DEV Community: Safak Ulusoy The latest articles on DEV Community by Safak Ulusoy (@polarbit). https://dev.to/polarbit https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F181552%2F69424fc6-eeb8-4917-8375-a406ef6e2ef2.png DEV Community: Safak Ulusoy https://dev.to/polarbit en How Docker Container Networking Works - Mimic It Using Linux Network Namespaces Safak Ulusoy Wed, 15 Apr 2020 00:56:53 +0000 https://dev.to/polarbit/how-docker-container-networking-works-mimic-it-using-linux-network-namespaces-9mj https://dev.to/polarbit/how-docker-container-networking-works-mimic-it-using-linux-network-namespaces-9mj <p>Docker (and probably any container technology) uses <em>linux network namespaces</em> to isolate container network from host network. When Docker creates and runs a container; it creates a separate network namespace (container network) and puts the container into it.</p> <p>Then, Docker connects the new container network to linux bridge <strong>docker0</strong> using a <em>veth pair</em>. This also enables container be connected to the host network and other container networks in the same bridge. </p> <p>So let's try to define <em>network namespace</em>, <em>veth pair</em> and <em>linux bridge</em> in one sentence:</p> <p>A "<strong>linux network namespace</strong>" is virtual network barrier encapsulating a process to isolate its network connectivity(in/out) and resources (i.e. network interfaces, route tables and rules) from linux core and other processes.</p> <p>A "<strong>veth pair</strong>" is basically a virtual network cable which have a virtual network interface device (NIC) on each end.</p> <p>A "<strong>linux bridge</strong>" is switch like virtual device that enables communication between network devices connected to the bridge, creating something kinda LAN. </p> <p>The diagram below may help you visualize and understand container networking better. Please refer to this diagram frequently while reading the rest of the post. <br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fpszchqfvcjpl13dextrc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fpszchqfvcjpl13dextrc.png" alt="Docker Container Networking"></a></p> <p>The plan is to first investigate a docker container's network structure.<br> After that we will try to mimic a docker container network by manually creating a <em>network namespace</em> and <em>veth pair</em>; then do required configurations. </p> <h2> 1- Let's Demystify Docker Container Networking </h2> <p>Now we investigate docker's container networking.</p> <p>I have three ubuntu containers running locally, <em>"con1"</em>, <em>"con2"</em>, and <em>"con3"</em> namely. First let's have a look at them. See that <em>con3</em> is not in default <em>docker0</em> bridge. I run it in a custom docker bridge network named 'testnet'.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ filter</span><span class="o">=</span><span class="s1">'Name={{.Name}} Hostname={{.Config.Hostname}} '</span> <span class="o">&amp;&amp;</span> <span class="o">&gt;</span> filter+<span class="o">=</span><span class="s1">'IP={{or .NetworkSettings.IPAddress .NetworkSettings.Networks.testnet.IPAddress}} '</span> <span class="o">&amp;&amp;</span> <span class="o">&gt;</span> filter+<span class="o">=</span><span class="s1">'Mac={{or .NetworkSettings.MacAddress .NetworkSettings.Networks.testnet.MacAddress}} '</span> <span class="o">&amp;&amp;</span> <span class="o">&gt;</span> filter+<span class="o">=</span><span class="s1">'Bridge={{if .NetworkSettings.IPAddress}} docker0 {{else}} testnet {{end}}'</span> <span class="o">&amp;&amp;</span> <span class="o">&gt;</span> docker inspect con1 con2 con3 <span class="nt">--format</span> <span class="s2">"</span><span class="nv">$filter</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="s1">'s/=\//=/g'</span> <span class="nv">Name</span><span class="o">=</span>con1 <span class="nv">Hostname</span><span class="o">=</span>f267c8cc5b55 <span class="nv">IP</span><span class="o">=</span>172.18.0.2 <span class="nv">Mac</span><span class="o">=</span>02:42:ac:12:00:02 <span class="nv">Bridge</span><span class="o">=</span> docker0 <span class="nv">Name</span><span