Dockers – Nuage shows off micro-segmentation on containers.

Yes! I could finally dig into containers.
My first impression is that they are faster and easier to handle. I am seeing a hard future for hypervisors. However, apps must be designed to work with that sort of constant change.

Nuage brings really good micro-segmentation to them and helps us bring advanced routing, security and network settings (i.e. forwarding, QoS).

I am not covering how to install Nuage or how to make it work with Docker. That will be a future subject on this site.

I am also using KVM to show how we can connect VMs with containers in the same subnet or Layer-3 domain. Nice, don’t you think? Details of how I am using KVM can be found in my post: USING CENTOS CLOUD IMAGES WITH VIRSH AND NUAGE METADATA

Enough said… now it’s time to play.

some useful scripts

I’ve written some scripts to provision and remove containers. The next one is called . You just need to enter the network name. If you need to change zones or domain, you will have to do it inside the script.

#!/bin/bash
# usage: <nuage_subnet_name> <how-many-containers>
COUNTER=0
while [ $COUNTER -lt $2 ]; do
    docker run -d -i -t -e "NUAGE-DOMAIN=dom2" -e "NUAGE-ZONE=zone0" -e "NUAGE-NETWORK=${1}" -e "NUAGE-ENTERPRISE=ACME Corp" -e "NUAGE-USER=mau" --net=none centos /bin/bash
    echo creating container $COUNTER ...
    COUNTER=$((COUNTER+1))   # advance the counter, otherwise the loop never ends
done

You have to be able to remove them as fast as you create them:

# usage: 
# stops and removes every running container on this host
for i in $( docker ps -q ); do
    docker stop $i
    docker rm $i
    echo removing $i ...
done
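As an added example that is not part of the original post: a variant of the two scripts above that labels each container with its Nuage subnet and removes only those, instead of stopping and deleting every container on the host as the docker ps -q loop does. The Nuage domain, zone, enterprise and user values are the post's own; the label key nuage.subnet, the <subnet>-<n> naming scheme and the DOCKER override (set DOCKER=echo to dry-run without a daemon) are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the post's script. Provisions Nuage-attached containers with a
# label so teardown is scoped to one subnet rather than to every container on the host.
# Assumptions: DOCKER may be overridden (DOCKER=echo dry-runs without a daemon); the
# label key and deterministic names are this script's convention, not Nuage's.
DOCKER="${DOCKER:-docker}"
NUAGE_DOMAIN="${NUAGE_DOMAIN:-dom2}"
NUAGE_ZONE="${NUAGE_ZONE:-zone0}"
NUAGE_ENTERPRISE="${NUAGE_ENTERPRISE:-ACME Corp}"
NUAGE_USER="${NUAGE_USER:-mau}"
LABEL_KEY="nuage.subnet"   # constructed label key used only by this script

# create_containers <nuage_subnet_name> <how-many-containers>
# Names are deterministic (<subnet>-<n>), so a re-run fails loudly instead of
# silently doubling the number of containers attached to the subnet.
create_containers() {
    local subnet="$1" count="$2" i=0
    case "$count" in ''|*[!0-9]*) echo "count must be a number" >&2; return 1;; esac
    while [ "$i" -lt "$count" ]; do
        "$DOCKER" run -d -i -t \
            --name "${subnet}-${i}" \
            --label "${LABEL_KEY}=${subnet}" \
            -e "NUAGE-DOMAIN=${NUAGE_DOMAIN}" -e "NUAGE-ZONE=${NUAGE_ZONE}" \
            -e "NUAGE-NETWORK=${subnet}" -e "NUAGE-ENTERPRISE=${NUAGE_ENTERPRISE}" \
            -e "NUAGE-USER=${NUAGE_USER}" --net=none centos /bin/bash
        echo "creating container ${subnet}-${i} ..."
        i=$((i + 1))
    done
}

# remove_containers <nuage_subnet_name>
# Stops and removes only the containers carrying this subnet's label; unrelated
# containers on the same compute are left alone.
remove_containers() {
    local subnet="$1" id
    for id in $("$DOCKER" ps -aq --filter "label=${LABEL_KEY}=${subnet}"); do
        "$DOCKER" stop "$id" >/dev/null
        "$DOCKER" rm "$id" >/dev/null
        echo "removing $id ..."
    done
}
```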

That’s all, pretty easy, don’t you think?

Cheat list of commands

This is the list of commands I will be using over this demo.

# bash access to container
docker exec -i -t <container-name> /bin/bash
# list containers
docker ps
# define domain virsh
virsh define <xml file>
# start domain
virsh start <domain name>
# list domains
virsh list --all

Playing with containers on two different computes

I’ve created 10 containers connected to subnet0 as follows:

[root@compute01 cheat_cont]# ./ subnet0 10
creating container 0 ...
creating container 1 ...
creating container 2 ...
creating container 3 ...
creating container 4 ...
creating container 5 ...
creating container 6 ...
creating container 7 ...
creating container 8 ...
creating container 9 ...

Let’s check them out

[root@compute01 cheat_cont]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
732e4e99d689        centos              "/bin/bash"         21 seconds ago      Up 19 seconds                           berserk_visvesvaraya
77e628c93939        centos              "/bin/bash"         22 seconds ago      Up 20 seconds                           sick_leakey
9258a63d05f0        centos              "/bin/bash"         24 seconds ago      Up 22 seconds                           jovial_franklin
80142e10dc97        centos              "/bin/bash"         26 seconds ago      Up 24 seconds                           sleepy_roentgen
76850489155d        centos              "/bin/bash"         27 seconds ago      Up 26 seconds                           trusting_keller
ed4b8fe3a4b2        centos              "/bin/bash"         29 seconds ago      Up 27 seconds                           silly_feynman
8646cf049d24        centos              "/bin/bash"         31 seconds ago      Up 29 seconds                           modest_chandrasekhar
c0bca01043c5        centos              "/bin/bash"         33 seconds ago      Up 31 seconds                           insane_kare
57e8e917974f        centos              "/bin/bash"         34 seconds ago      Up 33 seconds                           boring_ardinghelli
8d14224deaed        centos              "/bin/bash"         36 seconds ago      Up 34 seconds                           gigantic_wescoff

Check out how they are shown in the VSD:

(screenshot: the containers as displayed in the Nuage VSD)

Let’s get into one now and ping an address.

[root@compute01 cheat_cont]# docker exec -i -t gigantic_wescoff /bin/bash
[root@8d14224deaed /]# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=120 ms
64 bytes from icmp_seq=2 ttl=64 time=0.065 ms
64 bytes from icmp_seq=3 ttl=64 time=0.064 ms
64 bytes from icmp_seq=4 ttl=64 time=0.067 ms
64 bytes from icmp_seq=5 ttl=64 time=0.066 ms

Now I will create 4 containers on the other compute server and check connectivity between the containers on both.

[root@compute01 cheat_cont]# ./ subnet1 4
creating container 0 ...
creating container 1 ...
creating container 2 ...
creating container 3 ...

Let’s check them out:

[root@compute01 cheat_cont]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
b325e5875e6c        centos              "/bin/bash"         17 seconds ago      Up 16 seconds                           admiring_murdock
91233ace7512        centos              "/bin/bash"         19 seconds ago      Up 17 seconds                           prickly_mahavira
35c5fcc911f1        centos              "/bin/bash"         20 seconds ago      Up 18 seconds                           tender_meitner
497c0ee30696        centos              "/bin/bash"         22 seconds ago      Up 20 seconds                           hungry_mclean

Now ping to check whether I can connect within the same subnet:

[root@compute01 cheat_cont]# docker exec -i -t hungry_mclean /bin/bash
[root@497c0ee30696 /]# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=2 ttl=63 time=98.4 ms
64 bytes from icmp_seq=3 ttl=63 time=0.086 ms
64 bytes from icmp_seq=4 ttl=63 time=0.073 ms
64 bytes from icmp_seq=5 ttl=63 time=0.087 ms

Done! See you
