copyright 2015 1

Instructions for VNS32015

VNS3 3.5Container System Add-Ons

copyright 2015 2

Table of Contents

Introduction 3Docker Container Network 7Uploading a Image or Dockerfile 9Allocating a Container 13Saving a Running Container 15Access Considerations 18

copyright 2015

Introduction

3

copyright 2015 4

Docker OverviewDocker is an open source project released in March 2013 that automates the deployment of applications in Linux Containers (LXC). It is an engine that allows users to encapsulate any application or set of applications as a lightweight, portable, self-sufficient virtual container. These containers can be manipulated using standard operations and run anywhere Docker is installed.

Docker offers a different granularity of virtualization that allows for greater isolation between applications.

Cloud Provider OS/Hypervisor

Server Hardware

VNS3 bins/libs

bins/libs

bins/libs

GuestOS

GuestOS

GuestOS

AppStack

AppStack

AppStack

VM

Cloud Provider OS/Hypervisor

Server Hardware

VNS3

Docker

bins/libs

bins/libs

AppStack

AppStack

AppStack

AppStack

Container

copyright 2015 5

Docker and VNS3We have been receiving requests from customers for the ability to add their own layer 4-7 network service applications to the VNS3 layer 3 transport device. To provide that level of customization without compromising VNS3 core functionality, we added an Application Container System to VNS3 powered by Docker. Now you can embed layer 4-7 network service features and functions provided by other vendors - or developed in house, safely and securely into your Cloud Network.

Take a look at the following blog posts for further explanation and an example of how you can use VNS3 with Docker:

- An Introduction to Docker in VNS3- Using Docker.io for SSL termination and load balancing

Proxy Reverse Proxy Content Caching Load Balancing IDS Custom Container

Dynamic &Scriptable SDNRouter Switch Firewall VPN

ConcentratorProtocol

Redistributor

VNS3 Core Components

copyright 2015 6

Instance Sizing ConsiderationsVNS3 instance sizes have always been a factor in determining to network performance of the Overlay (customer’s edge connectivity, customer’s router config and geo/network distance being the other factors). Throughput is dependent on the instance's access to underlying hardware (more specifically the NIC). The fewer virtual workloads competing for those hardware resources, the better the performance. As you increase the size of the VNS3 instances you increase the total throughput.

Now that Docker is running as part of VNS3 the Controller’s instance size will also determine how many Docker application containers can run in your Controller. The type and process loads of the containers will be the determining factor. We recommend using m3.medium instance size for VNS3 Controllers.

Note: VNS3 3.5 is available as EBS-backed AMIs. This will not only allow for persistent storage in order to save Container configurations, but allow instance scaling within AWS.

copyright 2015

Docker Container Network

7

copyright 2015 8

Container Network SetupTo start using Docker you must first setup a Docker subnet where your containers will run. The default VNS3 Docker subnet is 198.51.100.0/28. VNS3 allows you to choose a custom address block. Make sure it will not overlap with the Overlay Subnet or any subnets you plan on connecting to VNS3. The Docker subnet can be thought of as a VLAN segment bridged to the VNS3 Controller’s public network interface.

The Container Networking Page shows the available container IP addresses for the chosen Container Network. IP addresses listed as reserved are either used by Docker (for routing, bridging, and broadcast) or are being used by a currently running container.

To change the Container Network first enter a new network subnet in CIDR notation.

Click Validate to ensure the subnet accommodates the Container Network requirements.

Click Set once validation is passed.

You will prompted with a popup warning that a Container Network change will require a restart of any running container. Click OK.

copyright 2015

Uploading an Image or Dockerfile

9

copyright 2015 10

Container ImagesVNS3 3.5 supports uploading a compressed archive of an LXC Container Image, Dockerfile or Docker Context Directory. In the future we will support pulling Containers from the public Docker Index and private repositories. ContainerContainer Images are used to launch Containers. You can think of this relationship as similar to an AMI and Instance in AWS. Once an Image is uploaded you can launch one or multiple Containers from the Image.Dockerfile Dockerfiles a representation of a Container image, basically a map of how to build an image - start from a source image and run a number of commands on that image before finalizing the Container Image. See the Dockerfile Reference Document for more information. Dockerfile Context DirectoriesVNS3 also supports the upload of what Docker calls a “context” or collection of files in a directory that are used along with a Dockerfile to build an Image. The Dockerfile needs to be in the root of the directory and the rest of the files need to be relative so the Dockerfile can access the appropriate assets during the build process. Cohesive Networks provides a number of Containers and Dockerfiles to help get you started on our Product Resources page and in the Docker Index respectively.

copyright 2015 11

Container Images: Upload a ContainerTo Upload a Container Image click on the Images left column menu item listed under the Container heading.

Click Upload Image.