class="o">=</span>con2 <span class="nv">Hostname</span><span class="o">=</span>fe0bb3dcedd8 <span class="nv">IP</span><span class="o">=</span>172.18.0.3 <span class="nv">Mac</span><span class="o">=</span>02:42:ac:12:00:03 <span class="nv">Bridge</span><span class="o">=</span> docker0 <span class="nv">Name</span><span class="o">=</span>con3 <span class="nv">Hostname</span><span class="o">=</span>bd3c200eca8b <span class="nv">IP</span><span class="o">=</span>172.19.0.2 <span class="nv">Mac</span><span class="o">=</span>02:42:ac:13:00:02 <span class="nv">Bridge</span><span class="o">=</span> testnet </code></pre> </div> <p>Now we will have a look at existing containers' network namespaces. However, Docker does not add container namespaces as visible from host by default. So we first need to make docker container network namespaces be visible from host so that we can see them using <code>ip netns list</code> command. Since this part is not too critical to understand I will dump all commands here.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Try to list docker network namespaces. But the result will be empty.</span> <span class="nv">$ </span><span class="nb">sudo </span>ip netns list &lt;no result&gt; <span class="c"># Make docker network namespaces visible.</span> <span class="nv">$ </span><span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/run/netns <span class="nv">$ pid1</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>docker inspect con1 <span class="nt">-f</span> <span class="s1">'{{.State.Pid}}'</span><span class="si">)</span><span class="s2">"</span> <span class="nv">$ pid2</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>docker inspect con2 <span class="nt">-f</span> <span class="s1">'{{.State.Pid}}'</span><span class="si">)</span><span class="s2">"</span> <span class="nv">$ pid3</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>docker inspect con3 <span class="nt">-f</span> <span class="s1">'{{.State.Pid}}'</span><span class="si">)</span><span class="s2">"</span> <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-sf</span> /proc/<span class="nv">$pid1</span>/ns/net /var/run/netns/con1 <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-sf</span> /proc/<span class="nv">$pid2</span>/ns/net /var/run/netns/con2 <span class="nv">$ </span><span class="nb">sudo ln</span> <span class="nt">-sf</span> /proc/<span class="nv">$pid3</span>/ns/net /var/run/netns/con3 <span class="c"># Now we can see the container network namespaces.</span> <span class="nv">$ </span><span class="nb">sudo </span>ip netns list con3 <span class="o">(</span><span class="nb">id</span>: 3<span class="o">)</span> con2 <span class="o">(</span><span class="nb">id</span>: 2<span class="o">)</span> con1 <span class="o">(</span><span class="nb">id</span>: 1<span class="o">)</span> </code></pre> </div> <p>Now as you see, we have three container namespaces, namely <strong>con1</strong>, <strong>con2</strong> and <strong>con3</strong>. They have same names with their corresponding container. </p> <p>Let's see the details of each containers' network interfaces (NIC) on both side of their veth pairs. We will interpret the result afterwards.</p> <blockquote> <p>Remember, a <em>veth pair</em> is kinda a network cable which has two NICs on each end which connects a container network namespace to other devices which are also connected to same linux bridges.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c"># See 'con1' virtual network interface and ipv4 address.</span> <span class="nv">$ </span><span class="nb">sudo </span>ip netns <span class="nb">exec </span>con1 ip a | <span class="nb">grep</span> <span class="nt">-e</span> <span class="s1">'inet.*eth0'</span> <span class="nt">-e</span> <span class="s1">'eth0@'</span> 22: eth0@if23: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0 <span class="c"># See 'con2' virtual network interface and ipv4 address.</span> <span class="nv">$ </span><span class="nb">sudo </span>ip netns <span class="nb">exec </span>con2 ip a | <span class="nb">grep</span> <span class="nt">-e</span> <span class="s1">'inet.