Intro to Container Networking
Chronicles of Containers - Part 6
Hey there!
As promised last week, I'm switching gears a bit and moving back to deep-dives in containers :) If you are curious on "WHY" am I switching contexts, it's actually quite simple - I'm experimenting with this approach where I spend a week or two exploring a topic, and just when I reach the peak of "wow, I can draw a ton of stuff on this topic", I cut it off and move to a different topic. My reasoning is that I achieve two things: 1) I leave my subconscious to further process what I learned until then and 2) I never get bored by spending months on the same thing :)
Anyway, back to containers. Surprisingly or not, I presumed that Container Networking would be a rather simple topic to cover. And I was dead wrong. As I eventually learned, there's SO MUCH under the hood and I'm just getting warmed up.
One thing that actually fascinated me is that, by default, containers have no network adapters at all! And yes, it surprised me because I thought you magically get it out of the box. Nope. Doesn't work that way. So, how DOES it work? Well, as usual, the image goes first and then some more details:
💡 Each Container gets its own Network isolation - one of the beauties of container isolation is that, alongside your own Task List, File Tree and Registry, you also get your own "Network Namespace". From the container's POV, it has no clue it's in a container, so all you see from the INSIDE is zero or more container-specific network adapters. What you see from the OUTSIDE (i.e. your Host OS) is an array of Network Namespaces, each with its container locked inside.
💡 Containers have no default network adapters - this came to me as a surprise. Even though they are isolated, by default you don't really get any networking capabilities. Executing "ipconfig" is likely to return nothing. That's where the "Container Networking" stuff kicks in.
💡 Container Network Interface is a 'standard' - CNI is nothing more than a framework. A framework that defines a format for specifying network adapters, plugins (binaries that set up the networking based on the specification), and commands that can be executed against a container in order to enable/disable adapters. And even though it's not a "standard" per se, it seems to be the most commonly used approach to configuring container networking.
💡 CNI machinery is called once the Container is started - as soon as the container is up & running, the container runtime (e.g. containerd, rkt, etc.) will invoke CNI. CNI then loads the specification file, looks up WHAT needs to be set up, and invokes the actual plugins to do the dirty work (e.g. add & configure the actual network adapters inside the container).
Here's an example of what that config file might look like:
(Image source: https://www.cni.dev/docs/spec/#add-example)
As you might have guessed, this is a CNI specification that instructs the CNI machinery to invoke a plugin called "bridge" (which really is just an executable called "bridge.exe" in the plugins/ folder), pass it the config params from above, and expect that it will configure the network bridge.
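What the runtime-to-plugin handshake described above looks like in code, as an added example that is not from this article or from the CNI project: a small Python model of the runtime side. The CNI_* variable names, the config-on-stdin / result-on-stdout convention and the ADD/DEL/CHECK/VERSION commands are taken from the CNI spec linked above; the sample config, all function names and the fake "bridge" script are constructed for this example. It also includes the one check a runtime author would want here: "type" is only ever resolved inside CNI_PATH and never treated as a path, so a writable config file cannot point the runtime at an arbitrary binary on the host.

```python
"""Added example (not part of the article): the runtime side of the CNI
contract, modelled in Python.  It loads a network config, resolves the plugin
named by "type" inside CNI_PATH, sets the CNI_* environment and runs the
plugin with the config on stdin (spec: https://www.cni.dev/docs/spec/).
The sample config and the fake plugin below are constructed for this example."""
import json
import os
import stat
import subprocess
import tempfile

# Constructed config modelled on the spec's ADD example: "type" names the
# plugin binary the runtime must run.  The nested "ipam" plugin is not the
# runtime's business; the bridge plugin executes "host-local" itself.
SAMPLE_CONFIG = """{
  "cniVersion": "1.0.0",
  "name": "dbnet",
  "type": "bridge",
  "bridge": "cni0",
  "ipam": {"type": "host-local", "subnet": "10.1.0.0/16", "gateway": "10.1.0.1"}
}"""

CNI_COMMANDS = ("ADD", "DEL", "CHECK", "VERSION")


def load_network_config(text):
    """Parse a network config and insist on the fields the runtime needs."""
    conf = json.loads(text)
    for key in ("cniVersion", "name", "type"):
        if not isinstance(conf.get(key), str) or not conf[key]:
            raise ValueError("network config lacks required string field %r" % key)
    return conf


def plugin_name_is_safe(plugin_type):
    """'type' is a bare binary name looked up in CNI_PATH.  Passing it to exec
    unchecked would let a config file choose any binary on the host, so reject
    anything path-like (slashes, backslashes, '.' or '..')."""
    if plugin_type in ("", ".", ".."):
        return False
    return "/" not in plugin_type and "\\" not in plugin_type


def resolve_plugin(plugin_type, cni_path):
    """Locate the plugin executable inside the CNI_PATH directories only."""
    if not plugin_name_is_safe(plugin_type):
        raise ValueError("refusing plugin type %r: not a bare binary name" % plugin_type)
    for directory in cni_path:
        candidate = os.path.join(directory, plugin_type)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    raise FileNotFoundError("plugin %r not found in CNI_PATH %r" % (plugin_type, cni_path))


def build_plugin_env(command, container_id, netns, ifname, cni_path):
    """The CNI_* variables through which a plugin receives its arguments."""
    if command not in CNI_COMMANDS:
        raise ValueError("unknown CNI command %r" % command)
    return {
        "CNI_COMMAND": command,
        "CNI_CONTAINERID": container_id,
        "CNI_NETNS": netns,    # path of the container's network namespace
        "CNI_IFNAME": ifname,  # adapter name to create inside that namespace
        "CNI_PATH": os.pathsep.join(cni_path),
    }


def invoke_plugin(conf, command, container_id, netns, ifname, cni_path):
    """Run the plugin: CNI_* in the environment, config JSON on stdin,
    result JSON on stdout, non-zero exit status on failure."""
    binary = resolve_plugin(conf["type"], cni_path)
    env = build_plugin_env(command, container_id, netns, ifname, cni_path)
    proc = subprocess.run([binary], input=json.dumps(conf).encode(),
                          capture_output=True, env={**os.environ, **env}, timeout=30)
    if proc.returncode != 0:
        raise RuntimeError("plugin %s failed: %s"
                           % (conf["type"], proc.stderr.decode(errors="replace")))
    return json.loads(proc.stdout.decode())


def make_fake_plugin_dir():
    """Constructed stand-in for the plugins/ folder: a 'bridge' script that only
    echoes a result built from its environment, so the exchange runs offline."""
    directory = tempfile.mkdtemp(prefix="cni-example-")
    path = os.path.join(directory, "bridge")
    with open(path, "w") as f:
        f.write("#!/bin/sh\n"
                "cat >/dev/null\n"  # a real plugin parses the config it receives here
                "printf '{\"cniVersion\":\"1.0.0\",\"interfaces\":"
                "[{\"name\":\"%s\",\"sandbox\":\"%s\"}]}\\n' "
                "\"$CNI_IFNAME\" \"$CNI_NETNS\"\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return directory


if __name__ == "__main__":
    conf = load_network_config(SAMPLE_CONFIG)
    plugins = make_fake_plugin_dir()
    print(invoke_plugin(conf, "ADD", "c1", "/var/run/netns/c1", "eth0", [plugins]))
```

Run it directly to see the fake plugin return an "interfaces" result for eth0 inside the given namespace. Only the outer "type" is resolved by the runtime; the IPAM plugin named under "ipam" is looked up and executed by the bridge plugin itself, which is why a single CNI_PATH lookup is all the runtime performs here.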
And that's about it. At least as far as the introductory part is concerned. In the next article I will dig a level deeper into CNI, the concepts that it defines, plugins and common operations.
Until then, if you missed some of the previous articles, you might find them at the bottom of the page. If you haven't subscribed yet, now would be a good time to do so.
💡💡 P.S. You should probably know that Docker has its own machinery for dealing with networking. It CAN use CNI, but it has its own ways and you can read about them here.
Other articles in the Container series:
How do COWs (Containers on Windows) work? (Part 5 of the series) - specific focus on running containers natively on Windows.
What is Container Network Interface (CNI)? (Part 7 of the series) - a deeper look into how networking is configured at runtime.
What's inside the Container Image? (Part 8 of the series) - exploring & describing image content.