One 、Docker The Internet

Docker Concept and default network

What is? Docker What about the Internet ？ in general , Containers in the network can communicate with each other , Those outside the network cannot access these containers . say concretely , In a network , It is a collection of containers , A container in this concept , It will pass through the container IP Direct communication , It can also ensure that some containers outside this set cannot pass through this container IP To communicate , Can achieve network isolation . The concept of network is created by the drive of network 、 Managed . Network drivers are divided into global and local , The overall situation means that this network can cross hosts , There is no need to say that my two containers must be on the same host to communicate through this network , I can use containers on different hosts IP Mutual communication .

Local network

First, let's look at a local network , In this picture, there is a host , There are four containers on it , Distributed in two networks , One is NET1, One is NET2.NET1 The two containers inside can pass through each other IP communication , however NET1 Inside the container and NET2 The container inside is isolated , This is the Docker A network concept of .

Global network

Global network means , Containers in a network can span hosts .C1 The container can be connected with the host 2 Upper C3 Containers , Through them IP Direct communication , It doesn't matter where the host is . We can also see a detail in this figure , The same container can be added to two networks , such as C4 It can be connected with the network 1 The two containers inside communicate , You can also connect with the network 2 Inside C5 communicate , In this way, we can realize some more complex combinations . such as C5 It is a container of database , I don't want this data to be used by the previous WEB Applications or other applications to access , I just want my middle key application to access . In this way, you can add the middle key application to a background network 、 A combination of foreground networks to realize this interconnection and network control .

Web service discovery

stay 1.10 Web service discovery has been added in version , What does that mean ？ such as , One of my networks has two containers , We can go straight through IP communicate , But my container may have knelt down for some time , It may restart after kneeling down , I don't know its IP 了 , Or as soon as it closes , I can't feel it on my side , This will trigger many complex processing processes . stay 1.10 When it does such a thing , It has a built-in DNS Server for , On the server RUN Up to then , Will write a container name , Or an alias of this container and it IP An analysis of . External container to access my DB When the container , It can go through DB This name resolves to DB Container of IP Address , In this way DB After the container restarts , This analysis will be dynamically adjusted , You can realize the discovery of a service .

Docker Default network driver

Docker There will be some network drivers by default , There are several local network drivers .none Network driven means , I create a container , But there are some network configurations without it , A single namespace , It cannot communicate with other containers , You can't access the Internet .host The network driver and host share the network stack 、 It sees the same interface as the host , Including its own exposed ports , Both are in the same cyberspace as the host .

bridge Network driven , It is a local network driver , In the above figure, there are two bridge The Internet , It's actually through Linux Of bridge To drive , Mount a network card in the container , The corresponding one is on the host veth, The request of the container will be forwarded directly to this veth above ,bridge The request will be flooded above , It can reach another container in the network .

Empathy , Another network , It is not on the same bridge as the container in this network , So they can't communicate with each other .bridge The driver will also realize another function , for instance C1 The container of , He wants to visit the public network , It passes through bridge When I went out , He finally reached the interface of the host , He can do a network address conversion , Put the container IP Convert to host IP, In this way, you can access the public network . Or my container may want to map services to the outside , Let other machines or other public services access , He can make one DNAT A rule , For example, my container is Nginx, Inside it is 80 port , I want to map to a host 9080, It can be directly through the host 9080 To visit , He can do one DNAT Configuration of , This is a bridge The driver . 

Docker There's another one by default overlay The driver , It is mainly to realize cross host communication , It will pass between hosts vxlan The way to make a tunnel , Implement the container on my host to access the container on the host , It will eventually be converted into a vxlan Communication inside .

Docker Cross host network

When there is no cross host network , For example, an application has two services , Two services cannot be deployed on the same machine , There is no way to achieve high availability , The host is connected , All the above services have been suspended . If you deploy it to two hosts , But the container on the two hosts IP You can't see it outside the host . So we can only put the container IP Converted to a host IP, Or an access endpoint of the host , To allow external hosts to access . therefore , The previous way is through port mapping , Map a port of the container to a port of the host , Let another host and this host map to this container to communicate . What problems will this bring ？

First, I use port mapping , For example, I map to 8090 port , I think of another container . He has to map to another port , Because there is only one host 8090 port , It can't say share this port , So when a host lifts a container , List of management ports required .

After mapping, there is a port of the host , So this port is exposed , Maybe we need to control , This port can only be said to be accessed by the host , In this way, we need to do some safe configuration , So the whole architecture is very complex . stay Docker1.9 after , Added cross host network , It can pass directly through the container IP To communicate , It is isolated from it through the outside , In this way, it can be safe , I can even lift another container , Its container IP Ports will not conflict .

Packet mode

Packet mode , such as overlay drive , It is to use VXLAN To encapsulate requests between containers into VXLAN Request , Encapsulate the Ethernet packet of the link layer into UDP Transmission in packets .