*eth0'</span> <span class="nt">-e</span> <span class="s1">'eth0@'</span> 24: eth0@if25: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0 <span class="c"># See 'con3' virtual network interface and ipv4 address.</span> <span class="nv">$ </span><span class="nb">sudo </span>ip netns <span class="nb">exec </span>con3 ip a | <span class="nb">grep</span> <span class="nt">-e</span> <span class="s1">'inet.*eth0'</span> <span class="nt">-e</span> <span class="s1">'eth0@'</span> 34: eth0@if35: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0 <span class="c"># See docker bridges' and containers' NICs on the host side.</span> ... 3: docker0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default <span class="nb">link</span>/ether 02:42:7c:72:8a:f2 brd ff:ff:ff:ff:ff:ff inet 172.18.0.1/16 brd 172.18.255.255 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:7cff:fe72:8af2/64 scope <span class="nb">link </span>valid_lft forever preferred_lft forever 23: vethd1d3c7f@if22: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue master docker0 state UP group default <span class="nb">link</span>/ether d6:92:c7:41:c6:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 1 inet6 fe80::d492:c7ff:fe41:c6b9/64 scope <span class="nb">link </span>valid_lft forever preferred_lft forever 25: veth622799a@if24: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue master docker0 state UP group default <span class="nb">link</span>/ether fa:47:38:e1:eb:04 brd ff:ff:ff:ff:ff:ff link-netnsid 2 inet6 fe80::f847:38ff:fee1:eb04/64 scope <span class="nb">link </span>valid_lft forever preferred_lft forever 30: br-6c1c92f34df9: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue state UP group default <span class="nb">link</span>/ether 02:42:a3:0b:d6:71 brd ff:ff:ff:ff:ff:ff inet 172.19.0.1/16 brd 172.19.255.255 scope global br-6c1c92f34df9 valid_lft forever preferred_lft forever inet6 fe80::42:a3ff:fe0b:d671/64 scope <span class="nb">link </span>valid_lft forever preferred_lft forever 35: veth05790ff@if34: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc noqueue master br-6c1c92f34df9 state UP group default <span class="nb">link</span>/ether de:d4:74:dd:ea:5c brd ff:ff:ff:ff:ff:ff link-netnsid 3 inet6 fe80::dcd4:74ff:fedd:ea5c/64 scope <span class="nb">link </span>valid_lft forever preferred_lft forever <span class="c"># Ping 'con2' from 'con1' network. (SUCCESS)</span> ubuntu@vm0:~<span class="nv">$ </span><span class="nb">sudo </span>ip netns <span class="nb">exec </span>con1 ping 172.18.0.3 PING 172.18.0.3 <span class="o">(</span>172.18.0.3<span class="o">)</span> 56<span class="o">(</span>84<span class="o">)</span> bytes of data. 64 bytes from 172.18.0.3: <span class="nv">icmp_seq</span><span class="o">=</span>1 <span class="nv">ttl</span><span class="o">=</span>64 <span class="nb">time</span><span class="o">=</span>0.040 ms 64 bytes from 172.18.0.3: <span class="nv">icmp_seq</span><span class="o">=</span>2 <span class="nv">ttl</span><span class="o">=</span>64 <span class="nb">time</span><span class="o">=</span>0.037 ms <span class="nt">---</span> 172.18.0.3 ping statistics <span class="nt">---</span> 2 packets transmitted, 2 received, 0% packet loss, <span class="nb">time </span>1023ms <span class="c"># Ping 'con3' from 'con1' network. (FAIL)</span> ubuntu@vm0:~<span class="nv">$ </span><span class="nb">sudo </span>ip netns <span class="nb">exec </span>con1 ping 172.19.0.2 PING 172.19.0.2 <span class="o">(</span>172.19.0.2<span class="o">)</span> 56<span class="o">(</span>84<span class="o">)</span> bytes of data. <span class="nt">---</span> 172.19.0.2 ping statistics <span class="nt">---</span> 73 packets transmitted, 0 received, 100% packet loss, <span class="nb">time </span>73728ms ... </code></pre> </div> <p>Let's interpret the results and sum up.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Container</th> <th>veth NIC on Container</th> <th>veth NIC on Bridge</th> <th>Bridge</th> </tr> </thead> <tbody> <tr> <td>con1</td> <td>22: eth0@if23 172.18.0.2</td> <td>23: vethd1d3c7f@if22</td> <td>docker0</td> </tr> <tr> <td>con2</td> <td>24: eth0@if25 172.18.0.3</td> <td>25: veth622799a@if24</td> <td>docker0</td> </tr> <tr> <td>con3</td> <td>34: eth0@if35 172.19.0.2</td> <td>35: veth05790ff@if34</td> <td>br-6c1c92f34df9</td> </tr> </tbody> </table></div> <ul> <li>One end of veth pair (<em>eth0@if23</em>) is in container network; and the other (<em>vethd1d3c7f@if22</em>) is in host network (or docker0 bridge).