1
00:00:00,680 --> 00:00:02,920
‫...

2
00:00:04,600 --> 00:00:11,290
‫Requirements for this section include understanding how to start a container. Then basic TCP/IP

3
00:00:11,290 --> 00:00:16,860
‫networking concepts, such as subnets and IPs and ports and firewalls.

4
00:00:16,870 --> 00:00:21,070
‫You don't have to know all that, but it'll definitely make it a lot easier for you to understand this

5
00:00:21,070 --> 00:00:24,010
‫section which is focused on conceptual stuff,

6
00:00:24,010 --> 00:00:28,860
‫before we actually get into a bunch of the command line stuff in the next lecture.

7
00:00:29,380 --> 00:00:34,840
‫I just want to remind you about the -p option on your container run commands which exposes the

8
00:00:34,840 --> 00:00:37,000
‫port on your machine.

9
00:00:37,000 --> 00:00:41,940
‫There's actually a lot more going on in the background of Docker networking that we'll talk about.

10
00:00:42,130 --> 00:00:48,040
‫Docker has this concept of batteries included but removable which basically means that the defaults

11
00:00:48,310 --> 00:00:53,500
‫are pretty easy and common to work with, but that you can change a lot of the options under the hood.

12
00:00:54,760 --> 00:00:59,950
‫We'll quickly check out in this lecture the container port command that gives you a quick output

13
00:00:59,980 --> 00:01:04,560
‫of what ports are open for that container on your network.

14
00:01:04,810 --> 00:01:09,550
‫Then we're going to break down some of the concepts of Docker networking and virtual networks and

15
00:01:09,550 --> 00:01:11,830
‫how packets flow around the network.

16
00:01:12,280 --> 00:01:17,920
‫And we'll finish up with a network diagram showing how containers talk amongst each other and how that's

17
00:01:17,920 --> 00:01:22,690
‫different from the -p of exposing them onto the physical network.

18
00:01:24,110 --> 00:01:31,250
‫When you actually start a container, you're really in the background connecting to a particular Docker

19
00:01:31,250 --> 00:01:37,550
‫network. By default, that is the bridge network, as we'll check out in a minute. Then each one of

20
00:01:37,550 --> 00:01:44,270
‫those networks that you would connect to actually route out through a NAT firewall, which is actually

21
00:01:44,270 --> 00:01:50,750
‫the Docker daemon configuring the host IP address on its default interface so that your containers can

22
00:01:50,750 --> 00:01:55,710
‫get out to the Internet or to the rest of your network and then get back.

23
00:01:55,880 --> 00:02:02,240
‫But we don't actually need to use the -p when we have specific containers wanting to talk to each

24
00:02:02,240 --> 00:02:05,460
‫other inside our host.

25
00:02:05,490 --> 00:02:12,840
‫For example, if you had an application that had a sequel server and PHP Apache container, those two containers

26
00:02:12,930 --> 00:02:18,480
‫should be on the same network and they're able to talk to each other without actually opening their

27
00:02:18,480 --> 00:02:21,510
‫ports up to the rest of your physical network.

28
00:02:21,570 --> 00:02:28,350
‫If you had another application that was unrelated, that let's say was using Mongo and Node.js, you could

29
00:02:28,350 --> 00:02:33,870
‫create a network for that so that they could talk with each other without using the -p to expose them

30
00:02:33,870 --> 00:02:38,580
‫to the network. But they couldn't actually talk to the other network where you might have an unrelated

31
00:02:38,580 --> 00:02:40,610
‫app running.

32
00:02:40,640 --> 00:02:46,020
‫But the thing is that just about all those settings I described are actually changeable.

33
00:02:46,160 --> 00:02:53,360
‫And this brings up a good saying that Docker likes to use...that is batteries included but removable.

34
00:02:53,360 --> 00:02:57,860
‫You'll see that throughout this course that a lot of times there are defaults that just work out of

35
00:02:57,860 --> 00:02:58,390
‫the box.

36
00:02:58,400 --> 00:03:03,830
‫You don't even have to specify them. You just notice that things are configured in a sort of standard

37
00:03:03,830 --> 00:03:04,580
‫way.

38
00:03:04,580 --> 00:03:10,940
‫But a lot of these options are configurable either at runtime or even changeable after the fact. And

39
00:03:10,940 --> 00:03:14,090
‫we'll see some of that take place here when we play around with the networks.

40
00:03:14,920 --> 00:03:19,780
‫Some of the things that you can actually change would be creating multiple virtual networks, maybe one

41
00:03:19,780 --> 00:03:24,390
‫per app, or different ones based on different security requirements.

42
00:03:24,880 --> 00:03:29,140
‫You can actually, just like in the physical world, have two physical NICs on a real computer. You can

43
00:03:29,140 --> 00:03:34,150
‫actually have two virtual networks connected to one container, or you can actually have the container

44
00:03:34,150 --> 00:03:35,810
‫talk to no networks.

