
all. I'm learning Docker, but I still cannot find any documentation about how the Docker ingress network connects several separate hosts.

I have 2 VMs in different datacenters and want to create a swarm cluster on them. Is it possible that the default installed ingress network makes containers on vm1 visible to containers on vm2 inside some overlay network? Or should both vm1 and vm2 be in the same local network?

Michael

2 Answers


In general, it's not recommended to span datacenters within a Swarm. You can span availability zones (datacenters in the same geo area with ~10ms or less latency), but regions should be their own Swarms. This is 100% a latency issue of inter-virtual-network traffic (overlay driver) and the Raft consensus traffic between Swarm managers. There is no hard limit on latency, but you likely don't want the complexity in a single Swarm of trying to prevent traffic in your apps from hopping back and forth between datacenters... unless the datacenters are very low latency.

For more data on this, look at the Docker Success site (search "swarm overlay" and filter to reference), as the Docker EE requirements for Swarm are generally the same as for Docker CE.

The other requirement between nodes in a Swarm is that they have ports open between each other's public IPs. Ideally, there is no NAT between nodes.

Bret Fisher
  • Can a secondary manager cluster somehow observe worker nodes across regions and take over if the primary cluster fails (i.e. not just operate independently)? What's the recommended multi-datacenter strategy? – Jared Jan 12 '19 at 04:55
  • You're fine in multiple data centers that are ~10ms from each other. This works with availability zones (different datacenters in the same region). Across regions, there is no built-in tool, though Docker Inc. demoed such a tool they are working on (for Docker Enterprise customers) at DockerCon 2018. – Bret Fisher Jan 12 '19 at 18:22

If both hosts are part of the same Docker swarm cluster, then from the perspective of Docker it does not matter that they are in different data centers. Routing between services will just work. For example, service1 on host1 will be able to access service2 in another data center. You might, however, need to account for any possibly large latencies that would occur because of the physical distance between hosts.

It is also the same story with the ingress network. It does not care that there are 2 data centers. Any swarm cluster node will participate in it and route incoming requests to the correct service/host.

Blaž Šnuderl
  • Thanks a lot for the response. But how is it possible "under the hood"? Tunnels? I cannot understand how we can route any traffic to another network without a tunnel. E.g. in ingress my container has IP 10.0.0.5; how can it see 10.0.0.6 in another datacenter, since these are RFC 1918 local addresses, which are not routable via the global network? – Michael Aug 10 '18 at 13:03
  • Yeah, I am not sure about the exact details, but I assume each Docker overlay network (https://docs.docker.com/network/network-tutorial-overlay/) that a container is attached to maps to a "virtual" Ethernet adapter inside that container. There is also some extra info provided here: https://docs.docker.com/network/overlay/. Apparently multiple Docker daemons are linked using the docker_gwbridge interface. – Blaž Šnuderl Aug 10 '18 at 17:25
  • Swarm nodes assume they can contact each other without NAT (called the "control plane") but can be on different subnets. Overlay networking encapsulates (tunnels) the application traffic (called "data plane") using IPVS so your app containers are sitting on a flat IP subnet but can find each other over much more complex networks. – Bret Fisher Jan 12 '19 at 18:28
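The tunnelling discussed in the comments above, as an added example that is not part of the original thread: Docker's overlay driver encapsulates container frames in VXLAN (UDP port 4789), so only the outer packet between the two nodes needs routable addresses while the inner frame keeps the 10.0.0.x overlay addresses. All packet bytes, MACs and node addresses below are constructed (the node IPs are RFC 5737 documentation addresses), and the function names are this example's own.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789          # IANA VXLAN port; Docker's overlay driver tunnels over UDP/4789
VXLAN_FLAG_VNI_VALID = 0x08    # VXLAN "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800


def build_inner_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed container-to-container frame: Ethernet + IPv4 header with overlay (RFC 1918) addresses."""
    # MACs are constructed placeholders, not captured from a real swarm.
    eth = bytes.fromhex("02420a000006") + bytes.fromhex("02420a000005") + struct.pack("!H", ETHERTYPE_IPV4)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ipv4


def encapsulate(node_src: str, node_dst: str, vni: int, inner: bytes) -> dict:
    """Wrap an overlay frame the way a swarm node does: outer IP/UDP to the peer node, then the VXLAN header."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return {"outer_src": node_src, "outer_dst": node_dst, "udp_dport": VXLAN_UDP_PORT, "payload": vxlan + inner}


def decapsulate(payload: bytes) -> dict:
    """Parse the VXLAN header and inner Ethernet/IPv4 headers; reject malformed input instead of guessing."""
    if len(payload) < 8 + 14 + 20:
        raise ValueError("payload too short for VXLAN + Ethernet + IPv4 headers")
    if not payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    vni = int.from_bytes(payload[4:7], "big")          # 24-bit VNI at bytes 4..6
    ethertype = struct.unpack("!H", payload[20:22])[0]  # inner Ethernet starts at offset 8
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected inner ethertype 0x{ethertype:04x}")
    ip = payload[22:42]
    if ip[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return {"vni": vni,
            "inner_src": str(ipaddress.IPv4Address(ip[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(ip[16:20]))}


def trace_overlay_hop(node_src: str, node_dst: str, vni: int, src_ip: str, dst_ip: str) -> dict:
    """Show why 10.0.0.5 can reach 10.0.0.6 in another datacenter: only the outer addresses must be routable."""
    pkt = encapsulate(node_src, node_dst, vni, build_inner_frame(src_ip, dst_ip))
    inner = decapsulate(pkt["payload"])
    return {"outer": f"{pkt['outer_src']} -> {pkt['outer_dst']} udp/{pkt['udp_dport']}",
            "inner": f"{inner['inner_src']} -> {inner['inner_dst']} vni {inner['vni']}",
            "inner_is_private": (ipaddress.ip_address(inner["inner_src"]).is_private
                                 and ipaddress.ip_address(inner["inner_dst"]).is_private)}
```

Calling `trace_overlay_hop("203.0.113.10", "198.51.100.20", 4097, "10.0.0.5", "10.0.0.6")` shows the private inner addresses riding inside a UDP/4789 packet between the two node addresses, which is also why those ports must be open between nodes and NAT in between causes trouble.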