</li> <li>See that NIC names end with other peer NIC's line number. This may help you identify a veth pair when you see them.</li> <li>When you run <code>ip addr list</code> command; you only see NICs in host network.</li> <li>In order to execute some command inside container's network you don't need to login to the container. Just execute your command like this: <code>ip netns exec &lt;name of namespace&gt; &lt;shell command&gt;</code> </li> <li>NICs on bridges do not have ip addresses.</li> <li>Ping is <strong>successful</strong> from <em>con1</em> to <em>con2</em> since they are both connected to default <em>docker0</em> bridge.</li> <li>Ping is <strong>failed from</strong> <em>con1</em> to <em>con3</em> since they are connected to different bridges and they are not connected. That is basically how containers or container groups are isolated from each other.</li> </ul> <p>Also just try some commands in container networks and play around using the command we mentioned above "<em>ip netns exec ...</em>". You can run <em>ip a</em>, <em>traceroute 8.8.8.8</em>, <em>ping 172.18.0.3</em> or whatever you want.</p> <p>That's all I want to say for now. I believe that is enough to understand very basics of docker container networking. Let's continue with the next part. </p> <h2> 2- How to Manually Create A Container Network - Using Linux Network Namespaces and Veth Pair </h2> <p>Now we will create a <em>network namespace</em> and a <em>veth pair</em>; then connect <em>"host network"</em> to <em>"container network"</em> using this veth pair.</p> <p>Let's start with creating a new empty network namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create network namespace.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns add sample <span class="c"># List namespaces.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns list sample </code></pre> </div> <p>Then we create a veth pair in default network namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create new veth pair.</span> ubuntu@vm0:~<span class="nv">$ </span>ip <span class="nb">link </span>add veth1 <span class="nb">type </span>veth peer name veth2 <span class="c"># List network interfaces. </span> ubuntu@vm0:~<span class="nv">$ </span>ip a 20: veth2@veth1: &lt;BROADCAST,MULTICAST,M-DOWN&gt; mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 <span class="nb">link</span>/ether de:f9:8e:4c:75:60 brd ff:ff:ff:ff:ff:ff 21: veth1@veth2: &lt;BROADCAST,MULTICAST,M-DOWN&gt; mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 <span class="nb">link</span>/ether de:6f:db:d8:58:cd brd ff:ff:ff:ff:ff:ff </code></pre> </div> <p>At this point we have a container network (network namespace) named <em>"sample"</em> and a veth pair which have network interfaces named <em>"veth1"</em> and <em>"veth2"</em> on each end. And now we can connect <em>host network</em> to <em>sample</em> network, by moving one end of the vnet pair <em>veth1</em> to the <em>sample</em> network. Let's do it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Move veth1 to 'sample' namespace.</span> ubuntu@vm0:~<span class="nv">$ </span>ip <span class="nb">link set </span>veth1 netns sample <span class="c"># List interfaces in 'default' namespace.</span> ubuntu@vm0:~<span class="nv">$ </span>ip a 20: veth2@if21: &lt;BROADCAST,MULTICAST&gt; mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 </code></pre> </div> <p>Now we connected two host and container network namespaces. But we are not there yet. We have still many things to make it work.</p> <p>If you look at the last screen, you can see that we can no longer see <em>veth1</em> in <em>default</em> network namespace. Because we moved it to the <em>sample</em> network namespace, but <code>ip netns list</code> command is executed in <em>default</em> network namespace. </p> <p>In order to see <em>veth1</em> again, we need to run <code>ip link list</code> command in the <em>sample</em> network namespace. For this we will use <code>ip netns exec &lt;command&gt;</code> command, which executes the given command in the specified network namespace. Let's do it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List interface in 'sample' namespace.