Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to compare various Docker network schemes from different dimensions. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have some understanding of the relevant knowledge after reading this article.

We will compare various network schemes from different dimensions, which you can refer to when you choose. CloudMan's advice is: there is no best, only the most suitable, clear their own needs, through PoC selection.

At first, Docker only provided a simple single-host network, which obviously made it difficult for Docker to build a container cluster and scale out to multiple hosts through scale-out.

Driven by the market demand, cross-host container network technology began to develop. This is a very active technical field, and many excellent solutions have emerged in a short time. In this chapter, we discuss several mainstream schemes in detail-Docker Overlay, Macvlan, Flannel, Weave, and Calico. Now is the time to make a comparison so that we can have a better understanding of the characteristics and advantages of various options.

We will compare from the following aspects, you can choose the most appropriate scheme according to different scenarios.

Network model

Which network model is used to support multi-host network?

Distributed Store

Do you need a distributed key-value database such as etcd or consul to store network information?

IPMA

How to manage the IP of container network?

Connectivity and isolation

What kind of network connectivity does it provide? Which level and type of isolation between containers are supported?

Performance

Performance comparison.

Network model

A cross-host network means connecting containers on different hosts with the same virtual network. The topology and implementation technology of this virtual network is the network model.

Docker overlay, as the name indicates, is an overlay network, which establishes a VxLAN tunnel between hosts. The original data packet is encapsulated as a VxLAN packet at the sending end and unpacked at the receiving end after arriving at the destination.

The Macvlan network connects containers through VLAN at layer 2 and relies on external gateways to connect different macvlan on layer 3. Packets are sent directly, do not need to be encapsulated, and belong to underlay network.

Flannel We discussed two kinds of backend:vxlan and host-gw. Vxlan, similar to Docker overlay, belongs to the overlay network. Host-gw uses the host as the gateway, relies on layer 3 IP forwarding, and does not need to encapsulate packets like vxlan, so it belongs to underlay network.

Weave is an VxLAN implementation and belongs to the overlay network.

The network model of each scheme is described as follows:

Distributed Store

Docker Overlay, Flannel, and Calico all require etcd or consul. Macvlan is a simple local network that does not need to save and share network information. Weave itself is responsible for exchanging network configuration information between hosts and does not require Distributed Store.

Connectivity and isolation

Containers in the same Docker Overlay network can communicate, but different networks cannot communicate. To achieve cross-network access, containers can only be added to multiple networks. Communication with the external network can be through the docker_gwbridge network.

The connectivity or isolation of Macvlan networks depends entirely on layer 2 VLAN and layer 3 routing.

Containers in different Flannel networks can communicate directly without providing isolation. Communication with the external network can be through the bridge network.

Under the default configuration of Weave network, all containers are in a large subnet and can communicate freely. If you want to achieve isolation, you need to specify different subnet or IP for the container. The solution to communicate with the external network is to add the host to the weave network and use the host as a gateway.

Calico only allows communication between containers located in the same network by default, but access control can be achieved in almost any scenario through its powerful Policy.

Performance

Performance testing is a very rigorous and complex project, here we only try to compare the performance of each scheme in terms of the principle of the technical solution.

The simplest judgment is that the performance of Underlay network is better than that of Overlay network.

Overlay network uses tunneling technology to encapsulate packets into UDP for transmission. Because it involves packet encapsulation and de-encapsulation, there is additional CPU and network overhead. Although almost all Overlay network solutions use Linux kernel vxlan module at the bottom of the network, which can minimize the overhead, but this overhead still exists compared with Underlay network. So the performance of Macvlan, Flannel host-gw, Calico will be better than Docker overlay, Flannel vxlan and Weave.

Overlay can support more layer 2 network segments than Underlay, can make better use of the existing network, and has the advantages of avoiding physical switch MAC table exhaustion, so it needs to be considered comprehensively in the scheme selection.

On how to compare a variety of Docker network solutions from different dimensions to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.