Here is a simple diagram to introduce the packet mode , Let's start with an example , from C1 Go to the host C2 The container of , Through the first C1 After sending this package , It first packets , To find centralized storage C2 On which host , What I found is on this host , Just package the requested package into the package between the host , Send this package to the corresponding host , Then through a certain agreement to unpack , Finally, it is forwarded to a container on another host .

The disadvantage is that the loss of bandwidth is relatively large , Because when you see here, go to the bag , It must have added another layer of package to the package of this container , There must be some occupation on this bag , Generally, it is like packet mode ,MTU Eventually, it will be smaller than that between the host computers MTU, It will also cause some resource occupation .

For example, when you go to pack in this place , It may occupy CPU Go and do the packet operation , It will also occupy CPU To unpack , So it will increase the load on the host , But its advantage is that it has relatively low requirements for infrastructure , It only needs three layers of interworking between two host computers .

Now let's Docker Of overlay Driver to introduce the implementation of the next packet , Its packaging method is based on VXLAN. The above figure is its needle format ,VXLAN Put a two-layer bag inside 、 A request in the link layer is encapsulated into a VXLAN A package , There will be an agreed message , such as VXLAN ID, There is also an external UDP The head of the , Will eventually pass this package UDP Send it to the corresponding host , The corresponding host will do VXLINE Unpacking .Docker And do IP Address management and network information synchronization .

Routing mode

Pictured above , such as , host 1 The container on wants to access the host 2 The container of , First of all, there is no host on this machine 2 Of IP Address , It leaves the machine and arrives at the router , Then through the routing table on the router , Forward the corresponding request to the corresponding host 2 above , host 2 There is this container on it IP, So it can achieve cross host communication of this container .

Its advantage is that it has no packets , So its performance is very good , But it has some requirements for infrastructure , For example, my infrastructure should support 、 This routing table can be configured , If you use Linux Routing should support layer-2 forwarding . 

VPC The network driver is Alibaba cloud VPC On the basis of , A scheme that can realize container interworking . First, in the Docker DM Startup time , Or when creating a network , From a centralized storage of each machine , Get two of your own network terminals , For example, the network terminal on this machine , For example, the network end on the left host is 172.19.1.1/24, It passes Alibaba cloud openapi Configure this forwarding table , Forward the address of the network end to the host .

When the other host starts , Take it to an available network end , Configure a routing table of Alibaba cloud , Forward the request of this network end to your host , For example, a container on my side wants to access the host 2 On C2 The container of , It finally arrived , adopt vSwitch Arrive at Alibaba cloud VPC Of vRouter when , Forward the real-time request packets to the host by querying the routing table 2 above , Final realization C1 and C2 Communication for .

Comparison of cross host network solutions

The advantage of the packet mode is that the requirements for infrastructure are relatively low , But its performance loss is relatively large , The routing mode has no packets , So its performance is better , But there are certain requirements for infrastructure , For example, support routing tables , Or support layer-2 forwarding .

Two 、 Alibaba cloud service network solution

There are now two kinds of clusters on Container Services , One is Alibaba cloud's ECS colony , The nodes of this cluster are all in the same region or the same VPC Below ECS, Or a hybrid cloud cluster , Alibaba cloud's hybrid cloud cluster node is in the user's own computer room , Or distributed on different cloud providers .

In Alibaba cloud ECS Above the cluster , The network architecture is like this , Communication between containers , Or through overlay drive , Its advantage is that it has relatively low requirements for infrastructure , So it only needs the interworking between hosts , Container to access the Internet , Or the container wants to expose the port to the external network through a gateway_bridge The bridge 、 A local driver , This is the port mapping for the container to access the Internet and the container .

stay ECS Above the cluster ,VPC The Internet is through VPC The driven routing table forwards the corresponding request to the machine where the container is located , It accesses the Internet and does port mapping as just introduced overlay It's the same .

Hybrid cloud clusters are combined with Alibaba cloud VPC Technology to realize the network interworking between containers .

In the mixed cluster, it is through the way of special lines , Forward the request of the corresponding data center to my data center , Or access the request of the data center VPC Of , A route through the dedicated line can also be forwarded to VPC Inside , Then forward the request of the container to the corresponding host through the routing table , The final way to realize it is to put me VPC The containers inside are interconnected with those in the data center .

Just now we introduced the communication between containers , We can avoid port conflicts without port mapping , How can I achieve when I want external access , It can also achieve a load balancing , How to deploy multiple containers on one machine , Then the ports do not conflict ？

At this time, Alibaba cloud provides such a load balancing scheme . For example, my website has two domain names , One is the domain name of shopping , One is paying , But I only have three machines in total , Each service should be highly available , So there are many containers , In this way, it needs to be handled on the same host , How to make it ensure that no single conflict , Container service is to provide such a solution , We will deploy a set of routing services in the cluster , First request , For example, the universal resolution of my company domain name will be resolved to my routing service , The routing service then passes the requested domain name Host, Forward this request directly to the container , Finally, one of my requests can be forwarded to the container , But my container doesn't map ports , There is no need to solve the problem of port conflict .