


An overview of the

With Docker's default networking, containers on the same host can communicate directly through the docker0 bridge. Containers on different hosts, however, can only reach each other through ports mapped on the hosts, which is sometimes very inconvenient and may not meet our requirements. It is therefore necessary for Docker containers on different physical machines to communicate with each other directly using their own IP addresses. As soon as containers are spread over different physical hosts, the cross-host communication problem is unavoidable. This article gives it a try.



Scene structure

As shown in the figure below, we have two physical hosts 1 and 2. We start a centos container on each host. After successful startup, the two containers run on the two hosts respectively.


How do containers on two hosts communicate?

How can Docker containers on two hosts communicate directly through IP addresses?

An immediate solution is to let the two centos containers communicate directly by adding routes on their respective hosts. Let's try it.



Analysis of scheme principle

Since the IP address of the container is used for routing, it is necessary to prevent containers on different hosts from using the same IP address. Therefore, different subnets should be allocated to different hosts to ensure this. So we construct the routing scheme for communication between the two containers, as shown in the figure below.


Container to container communication

The configurations are as follows:

  • The IP address of host 1 is 192.168.145.128
  • The IP address of host 2 is 192.168.145.129
  • Subnet allocated for the Docker containers on host 1: 172.17.1.0/24
  • Subnet allocated for the Docker containers on host 2: 172.17.2.0/24

After this configuration, Docker containers on two hosts will definitely not use the same IP address, thus avoiding IP conflicts.

Let’s define two routing rules:

  • All packets whose destination address is 172.17.1.0/24 are forwarded to host 1
  • All packets whose destination address is 172.17.2.0/24 are forwarded to host 2

To sum up, the transfer process of packets between two containers is as follows:

  • Packets sent from Container1 to Container2 first go to Container1's gateway, docker0 on host 1. Host 1 then looks up its routing table and sends them to host 2. When the packets arrive at host 2, they are forwarded to host 2's docker0, which delivers them to Container2. The reverse direction works the same way and is not repeated here.

That’s what we had in mind, so let’s try it out and see if it works.



The actual test

  • 0x01. Configure docker0 on host 1 and host 2 respectively

Edit the /etc/docker/daemon.json file on host 1 and add "bip": "ip/netmask":

{"bip": "172.17.1.252/24"}

Edit the /etc/docker/daemon.json file on host 2 and add "bip": "ip/netmask":

{"bip": "172.17.2.252/24"}
  • 0x02. Restart the Docker service

Run the following command on hosts 1 and 2 to restart the Docker service so that the modified docker0 network segment takes effect:

systemctl restart docker
  • 0x03. Add a routing rule

Add the following routing rules to host 1:

route add -net 172.17.2.0 netmask 255.255.255.0 gw 192.168.145.129

Add the following routing rules to host 2:

route add -net 172.17.1.0 netmask 255.255.255.0 gw 192.168.145.128
  • 0x04. Configure iptables rules

Add the following rules to host 1:

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 172.17.1.0/24 ! -d 172.17.0.0/16 -j MASQUERADE

Add the following rules to host 2:

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 172.17.2.0/24 ! -d 172.17.0.0/16 -j MASQUERADE
  • 0x05. Start container

Start a centos container on host 1:

docker run -it --name container1 centos /bin/bash

Start the centos container on host 2:

docker run -it --name container2 centos /bin/bash
  • 0x06. Direct communication between containers

OK, now the two containers can ping each other.


container1 ping container2

container2 ping container1
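
The script below is an added example, not part of the original article: it checks, from text captured with `cat /etc/docker/daemon.json`, `ip route` and `iptables -t nat -S POSTROUTING`, that a host is in the state steps 0x01 to 0x04 are meant to produce. The function names, the interface name `ens33` and the default gateway are assumptions; the sample `NAT_DOCKER_DEFAULT` is a constructed rule of the `! -o docker0` form Docker installs itself, which would rewrite the container source address on the way to the peer host, the effect the `! -d 172.17.0.0/16` exclusion avoids.

```shell
#!/bin/sh
# Added example, not from the original article. Inputs are text captured on a
# host; all sample values are constructed from the article's addressing plan.

ip_to_int() {    # A.B.C.D -> integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}
in_subnet() {    # in_subnet ADDR[/len] CIDR: true if ADDR lies inside CIDR
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( $(ip_to_int "${1%/*}") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}
subnets_overlap() {    # CIDR blocks are nested or disjoint, so test both ways
    in_subnet "$1" "$2" || in_subnet "$2" "$1"
}
bip_in_subnet() {    # bip_in_subnet DAEMON_JSON_TEXT LOCAL_SUBNET
    bip=$(printf '%s\n' "$1" | sed -n 's/.*"bip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$bip" ] && in_subnet "$bip" "$2"
}
has_route() {    # has_route IP_ROUTE_TEXT PEER_SUBNET PEER_HOST
    printf '%s\n' "$1" | grep -qF -- "$2 via $3 "
}
masq_ok() {    # every MASQUERADE rule for LOCAL_SUBNET must skip CONTAINER_RANGE
    rules=$(printf '%s\n' "$1" | grep -F -- "-s $2 " | grep -F -- '-j MASQUERADE')
    [ -n "$rules" ] || return 1
    ! printf '%s\n' "$rules" | grep -qvF -- "! -d $3 "
}
audit_host() {    # JSON ROUTES NAT LOCAL_NET PEER_NET PEER_HOST CONTAINER_RANGE
    rc=0
    subnets_overlap "$4" "$5" && { echo "FAIL: $4 overlaps $5"; rc=1; }
    bip_in_subnet "$1" "$4" || { echo "FAIL: bip is not inside $4"; rc=1; }
    has_route "$2" "$5" "$6" || { echo "FAIL: no route to $5 via $6"; rc=1; }
    masq_ok "$3" "$4" "$7" || { echo "FAIL: NAT hides container source IP"; rc=1; }
    return $rc
}

# Constructed samples for host 1 (interface name and default gateway assumed).
DAEMON_JSON='{"bip": "172.17.1.252/24"}'
ROUTES='default via 192.168.145.2 dev ens33
172.17.1.0/24 dev docker0 proto kernel scope link src 172.17.1.252
172.17.2.0/24 via 192.168.145.129 dev ens33'
NAT_GOOD='-A POSTROUTING -s 172.17.1.0/24 ! -d 172.17.0.0/16 -j MASQUERADE'
NAT_DOCKER_DEFAULT='-A POSTROUTING -s 172.17.1.0/24 ! -o docker0 -j MASQUERADE'

audit_host "$DAEMON_JSON" "$ROUTES" "$NAT_GOOD" \
    172.17.1.0/24 172.17.2.0/24 192.168.145.129 172.17.0.0/16 && echo "host 1: OK"
```
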



Afterword.

This article discusses one possible scheme for direct communication between Docker containers on a LAN. Of course, there are many ready-made solutions for cross-host container communication, such as Flannel, which is also used in my private cloud.
