1 00:00:00,480 --> 00:00:05,560 Marty asks: Isn't the Docker network segmented from the host/public network?
2 00:00:05,580 --> 00:00:10,410 A co-worker seems to think that the IP range in our Docker environment might cause a conflict with our
3 00:00:10,410 --> 00:00:12,370 normal company network.
4 00:00:12,570 --> 00:00:14,180 So that's actually a great question.
5 00:00:14,190 --> 00:00:15,830 The answer to the first one is yes.
6 00:00:15,840 --> 00:00:16,630 The Dockers.
7 00:00:16,680 --> 00:00:21,820 So by default, right, you're using Docker network drivers, and the default one is bridge.
8 00:00:21,870 --> 00:00:27,060 If you're using Swarm, the default one is overlay, and of course you can use other network drivers. In
9 00:00:27,060 --> 00:00:36,050 fact, if you see me jump into here and I just do a docker
10 00:00:38,750 --> 00:00:44,170 network ls... oh, my Docker is not running.
11 00:00:47,160 --> 00:00:55,870 Oh, and look at that, there's a new version of Docker out. No, I do not want to update that today. So give
12 00:00:55,870 --> 00:00:57,220 me a minute for Docker to start.
13 00:00:57,310 --> 00:01:02,770 But there is a, there's a list of Docker network drivers that come out of the box, and you choose the
14 00:01:02,770 --> 00:01:07,370 default one, bridge driver, by just creating a docker network or not even specifying a network, and don't
15 00:01:07,380 --> 00:01:08,410 use bridge.
16 00:01:08,410 --> 00:01:13,870 Most of us in production will use other networks, like Swarm overlay, or Kubernetes will have its own
17 00:01:14,200 --> 00:01:15,600 network drivers.
18 00:01:15,640 --> 00:01:21,940 There are other ones, like host and macvlan, that you can use as well. You can technically even use none,
19 00:01:21,940 --> 00:01:28,630 which will disable networking. But the thing here is that if you're talking about the default bridge
20 00:01:28,630 --> 00:01:35,770 network, which again is probably not what you're going to use in production, that is a NAT network segment,
21 00:01:35,770 --> 00:01:41,940 so it's its own subnet range, and it's running in bridge mode, so that means it's going to NAT itself
22 00:01:41,980 --> 00:01:47,290 outside of that private subnet into your company networks.
23 00:01:47,290 --> 00:01:54,460 But even though it won't technically conflict with your net physical networks, you can't have the same
24 00:01:54,460 --> 00:01:56,490 subnets that are used outside your host.
25 00:01:56,500 --> 00:02:00,190 And that is due to just standard TCP/IP routing.
26 00:02:00,280 --> 00:02:09,340 So if you follow the IP protocol routing details, essentially, if I'm on, let's say, a 10.0.0.0 subnet
27 00:02:10,690 --> 00:02:19,900 on my Docker container inside of Docker, and then a 10 dot 0 1 subnet is used somewhere in my corporate
28 00:02:19,900 --> 00:02:25,330 network, then my container on my local machine won't know how to route to that network, because it thinks
29 00:02:25,780 --> 00:02:30,220 that that network is actually already a part of my local subnet.
30 00:02:30,280 --> 00:02:30,810 Right.
31 00:02:30,820 --> 00:02:38,350 So you can't technically have any subnet clashing anywhere in the hopping of containers around. So even
32 00:02:38,350 --> 00:02:44,110 though it technically NATs, it's still going to probably cause issues. And in fact, with some companies,
33 00:02:44,110 --> 00:02:49,930 because the Docker networks out of the box are usually 172 subnets, and sometimes companies overlap those
34 00:02:49,930 --> 00:02:55,600 subnets, and that causes a problem, which means that companies have to go into their Docker settings, for
35 00:02:55,600 --> 00:03:07,680 instance, going up here into Preferences, and they would go into the daemon config and see sir I don't
36 00:03:07,680 --> 00:03:09,690 think as a 7 that option yet
37 00:03:13,410 --> 00:03:18,160 see that one day I saw one.
38 00:03:18,180 --> 00:03:18,920 Oh, so yeah.
39 00:03:18,950 --> 00:03:21,220 So this is the default subnet right here.
40 00:03:21,260 --> 00:03:27,500 It's a little hard to see, maybe, on the screen, but it's a 192.168.65 subnet on mine, and you can
41 00:03:27,500 --> 00:03:32,690 change that, but you also may need to change other defaults inside the daemon config over here under
42 00:03:32,690 --> 00:03:38,120 Advanced, based on whether you're using Swarm overlay or using the default bridge, and so on and so forth.
43 00:03:38,120 --> 00:03:40,280 So yes, this is possible.
44 00:03:40,280 --> 00:03:46,370 And basically, if you're not sure, just test: create containers, see if you can get, maybe try to ping something
45 00:03:46,370 --> 00:03:50,540 on your network. The first way that usually people tell that this is a problem is they create containers
46 00:03:50,540 --> 00:03:56,180 on their machine and then maybe have a SQL Server or something in their data center or in a server
47 00:03:56,180 --> 00:03:57,280 closet they need to get to.
48 00:03:57,680 --> 00:04:01,840 So then they try to get from their container to that machine, and they can't connect at all.
49 00:04:01,910 --> 00:04:05,480 Give them some... depending on, you know, the application and what you're using, it might give you an error.
50 00:04:05,660 --> 00:04:10,580 So try to ping, try to do a trace route, add those utilities into a container, and see if you can trace
51 00:04:10,580 --> 00:04:16,820 route or ping to that remote IP address, because of course you, if you're not someone who's managing all
52 00:04:16,820 --> 00:04:21,220 the subnets in your company, you may not know every subnet used all around the network.
53 00:04:21,230 --> 00:04:29,750 Now, another thing is that if you're using cloud, like using AWS subnets, and your company maybe
54 00:04:29,750 --> 00:04:35,450 houses part of their infrastructure there, and you have VPN between you and AWS, then you also
55 00:04:35,450 --> 00:04:39,110 have to care about the subnets in AWS and whether those will clash as well.
56 00:04:39,110 --> 00:04:46,340 So basically, Docker subnets, even though they're NATed, aren't going to help you solve problems for getting
57 00:04:46,340 --> 00:04:50,320 packets out any more than any other subnet on your network.
58 00:04:50,330 --> 00:04:51,670 Basically, you can't use it.
59 00:04:51,770 --> 00:04:57,700 You should not, and probably can't, use two subnets the same anywhere in your network, right?
60 00:04:57,710 --> 00:05:02,000 It may, it may allow you to get packets in, because technically the packets coming in know how to get
61 00:05:02,000 --> 00:05:07,070 to your machine because you're NATed, but when you try to send packets back out, your machine might say,
62 00:05:07,070 --> 00:05:11,690 "Well, hey, I don't need to send these packets out, because that particular IP address is in my local subnet,"
63 00:05:11,840 --> 00:05:12,940 or at least it thinks it is.
64 00:05:13,070 --> 00:05:13,350 Right.
65 00:05:13,490 --> 00:05:15,840 So hope that makes sense.
66 00:05:16,220 --> 00:05:21,050 That's just sort of some of the limitations of IP subnetting, and yes, you may have to change that.