1
00:00:00,000 --> 00:00:09,260
In this video, we'll talk about container networking.

2
00:00:09,260 --> 00:00:14,320
So docker containers and Podman root containers are offered on their own network.

3
00:00:14,320 --> 00:00:18,080
Because these containers have an IP address and this IP address needs to be provided in

4
00:00:18,080 --> 00:00:20,480
full isolation.

5
00:00:20,480 --> 00:00:25,440
To offer the full isolation, the Linux network bridge device is used to connect the private

6
00:00:25,440 --> 00:00:28,680
container network to the external network.

7
00:00:28,680 --> 00:00:33,200
So the containers have their own IP address, but they cannot be used from the outside because

8
00:00:33,200 --> 00:00:35,200
they are on the private network.

9
00:00:35,200 --> 00:00:41,560
However, from the private network, containers can go outside and packets can return to the

10
00:00:41,560 --> 00:00:45,840
container using Network Address Translation or NAT technology.

11
00:00:45,840 --> 00:00:51,139
And this NAT technology is implemented by Linux firewalls.

12
00:00:51,139 --> 00:00:56,520
So that is why firewalling is always important when you are using containers.

13
00:00:56,520 --> 00:01:01,040
In Podman, it's a little bit different if you are using Podman rootless containers,

14
00:01:01,040 --> 00:01:05,099
because they don't have an IP address, and for that reason, they are not connected to

15
00:01:05,099 --> 00:01:06,900
any container network.

16
00:01:06,900 --> 00:01:10,559
The Podman philosophy is why would a container need an IP address?

17
00:01:10,559 --> 00:01:14,839
Because really, a container is all about a specific process that is running, and the

18
00:01:14,839 --> 00:01:19,440
generic way to address processes is by using their port numbers.

19
00:01:19,440 --> 00:01:26,400
Now let me show you what these container networks look like in a docker environment.

20
00:01:26,400 --> 00:01:36,000
All right, let me start by doing a sudo apt install docker.io.

21
00:01:36,000 --> 00:01:44,879
Now this being docker, I need sudo usermod -aG docker student to make sure

22
00:01:44,879 --> 00:01:49,760
that my current account is a member of the group docker, otherwise it can't run containers.

23
00:01:49,760 --> 00:01:57,559
And now as a little trick to rapidly activate my new group membership, I use newgrp docker.

24
00:01:57,559 --> 00:02:01,080
Let's start a subshell in which docker is my primary group.

25
00:02:01,080 --> 00:02:04,320
Primary group is not perfect, but for this demo, it's good enough.

26
00:02:04,320 --> 00:02:08,880
So I'm going to use docker run nginx.

27
00:02:08,880 --> 00:02:09,880
And what is that doing?

28
00:02:09,880 --> 00:02:13,919
Well, it's unable to find the image nginx locally, and it's going to fetch it.

29
00:02:13,919 --> 00:02:15,500
We have seen that before.

30
00:02:15,500 --> 00:02:20,339
And oh boy, I didn't make that docker run -d.

31
00:02:20,339 --> 00:02:23,380
We wanted to run in detached mode, right?

32
00:02:23,380 --> 00:02:27,220
So here docker ps is showing that it is running.

33
00:02:27,220 --> 00:02:30,100
Now if I use ip a, then what do we see?

34
00:02:30,100 --> 00:02:35,380
We see that besides the ens160, there is a docker0, and it's this docker0 that was

35
00:02:35,380 --> 00:02:39,279
automatically created by docker as a docker bridge.

36
00:02:39,279 --> 00:02:43,059
Now in this docker bridge, there is a virtual patch cable.

37
00:02:43,059 --> 00:02:46,020
You can even see that in the ip a output.

38
00:02:46,020 --> 00:02:49,740
It's the veth5, et cetera, highlighted here.

39
00:02:49,740 --> 00:02:55,119
And this is the virtual patch cable that goes into the container.

40
00:02:55,119 --> 00:02:59,179
So if I use docker ps, then I can see my container.

41
00:02:59,179 --> 00:03:07,419
And if I would use docker inspect on silly_satellite, there we can see the IP address

42
00:03:07,419 --> 00:03:10,820
configuration that has been assigned to it.

43
00:03:10,820 --> 00:03:15,259
You can also see that this container is on the network with the name bridge.

44
00:03:15,259 --> 00:03:19,699
And this network has its own gateway and its own IP address.

45
00:03:19,699 --> 00:03:24,699
And this is how the container can connect to the external network.

46
00:03:24,699 --> 00:03:27,539
And this is container networking in a nutshell.

