Henry Du Blog

think digital, act analog

Cross-host Container Networks - VXLAN mode

VXLAN

We have reviewed the UDP mode of cross-host container networks and realized that it has a performance problem: every IP packet has to be processed by the user-space application. VXLAN lets us handle the encapsulation and decapsulation in Linux kernel space. Virtual Extensible LAN, a.k.a. VXLAN (RFC 7348), is supported by the Linux kernel. It encapsulates the IP packets in another layer and constructs an overlay network, just as the UDP tunnel does.

Cross-host Container Networks - UDP mode

In the previous article, we walked through container networking within one Linux host. However, with the default Docker configuration, a container is unable to communicate with a container on a different host. There are many solutions to the cross-host container communication problem, and we will go through some of them one by one. The first, and a very famous one, is Flannel CNI.

Flannel CNI

The Flannel CNI project is one of the projects developed by CoreOS.

Container Networks

Network Namespace

A Linux container's network stack is isolated in its own network namespace. The network stack includes the network interfaces, the loopback device, the routing table and the iptables chains/rules. The containerized process uses its own network stack to send and respond to network requests. If a running container wants to use the host network stack, the --net=host option is used. Let's start an Nginx container that shares the host network.

Cgroups: Container Resource Limitation

Cgroups

A container runs as a single process on a host. If multiple containers run on the same host, there is a chance that one container occupies the full CPU while the others starve. Therefore it is better to have resource limits, so that one container cannot take over all of the host's resources, such as CPU and memory. Linux cgroups is the Linux kernel feature that limits the resources available to a process.

Deep Dive Kubernetes Notes: Container Process Isolation

Process

Binary executables are stored in the file system as files. When the operating system runs an executable, it loads the file into memory. For example, a Linux executable uses the ELF format. In its memory layout it has a text area containing all the instructions, which the CPU executes along an execution path. In the meantime, there may be files and I/O devices being opened and closed in association with these executions.