Docker 101: Layered Architecture & Networking

A beginner’s introduction to Docker & why it’s awesome?

Published in Dev, Sec & Ops · 6 min read · Jan 1, 2020

Docker 101 is a new series that I am starting to give you guys a closer look at one of the biggest buzzwords of the DevSecOps world. This new technology has been revolutionising the way deployment takes place while easing the work for the people in the DevOps department.

I have been working very closely with the DevOps team at the organisation I currently work at. For a guy who comes from a pen-testing background, listening to the word “Docker” day in and day out became frustrating to a point where I decided to just leave security altogether for some time and get involved in the DevOps part of things.

For the past few days, I have been binge watching Docker tutorials, understanding why it is required, what its benefits are and how it saves time and resources. After putting in the work, I have realised that Docker is here to stay for a long time and how beneficial it is for everyone from development to deployment and management.

Last week I published my second article on Docker, Docker 101: Images & Dockerfiles. So, you can go back and read my previous articles on docker to have a better understanding of what I am trying to explain here.

Let’s recap!

In my previous article I explained Docker images and Dockerfiles: how to set up a Docker image and what is required to create one. The commands executed to create a Docker image need to be in sequence, and I explained why that is so. I showed how to use a Dockerfile to create these images with ease whenever you need to, without having to type the same commands over and over again.

We had our first look at Docker Images and Dockerfiles. Now that we have gone through it let’s pick up from where we dropped off in the previous article.

Layered Architecture

Docker images have a layered architecture. We already know that from the previous article, where I mentioned that an image has to be built in a sequential manner: we choose an OS first and then install the libraries and packages, not the other way around. Let me show what exactly I mean by the layered architecture.

[Figure: Layered Architecture]

The image above gives us an idea of the layered architecture. It has been divided into two different layers.

  • Image Layer ( Read Permission )

This consists of all the steps that we carry out in a particular sequence to create a Docker image, which can then be run to start up a container. Each step is carried out in sequence, together with the command required to build the image. This layer only has read permission: once we build the image, we can’t make changes in this layer. If we need to change the image we need to stop the container and then change the Dockerfile accordingly.

  • Container Layer ( Read & Write Permission )

This is the layer where we run the image to start the container and then work on it and set up services on top of it. This layer has read and write permission, so we can carry out our tasks as needed. There is one problem here: as soon as the container is destroyed, every change that we have made in this container gets erased.
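The two layers described above can be modelled in a few lines. This is an added example, not code from the original article or from Docker: the class names, file paths and contents are made up, and a plain dictionary stands in for each layer.

```python
from types import MappingProxyType

WHITEOUT = object()  # marks a path as deleted in the container layer

class Image:
    """Ordered stack of read-only layers, one per build step (path -> content)."""
    def __init__(self, *layers):
        self.layers = tuple(MappingProxyType(dict(l)) for l in layers)

class Container:
    """One writable layer on top of an image's read-only layers."""
    def __init__(self, image):
        self.image = image
        self.rw = {}  # container layer: lives and dies with the container

    def read(self, path):
        # Look in the container layer first, then image layers newest to oldest.
        for layer in (self.rw, *reversed(self.image.layers)):
            if path in layer:
                return None if layer[path] is WHITEOUT else layer[path]
        return None

    def write(self, path, content):
        self.rw[path] = content  # the image layer underneath is left untouched

    def delete(self, path):
        self.rw[path] = WHITEOUT  # hides the file; the image still contains it

def demo():
    image = Image(
        {"/etc/os-release": "ubuntu"},          # FROM: base OS comes first
        {"/usr/bin/python3": "interpreter"},    # RUN: install packages
        {"/app/app.py": "v1"},                  # COPY: application code
    )
    first = Container(image)
    first.write("/app/app.py", "hotfix")        # change made inside the container
    first.delete("/etc/os-release")
    during = (first.read("/app/app.py"), first.read("/etc/os-release"))
    second = Container(image)                   # first is destroyed, start again
    after = (second.read("/app/app.py"), second.read("/etc/os-release"))
    return during, after

if __name__ == "__main__":
    print(demo())
```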

The layers of Docker images and containers are clear to us now, but you know what is better than one Docker container? Multiple Docker containers communicating with each other. Let’s see how we can set that up.

Docker Network

So, we have seen how to properly set up one Docker container, how to use a Dockerfile for that process, and the layers that are involved. In a real-life scenario one container alone is not very useful and can’t really perform a lot of tasks. So most of the time we end up setting up more than one container, each communicating with other running containers to carry out a task.

To communicate with other containers we need to set up networking so that these containers can send and receive data. So, let’s see how many types of Docker network there are and how they work.

  • Bridge Network

Docker containers are running on a bridged network when all of them are on the same network of 172.12.0.0/16. In this way they can easily communicate between themselves.

[Figure: Bridge Network]
  • Host Network

In this scenario the Docker container’s ports are mapped to the ports of the host machine. Because we perform port mapping, no other container can use a port that is already being used by another container.

[Figure: Host Network]
  • Isolated

This is the case when a container is running on a totally different network from the other Docker containers and can’t communicate with any of them.

[Figure: Isolated Network]

Now that we know about these container networks, you might have this question on your mind: what if you wanted to set up containers on two different networks, so that they can function in isolation from each other?

Creating User defined Network

So, let’s focus on how to set up a specific network for your different Docker containers. The reason we are looking into this is that by default Docker containers are spawned in the 172.17.0.1 network. When we start setting up containers all over the place, we need to segregate them properly into networks so as to reduce confusion and have a clear boundary regarding which containers are meant to communicate with which.

docker network create \
      --driver bridge \
      --subnet 182.17.0.0/16 \
      <network-name>

This is the command to execute to create a new network. Here we can define the type of network we want it to be, like bridge, host or none. Once we have done that, we need to decide the subnet and CIDR. In the last part of the command we need to give a name to the network.

[Figure: Setting up User defined Network]
$ docker network ls
  • This will help you list all the containers and the network they are running on.
$ docker inspect <container-name>
  • This command will give you the results about the network of the container.

When it comes to Docker networking there are certain points that we must always remember:

  • All containers can resolve each other using the container name, so instead of using the IP address we should always use the container name.
  • The inbuilt DNS server always runs on the IP address 127.0.0.11.

These two things help you a lot when setting up these environments.
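To check that the segregation described above is what is actually deployed, the JSON printed by `docker network inspect` can be audited offline. The following is an added example, not part of the original article: the network names, container names and addresses are constructed, and only the fields used here are included. It flags two things worth knowing: name resolution through the embedded DNS server is a feature of user-defined networks, not of the default `bridge` network, and a subnet such as the 182.17.0.0/16 used in the command above lies outside the private address ranges, so it shadows the real hosts that own those addresses.

```python
import ipaddress
import json
from itertools import combinations

# Constructed sample in the shape printed by `docker network inspect <name>...`
# (trimmed to the fields used here). Names, IDs and addresses are made up.
SAMPLE = json.loads("""
[
 {"Name": "bridge", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]},
  "Containers": {"a1": {"Name": "legacy", "IPv4Address": "172.17.0.2/16"}}},
 {"Name": "frontend-net", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "182.17.0.0/16"}]},
  "Containers": {"b1": {"Name": "web", "IPv4Address": "182.17.0.2/16"},
                 "b2": {"Name": "api", "IPv4Address": "182.17.0.3/16"}}},
 {"Name": "backend-net", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "10.10.0.0/24"}]},
  "Containers": {"b2": {"Name": "api", "IPv4Address": "10.10.0.2/24"},
                 "c1": {"Name": "db", "IPv4Address": "10.10.0.3/24"}}}
]
""")

def audit(networks):
    """Return (findings, reachable_pairs) for a list of inspected networks."""
    findings, members = [], {}
    for net in networks:
        names = sorted(c["Name"] for c in net.get("Containers", {}).values())
        members[net["Name"]] = names
        for cfg in net.get("IPAM", {}).get("Config") or []:
            subnet = ipaddress.ip_network(cfg["Subnet"])
            if not subnet.is_private:
                findings.append(f"{net['Name']}: {subnet} is not private address space")
        if net["Name"] == "bridge" and names:
            findings.append(f"bridge: {', '.join(names)} on default network (no name resolution)")
    # Two containers can talk directly only if they share at least one network.
    reachable = set()
    for names in members.values():
        reachable.update(combinations(names, 2))
    return findings, sorted(reachable)

if __name__ == "__main__":
    findings, pairs = audit(SAMPLE)
    print(*findings, sep="\n")
    print("can reach each other:", pairs)
```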

Conclusion

This article has mainly focused on the layered architecture of Docker images: the image layer and the container layer. It has also gone through setting up the Docker network and the main types of network that exist: the bridge network, the host network and the isolated network. It also went through the steps needed to set up independent networks and the points to keep in mind while creating one. I have more articles related to Docker that I will be publishing in the upcoming week. Stay tuned for those.

If you enjoyed it please do clap & let’s collaborate. Get, Set, Hack!

Website : aditya12anand.com | Donate : paypal.me/aditya12anand
Telegram : https://t.me/aditya12anand
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : aditya12anand@protonmail.com

Credits

To present you with this content I had to go through a lot of video content and lab environments.

  1. Docker for Beginners — KodeKloud
  2. Docker for Beginners — Lab Environment
  3. Docker Tutorial for Beginners — Edureka
