
I'm trying to set up a transparent proxy network using containers (Docker).

Client (C)         Proxy (P1)      Proxy (P2)
10.10.1.1/24      10.10.2.1/24    10.10.3.1/24
    veth0             veth0          veth0
     |                 |               |
  veth pair         veth pair      veth pair
     |                 |               |
 -----------(HOST)----------------------------
client-veth0       p1-veth0          p2-veth0
10.10.1.2/24      10.10.2.2/24     10.10.3.2/24
     |                 |               |    172.16.202.30
     +-----------------+---------------+------- enp4s0 ---- INTERNET

I set up this network in a Linux netns environment by running the configuration commands below inside each namespace, after setting up the host portion:

  • ip netns exec {target_ns} ip addr...
  • ip netns exec {target_ns} ip link...
  • ip netns exec {target_ns} ip route ...

Docker does networking by default and connects all containers with bridged networking. I want to set up a separate data plane, leaving the management network (Docker's default network) aside. So I have to make an additional veth pair, put one end in each container, and do policy routing on the newly established veth interfaces.

For this I made a run script: https://gist.github.com/cwyang/23220d7fed5a0cc9af21949aad70e2f6.

I want to set up the corresponding network in a docker-compose environment.

Should I make a run script again and run a series of docker exec instead of ip netns exec to set up the network inside each container, after running the three containers?

If not, what's the recommended way?

In other words, when one wants to do some custom setup from the host to a Docker container, is there a plan B? (A) docker(-compose) up and the user runs a series of docker execs; (B) docker up with some configuration to run after the container starts up, where the configuration is run by Docker, not by the user.

When a container goes down for some reason and docker(-compose) relaunches it, the configuration should be applied. So if the mechanism is provided by the infrastructure, users need not monitor each participating container to re-apply the configuration themselves. So I wonder whether there is a plan B.

Any help will be appreciated deeply. Thank you.
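The per-container veth and policy-routing setup described above, as an added example written against a running Docker Compose stack (this is not the gist's own script): it assumes the container names client, p1 and p2, routing table id 100, and that each container's data-plane default route goes via the host end of its veth pair. Set DRY_RUN=1 to print the commands instead of executing them as root.

```shell
#!/bin/sh
# Added example (assumptions: container names client/p1/p2, table 100,
# default route via the host end of each veth pair). Run as root on the host
# after `docker compose up`; DRY_RUN=1 prints the commands instead.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# container_pid NAME -> PID of the container's init process; its network
# namespace is then reachable through /proc/PID/ns/net.
container_pid() {
  docker inspect -f '{{.State.Pid}}' "$1"
}

# attach_dataplane NAME PID HOST_IF HOST_IP CT_IP GW
# Creates a HOST_IF<->veth0 pair, moves veth0 into the container's netns,
# exposes that netns to `ip netns`, assigns addresses and installs policy
# routing: traffic sourced from CT_IP is looked up in a dedicated table
# that routes via GW, so the management (docker0) network stays untouched.
attach_dataplane() {
  name=$1 pid=$2 host_if=$3 host_ip=$4 ct_ip=$5 gw=$6 table=100
  run mkdir -p /var/run/netns
  run ln -sfn "/proc/$pid/ns/net" "/var/run/netns/$name"
  run ip link add "$host_if" type veth peer name veth0
  run ip link set veth0 netns "$name"
  run ip addr add "$host_ip" dev "$host_if"
  run ip link set "$host_if" up
  run ip netns exec "$name" ip addr add "$ct_ip" dev veth0
  run ip netns exec "$name" ip link set veth0 up
  run ip netns exec "$name" ip route add default via "$gw" table "$table"
  # ${ct_ip%/*} strips the prefix length: the rule matches the source address
  run ip netns exec "$name" ip rule add from "${ct_ip%/*}" lookup "$table"
}

# Addresses follow the diagram in the question (container side .1, host side .2).
if [ "${1:-}" = "apply" ]; then
  attach_dataplane client "$(container_pid client)" client-veth0 10.10.1.2/24 10.10.1.1/24 10.10.1.2
  attach_dataplane p1 "$(container_pid p1)" p1-veth0 10.10.2.2/24 10.10.2.1/24 10.10.2.2
  attach_dataplane p2 "$(container_pid p2)" p2-veth0 10.10.3.2/24 10.10.3.1/24 10.10.3.2
fi
```

Because the netns symlink points at /proc/PID, it goes stale when Compose recreates a container, so the script has to be re-run per (re)start; that is exactly the plan B question the post raises.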

  • What do you want to copy exactly? The IP addresses themselves? Because this is basically what Docker does by default. – Gerrit Apr 21 '20 at 07:28
  • @Gerrit I want to make a veth pair not attached to the Docker bridge and set up a custom ip route for each container, and this is clearly not default Docker networking. I want this setup for my policy routing, to route the client's packets via multiple transparent proxies. – Chul-Woong Yang Apr 21 '20 at 07:32
  • @Gerrit I was sleeping on your comments. I'm not sure whether my policy routing works on the default Docker network. So I changed my question: I want to separate the management plane from the data plane and to set up the data plane. Thank you for your comment. – Chul-Woong Yang Apr 21 '20 at 08:55
  • This seems more appropriate for the Server Fault forum, actually. But do you know that you can create separate bridges with `docker network create`? https://docs.docker.com/engine/reference/commandline/network_create/#specify-advanced-options. In docker-compose you can use the top-level networks key to name your networks and, with external: true, take them from pre-created bridges. However, with default settings Docker would block all traffic between containers on different bridges through iptables. But is this what you are looking for? – Gerrit Apr 21 '20 at 10:36
  • Thank you. Your comment leads me to the Docker network plugin https://docs.docker.com/engine/extend/plugins_network/, and this is what I'm looking for. – Chul-Woong Yang Apr 25 '20 at 05:36

0 Answers