Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multi-ns single-host proxy #6

Open
cirocosta opened this issue Aug 24, 2017 · 1 comment
Open

Multi-ns single-host proxy #6

cirocosta opened this issue Aug 24, 2017 · 1 comment

Comments

@cirocosta
Copy link
Owner

cirocosta commented Aug 24, 2017
edited
Loading

tl;dr: add ability to specify domain=mydomain.com,address=127.0.0.1,port=80,ns=12313 such that connections to mydomain.com would have a server where the connection to upstream server 127.0.0.1:80 would be performed over the network namespace 12313 (with the restriction that ns=12313 exist).

Hey,

I was wondering if we can put a l7 in the host machine and make it forward requests to overlay-networks that are not having their containers with a port bound to the machine (but the containers itself are in the machine).

                                              ns 456
                                           +----------------------+
                                    +----->|  network1_container1 |
                                    |      +----------------------+ 
                    (host namespace)|  
  HOST: mycontainer.com  --> l7 ----+       ns 123
                                    |     +----------------------+
                                    +---->|  network2_container1 | 
                                          +----------------------+

naturally that places the constraint of running the network1_container and network2_container1 in the same host.

A use-case that comes to my mind is providing a way to touching local containers via a single address. For instance:

docker network create --driver overlay --attachable network1
docker network create --driver overlay --attachable network2
docker run --name nginx1 --detach --network network1 nginx:alpine
docker run --name nginx2 --detach --network network1 nginx:alpine

# no ports are bound, thus even if we 
# inspect `nginx` container and get its
# network IP we won't be able to get the
# response back. 

# Now say that we make `l7` load-balance
# across the two network namespaces.
# We could then bypass veths/bridges relying
# solely on `l7` to make the requests across
# both networks with only 1 port binding (l7).

curl <l7-ip>:80 ---> nginx1    # from network 1
curl <l7-ip>:80 ---> nginx2    # from network 2
...

This is useful in the scenario where an agent run in a machine in the host namespace but the containers that are running in this machine are not in such namespace (naturally, they're on their own network-isolated contexts).

If this agent wants to touch the service provided by these containers then this agent must perform the connections entering those namespaces.

I'm not very sure how could we specify that without tying it too much to docker though ...
Maybe something like:

domain=mydomain.com,address=127.0.0.1,port=80,ns=12313

such that by specifying ns the upstream tcp connection would be perform inside the 12313 ns.
@cirocosta
Copy link
Owner Author

cirocosta commented Aug 25, 2017
edited
Loading

It turns out that managing multiple netns are not very manageable right now with Go:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cirocosta