Core Networking and Storage Concepts
This section explores advanced networking patterns, storage drivers, and performance optimization techniques essential for production Docker deployments.
Advanced Networking Concepts
Network Namespaces and Isolation
# Inspect container network namespace
docker exec container ip netns list
docker exec container ls -la /proc/self/ns/
# Create container with host networking
docker run -d --name host-net --network host nginx
# Create container with no networking
docker run -d --name no-net --network none alpine sleep 3600
# Share network namespace between containers
docker run -d --name primary alpine sleep 3600
docker run -d --name secondary --network container:primary alpine sleep 3600
Custom Network Drivers
# Create macvlan network
docker network create -d macvlan \
--subnet=192.168.1.0/24 \
--gateway=192.168.1.1 \
-o parent=eth0 \
macvlan-net
# Create ipvlan network
docker network create -d ipvlan \
--subnet=192.168.2.0/24 \
--gateway=192.168.2.1 \
-o parent=eth0 \
-o ipvlan_mode=l2 \
ipvlan-net
# Use external network plugin
docker network create -d weave \
--subnet=10.32.0.0/12 \
weave-net
Network Security and Policies
# Create network with encryption (overlay)
docker network create \
--driver overlay \
--opt encrypted \
--subnet=10.0.0.0/24 \
secure-overlay
# Network with custom iptables rules
docker network create \
--driver bridge \
--opt com.docker.network.bridge.enable_icc=false \
--opt com.docker.network.bridge.enable_ip_masquerade=true \
isolated-bridge
# Container with specific security options
docker run -d --name secure-app \
--network isolated-bridge \
--security-opt no-new-privileges \
--cap-drop ALL \
--cap-add NET_BIND_SERVICE \
nginx
Advanced Storage Concepts
Storage Drivers and Backends
# Local driver with specific options
docker volume create \
--driver local \
--opt type=ext4 \
--opt device=/dev/sdb1 \
local-volume
# NFS volume
docker volume create \
--driver local \
--opt type=nfs \
--opt o=addr=192.168.1.100,rw \
--opt device=:/exports/data \
nfs-volume
# CIFS/SMB volume
docker volume create \
--driver local \
--opt type=cifs \
--opt o=username=user,password=pass,uid=1000,gid=1000 \
--opt device=//server/share \
cifs-volume
# Encrypted volume
docker volume create \
--driver local \
--opt type=ext4 \
--opt o=loop,encryption=aes256 \
encrypted-volume
Volume Plugins
# Install volume plugin
docker plugin install rexray/ebs
# Create EBS volume
docker volume create \
--driver rexray/ebs \
--opt size=10 \
--opt volumetype=gp2 \
ebs-volume
# Use cloud storage
docker volume create \
--driver rexray/s3fs \
--opt bucket=my-bucket \
--opt region=us-east-1 \
s3-volume
Storage Performance Optimization
# docker-compose.yml with optimized storage
version: '3.8'
services:
database:
image: postgres:13
volumes:
# Separate data and WAL for performance
- postgres-data:/var/lib/postgresql/data
- postgres-wal:/var/lib/postgresql/wal
# tmpfs for temporary files
- type: tmpfs
target: /tmp
tmpfs:
size: 1G
# Shared memory for PostgreSQL
- type: tmpfs
target: /dev/shm
tmpfs:
size: 2G
environment:
- POSTGRES_INITDB_WALDIR=/var/lib/postgresql/wal
redis:
image: redis:7-alpine
volumes:
- redis-data:/data
# tmpfs for Redis working directory
- type: tmpfs
target: /tmp
tmpfs:
size: 512M
command: |
redis-server
--save 900 1
--save 300 10
--save 60 10000
--dir /data
volumes:
postgres-data:
driver: local
driver_opts:
type: ext4
o: noatime,nodiratime
postgres-wal:
driver: local
driver_opts:
type: ext4
o: noatime,nodiratime,sync
redis-data:
driver: local
Network Performance and Monitoring
Network Performance Tuning
# Optimize network performance
docker run -d --name optimized-app \
--network custom-bridge \
--sysctl net.core.rmem_max=134217728 \
--sysctl net.core.wmem_max=134217728 \
--sysctl net.ipv4.tcp_rmem="4096 65536 134217728" \
--sysctl net.ipv4.tcp_wmem="4096 65536 134217728" \
--sysctl net.ipv4.tcp_congestion_control=bbr \
myapp
# Container with increased network buffers
docker run -d --name high-throughput \
--ulimit nofile=65536:65536 \
--sysctl net.core.netdev_max_backlog=5000 \
--sysctl net.core.netdev_budget=600 \
nginx
Network Monitoring
# Monitor network statistics
docker exec container cat /proc/net/dev
docker exec container ss -tuln
docker exec container netstat -i
# Network performance testing
docker run --rm --network container:target \
nicolaka/netshoot iperf3 -c server-ip
# Packet capture
docker run --rm --network container:target \
nicolaka/netshoot tcpdump -i eth0 -w capture.pcap
# Network troubleshooting toolkit
docker run -it --rm --network container:target \
nicolaka/netshoot
Storage Performance and Monitoring
Storage Performance Tuning
# High-performance storage mount
docker run -d --name fast-db \
-v fast-storage:/var/lib/mysql \
--mount type=tmpfs,destination=/tmp,tmpfs-size=1G \
