Docker – Nuage shows off micro-segmentation on containers.

Yes! I could finally dig into containers.
My first impression is that they are faster and easier to handle. I am seeing a hard future for hypervisors. However, apps must be designed to work with that sort of constant change.

Nuage brings really good micro-segmentation to them and helps us bring advanced routing, security and network settings (e.g. forwarding, QoS) to containers.

I am not covering how to install Nuage or how to make it work with Docker. That will be a future subject on this site.

I am also using KVM to show how we can connect VMs with containers in the same subnet or Layer-3 domain. Nice, don’t you think? Details on how I am using KVM can be found in my post: USING CENTOS CLOUD IMAGES WITH VIRSH AND NUAGE METADATA

Enough said… now it’s time to play.

Some useful scripts

I’ve written some scripts to provision and remove containers. The first one is called create_cont.sh. You only need to pass the network name (and how many containers you want); if you need to change the zone or domain, you have to edit the script itself.

#!/bin/bash
# usage: create_cont.sh <nuage_subnet_name> <how-many-containers>
# Domain, zone, enterprise and user are fixed below; edit them for a different placement.
COUNTER=0
while [ "$COUNTER" -lt "$2" ]; do
    # --net=none leaves the container without Docker networking; the NUAGE-* variables
    # carry the placement metadata (domain, zone, subnet, enterprise, user) for Nuage.
    docker run -d -i -t -e "NUAGE-DOMAIN=dom2" -e "NUAGE-ZONE=zone0" -e "NUAGE-NETWORK=${1}" -e "NUAGE-ENTERPRISE=ACME Corp" -e "NUAGE-USER=mau" --net=none centos /bin/bash
    echo "creating container $COUNTER ..."
    COUNTER=$((COUNTER + 1))
done

You have to be able to remove them as fast as you create them:

#!/bin/bash
# usage: remove_cont.sh
# Stops and removes every running container on this compute.
for i in $(docker ps -q); do
    docker stop "$i"
    docker rm "$i"
    echo "removing $i ..."
done

That’s all, pretty easy, don’t you think?

Cheat list of commands

This is the list of commands I will be using throughout this demo.

# bash access to a container
docker exec -i -t <container-name> /bin/bash
# list containers
docker ps
# define a virsh domain from its XML file
virsh define <xml file>
# start a domain
virsh start <domain name>
# list all domains
virsh list --all

Playing with containers on two different computes

I’ve created 10 containers connected to subnet0 as follows:

[root@compute01 cheat_cont]# ./create_cont.sh subnet0 10
8d14224deaeda50c182c8a5154e96516695c11a7d49214589390c8e6fe369d55
creating container 0 ...
57e8e917974f2b63ba3572d7e3752f01ea0e7eaee93baf78c8d1fb51a72ab026
creating container 1 ...
c0bca01043c55078c23dfbec4ee9736118210d1eb7b57b75f3fa38558f6d4d3f
creating container 2 ...
8646cf049d24f317ebcf7901c2b4590f26aa74cf4829be7ae7d3ccf57fd9c57f
creating container 3 ...
ed4b8fe3a4b22b3a10d2c4b5868dd939e98f1aeb7e652a663e4d6199bea4c710
creating container 4 ...
76850489155db55ddda6dc8f2d7299562b3fc740977060466d42258c530e1c3d
creating container 5 ...
80142e10dc97071a620728e33b2a21660ca6721ffd7c3f215103baa1403acd18
creating container 6 ...
9258a63d05f0bf04babeee107b97e9612bb9777cea96da28d82dba8063e2463f
creating container 7 ...
77e628c93939f62051d335cacbd90f5c51642cbfc18907694d3c9b19d927630f
creating container 8 ...
732e4e99d689146dfd51681d8b80946a4950a74ca143a95e5620ed64130d1017
creating container 9 ...

Let’s check them out

[root@compute01 cheat_cont]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
732e4e99d689        centos              "/bin/bash"         21 seconds ago      Up 19 seconds                           berserk_visvesvaraya
77e628c93939        centos              "/bin/bash"         22 seconds ago      Up 20 seconds                           sick_leakey
9258a63d05f0        centos              "/bin/bash"         24 seconds ago      Up 22 seconds                           jovial_franklin
80142e10dc97        centos              "/bin/bash"         26 seconds ago      Up 24 seconds                           sleepy_roentgen
76850489155d        centos              "/bin/bash"         27 seconds ago      Up 26 seconds                           trusting_keller
ed4b8fe3a4b2        centos              "/bin/bash"         29 seconds ago      Up 27 seconds                           silly_feynman
8646cf049d24        centos              "/bin/bash"         31 seconds ago      Up 29 seconds                           modest_chandrasekhar
c0bca01043c5        centos              "/bin/bash"         33 seconds ago      Up 31 seconds                           insane_kare
57e8e917974f        centos              "/bin/bash"         34 seconds ago      Up 33 seconds                           boring_ardinghelli
8d14224deaed        centos              "/bin/bash"         36 seconds ago      Up 34 seconds                           gigantic_wescoff

Check out how they are shown in VSD:

[Image: the containers as listed in VSD]

Let’s get into one of them now and ping out.

[root@compute01 cheat_cont]# docker exec -i -t gigantic_wescoff /bin/bash
[root@8d14224deaed /]# ping 10.37.134.38
PING 10.37.134.38 (10.37.134.38) 56(84) bytes of data.
64 bytes from 10.37.134.38: icmp_seq=1 ttl=64 time=120 ms
64 bytes from 10.37.134.38: icmp_seq=2 ttl=64 time=0.065 ms
64 bytes from 10.37.134.38: icmp_seq=3 ttl=64 time=0.064 ms
64 bytes from 10.37.134.38: icmp_seq=4 ttl=64 time=0.067 ms
64 bytes from 10.37.134.38: icmp_seq=5 ttl=64 time=0.066 ms

Now I will create 4 containers on another compute server and check connectivity between the containers on both.

[root@compute01 cheat_cont]# ./create_cont.sh subnet1 4
497c0ee30696fe6635f7cad3ecebc72bad16b53b3e089921af30a96c30fd9325
creating container 0 ...
35c5fcc911f1b80919ae6d0167702e2cb83fedb9b7fa907710c83995e1195e51
creating container 1 ...
91233ace7512fa0bf674da68ba71c47035a1add6c345ce112e334737665e0943
creating container 2 ...
b325e5875e6c1c3db8a40bff402e674574f17a564432603a51a5e4d59998b045
creating container 3 ...

Let’s check them:

[root@compute01 cheat_cont]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
b325e5875e6c        centos              "/bin/bash"         17 seconds ago      Up 16 seconds                           admiring_murdock
91233ace7512        centos              "/bin/bash"         19 seconds ago      Up 17 seconds                           prickly_mahavira
35c5fcc911f1        centos              "/bin/bash"         20 seconds ago      Up 18 seconds                           tender_meitner
497c0ee30696        centos              "/bin/bash"         22 seconds ago      Up 20 seconds                           hungry_mclean

Ping now to check whether I can connect to the same subnet (note the TTL of 63 in the replies below against 64 before: this time the traffic crosses a routed hop).

[root@compute01 cheat_cont]# docker exec -i -t hungry_mclean /bin/bash
[root@497c0ee30696 /]# ping 10.37.134.38
PING 10.37.134.38 (10.37.134.38) 56(84) bytes of data.
64 bytes from 10.37.134.38: icmp_seq=2 ttl=63 time=98.4 ms
64 bytes from 10.37.134.38: icmp_seq=3 ttl=63 time=0.086 ms
64 bytes from 10.37.134.38: icmp_seq=4 ttl=63 time=0.073 ms
64 bytes from 10.37.134.38: icmp_seq=5 ttl=63 time=0.087 ms
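Two helpers I would put next to create_cont.sh and the ping checks above, as an added example that is not part of the original scripts: one validates the script arguments before any docker run is issued, the other reads a ping transcript and tells direct (TTL 64) from routed (TTL below 64) reachability. The Linux initial TTL of 64 and the sample reply lines are assumptions constructed from the output shown in this post.

```bash
#!/bin/bash
# Added example, not part of the original post: helpers for the demo above.
# validate_args checks create_cont.sh-style arguments before any `docker run` is
# issued; summarize_ping reads a ping transcript like the ones captured in the post
# and reports how many replies arrived and whether the path crossed a router.

# usage: validate_args <nuage_subnet_name> <how-many-containers>
validate_args() {
    local net="$1" count="$2"
    [ -n "$net" ] || { echo "error: subnet name required" >&2; return 1; }
    case "$count" in
        ''|*[!0-9]*) echo "error: count must be a positive integer" >&2; return 1 ;;
    esac
    [ "$count" -gt 0 ] || { echo "error: count must be greater than 0" >&2; return 1; }
}

# usage: summarize_ping < ping-output
# prints "<replies> <direct|routed|none>". Assumes a Linux-like peer with an
# initial TTL of 64, so ttl=64 means no router in between and ttl<64 means at
# least one routed hop (the Layer-3 domain case in the post).
summarize_ping() {
    local replies=0 min_ttl=255 ttl line
    while IFS= read -r line; do
        case "$line" in
            *"bytes from "*"ttl="*)
                replies=$((replies + 1))
                ttl=${line##*ttl=}
                ttl=${ttl%% *}
                if [ "$ttl" -lt "$min_ttl" ]; then min_ttl=$ttl; fi
                ;;
        esac
    done
    if [ "$replies" -eq 0 ]; then
        echo "0 none"
    elif [ "$min_ttl" -lt 64 ]; then
        echo "$replies routed"
    else
        echo "$replies direct"
    fi
}

# Constructed sample: two reply lines shaped like the second ping in the post.
SAMPLE_ROUTED='64 bytes from 10.37.134.38: icmp_seq=2 ttl=63 time=98.4 ms
64 bytes from 10.37.134.38: icmp_seq=3 ttl=63 time=0.086 ms'

if validate_args "subnet1" "4"; then
    printf '%s\n' "$SAMPLE_ROUTED" | summarize_ping   # prints "2 routed"
fi
```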

Done! See you
