Create docker network with --ingress flag - docker

I cannot clearly understand what the --ingress flag means when creating a docker network in swarm mode.
Official documentation says:
--ingress | Create swarm routing-mesh network
But isn't it enough to create a network with the overlay driver like this:
docker network create -d overlay my-multihost-network
The documentation says about the overlay network:
an overlay network called ingress, which handles control and data traffic related to swarm services. When you create a swarm service and do not connect it to a user-defined overlay network, it connects to the ingress network by default.

Related

Error while creating overlay network for standalone containers

As per the Docker documentation, an overlay network is automatically created when we initialise docker swarm. But we cannot use that network for an individual docker container which is not part of a swarm resource. So, we need to create an overlay network with the "--attachable" flag.
I tried to create an attachable overlay network but I am getting the following error:
docker network create -d overlay --attachable my-attachable-overlay
Error response from daemon: This node is not a swarm manager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again.
Do we need to run this command on a swarm manager? Can't we use it directly on a lightweight container like boot2docker without initialising docker swarm?
The swarm scoped overlay network driver does indeed require swarm. If you have a single node, you only need to do docker swarm init and then you can create a swarm scoped network. If you are getting this error on a swarm worker node, then you just need to create the network on a manager in the swarm and then it can be used on the worker nodes in that swarm.
The whole purpose of the overlay network driver is to enable container-to-container communication between multiple nodes in a swarm. It is not necessary to use the overlay network driver on a single node where you do not intend to use any other swarm features nor communicate with containers on other nodes. Use a local-scoped network driver like bridge instead.

What are the differences between docker network drivers?

docker network ls
NETWORK ID     NAME                      DRIVER    SCOPE
90ed18951aa8   bridge                    bridge    local
02a1158b1219   docker-registry_default   bridge    local
myn3onq0xgdg   ingress                   overlay   swarm
2t91hityplpb   preprod_default           overlay   swarm
What are the differences between the 'overlay' and 'bridge' drivers? When should each of them be used?
An overlay network is used in swarm mode to create a network that spans multiple docker hosts. A bridge network exists only on a single host (and is realized by a Linux bridge device).
For more information, see the "Network Drivers" section of the Docker documentation.
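Added example, written for this page and not taken from any of the answers above or from Docker's own tooling: a small POSIX shell script that classifies each network from the fields `docker network inspect` reports, applying the distinctions made in the two answers above (swarm-scoped overlay versus local bridge, and whether --attachable was set) together with the Ingress flag from the original question. The sample rows are constructed to mirror the docker network ls listing above; their Attachable and Ingress values are assumed.

```shell
#!/bin/sh
# Added example (not from the answers above). Classifies a Docker network from the
# fields `docker network inspect` reports, so a listing like the one in the question
# can be read as: routing-mesh ingress network, user-defined overlay (attachable or
# services-only), or single-host local network.
# Each input row is: NAME DRIVER SCOPE ATTACHABLE INGRESS ("true"/"false" for the last two).

classify_network() {
  # prints a single category token on stdout
  driver=$2; scope=$3; attachable=$4; ingress=$5
  if [ "$ingress" = "true" ]; then
    echo ingress                  # swarm routing mesh: carries published-port traffic
  elif [ "$driver" = "overlay" ] && [ "$scope" = "swarm" ]; then
    if [ "$attachable" = "true" ]; then
      echo overlay-attachable     # services AND standalone `docker run` containers may join
    else
      echo overlay-services-only  # `docker run --network` is refused without --attachable
    fi
  elif [ "$scope" = "local" ]; then
    echo local                    # bridge/host/etc.: reachable only on this host
  else
    echo unknown
  fi
}

explain() {
  case "$1" in
    ingress) echo "routing mesh; do not attach services to it explicitly" ;;
    overlay-attachable) echo "multi-host; any container on any swarm node can join it, so it has the widest reach" ;;
    overlay-services-only) echo "multi-host; swarm services only" ;;
    local) echo "single host only; fine when no cross-node traffic is needed" ;;
    *) echo "unexpected driver/scope combination; inspect manually" ;;
  esac
}

# Constructed sample mirroring the `docker network ls` listing above; the
# attachable and ingress values are assumed for the sake of the example.
SAMPLE='bridge bridge local false false
docker-registry_default bridge local false false
ingress overlay swarm false true
preprod_default overlay swarm true false'

classify_all() {
  printf '%s\n' "$SAMPLE" | while read -r name driver scope attachable ingress; do
    kind=$(classify_network "$name" "$driver" "$scope" "$attachable" "$ingress")
    printf '%-24s %-22s %s\n' "$name" "$kind" "$(explain "$kind")"
  done
}

# On a swarm manager the same functions work on live data (docker required):
#   docker network ls -q | xargs docker network inspect \
#     --format '{{.Name}} {{.Driver}} {{.Scope}} {{.Attachable}} {{.Ingress}}'
```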

What is the extra container with the "lb-" prefix in a docker swarm network? How do I set up a docker network not to have that?

A docker network is created in a docker swarm, which contains several nodes, with this command:
docker network create --attachable --driver overlay [network-name]
And containers are attached to the network with "docker service create" command.
An extra container with the name "lb-[network-name]" appeared afterwards in the network.
What is that container and how do I configure the docker network not to have it?
From docker swarm documentation (https://docs.docker.com/engine/swarm/key-concepts/):
Swarm mode has an internal DNS component that automatically assigns each service in the swarm a DNS entry. The swarm manager uses internal load balancing to distribute requests among services within the cluster based upon the DNS name of the service.
It's a part of the swarm architecture; you can't deactivate it.
Take a look also at this detailed answer regarding networking of docker swarm:
https://stackoverflow.com/a/44649746/3730077

Do I need to create a network explicitly for docker swarm mode

I have been trying to understand docker and the swarm mode. I also read about the docker network tutorials.
I have tried the docker swarm mode. If a docker swarm mode is initialised and if we execute docker network ls it shows a network with the name ingress.
My question is do I need to exclusively create an overlay network? Or should the swarm mode work fine without exclusively creating a network?
No, you don't need to, however it is recommended that you create a custom overlay network for your applications that you deploy to the swarm. The ingress overlay network handles control and data traffic related to swarm services. From the official documentation:
Use the default overlay network demonstrates how to use the default overlay network that Docker sets up for you automatically when you initialize or join a swarm. This network is not the best choice for production systems.
If you need communication between containers on different Docker Swarm Nodes, you need an overlay network.
If you just use "docker run" it will use the ingress network on the host where you are running the command.

What's the purpose of binding vip addr in every container of a service in docker 1.12?

Docker uses the NAT mode of ipvs to get service load balancing, and in NAT mode the real server knows nothing about the VIP.
From my understanding, VIP is only used for communication between containers from different services, so it should only appear in the mangle table of iptables.
I believe this is discussed right now (last week Aug. 2016) in PR 25414, where container networking in service create is initially reported as:
The containers provisioned in docker swarm mode can be accessed in service discovery either via a Virtual IP (VIP) and routed through the docker swarm ingress overlay network, or via a DNS round robin (DNSRR).
But Charles Smith (sfsmithcha) adds:
VIP is not on the ingress overlay network. You need to create a user-defined overlay network in order to use VIP or DNSRR. (See PR 25420)
We should not conflate ingress, which is (--publish ports) with swarm-internal overlay networking.
Charles' illustration of the presence of the VIP is (docs/swarm/networking.md):
Docker Engine swarm mode natively supports overlay networks, so you can enable container-to-container networks.
When you use swarm mode, you don't need an external key-value store.
Features of swarm mode overlay networks include the following:
You can attach multiple services to the same network.
By default, service discovery assigns a virtual IP address (VIP) and DNS entry to each service in the swarm, making it available by its service name to containers on the same network.
You can configure the service to use DNS round-robin instead of a VIP.
Use swarm mode service discovery
By default, when you create a service attached to a network, the swarm assigns the service a VIP. The VIP maps to a DNS alias based upon the service name. Containers on the network share DNS mappings for the service via gossip so any container on the network can access the service via its service name.
You don't need to expose service-specific ports to make the service available to other services on the same overlay network.
The swarm's internal load balancer automatically distributes requests to the service VIP among the active tasks.
The OP insists:
Still can't get the reason why VIP is attached on the container's eth0...
Well:
The eth0 interface represents the container interface that is connected to the overlay network. So if you create an overlay network, you will have those VIPs associated with it.
eth1 interface represents the container interface that is connected to the docker_gwbridge network, for external connectivity outside of container cluster.
Now issue 25325 is about Docker 1.12 swarm mode load balancing not consistently working, where the IPVS table is not being populated correctly.
That illustrates the role of those VIPs, and the bug should be fixed in 1.12.1-rc1.
