I have mocked up the simplest possible bare metal container networking design on CoreOS stable (1068.8.0). Attached is the result. This design keeps broadcast domains small while allowing the container environment to appear as a single vlan to the physical network. It also eliminates NAT which is generally desirable. Load balancing could still be integrated and I believe microsegmentation could still be achieved with iptables. Container-to-container communication is achieved via the shortest L2 path without static routes, a routing protocol or transiting an upstream router. ARP table size is a consideration, but no more so than in vm networking. There is no vlan segmentation down to the container, but perhaps multiple bridges could be used to emulate such. I am interested in feedback: Is this a good design? Why is this a bad design? Is this design incompatible with Kubernetes or Mesos?
--
You received this message because you are subscribed to the Google Groups "CoreOS User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
As Seán already noted, this will work. The question is, to what scale. You are basically creating what at one time (I'm dating myself here) a brouter. To one side the network looks like a router, to the other a bridge. In reality you are using ARP to distribute 'routes'. As you note, you may run out of ARP table entries, as there is no aggregation of routes on the router. It also means that there is a LOT of ARPing for destinations that are really behind a router hop. You also might have issues in that ARP records don't necessarily time-out right away. So you may end up forwarding to incorrect destinations (if a server goes down and it's 'subnet' is moved somewhere else). There are fixes to that as well (like GARP), but now you have more moving parts.There are solutions to this, such as Canal (full disclosure, I'm the CTO of Tigera, the home for Canal, Calico, and co-maintainers on Flannel). With Canal, you would be either able to route or 'switch' at the networking layer, and use Calico for policy/segmentation. Either of those two configurations would meet your requirements (1 VLAN, small broadcast domains, no NAT, and segmentation). Best of all, they are all open source and widely adopted and deployed.
--
You received this message because you are subscribed to a topic in the Google Groups "CoreOS User" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/coreos-user/5ohcc39-hws/unsubscribe.
To unsubscribe from this group and all its topics, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "CoreOS User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to coreos-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Correct, containers within a pod should be cooperative and hence not conflict on ports.