45
00:03:36,550 --> 00:03:41,740
‫You can skip any of the virtual network configuration that comes out of the box and actually use

46
00:03:41,740 --> 00:03:42,420
‫--

47
00:03:42,420 --> 00:03:46,350
‫net=host, and you'll lose some of the containerization benefits.

48
00:03:46,360 --> 00:03:48,980
‫But in some cases it might be required.

49
00:03:49,540 --> 00:03:54,310
‫Later on, we're actually going to get into Docker network drivers. There's this whole plugin

50
00:03:54,340 --> 00:04:01,320
‫ecosystem around Docker that extends the capabilities of Docker to a lot of third party tools.

51
00:04:01,480 --> 00:04:05,950
‫But in this case we're going to look at a couple of different Docker network drivers and how they might

52
00:04:05,950 --> 00:04:09,120
‫change up our networking and give us new abilities.

53
00:04:09,490 --> 00:04:11,750
‫This is really just scratching the surface.

54
00:04:11,780 --> 00:04:17,170
‫There's actually networking concepts throughout this course where we'll be talking about more advanced

55
00:04:17,170 --> 00:04:23,420
‫topics of multi host private networking and concepts like sub interfaces and so on.

56
00:04:23,590 --> 00:04:26,020
‫But for now, let's dive into some command line stuff.

57
00:04:29,270 --> 00:04:30,190
‫As a quick review,

58
00:04:30,200 --> 00:04:37,300
‫let's look at the -p of our container running commands...docker container run.

59
00:04:37,310 --> 00:04:49,110
‫If you remember when we first ran a container, we used the -p to expose port 80 of our Nginx.

60
00:04:50,780 --> 00:04:58,430
‫That took the left side, which is the host port, and forwards traffic from that port into the port

61
00:04:58,490 --> 00:04:59,760
‫80 of the container.

62
00:05:00,290 --> 00:05:09,460
‫If we did docker container port webhost, it actually shows this in a nice, easy format

63
00:05:09,500 --> 00:05:15,180
‫which ports are forwarding traffic to that container from the host into the container itself.

64
00:05:16,220 --> 00:05:19,020
‫We haven't talked about the IP address of the container.

65
00:05:19,270 --> 00:05:24,730
‫So you might just assume that the container is using the same IP as the host. But by default, that's

66
00:05:24,730 --> 00:05:25,650
‫not true.

67
00:05:26,020 --> 00:05:32,500
‫We can easily get the Docker IP of that container by inspecting it and we're going to use the

68
00:05:32,500 --> 00:05:40,120
‫format command, or option really, which you'll notice actually has a pretty specific format for how

69
00:05:40,120 --> 00:05:42,340
‫to filter incoming stuff.

70
00:05:42,340 --> 00:05:47,440
‫You can always use the grep command which we used earlier to filter out your text output, but the

71
00:05:47,440 --> 00:05:55,790
‫format, the --format, it's actually a little cleaner and consistent. You do two curly brackets,

72
00:05:55,790 --> 00:06:05,600
‫and then once we get used to knowing the format of the config file, we know that NetworkSettings.IP

73
00:06:05,600 --> 00:06:11,370
‫Adress is the actual node of that JSON output that we want to look at.

74
00:06:11,420 --> 00:06:16,300
‫And then webhost. Oops that means I didn't spell it right.

75
00:06:16,300 --> 00:06:17,830
‫I P A d d.

76
00:06:19,300 --> 00:06:20,900
‫And that's not what I expected.

77
00:06:20,920 --> 00:06:26,920
‫If I was going to use the IP of my host because I know my Macs on my local network, and if I do an

78
00:06:26,920 --> 00:06:33,360
‫ifconfig on my Mac, I just know that the IP address is on my home network or a 1 9 2 1 6 8 Subnet.

79
00:06:33,360 --> 00:06:37,480
‫That's interesting that they're not the same network.

80
00:06:37,600 --> 00:06:39,460
‫So why is that?

81
00:06:39,520 --> 00:06:41,950
‫Let's see if it'll make more sense if I draw it out.

82
00:06:43,670 --> 00:06:54,410
‫If my host operating system is connected to my network...this is my network...physical network. Then

83
00:06:54,410 --> 00:07:01,130
‫this is the Ethernet interface on my host machine, in my case it's my Mac.

84
00:07:01,190 --> 00:07:08,990
‫There's a little firewall in there that does several things. It blocks all incoming traffic coming

85
00:07:08,990 --> 00:07:15,230
‫in from the network so that everything is blocked by default. I would call it a firewall. Any traffic

86
00:07:15,230 --> 00:07:20,150
‫that's coming out from my containers is going to be NATed by default.

87
00:07:20,150 --> 00:07:24,990
‫It's acting like a pretty common edge firewall on a network.

88
00:07:25,100 --> 00:07:32,150
‫But there's this concept of the virtual networks, and by default, you'll see a network called bridge

89
00:07:35,700 --> 00:07:40,040
‫or docker0.