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ip <span class="nb">link </span>list 21: veth1@if20: &lt;BROADCAST,MULTICAST&gt; mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 </code></pre> </div> <blockquote> <p>There is one thing to note. Previously, <em>veth2</em> was listed as <code>20: veth2@veth1 ..</code> in response to <code>ip a</code> command. Now its name is listed as <code>20: veth2@if21 ..</code>. Similary <em>veth1</em> is also listed as <code>20: veth1@21 ...</code> from now on. It seems veth pair's network interfaces started to use other veth end's line number in its names. Knowing this may help identify veth pairs in different network namespaces. </p> </blockquote> <h5> Configure Networking Between Host and Container </h5> <p>At this point we have network namespace named <em>"sample"</em> and this network namespaces is connected to the <em>"default"</em> network namespace by a veth pair. <br> <code>(container network) veth1 &lt;--&gt; veth2 (host network)</code></p> <blockquote> <p>Sometimes I may refer <em>sample</em> network namespace as <em>container network</em>; and <em>default network namespace</em> as <em>host network</em>.</p> </blockquote> <p><em>But still we are not there yet.</em> We still need to configure many things to be able to access to the container network from host network by IPv4 address; or access to internet from container network. Let's do the following steps quickly:</p> <ul> <li>Create a linux bridge <em>samplebr</em>. (like <em>docker0</em> bride)</li> <li>Join <em>veth2</em> network interface to <em>samplebr</em> bridge. </li> <li>Assign an ipv4 address to <em>samplebr</em>.</li> <li>Assign an ipv4 address to <em>veth1</em>.</li> <li>Up <em>veth1</em> device.</li> <li>Up container localhost.</li> <li>Up <em>veth2</em> device.</li> <li>Up <em>samplebr</em> device.</li> <li>Add bridge ip as default gateway for the container network. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a linux bridge *samplebr*.</span> ubuntu@vm0:~<span class="nv">$ </span>ip <span class="nb">link </span>add name samplebr <span class="nb">type </span>bridge <span class="c"># Join *veth2* network interface to *samplebr* bridge.</span> ubuntu@vm0:~<span class="nv">$ </span>ip <span class="nb">link set </span>veth2 master samplebr <span class="c"># * Assign an ipv4 address to *samplebr*.</span> ubuntu@vm0:~<span class="nv">$ </span>ip addr add 10.1.1.1/24 brd + dev samplebr <span class="c"># Assign an ipv4 address to *veth1*.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ip addr add 10.1.1.2/24 dev veth1 <span class="c"># Up *veth1* device.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ip <span class="nb">link set </span>veth1 up <span class="c"># Up container localhost.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ip <span class="nb">link set </span>lo up <span class="c"># Up *veth2* device.</span> ubuntu@vm0:~<span class="nv">$ </span>ip <span class="nb">link set </span>veth2 up <span class="c"># Up *samplebr* device.</span> ubuntu@vm0:~<span class="nv">$ </span>ip <span class="nb">link set </span>samplebr up <span class="c"># Add bridge 'samplebr' as default gateway for the container network.</span> ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ip route add default via 10.1.1.1 </code></pre> </div> <p>That's it! Now, we did setup networking between host and container network. We can test by pinging our <em>veth1</em> network interface or container network with ipv4 <code>10.1.1.2</code> from the host. Or we can ping host network from the container network.