How (docker) virtual networks actually work? [closed] - docker

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
Can someone explain to me how these virtual networks work? I know how "normal" networks work, when we have some PC with its MAC address connecting by its private IP address to some router which has some public IP address, but I just don't get what these "virtual" networks mean.
Do containers actually get another IP address?
Does that IP address translate into the host PC's address so the router doesn't see container and host as separate private IP addresses?
How can these IP addresses be different from the host IP address if the host has only one network card?
Do you know any good tutorial for this stuff? It doesn't have to be for Docker, just general about how virtual networks work. I tried reading the official Docker docs about Docker networks but it is too complicated for me; I am not that good at this stuff.
I don't need to know details, just to get the picture of how this is possible, and what it actually means when we create a new Docker network.

Well, explaining how Docker or LXD/LXC create and manage virtual networks is a bit long.
This is a high-level overview; I will add some useful links if you are interested in the topic.
In Linux you can create virtual network interfaces (veth) that are like network interfaces (a MAC address or IP address can be assigned to them); these interfaces are attached to the containers.
You can connect the containers (locally) using virtual bridges (bridge-utils).
The virtual bridge can be connected to the virtual interfaces attached to the containers; that is how to create a simple virtual network on a single machine.
Docker or LXD manage the virtual interfaces and the virtual bridges for you to connect the containers (like a real network).
This is a really high-level overview, that gives you an idea of how the containers can be connected locally.
To allow the container to have an internet connection, the container managers have to set other parameters correctly, like iptables rules to NAT the traffic.
This video can be helpful for a better understanding.
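The plumbing the answer describes (a veth pair per container, one bridge per virtual network, a NAT rule so the router only ever sees the host's address), spelled out as the ip(8) and iptables(8) commands a container manager issues on your behalf. This is an added example, not code from the original answer or from Docker itself; a network namespace stands in for a container, and the bridge name, subnet, addresses and uplink interface are assumptions chosen for the demo. `build_commands()` returns the command list so it can be inspected without privileges; `apply()` actually runs it and needs root (CAP_NET_ADMIN) on Linux.

```python
"""Added example: hand-build the topology behind `docker network create`.
Names, addresses and the uplink interface are assumptions for the demo."""
import subprocess

BRIDGE = "br-demo"        # the virtual bridge (Docker's default is docker0)
SUBNET = "10.77.0.0/24"   # private range that only exists inside this host
GATEWAY = "10.77.0.1"     # address the bridge itself gets; containers route via it
UPLINK = "eth0"           # host NIC holding the address the router actually sees


def container_commands(name, addr):
    """One veth pair per container: the host end is enslaved to the bridge,
    the other end is moved into the namespace and renamed eth0, which is the
    NIC the container sees. The MAC/IP on that end belong to the container."""
    ns = ["ip", "netns", "exec", name]
    return [
        ["ip", "netns", "add", name],
        ["ip", "link", "add", f"veth-{name}", "type", "veth", "peer", "name", f"tmp-{name}"],
        ["ip", "link", "set", f"veth-{name}", "master", BRIDGE],
        ["ip", "link", "set", f"veth-{name}", "up"],
        ["ip", "link", "set", f"tmp-{name}", "netns", name, "name", "eth0"],
        ns + ["ip", "addr", "add", f"{addr}/24", "dev", "eth0"],
        ns + ["ip", "link", "set", "eth0", "up"],
        ns + ["ip", "link", "set", "lo", "up"],
        ns + ["ip", "route", "add", "default", "via", GATEWAY],
    ]


def build_commands(containers):
    """Full command list for a bridge network with the given (name, address)
    containers attached and NAT towards the uplink."""
    cmds = [
        ["ip", "link", "add", BRIDGE, "type", "bridge"],
        ["ip", "addr", "add", f"{GATEWAY}/24", "dev", BRIDGE],
        ["ip", "link", "set", BRIDGE, "up"],
    ]
    for name, addr in containers:
        cmds += container_commands(name, addr)
    cmds += [
        # The host must route between the bridge and the uplink at all.
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        # MASQUERADE rewrites the container's source address to the host's
        # on the way out, so the router never sees 10.77.0.x; conntrack maps
        # the replies back. This is the "translation" the question asks about.
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", SUBNET, "!", "-o", BRIDGE, "-j", "MASQUERADE"],
        # Forwarding policy: containers may open outbound flows, and only the
        # replies to those flows are let back in from the uplink.
        ["iptables", "-A", "FORWARD", "-i", BRIDGE, "-o", UPLINK, "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", UPLINK, "-o", BRIDGE,
         "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
    ]
    return cmds


def render(containers):
    """The same commands as one shell-ready script (for reading or review)."""
    return "\n".join(" ".join(c) for c in build_commands(containers))


def apply(containers):
    """Execute the commands; requires root on Linux. Stops at the first failure."""
    for cmd in build_commands(containers):
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    print(render([("c1", "10.77.0.2"), ("c2", "10.77.0.3")]))
```

Run it unprivileged to read the script, or call `apply([...])` as root to build the network, after which `ip netns exec c1 ping 10.77.0.3` exercises the bridge and `ip netns exec c1 ping <external address>` exercises the NAT. Docker does the same job with its own names and additionally sets the FORWARD chain's default policy to DROP, which is why a container is unreachable from outside unless a port is explicitly published. Tear the demo down with `ip netns del c1`, `ip netns del c2`, `ip link del br-demo` and by removing the two iptables rules.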

Related

How to avoid anti-spoofing measures in OpenStack?

I have created a virtual private network across two clusters in different regions. While the masters are able to communicate, I can't reach a worker across the virtual private network. I assume this is due to anti-spoofing measures.
How I tried to fix it
I read (https://www.packetcoders.io/openstack-neutron-port-security-explained/ and https://www.redhat.com/en/blog/whats-coming-openstack-networking-kilo-release) that one needs to add allowed address pairs to all instances so that those allowed address pairs can access the worker. However, I am unsure what IP needs to be allowed. I added the master's local IP in the subnet, its floating_ip and its IP in the virtual private network. None of these fixed my issue. I am still unable to reach the workers.
What I am looking for
A complete answer would be great, but ways to debug this further would be highly appreciated, too.
More info to avoid the XY problem
I have started two clusters in different regions and have connected the masters using WireGuard. They can already ping each other using subnet addresses. That's why I think that my problem is not WireGuard related. If you think otherwise, I am happy to give additional info on this setup to avoid asking the wrong question.

Could IPv4 loopback addresses be used for IPC?

I was quite surprised when I found out that there was a really big range of IP addresses allocated for loopback (127.x.y.z).
I didn't find much information about why it's like this, except that it could be used for testing networks and protocols locally, which got me thinking whether it could be a good idea to use these addresses for IPC.
At the moment, as far as I know, IPC based on networking is usually done with TCP/UDP by opening sockets on ports which are most likely not used by any other service.
So my question is, to be even more sure that there won't be a port collision, could other loopback addresses be used instead?
For a more concrete example, could two processes communicate through sockets on address 127.31.41.59 and ports 27 and 18 (or even different loopback addresses)?
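The concrete case the question describes, tried out on a Linux host. This is an added example, not part of the original post. It relies on Linux assigning the whole 127.0.0.0/8 to the `lo` interface, so any address in that block can be bound (macOS only configures 127.0.0.1 by default, so there the same code fails). The address 127.31.41.59 is the question's own; the ports 27 and 18 it mentions are privileged (below 1024), so the demo lets the kernel pick a free port instead, and the message exchanged is constructed.

```python
"""Added example: IPC over a non-default loopback address on Linux.
Assumes 127.0.0.0/8 is bound to lo (Linux default); the message is constructed."""
import socket
import threading

LOOPBACK_ALT = "127.31.41.59"   # the address from the question
LOOPBACK_DEFAULT = "127.0.0.1"


def serve_once(addr, port=0):
    """Listen on addr:port (port 0 = kernel picks a free one), accept a single
    client in a background thread and echo what it sends. Returns the bound
    port and the thread so the caller can join it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((addr, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def run():
        conn, _peer = srv.accept()
        with conn:
            data = conn.recv(1024)
            conn.sendall(b"echo:" + data)
        srv.close()

    worker = threading.Thread(target=run)
    worker.start()
    return bound_port, worker


def exchange(addr, message):
    """Two 'processes' (here: a thread and the caller) talk over addr."""
    port, worker = serve_once(addr)
    with socket.create_connection((addr, port)) as client:
        client.sendall(message)
        reply = client.recv(1024)
    worker.join()
    return reply


def same_port_two_addresses(addr_a, addr_b):
    """The question's real concern: port collisions. bind() is keyed on
    (address, port), so the same port can be in use on two loopback
    addresses at once. Returns the port both listeners share."""
    a = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    a.bind((addr_a, 0))
    a.listen(1)
    port = a.getsockname()[1]
    b = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    b.bind((addr_b, port))      # would raise EADDRINUSE if addresses collided
    b.listen(1)
    a.close()
    b.close()
    return port


def rejected_on_other_address(addr_listen, addr_try):
    """A listener on one loopback address is not reachable via another:
    connecting to the same port on addr_try is refused. Returns True when
    the kernel refused it, which is the isolation property you get."""
    port, worker = serve_once(addr_listen)
    try:
        socket.create_connection((addr_try, port), timeout=1).close()
        refused = False
    except ConnectionRefusedError:
        refused = True
    # Unblock the server thread so the socket is closed cleanly.
    socket.create_connection((addr_listen, port)).close()
    worker.join()
    return refused


if __name__ == "__main__":
    print(exchange(LOOPBACK_ALT, b"hello over 127.31.41.59"))
    print("shared port:", same_port_two_addresses(LOOPBACK_ALT, LOOPBACK_DEFAULT))
    print("refused via 127.0.0.1:", rejected_on_other_address(LOOPBACK_ALT, LOOPBACK_DEFAULT))
```

Two practical notes: a service that must only be reachable by local clients should bind a specific loopback address rather than 0.0.0.0, since the wildcard also claims the port on every real interface; and because all of 127/8 is local, a second loopback address gives you a separate port space but no additional access control, so any local process can still connect to it.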

Multicast traffic to Kubernetes [closed]

Closed. This question is not about programming or software development. It is not currently accepting answers.
Closed 4 months ago.
I want my pods to receive multicast network traffic flowing from outside of my Kubernetes cluster to specific ports on my nodes.
I'm considering two solutions:
Adding hostNetwork: true flag to their yaml file along with hostPort configuration in order to receive the traffic directly to the pod.
Forwarding the traffic locally on the nodes from eth0 interface to docker0 interface using iptables command.
Method 1 is an official feature in Kubernetes, but it feels like breaking a security wall that Docker originally imposed, and might cause port collisions with the host's processes, etc.
Method 2 on the other hand transparently forwards the multicast network traffic to the pods.
Despite the fact that I can use an automation tool to spread this configuration (Ansible/Salt etc.), anything configured 'out of the scope' of Kubernetes feels a little hacky to me.
I would like to hear your pros and cons, comments, and maybe other solutions to the problem of multicasting to a Kubernetes cluster.
A cleaner way to support multicast is to add an additional interface to your pods through multus-cni. Then, you could associate this new multus interface with the host network interface that will receive multicast traffic on the host. Summarizing, you will have two interfaces on your pod, i.e.:
net1 (default) for pod-to-pod communication and other unicast traffic.
eth0 (multus) for multicast traffic. Then you will need to "join" it with a NIC in your host machine, either by using bridge or macvlan.
See more details here: https://github.com/intel/multus-cni/blob/master/docs/quickstart.md
In the end we picked method 1, as it is the documented way to achieve what we wanted, and I can report that it works fine.
I heard that WeaveWorks supports multicast: https://www.weave.works/use-cases/multicast-networking/
The GitHub issue has a few words on multicast support.

Nat Punchthrough understanding P2P concept [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 1 year ago.
So, I have been reading up on NAT punch-through. I seem to be getting the idea, but I have a hard time implementing it, and I feel that I am missing a step here.
Testing this functionality is kind of hard because I have little control over the environment when it comes to an internet-based connection.
I have a SQL server to run as my "facilitator"; it keeps the external address of both server and client, and their port as seen by the outside.
Here are the steps so far:
- I connect to my SQL server through a web request (PHP script) that stores server/client IP/PORT
- When both are known, both client and server attempt connecting (server hosts on a set port, client connects over a set port)
- Nothing significant happens
There are 2 unknowns here, and I would like to check one with you.
Is it true that NAT punch-through requires that I do the first step with the exact (internal/LAN) port I plan to connect with in the step after that?
If so, I don't know how exactly my server works underwater, so it might need more ports than my initial given static port to connect over, but that at least gives me a hint.
If anyone has more documentation on this than me, please let me know.
Sources:
Programming P2P application
http://www.mindcontrol.org/~hplus/nat-punch.html
NAT punch-through works on the principle of educated guesswork. It is usually used to create connections with devices that do IP masquerading. This is the technology used in most home internet modems, to the point that NAT has become used interchangeably to refer to IP masquerading.
When you connect out from a device that is behind a NAT system like a home modem, you have no control of the port that will be used for the outbound connection to the Internet. However, many of these devices allocate ports using specific patterns, for example incremental numbers.
NAT punch-through involves trying to directly connect two source systems that are both behind independent NAT devices. A third system, your "facilitator", acts as a detector for the origin port numbers currently being assigned by both NAT devices on outbound connections. The origin port number, along with the IP address, is then sent to the other parties.
So now the clever bit, to answer your question. Both systems that want to directly connect start trying to communicate with the other. They try connecting to a range of ports around the known port number detected by the facilitator. This is the guesswork.
It is important that both source systems start trying to connect, as this will establish NAT sessions in the local devices that allow traffic from the Internet in. If either source device correctly guesses one of those NAT session port numbers, then a connection is established.
In reality, engineers from organisations that have a use for NAT punch-through have probably spent some time examining the more popular NAT port allocation algorithms and tuning their software. If you have control of connections through your NAT devices, then it would be fairly easy to set up some tests and see how the port numbers change between connections to different servers.
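A small simulation of the three steps in the answer above (register with the facilitator, probe a window of ports around what it reported, see which probes the peer's NAT lets in), to make the "educated guesswork" concrete. This is an added example, not code from the original post. The NAT model is an assumption: each new (internal endpoint, destination) flow gets its own external port, allocated either incrementally (the predictable pattern the answer mentions) or at random; all addresses are constructed from the RFC 5737 documentation ranges. It also shows the flip side: a NAT that randomises port allocation makes the guessing fail, which is what a hardened NAT or firewall looks like from this angle.

```python
"""Added example: toy NAT punch-through with a port-predicting facilitator.
The NAT behaviour and all addresses are constructed assumptions."""
import random


class Nat:
    """Toy masquerading NAT. Every new (internal, remote) flow gets its own
    external port. Inbound packets are forwarded only when a session for
    exactly that external port and remote endpoint exists; anything else is
    dropped, which is the 'wall' the probes have to punch through."""

    def __init__(self, public_ip, first_port, allocator=None):
        self.public_ip = public_ip
        self.next_port = first_port
        self.allocator = allocator   # None = incremental ports, else a callable
        self.mappings = {}           # (internal, remote) -> external port
        self.inbound = {}            # (external port, remote) -> internal

    def send(self, internal, remote):
        """Outbound packet: create the session if needed and return the
        external (ip, port) the remote side sees as the source."""
        key = (internal, remote)
        if key not in self.mappings:
            if self.allocator is None:
                port, self.next_port = self.next_port, self.next_port + 1
            else:
                port = self.allocator()
            self.mappings[key] = port
            self.inbound[(port, remote)] = internal
        return (self.public_ip, self.mappings[key])

    def receive(self, external_port, remote):
        """Inbound packet: the internal endpoint it reaches, or None if dropped."""
        return self.inbound.get((external_port, remote))


A_INTERNAL = ("10.0.0.2", 5000)          # constructed LAN endpoints
B_INTERNAL = ("192.168.1.7", 5000)
FACILITATOR = ("203.0.113.10", 9000)     # the question's PHP/SQL helper


def punch(nat_a, nat_b, window):
    """Run the answer's procedure; return the probes each side received."""
    # 1. Both sides contact the facilitator, which records the external
    #    endpoint each NAT assigned to that flow.
    seen_a = nat_a.send(A_INTERNAL, FACILITATOR)
    seen_b = nat_b.send(B_INTERNAL, FACILITATOR)

    # 2. Each side probes `window` ports above the peer's reported port.
    #    Sending a probe also opens a session in the sender's own NAT, which
    #    is what allows the peer's probe to come in: both sides must send.
    probes_a, probes_b = [], []
    for k in range(1, window + 1):
        dst = (seen_b[0], seen_b[1] + k)
        probes_a.append((nat_a.send(A_INTERNAL, dst), dst))
    for k in range(1, window + 1):
        dst = (seen_a[0], seen_a[1] + k)
        probes_b.append((nat_b.send(B_INTERNAL, dst), dst))

    # 3. A probe arrives only if the receiving NAT holds a session whose
    #    external port and remote endpoint match it exactly.
    a_hits = [dst for src, dst in probes_b if nat_a.receive(dst[1], src) == A_INTERNAL]
    b_hits = [dst for src, dst in probes_a if nat_b.receive(dst[1], src) == B_INTERNAL]
    return a_hits, b_hits


def predictable_nats(window=5):
    """Both NATs hand out incrementing ports: every guess in the window lands."""
    return punch(Nat("198.51.100.1", 40000), Nat("192.0.2.1", 50000), window)


def random_nats(window=5, seed=1):
    """Both NATs pick ports at random: the guesses miss and no session opens."""
    rng = random.Random(seed)

    def allocator():
        return rng.randrange(1024, 65536)

    return punch(Nat("198.51.100.1", 40000, allocator), Nat("192.0.2.1", 50000, allocator), window)


if __name__ == "__main__":
    print("incremental NATs:", predictable_nats())
    print("random NATs:     ", random_nats())
```

The simulation answers the question's first unknown: what matters is not the internal port as such but that the probes go out through the same (internal endpoint, NAT) pair the facilitator observed, so the NAT's next allocations fall in the predictable window. Real deployments let a STUN-style server report the mapping and retry the probes for a while, since the two sides never start at exactly the same moment.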

How to make my laptop an App server? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I developed an internet-based iOS app, and my app communicates with the server through html requests.
It works perfectly when I test it locally. But when I test it through the internet, it seems the html requests can't be received by the server.
I am using my Mac Pro as the server, and the laptop is connected to the internet via the same wifi as my iPhones.
So, how can I make a laptop connected to the internet via wifi a server?
There are a lot of complications to making something available on the internet from a home machine, and it's not clear from your problem statement where the problem lies. Here are some of the most common gotchas:
Check that the server is accessible from another computer on the same local area network as the server (leave the iOS device out of it at first). If not, the server is misconfigured; check firewall settings on the server.
I understand that you want this accessible from devices outside the local area network (i.e., you want it to be usable from anywhere, not just your home network). For this, you must configure your router to forward the appropriate port (probably 80, depending on the server software you're using) to the server. This is called "port forwarding" or other similar names (depending on the router manufacturer); consult the documentation for your router for information on how to enable it, as the process varies between make and model. Note that some ISPs supply a cable/DSL modem that has its own firewall in it (for example, Comcast business class does this), so you may also have to set up port forwarding on that as well.
You need to specify the external IP address of the server (you can use whatsmyip.com or similar to find it) when connecting to it over the internet, not the LAN IP.
As everything is working locally, the problem is located in the device linking your laptop to the internet: your internet box.
By default, when it receives requests from outside, your box will reject them, because this is a security risk (it could allow anyone to access your private network server, and if there is a security breach in a member, this could be a real problem). Moreover, your box most of the time has more than one device connected, so how can it know which device the request it gets is for?
Luckily, there is a way to tell your box "Hey! If you receive a request on this port, forward it to my laptop!". It is called port forwarding. This is quite difficult to explain as every ISP has a different implementation of this. But to set this, you have to connect to your box's administration interface and look for the section related to port forwarding.
Once you're there, you will have to set the port (if you run an HTTP application, it is 80 for example), a protocol (use both if in doubt), and finally the destination IP. This is the IP of your computer on the local network. You can get it using ipconfig on Windows.
Once you have set your forwarding rule, you should be able to access your app from the internet using either a Dynamic DNS service or your Internet address, which you can get from websites such as http://www.whatismyip.org