
Learning Docker Networking

By : Rajdeep Dua, Vaibhav Kohli, Santosh Kumar Konduri

Overview of this book

Docker is a Linux container implementation that enables the creation of lightweight, portable development and production environments. These environments can be updated incrementally. Docker achieves this by leveraging containment principles such as cgroups and Linux namespaces, along with portable images built on an overlay filesystem. Docker provides the networking primitives that allow administrators to specify how different containers network with each application and connect each of its components, then distribute them across a large number of servers and ensure coordination between them irrespective of the host or VM they are running in.

This book will show you how to create, deploy, and manage a virtual network for connecting containers spanning single or multiple hosts.
Table of Contents (13 chapters)
Learning Docker Networking
Credits
About the Authors
About the Reviewer
www.PacktPub.com
Preface
Index

Linux capabilities


Before Docker 1.2, a container either received the complete set of capabilities in privileged mode or was restricted to a fixed whitelist of allowed capabilities, with every other capability dropped. Running with the --privileged flag grants the container all capabilities. This is not recommended for production use because it is unsafe: the container process then holds all privileges directly on the host.

With Docker 1.2, two flags have been introduced with docker run:

  • --cap-add

  • --cap-drop

These two flags provide fine-grained control over a container's capabilities, for example, as follows:

  • Change the status of the Docker container's interface:

    docker run --cap-add=NET_ADMIN busybox sh -c "ip link set eth0 down"
    
  • Prevent any chown in the Docker container:

    docker run --cap-drop=CHOWN ...
    
  • Allow all capabilities except mknod:

    docker run --cap-add=ALL --cap-drop=MKNOD ...
    
Docker starts containers with a restricted set of capabilities by default. Capabilities convert a binary mode of root and non-root...
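The following is an added example, not code from the book. It models the capability set a container ends up with under the --cap-add/--cap-drop rules described above (start from Docker's default whitelist, apply drops, then apply adds, with ALL expanding to every capability), and it decodes the CapEff/CapBnd masks that /proc/<pid>/status prints inside a container, so the result of a docker run command can be checked from the inside with `grep Cap /proc/self/status`. The capability numbering is taken from linux/capability.h; the default set is Docker's documented default whitelist. The SAMPLE_STATUS text is constructed for the example.

```python
"""Model docker run --cap-add/--cap-drop and decode /proc/<pid>/status Cap* masks."""
import os
import re

# Capability name -> bit number, as defined in linux/capability.h.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "LINUX_IMMUTABLE": 9, "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11,
    "NET_ADMIN": 12, "NET_RAW": 13, "IPC_LOCK": 14, "IPC_OWNER": 15,
    "SYS_MODULE": 16, "SYS_RAWIO": 17, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_PACCT": 20, "SYS_ADMIN": 21, "SYS_BOOT": 22, "SYS_NICE": 23,
    "SYS_RESOURCE": 24, "SYS_TIME": 25, "SYS_TTY_CONFIG": 26, "MKNOD": 27,
    "LEASE": 28, "AUDIT_WRITE": 29, "AUDIT_CONTROL": 30, "SETFCAP": 31,
    "MAC_OVERRIDE": 32, "MAC_ADMIN": 33, "SYSLOG": 34, "WAKE_ALARM": 35,
    "BLOCK_SUSPEND": 36, "AUDIT_READ": 37,
}

# Docker's default (restricted) capability whitelist for unprivileged containers.
DOCKER_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})


def normalize(name):
    """Accept 'CAP_NET_ADMIN', 'net_admin' or 'NET_ADMIN'; reject unknown names."""
    name = name.strip().upper()
    if name.startswith("CAP_"):
        name = name[4:]
    if name != "ALL" and name not in CAP_BITS:
        raise ValueError(f"unknown capability: {name}")
    return name


def effective_caps(cap_add=(), cap_drop=()):
    """Capabilities a container gets for the given --cap-add/--cap-drop values.

    Rule: the base set is the default whitelist, or every capability when
    --cap-add=ALL is given; --cap-drop removes from the base (ALL empties it);
    each explicit --cap-add is then added back, so an explicit add wins over a drop.
    """
    adds = {normalize(n) for n in cap_add}
    drops = {normalize(n) for n in cap_drop}
    base = set(CAP_BITS) if "ALL" in adds else set(DOCKER_DEFAULT_CAPS)
    caps = set() if "ALL" in drops else base - drops
    caps |= adds - {"ALL"}
    return frozenset(caps)


def caps_to_mask(caps):
    """Encode a set of capability names as the integer bitmask the kernel uses."""
    mask = 0
    for name in caps:
        mask |= 1 << CAP_BITS[normalize(name)]
    return mask


def mask_to_caps(mask_hex):
    """Decode a CapEff/CapBnd hex value as printed in /proc/<pid>/status."""
    mask = int(mask_hex, 16)
    return frozenset(n for n, bit in CAP_BITS.items() if (mask >> bit) & 1)


def read_proc_caps(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into sets of names."""
    found = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        found[m.group(1)] = mask_to_caps(m.group(2))
    return found


# Constructed sample: Cap* lines as they appear inside a default `docker run busybox`.
SAMPLE_STATUS = """\
Name:\tsh
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

if __name__ == "__main__":
    # Show what the three commands from the text produce.
    for add, drop in ((["NET_ADMIN"], []), ([], ["CHOWN"]), (["ALL"], ["MKNOD"])):
        caps = effective_caps(add, drop)
        print(f"--cap-add={add} --cap-drop={drop}: {len(caps)} caps, "
              f"mask {caps_to_mask(caps):016x}")
    # Verify the running process (inside a container: /proc/self/status).
    text = SAMPLE_STATUS
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as fh:
            text = fh.read()
    eff = read_proc_caps(text).get("CapEff", frozenset())
    print("CapEff:", sorted(eff))
    print("beyond Docker default:", sorted(eff - DOCKER_DEFAULT_CAPS))
```

The last two lines of the `__main__` block are the check a practitioner wants: any name listed under "beyond Docker default" is a capability the container holds that a plain `docker run` would not have granted, which is where review of --cap-add or --privileged usage should start.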