90
00:07:40,140 --> 00:07:47,210
‫When you start a new container, we'll call it C1, that container is attached to that network, that virtual

91
00:07:47,210 --> 00:07:53,630
‫network, and that virtual network is automatically attached to your Ethernet interface on your host so

92
00:07:53,630 --> 00:07:54,760
‫that it can get out.

93
00:07:55,130 --> 00:08:05,330
‫In our case, when we just launched that Nginx, we gave it a -p 80:80. That told it over

94
00:08:05,330 --> 00:08:14,470
‫here to open up port 80 on my Ethernet interface on my Mac and forward

95
00:08:14,470 --> 00:08:18,380
‫anything coming into port 80 through that virtual network

96
00:08:19,390 --> 00:08:21,470
‫to port 80 in that container.

97
00:08:21,710 --> 00:08:27,410
‫By default, when I create a second container, it's put on that same bridge network.

98
00:08:27,740 --> 00:08:32,260
‫Those two containers can talk freely back and forth on their exposed ports.

99
00:08:32,450 --> 00:08:38,810
‫Unless I specify the -p, no traffic coming into my internal networks here is going to get to

100
00:08:38,810 --> 00:08:39,800
‫my containers.

101
00:08:40,010 --> 00:08:45,830
‫I can actually create more virtual networks and call them what I want. I'm going to call this one

102
00:08:47,620 --> 00:08:57,070
‫net my app, let's say. And let's say I connect two containers here...I got MySQL.

103
00:08:58,390 --> 00:09:00,730
‫Then I got an Apache.

104
00:09:03,550 --> 00:09:05,480
‫On MySQL,

105
00:09:05,560 --> 00:09:13,110
‫I didn't open up any ports, and never specified a -p. But on the Apache one, I gave it a -p of

106
00:09:13,240 --> 00:09:19,290
‫8080:80.

107
00:09:19,540 --> 00:09:26,050
‫That would mean over here on the right, at my Ethernet interface on my host, it's going to start listening on port

108
00:09:26,080 --> 00:09:27,540
‫8080.

109
00:09:28,480 --> 00:09:35,140
‫As soon as traffic comes in to my host on port 8080, it's going to route it through down to this

110
00:09:35,140 --> 00:09:40,770
‫new virtual network I created and into that Apache server on port 80.

111
00:09:40,810 --> 00:09:46,330
‫Inside this virtual network, the Apache server is free to talk to the MySQL server over its listening

112
00:09:46,330 --> 00:09:47,180
‫port.

113
00:09:47,200 --> 00:09:53,470
‫When you think about virtual networks in Docker, and where containers belong, think about how you

114
00:09:53,470 --> 00:09:58,630
‫would put different containers in proximity to each other because they're related in their application.

115
00:09:59,200 --> 00:10:04,140
‫As you can see, these two examples, if I had a container one and a container two up top rank something different,

116
00:10:04,330 --> 00:10:09,610
‫If they're not going to be talking to the services in this network down below, then it would make sense

117
00:10:09,610 --> 00:10:12,160
‫to keep them on separate virtual networks.

118
00:10:12,160 --> 00:10:16,270
‫If they ever had to talk to each other, they would have to go through their published ports all the

119
00:10:16,270 --> 00:10:18,350
‫way out and back in.

120
00:10:18,460 --> 00:10:26,410
‫As a reminder, on any interface on your host, you can't listen on more than one port for multiple containers.

121
00:10:26,410 --> 00:10:31,710
‫So, you can't have two containers listening on the port 80 at the host level.

122
00:10:31,870 --> 00:10:33,640
‫Only one can do that.

123
00:10:33,750 --> 00:10:38,290
‫If you try to start another container, it would actually error out and say that there's already something

124
00:10:38,290 --> 00:10:43,480
‫else on that port. That's not a Docker limitation; that's just a limitation of how IP networking typically

125
00:10:43,480 --> 00:10:44,500
‫works.

126
00:10:44,500 --> 00:10:50,890
‫Just a quick recap on this section. We actually spent a lot of time on the concepts of Docker networking,

127
00:10:51,520 --> 00:10:59,980
‫including the exposing of ports on your host to the physical network using the -p. The idea of

128
00:10:59,980 --> 00:11:06,500
‫Docker focusing on sane defaults where they call it batteries included but removable.

129
00:11:06,970 --> 00:11:12,990
‫How for local dev and testing, you probably can just get by with the defaults, but everything is changeable.

130
00:11:13,450 --> 00:11:17,890
‫Then we learned about the container port command which is a quick way to look at the ports exposed

131
00:11:17,890 --> 00:11:19,760
‫for your particular containers.

132
00:11:20,560 --> 00:11:25,720
‫Then we broke down the packets moving around virtual networks and how those relate to other virtual

133
00:11:25,720 --> 00:11:29,200
‫networks, and how they get in and out of your Docker machine.

134
00:11:29,650 --> 00:11:35,470
‫So, these are all really good concepts to understand as we jump into the actual CLI stuff in the next

135
00:11:35,470 --> 00:11:36,110
‫lecture.