On the resulting Upload Container Image Window enter the following;

- Input name

- Description

- Select the Container Url radio button - provide the publicly accessible URL of the archived Container Image file (supported file formats tar, tgz, tar.gz, tar.bz2, and zip)

Click Upload.Once the Container Image has finished the import process, you will be able to use the action button to edit and delete the Image or allocate (launch) a Container.

copyright 2015 12

Container Images: Upload from a DockerfileTo Upload a Dockerfile click on the Images left column menu item listed under the Container heading.

Click Upload Image.

On the resulting Upload Container Image Window enter the following;

- Input name

- Description

- Select the Dockerfile Url radio button - provide the publicly accessible URL of the Dockerfile (note the filename is required to be Dockerfile) or URL of an archived Dockerfile Context Directory (supported file formats tar, tgz, tar.gz, tar.bz2, and zip)

Click Upload. Once the Dockerfile has been uploaded and the image has has finished the build process, you will be able to use the action button to edit and delete the Image or allocate (launch) a Container.

copyright 2015

Allocating a Container

13

copyright 2015 14

Container Images: Allocate a ContainerTo launch a Container click the Actions drop down button next to the Container Image you want to use and click Allocate.

On the resulting pop up window enter the following:

- Name of the Container

- Command used on initiation of the Container

- Description

Click Allocate.

You will be taken to the Containers page where you newly created Container will list its status.

copyright 2015

Saving a Running Container

15

copyright 2015 16

Saving a Running Container : Save as an ImageVNS3 does not currently support the Docker commit or export command. As a result it is recommended that you customize your Docker container before uploading it to the VNS3 Controller.

copyright 2015 17

Saving a Running Container : ExportVNS3 does not currently support the Docker commit or export command. As a result it is recommended that you customize your Docker container before uploading it to the VNS3 Controller.

copyright 2015

Access Considerations

18

copyright 2015 19

Container Images: Accessing the ContainerOnce the Container has launched, an IP address included in the specified Container Network CIDR will be listed.

Accessing the Container depends on the source network. The following pages cover connection considerations when trying to access a VNS3 Container from the public Internet, Overlay Network, and Remote IPsec Subnet.

copyright 2015 20

Access Consideration: Public InternetAccessing a Container from the Public Internet will require additions to the inbound hypervisor firewall rules with the VNS3 Controller as well as VNS3 Firewall.

The following example shows how to access an Nginx server running as a Container listening on port 80 (substitute port 22 if the Container is running SSHD).

Network Firewall/Security Group Rule Allow port 80 from your source IP (possibly 0.0.0.0/0 if the Nginx server is load balancing for a public website).

VNS3 Firewall Enter rules to port forward incoming traffic to the Container Network and Masquerade outgoing traffic off the VNS3 Manger’s public network interface.

#Let the Docker Subnet Access the Internet Via the Controllers Public IP MACRO_CUST -o eth0 -s <Controller Private IP> -j MASQUERADE

#Port forward 9080 to the nginx docker containerPREROUTING_CUST -i eth0 -p tcp -s 0.0.0.0/0 --dport 9080 -j DNAT --to <Container Network IP>:80

copyright 2015 21

Access Consideration: Overlay NetworkAccessing a Container from the Overlay Network does not require any Network Firewall/Security Group or VNS3 Firewall rule additions.

copyright 2015 22

Access Consideration: IPsec Remote SubnetsAccessing a Container from a remote subnet advertised behind an IPsec tunnel will either require an existing tunnel to the VNS3 Overlay Network PLUS some VNS3 forwarding firewall rules OR a tunnel negotiated between the remote subnet and the Container Network.

Option 1 - Existing Tunnel and VNS3 Firewall If you have an existing tunnel to the VNS3 Overlay Network, you can add a few VNS3 firewall forwarding rules to access any Containers you have launched.

Enter rules to port forward incoming traffic to the Container Network and Masquerade outgoing traffic off the VNS3 Manger’s public network interface.

#Let the Docker Subnet Access the Internet Via the Controllers Public IP-o eth0 -s <Controller Private IP> -j MASQUERADE

#Port forward 9080 to the nginx docker containerPREROUTING_CUST -i eth0 -p tcp -s <Remote Subnet CIDR> --dport 9080 -j DNAT --to <Container Network IP>:80

Option 2 - Remote Subnet<->Container Network IPsec tunnel Access between a remote subnet and any subset of the Container Network can be established using IPsec tunnels. Simply specify the Container Network CIDR (default of 172.0.10.0/28) as one end of the IPsec subnet configuration on both the VNS3 (Container Network is the local subnet) and the remote IPsec device (Container Network is the remote subnet).

copyright 2015 23

VNS3 Configuration Document LinksVNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration InstructionsInstructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include, initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Docker InstructionsExplains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 TroubleshootingTroubleshooting document that provides explanation issues that are more commonly experienced with VNS3.