Docker 101: Layered Architecture & Networking
I have been working very closely with the DevOps team at the organisation I currently work at. For a guy who comes from a pen-testing background, listening to the word “Docker” day in and day out became frustrating to a point where I decided to just leave security altogether for some time and get involved in the DevOps part of things.
For the past few days, I have been binge-watching Docker tutorials, understanding why it is required, what its benefits are and how it saves time and resources. After putting in the work, I have realised that Docker is here to stay for a long time and how beneficial it is for everyone from development to deployment and management.
Last week I published my second article on Docker, Docker 101: Images & Dockerfiles. So, you can go back and read my previous articles on docker to have a better understanding of what I am trying to explain here.
In my previous article I explained Docker images and Dockerfiles, showing how to set up a Docker image and what is required to create one. I explained that the commands executed to create a Docker image need to be in sequence, and why that is so. I also showed how to use a Dockerfile to create these images with ease whenever you need to, without having to type the same commands over and over again.
We had our first look at Docker Images and Dockerfiles. Now that we have gone through it let’s pick up from where we dropped off in the previous article.
Docker has a layered architecture, which we already know, as in the previous article I mentioned how we need to build a Docker image in a sequential manner: we choose an OS first and then install the libraries and packages, not the other way around. Let me show what exactly I mean by the layered architecture.
The image above gives us an idea of the layered architecture. It has been divided into two different layers.
Image Layer ( Read Permission )
This contains all the steps that we carry out in a particular sequence to create a docker image so that it can be built to start up a container. We can see how each step is carried out in sequence and the command that is required to build the image. This only has read permission as once we build the image then we can’t carry out changes in this layer. If we need to change the image we need to stop the container and then change the Dockerfile accordingly.
Container Layer ( Read & Write Permission )
This is the layer where we run the image to start the container and then work on it and set up services on top of it. This layer has read and write permission, so we can carry out our tasks as needed. There is one problem here: as soon as the container is destroyed, every change that we have made in this container gets erased.
The layers of Docker images and containers are clear to us now, but you know what is better than one Docker container? Multiple Docker containers communicating with each other. Let’s see how we can set that up.
So, we have seen how to properly set up one container, how to use a Dockerfile for that process, and the layers that are involved. In a real-life scenario, one container alone is not very useful and can’t really perform a lot of tasks. So most of the time we end up setting up more than one container, each communicating with other running containers to carry out a task.
To communicate with other containers, we need to set up networking so that these containers can send and receive data. So, let’s see how many types of Docker network there are and how they work.
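To see what actually lives in the writable container layer, and would therefore be erased with the container, the output of `docker diff <container-name>` can be triaged. The following is an added example, not code from the original article; the sample output is constructed and the list of system paths is an assumption.

```python
# Constructed sample of `docker diff <container-name>` output:
# A = added, C = changed, D = deleted, all relative to the read-only image.
SAMPLE_DIFF = """\
C /etc
C /etc/nginx
C /etc/nginx/nginx.conf
D /etc/motd
C /usr/local/bin
A /usr/local/bin/debug-tool
C /var/log
A /var/log/app.log
A /tmp/upload.bin
"""

KINDS = {"A": "added", "C": "changed", "D": "deleted"}
# Assumption: paths that the image build (Dockerfile) is expected to own.
SYSTEM_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/", "/lib/")

def parse_diff(text):
    """Turn `docker diff` lines into (kind, path) tuples, skipping junk."""
    entries = []
    for line in text.splitlines():
        kind, _, path = line.strip().partition(" ")
        if kind in KINDS and path.startswith("/"):
            entries.append((kind, path))
    return entries

def leaf_changes(entries):
    """Drop 'C' entries that only mark the parent directory of another entry."""
    paths = [p for _, p in entries]
    return [(k, p) for k, p in entries
            if not (k == "C" and any(q.startswith(p + "/") for q in paths))]

def classify(entries):
    """Split container-layer changes into image drift and runtime data."""
    report = {"image_drift": [], "runtime_data": []}
    for kind, path in leaf_changes(entries):
        # Changes under system paths belong in the Dockerfile; everything
        # here is erased when the container is destroyed.
        bucket = "image_drift" if path.startswith(SYSTEM_PREFIXES) else "runtime_data"
        report[bucket].append((KINDS[kind], path))
    return report

if __name__ == "__main__":
    for bucket, items in classify(parse_diff(SAMPLE_DIFF)).items():
        print(bucket, items)
```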
Docker containers are running on a bridged network when all of them are on the same network of 22.214.171.124/16. In this way they can easily communicate between themselves.
In the host network scenario, the Docker container’s ports are mapped to the ports of the host machine. As we perform port mapping, no other container can use a port that is already being used by another container.
The isolated network is the case when a container is running on a totally different network from the other Docker containers and can’t communicate with any of them.
Now that we know about these container networks, you might have this question on your mind: what if you wanted to set up containers on two different networks so that they can function in isolation from each other?
Creating User-defined Network
So, let’s focus on how to set up a specific network for your different Docker containers. The reason we are looking into this is that by default Docker containers are spawned in the 172.17.0.1 network. When we start setting up containers all over the place, we need to segregate them properly into networks so as to reduce confusion and have a clear boundary regarding which containers are meant to communicate with which other containers.
docker network create \
--driver bridge \
--subnet 126.96.36.199/16 \
<network-name>
This is the command to be executed to create a new network. Here we can define the type of network we want it to be, like bridge, host or none. Once we have done that, we need to decide the subnet and CIDR. In the last part of the command, we need to give a name to the network.
$ docker network ls
This will help you list all the containers and the network they are running on.
$ docker inspect <container-name>
This command shows the network details of the container.
When it comes to Docker networking, there are certain points that we must always remember:
All Containers can resolve each other using container name so instead of using the IP address we should always use their container name. The inbuilt DNS server always runs on 127.0.0.11 IP address.
These two things help you a lot when setting up these environments.
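One way to check that the boundaries described above actually hold is to read the network membership out of `docker inspect` and list which containers share a network. This is an added example, not code from the original article; the container names, network names and IP addresses in the sample are constructed.

```python
import json
from itertools import combinations

# Constructed sample in the shape of `docker inspect <container-name> ...`
# output, trimmed to the fields used below. All names and IPs are made up.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web",     "NetworkSettings": {"Networks": {"frontend": {"IPAddress": "10.10.0.2"}}}},
 {"Name": "/api",     "NetworkSettings": {"Networks": {"frontend": {"IPAddress": "10.10.0.3"},
                                                       "backend":  {"IPAddress": "10.20.0.2"}}}},
 {"Name": "/db",      "NetworkSettings": {"Networks": {"backend":  {"IPAddress": "10.20.0.3"}}}},
 {"Name": "/legacy",  "NetworkSettings": {"Networks": {"bridge":   {"IPAddress": "172.17.0.2"}}}},
 {"Name": "/metrics", "NetworkSettings": {"Networks": {"host":     {"IPAddress": ""}}}},
 {"Name": "/batch",   "NetworkSettings": {"Networks": {"none":     {"IPAddress": ""}}}}
]""")

def memberships(inspect_data):
    """Map container name -> set of network names it is attached to."""
    return {c["Name"].lstrip("/"): set(c["NetworkSettings"]["Networks"])
            for c in inspect_data}

def reachable_pairs(members):
    """Container pairs that share a network and can therefore talk directly."""
    pairs = {}
    for a, b in combinations(sorted(members), 2):
        # "none" has no interface; "host" is reported by findings() instead.
        shared = (members[a] & members[b]) - {"none", "host"}
        if shared:
            pairs[(a, b)] = sorted(shared)
    return pairs

def findings(members):
    """Flag placements that weaken the intended network boundaries."""
    out = []
    for name, nets in sorted(members.items()):
        if "bridge" in nets:
            # Default bridge: shared by every container started without
            # --network, and it offers no container-name resolution.
            out.append((name, "default-bridge"))
        if "host" in nets:
            # Host mode shares the host's network stack: no network isolation.
            out.append((name, "host-network"))
    return out

if __name__ == "__main__":
    m = memberships(SAMPLE_INSPECT)
    for pair, nets in reachable_pairs(m).items():
        print(pair, "share", nets)
    for name, issue in findings(m):
        print("FINDING", name, issue)
```

In the sample, `web` and `db` never appear as a pair, so the only path between them runs through `api`, which is attached to both user-defined networks.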
This article has mainly focused on the layered architecture of Docker images, the image layer and the container layer. It has also gone through setting up the Docker network and the different types of networks that mainly exist: the bridge network, the host network and the isolated network. It also went through the steps needed to set up independent networks and the points to keep in mind while creating an independent network. I have more articles related to Docker that I will be publishing in this upcoming week. Stay tuned for those.
To present you with this content I had to go through a lot of video content and lab environments.