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ubuntu@vm0:~<span class="nv">$ </span>ping 10.1.1.2 PING 10.1.1.1 <span class="o">(</span>10.1.1.2<span class="o">)</span> 56<span class="o">(</span>84<span class="o">)</span> bytes of data. 64 bytes from 10.1.1.2: <span class="nv">icmp_seq</span><span class="o">=</span>1 <span class="nv">ttl</span><span class="o">=</span>64 <span class="nb">time</span><span class="o">=</span>0.022 ms 64 bytes from 10.1.1.2: <span class="nv">icmp_seq</span><span class="o">=</span>2 <span class="nv">ttl</span><span class="o">=</span>64 <span class="nb">time</span><span class="o">=</span>0.028 ms ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ping 172.17.52.174 PING 172.17.52.174 <span class="o">(</span>172.17.52.174<span class="o">)</span> 56<span class="o">(</span>84<span class="o">)</span> bytes of data. 64 bytes from 172.17.52.174: <span class="nv">icmp_seq</span><span class="o">=</span>1 <span class="nv">ttl</span><span class="o">=</span>64 <span class="nb">time</span><span class="o">=</span>0.024 ms 64 bytes from 172.17.52.174: <span class="nv">icmp_seq</span><span class="o">=</span>2 <span class="nv">ttl</span><span class="o">=</span>64 <span class="nb">time</span><span class="o">=</span>0.143 ms </code></pre> </div> <p>However, we can not reach external networks (internet) yet. We have a little more things to configure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ubuntu@vm0:~<span class="nv">$ </span><span class="nb">sudo </span>ip netns <span class="nb">exec </span>sample ping 8.8.8.8 connect: Network is unreachable ubuntu@vm0:~<span class="nv">$ </span>ip netns <span class="nb">exec </span>sample ping github.com ping: github.com: Temporary failure <span class="k">in </span>name resolution </code></pre> </div> <h5> Configure Networking From Container To Internet </h5> <p>We don't yet have internet connection from container network to internet. DNS resolver also is not working. Let's fix these all.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Make sure *ip_forwarding* is enabled.</span> root@test1:~# sysctl <span class="nt">-w</span> net.ipv4.ip_forward<span class="o">=</span>1 <span class="c"># Enable sending requests and getting responses to/from internet (ping 8.8.8.8).</span> root@test1:~# iptables <span class="nt">-t</span> nat <span class="nt">-A</span> POSTROUTING <span class="nt">-s</span> 10.1.1.0/24 <span class="o">!</span> <span class="nt">-o</span> samplebr <span class="nt">-j</span> MASQUERADE <span class="c"># Find your dns nameserver for the host network interface (eth0)</span> root@test1:~# systemd-resolve <span class="nt">--status</span> <span class="c"># Create resolv.conf file for container network.</span> root@test1:~# <span class="nb">mkdir</span> <span class="nt">-p</span> /etc/netns/sample/ root@test1:~# <span class="nb">echo</span> <span class="s2">"nameserver 172.17.52.161"</span> <span class="o">&gt;</span> /etc/netns/sample/resolv.conf <span class="c"># Test dns again.</span> root@test1:~# ip netns <span class="nb">exec </span>sample ping github.com PING github.com <span class="o">(</span>140.82.118.3<span class="o">)</span> 56<span class="o">(</span>84<span class="o">)</span> bytes of data. 64 bytes from lb-140-82-118-3-ams.github.com <span class="o">(</span>140.82.118.3<span class="o">)</span>: <span class="nv">icmp_seq</span><span class="o">=</span>1 <span class="nv">ttl</span><span class="o">=</span>49 <span class="nb">time</span><span class="o">=</span>28.5 ms 64 bytes from lb-140-82-118-3-ams.github.com <span class="o">(</span>140.82.118.3<span class="o">)</span>: <span class="nv">icmp_seq</span><span class="o">=</span>2 <span class="nv">ttl</span><span class="o">=</span>49 <span class="nb">time</span><span class="o">=</span>27.4 ms </code></pre> </div> <p>Voila! We made it. Now we have a container network which is able to connect to the host network, internet or other container networks (network namespaces) which is attached to the same linux bridge (if any). </p> <blockquote> <p>If still you can not connect to the internet from container network; it is possible that some docker rules in iptables are blocking. Run this command <code># iptables -L</code>. If you see <em>"Chain FORWARD (policy DROP)"</em> somewhere in the result; execute these commands: <code># iptables -F FORWARD</code> <code># iptables -P FORWARD ACCEPT</code>.</p> </blockquote> <h2> FINAL WORDS </h2> <p>And we are done. I think I explained most of the things I learnt in last weeks. Of course for ease of understanding or simplicity I omitted or did not go much into some parts. But I think we got to the point.