Weaving Containers with Kontena

Multi-host Docker applications have come a long way since the early days of the container revolution. You know the usual problem we have all faced: how do you discover and connect services that are not on the same host, or not even in the same datacenter? You could expose ports, use ambassador patterns or stitch your favorite software defined networking ("SDN") stack together. With a lot of patience, trial and error, and countless hours of hacking you eventually found a working setup for your needs.

Soon, we will see Docker 1.9 with support for network plugins. It will feature a default plugin for creating overlay networks that is supposed to help us when trying to connect containers across hosts. Now, how does this new awesomeness affect us at Kontena? Not much. We have been connecting containers together across hosts for a long time already, thanks to Weave by Weaveworks.

The Overlay Network

In Kontena, the overlay network is powered by Weave. It is one of the first overlay network technologies made available for Docker and we have been using it (among some other technologies) for various projects for almost a year now. Based on our experience, its reliability and stability are very impressive. It is a solid choice for any serious Docker setup.

One of the coolest things about Weave is the way it exposes the network fabric to containers. With Weave, developers don't need to take infrastructure details into account when deploying Kontena services to cloud or bare metal provider platforms. Another nice feature is the built-in encryption of all overlay network traffic.

Kontena's network architecture is comprised of a number of Kontena Nodes (machines or VMs that run containerized workloads) and a Kontena Master that controls and monitors the Nodes. All Kontena Nodes belong to a Grid, an abstraction used to isolate multiple projects running on a single Kontena Master. Kontena's overlay network is configured so that each Grid gets one flat subnet. Nodes can be placed in multiple availability zones or different regions.

With Kontena, you can actually spread Nodes anywhere: any infrastructure, any cloud provider, around the globe, it just works. You might ask how this is possible. Weave needs to know the IP addresses of the other hosts. This information is provided by Kontena: each Node calls the Kontena Master when it starts and receives information about the other Nodes. The information is also updated periodically when new Nodes are discovered or old Nodes are found dead. This is how Kontena "weaves" the network automatically, without any manual configuration.

Network Security

Since Weave comes with a built-in network traffic encryption feature, we have enabled encryption on Kontena's overlay network by default. You can enjoy isolated and secure networking in your own infrastructure, on a cloud platform or even across different providers. This is especially useful if you are running your containerized workloads on infrastructure without AWS VPC-like security (for example DigitalOcean).

Having the overlay network isolated and all traffic encrypted is a great achievement. However, it creates another challenge: how do you access the services within the overlay network without compromising its security? Since the overlay network is private by default, you cannot access any services within the network unless you expose them through Docker. Usually you don't want to do that unless it is an Internet-facing service. We thought about this a lot and wanted to give users a sane way to securely access the Grid.

After testing different solutions we decided to build an OpenVPN service into Kontena. OpenVPN allows developers to access any of the services as if they were on the same LAN. This is really handy when you need to connect to a database or some internal web service that you don't want to expose to the Internet. One of the great use cases for this is Kontena's integrated private Docker image registry, which can be accessed only through the VPN.

Service Discovery

Service discovery is a key component of most distributed systems and microservice-oriented architectures. With Kontena we have tried to create robust, developer-friendly service discovery using a combination of two different technologies: DNS and the etcd distributed key-value store.

Kontena's service discovery DNS is powered by Weave "Gossip" DNS. With Kontena's service discovery, each service automatically gets its own unique DNS record for basic round-robin style load balancing. For example, let's say that you have a wordpress service that is scaled to a number of instances (= containers). For this service, Kontena will automatically register a wordpress.kontena.local DNS record and return the IP addresses of all the instances belonging to this service. In addition, each instance gets its own dedicated DNS entry; for example, the first instance of the wordpress service can be accessed using the wordpress-1.kontena.local address. This is simple but very useful.
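The record layout described above, as an added example that is not Kontena's or Weave's own code: a small in-memory model that keeps one service-level record holding every instance IP, one dedicated record per instance, rotates the service record on each lookup for round-robin, and drops an instance from both records when it goes away. The `GridDns` class, the `kontena.local` domain handling and the 10.81.0.x addresses are assumptions made for this illustration.

```ruby
# Added example (hypothetical GridDns class; not Kontena's or Weave's code).
# Models the two kinds of records the post describes:
#   <service>.kontena.local    -> all instance IPs (round-robin)
#   <service>-<n>.kontena.local -> the single IP of instance n
class GridDns
  DOMAIN = 'kontena.local'.freeze

  def initialize
    @records = Hash.new { |h, k| h[k] = [] }  # name -> [ip, ...]
    @cursor  = Hash.new(0)                    # per-name rotation counter
  end

  # Register instance `index` (numbered from 1, like wordpress-1) of `service`.
  def register(service, index, ip)
    @records["#{service}.#{DOMAIN}"] << ip
    @records["#{service}-#{index}.#{DOMAIN}"] = [ip]
  end

  # Remove a scaled-down or dead instance from both its records.
  def deregister(service, index)
    ip = @records.delete("#{service}-#{index}.#{DOMAIN}")
    @records["#{service}.#{DOMAIN}"].delete(ip.first) if ip
  end

  # Resolve a name. A service record is rotated by one position per query
  # so that naive clients that take the first answer spread their load.
  def resolve(name)
    ips = @records.fetch(name, [])
    return [] if ips.empty?
    shift = @cursor[name] % ips.size
    @cursor[name] += 1
    ips.rotate(shift)
  end
end

# Constructed sample: a wordpress service scaled to three instances.
dns = GridDns.new
dns.register('wordpress', 1, '10.81.0.10')
dns.register('wordpress', 2, '10.81.0.11')
dns.register('wordpress', 3, '10.81.0.12')
puts dns.resolve('wordpress.kontena.local').inspect   # all three, rotated per call
puts dns.resolve('wordpress-1.kontena.local').inspect # just instance 1
```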

If a developer needs more advanced service discovery or shared configuration storage, they should look at etcd. With Kontena, etcd is automatically integrated into each Grid and made available inside the overlay network. Since the overlay network is encrypted and private, etcd is also secured.

The Future

Docker is evolving and the upcoming 1.9 version will feature network plugins. We need to support this plugin architecture in Kontena as well. However, as explained before, it will not affect users. It's just something cool for us to play around with.

At the time of writing this post, we are already exploring how to integrate overlay network technology through the Docker plugin system. In the future, we will most likely look for a way to isolate services from each other at the network level. Weave's fast datapath is also looking promising.

The future looks bright for Kontena. There are many technical improvements we can still make. The biggest challenge for us is not related to technical features, but to how we see people using them. We want to enable organizations of all sizes, regardless of their technical competence, to take advantage of the latest and coolest container technologies. We try to maximize developer happiness and therefore keep things simple.

About Kontena

Kontena is a new open source Docker container orchestration platform built to maximize developer happiness. It works on any cloud, it's easy to set up and super simple to use. Give it a try! If you like it, please star it on GitHub and follow us on Twitter. We hope to see you again!

Image Credits: allispossible.org.uk, Dew on spider web