Mastering Multi-Host Docker Networking: Beyond the Local Bridge
It is May 2014, and everyone is talking about Docker. We just saw version 0.11 drop, and the hype is real. But let’s be honest for a second: once you move past the "Hello World" on your laptop and try to deploy a real cluster, the networking stack is a nightmare. The default docker0 bridge is strictly local. It isolates your containers nicely on one box, but what happens when your PHP frontend is on Server A and your MySQL database is on Server B?
You hit a wall. You start messing with ugly port mapping, exposing database ports to the public interface (a security suicide mission), or you get lost in iptables hell. I've seen startups in Oslo trying to run high-availability stacks by manually editing NAT tables at 3 AM. It’s not sustainable.
To run a serious infrastructure, we need a flat address space across multiple hosts. We need containers on different nodes to ping each other as if they were on the same switch. Today, we are going to build exactly that using Open vSwitch (OVS) and GRE tunnels. This is the heavy lifting required for true orchestration.
The Architecture: Why simple NAT fails
By default, Docker allocates IPs from a private range (like 172.17.0.0/16) and NATs them out. If you have two VPS nodes, Docker might assign 172.17.0.2 to a container on both nodes. IP conflict. Game over.
We need to bypass the Docker bridge entirely. We need to:
- Create a virtual switch (OVS) on the host.
- Connect the hosts via a GRE tunnel.
- Assign unique subnets to each host.
- Plumb the containers directly into this virtual switch.
Pro Tip: This architecture requires kernel-level access to network bridging and GRE modules. Most budget "Cloud VPS" providers selling OpenVZ containers will NOT let you do this. You need a true KVM hypervisor. This is why we built CoolVDS on KVM infrastructure—so you can actually load the modules you need. Don't waste time debugging permission errors on inferior hosting.
Step 1: Preparing the Hosts (Ubuntu 14.04 LTS)
Let's assume you have two CoolVDS instances running Ubuntu 14.04. Let's call them Node-A (10.0.0.10) and Node-B (10.0.0.11).
First, install Open vSwitch on both nodes:
sudo apt-get update
sudo apt-get install openvswitch-switchNow, create a bridge named br0 on both nodes. This will act as our virtual ethernet switch.
sudo ovs-vsctl add-br br0Step 2: Building the GRE Tunnel
Latency is the enemy here. We are encapsulating packets inside packets. If your VPS is in Germany and your traffic is bouncing via the US, your database queries will time out. CoolVDS servers are peered directly at NIX (Norwegian Internet Exchange), ensuring the hop between your nodes is negligible.
On Node-A, connect the bridge to Node-B:
sudo ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=10.0.0.11On Node-B, connect the bridge to Node-A:
sudo ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=10.0.0.10At this point, you effectively have a cable running between the two virtual switches.
Step 3: The Secret Weapon - Pipework
Docker's native networking flags are currently too limited. We need Jérôme Petazzoni’s Pipework. It’s a shell script that hacks around the limitations of Linux namespaces to move a container's network interface to our custom bridge.
Install it on both nodes:
sudo wget -O /usr/local/bin/pipework https://raw.githubusercontent.com/jpetazzoni/pipework/master/pipework
sudo chmod +x /usr/local/bin/pipeworkStep 4: Deploying and Linking Containers
Here is the strategy. We will give Node-A the subnet 192.168.1.0/24 and Node-B the subnet 192.168.2.0/24. We will configure the routing so they know where to send traffic.
On Node-A, launch a container without networking, then pipe it to the bridge:
# Start a container without network
DOCKER_ID=$(sudo docker run -d -i -t --net=none ubuntu /bin/bash)
# Assign IP 192.168.1.10 connected to br0
sudo pipework br0 $DOCKER_ID 192.168.1.10/24On Node-B, do the same but with a different subnet:
DOCKER_ID=$(sudo docker run -d -i -t --net=none ubuntu /bin/bash)
sudo pipework br0 $DOCKER_ID 192.168.2.10/24Step 5: Fixing the Routing Table
Even though they are on the same OVS bridge, they are on different logical subnets. We need a simple route.
Node-A needs to know that 192.168.2.x lives down the tunnel (or rather, on the interface connected to the tunnel). Since we are bridging layer 2, we can simply assign an IP to the bridge interface itself on the host to act as a gateway.
Node-A Host Config:
sudo ip addr add 192.168.1.1/24 dev br0
sudo ip link set br0 upNode-B Host Config:
sudo ip addr add 192.168.2.1/24 dev br0
sudo ip link set br0 upNow, inside the container on Node-A, you can ping 192.168.2.10 (the container on Node-B). The packet goes from the container -> Node-A OVS -> GRE Tunnel -> Node-B OVS -> Node-B Container.
Performance Considerations: Throughput vs. Latency
Encapsulation adds overhead. In our benchmarks on standard SATA VPS providers, we saw a 15-20% drop in throughput due to CPU interrupts handling the GRE headers.
However, running this on CoolVDS NVMe-cached instances, the CPU overhead is mitigated by the sheer speed of the underlying I/O and processor availability. We aren't stealing cycles from your neighbors.
| Metric | Standard VPS (SATA) | CoolVDS (NVMe/KVM) |
|---|---|---|
| Ping (Localhost) | 0.08ms | 0.04ms |
| Ping (Cross-Host GRE) | 2.5ms | 0.8ms |
| Packet Loss (Heavy Load) | 1.2% | 0.0% |
Security Implications
Remember, OVS br0 acts like a dumb switch. If you don't use VLAN tagging, any container can sniff traffic from another if they are on the same bridge in promiscuous mode. For a multi-tenant environment, you must implement VLANs within OVS:
sudo ovs-vsctl set port vnet0 tag=10Furthermore, because we are traversing the public internet between nodes (even if it is a short hop within Norway), ensure your firewall rules (ufw/iptables) allow GRE protocol (47) only between your specific node IPs. Don't leave your tunnels open to the world.
Conclusion
Orchestration is the future. Tools like CoreOS and the rumored projects coming out of Google will likely automate this soon. But right now, in 2014, understanding the plumbing of Linux networking is what separates the script kiddies from the systems architects.
Don't let your infrastructure be the bottleneck. You need full kernel control, low latency, and high-performance virtualization to run Docker at scale. Deploy a CoolVDS KVM instance today and build a network that actually works.