--device-read-bps /dev/sda:100mb \
--device-write-bps /dev/sda:100mb \
mysql:8.0
# Storage with specific I/O scheduler
docker volume create \
--driver local \
--opt type=ext4 \
--opt o=noatime,data=writeback \
fast-volume
Storage Monitoring
# Monitor storage usage
docker system df -v
docker exec container df -h
docker exec container iostat -x 1
# Volume inspection
docker volume inspect volume-name
docker exec container lsblk
docker exec container mount | grep volume
# Storage performance testing
docker run --rm -v test-volume:/data \
alpine dd if=/dev/zero of=/data/testfile bs=1M count=1000
Multi-Host Networking
Docker Swarm Overlay Networks
# Initialize swarm
docker swarm init --advertise-addr 192.168.1.10
# Create overlay network
docker network create \
--driver overlay \
--subnet=10.0.0.0/24 \
--gateway=10.0.0.1 \
--attachable \
multi-host-net
# Deploy service on overlay network
docker service create \
--name web \
--network multi-host-net \
--replicas 3 \
nginx
# Inspect overlay network
docker network inspect multi-host-net
External Network Integration
# Connect to external network
docker network create \
--driver bridge \
--subnet=172.20.0.0/16 \
--gateway=172.20.0.1 \
--opt com.docker.network.bridge.name=docker-ext \
external-bridge
# Route traffic to external services
docker run -d --name proxy \
--network external-bridge \
-p 80:80 \
-v ./nginx.conf:/etc/nginx/nginx.conf \
nginx
Security Best Practices
Network Security
# Secure network configuration
version: '3.8'
services:
web:
image: nginx
networks:
- frontend
ports:
- "443:443"
volumes:
- ./ssl:/etc/nginx/ssl:ro
app:
image: myapp
networks:
- frontend
- backend
# No exposed ports - only accessible through nginx
db:
image: postgres:13
networks:
- backend # Isolated from frontend
volumes:
- db-data:/var/lib/postgresql/data
environment:
- POSTGRES_SSL_MODE=require
networks:
frontend:
driver: bridge
driver_opts:
com.docker.network.bridge.enable_icc: "false"
backend:
driver: bridge
internal: true # No external access
volumes:
db-data:
driver: local
driver_opts:
type: ext4
o: noatime,nodev,nosuid
Storage Security
# Encrypted volume with specific permissions
docker volume create \
--driver local \
--opt type=ext4 \
--opt o=encryption=aes256,uid=1000,gid=1000,mode=0700 \
secure-volume
# Read-only mounts for security
docker run -d --name secure-app \
-v config-volume:/app/config:ro \
-v secrets-volume:/app/secrets:ro,Z \
--read-only \
--tmpfs /tmp:noexec,nosuid,size=100m \
myapp
# SELinux labels for enhanced security
docker run -d --name selinux-app \
-v data-volume:/app/data:Z \
-v logs-volume:/app/logs:z \
--security-opt label=type:container_t \
myapp
Backup and Recovery
Network Configuration Backup
#!/bin/bash
# backup-networks.sh
# Backup network configurations
mkdir -p network-backup
for network in $(docker network ls --format "{{.Name}}" | grep -v bridge | grep -v host | grep -v none); do
docker network inspect $network > network-backup/$network.json
done
# Restore networks
for config in network-backup/*.json; do
network_name=$(basename $config .json)
# Parse JSON and recreate network
docker network create --driver $(jq -r '.[0].Driver' $config) $network_name
done
Storage Backup Strategies
#!/bin/bash
# backup-volumes.sh
# Backup volume data
backup_volume() {
local volume_name=$1
local backup_path=$2
docker run --rm \
-v $volume_name:/source:ro \
-v $backup_path:/backup \
alpine tar czf /backup/$volume_name-$(date +%Y%m%d).tar.gz -C /source .
}
# Restore volume data
restore_volume() {
local volume_name=$1
local backup_file=$2
docker run --rm \
-v $volume_name:/target \
-v $(dirname $backup_file):/backup \
alpine tar xzf /backup/$(basename $backup_file) -C /target
}
# Backup all volumes
for volume in $(docker volume ls -q); do
backup_volume $volume ./backups
done
Summary
This section covered core networking and storage concepts:
Advanced Networking
- Network Drivers: Macvlan, ipvlan, and custom network plugins
- Security Policies: Network isolation and encrypted communications
- Performance Tuning: Kernel parameters and buffer optimization
- Multi-Host: Overlay networks and external integrations
Advanced Storage
- Storage Drivers: NFS, CIFS, and cloud storage backends
- Volume Plugins: Third-party storage solutions and cloud integration
- Performance: I/O optimization and monitoring techniques
- Security: Encryption, permissions, and SELinux integration
Operational Excellence
- Monitoring: Network and storage performance metrics
- Troubleshooting: Debugging tools and techniques
- Backup/Recovery: Configuration and data protection strategies
- Security: Best practices for production deployments
Next Steps: Part 3 explores practical applications including real-world networking architectures, storage patterns, and enterprise deployment scenarios.