</p> <p>Please see also the resources I shared below, go over them if you find time. They were beneficial to me.</p> <h5> Why All These Information Is Important </h5> <ul> <li>It makes you happy and satisfies your curiosity. :)</li> <li>Personally for me, it makes it very easy to understand and reason about when someone talks or writes about container networking or kubernetes networking generally.</li> <li>You are better armed if you face a network issue inside a container or across containers. No You can use various tools inside container namespaces to debug and resolve issues. ('ip a', 'ip netns exec ', 'ping', 'traceroute', 'nslookup', 'tcpdump' ...) </li> </ul> <p>I also want to write two follow-up posts. One will be <em>Basic Networking for Cloud: IP, Subnets, and CIDR</em>; and obviously next will be about <em>Kubernetes Networking 101</em>. I will also try to keep it shorter this time.</p> <p>I hope you enjoy. </p> <h2> Resources </h2> <ul> <li><a href="https://platform9.com/blog/container-namespaces-deep-dive-container-networking/" rel="noopener noreferrer">Container Namespaces - Deep Dive Container Networking</a></li> <li><a href="https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/" rel="noopener noreferrer">Introducing Linux Network Namespaces</a></li> <li><a href="https://seagullbird.xyz/posts/linux-netns/" rel="noopener noreferrer">Linux Network Namespace on seagullbird.xyz</a></li> <li><a href="https://medium.com/google-cloud/understanding-kubernetes-networking-pods-7117dd28727" rel="noopener noreferrer">Understanding Kubernetes Networking</a></li> <li><a href="https://www.youtube.com/watch?v=6v_BDHIgOY8&amp;feature=youtu.be" rel="noopener noreferrer">https://www.youtube.com/watch?v=6v_BDHIgOY8&amp;feature=youtu.be</a></li> </ul> docker linux networking How to Change Default DotNet SDK Version Safak Ulusoy Tue, 25 Jun 2019 13:19:24 +0000 https://dev.to/polarbit/how-to-change-default-dotnet-sdk-version-43ph https://dev.to/polarbit/how-to-change-default-dotnet-sdk-version-43ph <p>When I installed ".Net Core 3 SDK (preview 6)", default version of <em>dotnet core sdk</em> on my system is changed to this new version. Then I needed to revert the default version to "2.x.x" in some places. So I followed the steps below. </p> <p>See <a href="https://docs.microsoft.com/en-us/dotnet/core/tools/global-json" rel="noopener noreferrer">Official Documentation</a></p> <h4> See Installed DotNet Core SDK and Runtime Versions </h4> <p>In order to see all installed <strong>dotnet SDK</strong> versions (and currently used default version), run:<br> <code>dotnet --version</code><br> <code>dotnet --list-sdks</code><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4izfg47ahfczor1qbeo.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn4izfg47ahfczor1qbeo.PNG"></a></p> <p>In order to see all installed <strong>dotnet Runtime</strong> versions, run:<br> <code>dotnet --list-runtimes</code><br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3u7vdo3fcw6nkr7i7jxb.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3u7vdo3fcw6nkr7i7jxb.PNG"></a></p> <h4> Change Default DotNet SDK Version using global.json File </h4> <p>In order to change default <em>dotnet SDK version</em>, place a global.json file in the current folder or any parent folder with the contents below. You can create the global.json file manually, or use the dotnet cli command <code>dotnet new globaljson</code>. <br> </p> <div class="ltag_gist-liquid-tag"> </div> <p>Now <em>dotnet core sdk</em> version is reverted back in the folder which <em>global.json</em> resides, or in it's subfolders.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fptwb1rhh2mc9oqqs21g8.PNG" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fptwb1rhh2mc9oqqs21g8.PNG"></a></p> <p><strong>Note:</strong> By default <code>dotnet new globaljson</code> cli command sets the SDK version using the current effective version. You can change this behaviour by adding optional <code>--sdk-version=2.2.300</code> parameter.</p> <div class="ltag_gist-liquid-tag"> </div> dotnet