 bytes from 172.16.2.2: seq=1 ttl=63 time=0.138 ms
64 bytes from 172.16.2.2: seq=2 ttl=63 time=0.133 ms
^C
--- 172.16.2.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.133/0.144/0.163 ms

Ping test3 to test1

/ # ping 172.16.1.2
PING 172.16.1.2 (172.16.1.2): 56 data bytes
64 bytes from 172.16.1.2: seq=0 ttl=63 time=0.280 ms
64 bytes from 172.16.1.2: seq=1 ttl=63 time=0.126 ms
64 bytes from 172.16.1.2: seq=2 ttl=63 time=0.136 ms
64 bytes from 172.16.1.2: seq=3 ttl=63 time=0.129 ms
64 bytes from 172.16.1.2: seq=4 ttl=63 time=0.139 ms
^C
--- 172.16.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.126/0.162/0.280 ms

What you should probably be thinking now: OMG, what have I done!

     Update:  from here, all isolation rules must be made specifically in iptables.
              Make sure the FORWARD DROP rules provide all of the required isolation;
              think direction AND address range.

              This method may be very useful if the network area is behind a sufficient perimeter.

              Host routes for specific networks could be applied for connectivity.

              A routing function on the host would be used for communicating with the
              outside world. Look at:
              http://www.admin-magazine.com/Articles/Routing-with-Quagga
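As an added example (not from the original post), a shell function that writes the hand-made isolation the update above calls for: one FORWARD DROP rule per direction for every pair of container subnets, using the two lab networks from this page. The commands are printed rather than executed so they can be reviewed first; the chain name LAB-ISOLATION is an assumption of this example.

```shell
# Added example (not from the original post). With --iptables=false the daemon no
# longer maintains DOCKER-ISOLATION, so the inter-network DROP rules must be written
# by hand: one rule per DIRECTION for every pair of container subnets. The function
# emits iptables commands on stdout so they can be reviewed before applying:
#   gen_isolation_rules 172.16.1.0/24 172.16.2.0/24 | sudo sh
# The chain name LAB-ISOLATION is an assumption of this example.
gen_isolation_rules() {
    chain=LAB-ISOLATION
    # Create the chain (or empty it if a previous run left rules behind).
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Hook it in as the first FORWARD rule, once, so it runs before any ACCEPT.
    echo "iptables -C FORWARD -j $chain 2>/dev/null || iptables -I FORWARD 1 -j $chain"
    for src in "$@"; do
        for dst in "$@"; do
            # Same network: that is bridge traffic, never seen by FORWARD as a pair.
            if [ "$src" != "$dst" ]; then
                echo "iptables -A $chain -s $src -d $dst -j DROP"
            fi
        done
    done
    echo "iptables -A $chain -j RETURN"   # everything else falls through to FORWARD
}

# Counts the DROP rules a rule set would install; n networks must yield n*(n-1).
count_drop_rules() {
    gen_isolation_rules "$@" | grep -c -- '-j DROP'
}

gen_isolation_rules 172.16.1.0/24 172.16.2.0/24
```

Adding a third network to the argument list grows the rule set to six DROP rules, which is the "address range" part of the note; the per-direction pairs are the "direction" part.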


Commented out (REM) the DOCKER_OPTS line in /etc/default/docker and rebooted.

Once again all is right with the world.


nelson@lab1:~$ sudo iptables -L -n
[sudo] password for nelson:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
nelson@lab1:~$

1 comment:

  1. I found it really hard to understand; I need to check for more details or consult my mentor to get this stuff. Anyways, thanks for sharing it here.
