Container Networking: What You Should Know
The concept of container networking aims to standardize and optimize container data flows. Container networks create isolated zones that let multiple containers communicate simultaneously and independently in an efficient manner.
What is Container Networking?
Container networking is an emerging application sandboxing mechanism used on home desktops and in web-scale enterprise networking solutions, similar in concept to a virtual machine. Isolated inside the container from the host and from all other containers is a full-featured Linux environment with its own users, file system, processes, and network stack. Applications inside the container are permitted to access or modify only the files and resources available inside that container.
It is possible to run multiple containers simultaneously, each with its installations and dependencies. This is particularly useful when newer versions of an application may require a dependency upgrade that may cause conflicts with other application dependencies running on the server. Unlike virtual machines, containers share host resources rather than fully simulating all hardware on the computer, making containers smaller and faster than virtual machines and reducing overhead. In the context of web-scale applications, containers were designed to replace VMs as a deployment platform for microservice architectures.
Containers also have the characteristic of portability, for example, Docker, a container engine, allows developers to package a container and all its dependencies together. That container package can then be made available for download. Once downloaded, the container can immediately be run on a host.
How does it work?
Each virtual machine running on a hypervisor has its operating system, applications, and libraries, and can encapsulate persistent data, install a new operating system, use a different filesystem than the host, and employ a different kernel.
In contrast, containers are a “running instance” of an image: a virtualized, ephemeral operating system that spins up to perform some task before being deleted and forgotten. Because containers are ephemeral, system users run many more container instances than virtual machines, and that larger number of instances requires a larger address space.
A container relies on two Linux kernel features to create isolation: namespaces and control groups (cgroups). To give the container its own view of the system and isolate it from other resources, a namespace is created and unshared for each resource type. Control groups are then used to monitor and restrict system resources such as CPU, memory, disk I/O, and network bandwidth.
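The two mechanisms above leave visible traces that a process can read about itself: namespace identity in the /proc/&lt;pid&gt;/ns/* symlinks and cgroup membership and limits in /proc/self/cgroup and the cgroup v2 filesystem. The following script, added here as an illustration and not code from the original article, compares the caller's namespaces with those of PID 1 and reads its memory limit; the cgroup v2 layout is assumed, and fields fall back to None where the files are not accessible.

```python
"""Show which namespaces and cgroup limits isolate the current process
(added example, not from the original article).  /proc/<pid>/ns/* links
read 'net:[4026531992]'; cgroup v2 writes one '0::<path>' line."""
import os
import re
from pathlib import Path
from typing import Optional, Tuple

NS_KINDS = ("net", "pid", "mnt", "uts", "ipc", "user", "cgroup")
_NS_RE = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns_link(target: str) -> Tuple[str, int]:
    """'net:[4026531992]' -> ('net', 4026531992); rejects malformed input."""
    m = _NS_RE.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m.group(1), int(m.group(2))

def parse_cgroup_file(text: str) -> Optional[str]:
    """cgroup v2 path from /proc/self/cgroup; None on a v1 host ('3:memory:/x')."""
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[0] == "0" and parts[1] == "":
            return parts[2]
    return None

def parse_limit(value: str) -> Optional[int]:
    """cgroup v2 limit files hold a byte count or 'max' (no limit)."""
    value = value.strip()
    return None if value == "max" else int(value)

def inspect_isolation(pid: int = 1) -> dict:
    """Namespaces shared with <pid>? (same inode => shared) plus memory.max."""
    report = {}
    for kind in NS_KINDS:
        try:
            mine = os.readlink(f"/proc/self/ns/{kind}")
            theirs = os.readlink(f"/proc/{pid}/ns/{kind}")
            report[f"own_{kind}_ns"] = parse_ns_link(mine)[1] != parse_ns_link(theirs)[1]
        except OSError:  # no /proc, or access to <pid>'s namespaces denied
            report[f"own_{kind}_ns"] = None
    try:
        cg = parse_cgroup_file(Path("/proc/self/cgroup").read_text())
        raw = Path("/sys/fs/cgroup", cg.lstrip("/"), "memory.max").read_text()
        report["memory_limit_bytes"] = parse_limit(raw)
    except (OSError, AttributeError, ValueError):  # v1 host or unreadable
        report["memory_limit_bytes"] = None
    return report
```

Inside a container, own_net_ns and own_pid_ns come back True (PID 1 there is the container's init, so run it with the host's PID for a cross-namespace comparison); on a plain host every own_*_ns field is False.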
Benefits of Container Networking
Containers are becoming rapidly adopted, replacing VMs as a platform for microservices.
Containers have several key benefits:
- Run Containerized Apps Alongside Existing Workloads: Machines can run containerized apps alongside traditional VMs on the same infrastructure, granting flexibility and speed.
- Combine Portability with Security, Visibility, and Management: The inherent design of containers allows for greater security through sandboxing, resource transparency with the host, task management, and execution environment portability.
- Leverage Your Existing Infrastructure and Scale Easily: Use your existing SDDC to avoid costly and time-consuming re-architecture of your infrastructure that results in silos – silos occur when distinct departments maintain their own IT infrastructure within the same organization. This “silo effect” creates problems when rolling out organization-wide IT policies and upgrades due to the differences in technical configurations in each department. Reintegrating silos is a costly and time-consuming process that can be avoided through container networking.
- Provide Developers with a Docker-Compatible Interface: Developers already familiar with Docker can develop applications in containers through a Docker-compatible interface and then provision them through the self-service management portal or UI.
Types of Container Networking
None Networking
In this container networking type the container receives its own network stack but no external network interface, only a loopback interface. Docker and rkt behave similarly when minimal or no networking is requested. You can use this model to test containers, to run containers that need no external communication, and to stage containers for future network connections.
Bridge Networking
A Linux bridge provides the internal host network that enables communication between containers on the same host. Bridge networking employs iptables for NAT and port mapping to provide single-host networking. It is the default Docker network type (docker0).
Host Networking
This networking type allows a newly created container to share its network namespace with the host. It provides higher performance, almost at the speed of bare-metal networking, and eliminates the need for NAT. The downside of this approach is that it can lead to port conflicts. The container has access to the host’s network interfaces, but unless the container is deployed in privileged mode it may not reconfigure the host’s network stack.
Overlay Networking
An overlay delivers communications across hosts via networking tunnels, allowing containers on different hosts to behave as though they were on a single machine. Containers connected to different overlay networks cannot communicate with each other, which enables network segmentation.
There are various tunneling technologies. The technology used in Docker libnetwork, for example, is the virtual extensible local area network (VXLAN). Each cloud provider tunnel type creates a dedicated route for each VPC or account. Public cloud support is essential for overlay drivers. Overlays are suitable for hybrid clouds, providing scalability and redundancy without opening public ports.
Underlay Networking
An underlay network driver exposes host interfaces to VMs or containers running on the host. Examples of underlay drivers include MACvlan and IPvlan. Underlays are simpler and more efficient than bridge networking; they don’t require port mapping and are easier to work with than overlays.
Underlays are especially suited to handling on-premise workloads, traffic prioritization, security, compliance, and brownfield use cases. Underlay networking eliminates the need for separate bridges for each VLAN.
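The bridge and host modes above carry the security properties a reviewer looks for first: bridge-mode containers are reachable only through the ports NAT-mapped onto the host, host-mode containers see every host interface and can collide on ports, and a privileged container may reconfigure the host's network stack. The following script, an added example and not code from the original article, reads those properties from the JSON that docker inspect prints (field names follow the real layout; the three container records are constructed).

```python
"""Audit container network settings from `docker inspect` JSON (added example,
not from the original article; the SAMPLE records below are constructed)."""
import json

SAMPLE = json.dumps([
    {"Name": "/web", "HostConfig": {"NetworkMode": "bridge", "Privileged": False,
     "PortBindings": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/agent", "HostConfig": {"NetworkMode": "host", "Privileged": True,
     "PortBindings": {}},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Name": "/batch", "HostConfig": {"NetworkMode": "none", "Privileged": False,
     "PortBindings": None},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
])

def published_ports(host_config):
    """Flatten PortBindings into (container_port, host_ip, host_port) tuples.
    An empty HostIp means the NAT rule binds on all host addresses."""
    out = []
    for cport, binds in (host_config.get("PortBindings") or {}).items():
        for b in binds or []:
            out.append((cport, b.get("HostIp") or "0.0.0.0", b.get("HostPort", "")))
    return out

def audit(inspect_json):
    """One finding per container: network mode, mapped ports, and the
    host-mode / privileged / all-interfaces exposures described in the text."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        mode = hc.get("NetworkMode", "default")
        mode = "bridge" if mode == "default" else mode  # Docker's alias for docker0
        ports = published_ports(hc)
        issues = []
        if mode == "host":
            issues.append("shares host network namespace (no NAT, port conflicts possible)")
        if hc.get("Privileged"):
            issues.append("privileged: may reconfigure host network stack")
        if mode == "bridge" and any(ip == "0.0.0.0" for _, ip, _ in ports):
            issues.append("port published on all host addresses")
        findings.append({"name": c["Name"].lstrip("/"), "mode": mode,
                         "ports": ports, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['name']:8} {f['mode']:7} {f['ports']} {'; '.join(f['issues']) or 'ok'}")
```

Against a live host, feed it the output of docker inspect $(docker ps -q) instead of SAMPLE.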
What are the Disadvantages of Container Networking?
The main disadvantages of container networking are as follows:
- Containers aren’t designed to operate at bare-metal rates. Virtual machines use resources less efficiently than containers, but containers still carry performance overhead from overlay networking, the interaction between containers and the host system, and other factors. You must use bare metal rather than containers if you want 100 percent bare-metal performance.
- Container ecosystems are splintered. Although the Docker platform as a whole is open source, some container products aren’t compatible with others, mainly owing to competition among the companies that support them.
- Persistent data storage is difficult. By design, all of the data inside a container is lost forever when the container goes down, unless you have saved it somewhere else first. Although there are solutions for keeping data persistently in Docker, such as Docker Data Volumes, this is a difficulty that has yet to be fully addressed.
- Graphical applications are ineffective. Docker was created to make it easier to deploy server applications that don’t need a graphical user interface. While there are several innovative ways (such as X11 video forwarding) for running GUI software inside a container, they are at best clumsy.
- Containers aren’t appropriate for all applications. Containers are particularly useful for programs that are meant to run as a collection of discrete microservices. The sole true advantage of Docker is that it can make application distribution easier by offering a simple packaging method.
Summary
- Containers are a way of running distributed applications in a lightweight, abstract fashion.
- Container networks run on software platforms, such as Docker, that can be run on the cloud.
- Containers’ efficiency comes from the fact they are self-contained. They use the bare minimum of software and resources to run and use a router to direct traffic instead of a switch.
- Applications in a container are built out of microservices, which communicate through a virtualized network. This means they take up less space and can act like independent sites.
- Software-defined networking (SDN) is a key part of containerization, enabling containers to span multiple platforms and increasing network efficiency.