Weaveworks company logo

Weave network driver

Built-in network drivers are great for local communication inside a single host or exposing ports. Unfortunately the built-in multi-host networking support (overlay network driver) is based on VXLAN, which is not encrypted and needs full connectivity between hosts. If you do not have a secure trusted LAN between all hosts, the weave network driver provides a great flexible and secure alternative. Just like Docker daemon, Weave also provides an embedded DNS server for automatic service discovery of containers.

A Weave 1.4.5 network consists of several Docker containers that are managed through a helper script and can be assigned to containers on demand. To build a Weave network we supply addresses of other hosts and the network will automatically (re)connect to peers when they become available.

$ wget -O /usr/local/bin/weave https://git.io/weave
$ chmod +x /usr/local/bin/weave

In case you have a strict firewall DROP policy, you must permit loopback traffic from the weave script (TCP 6784, UDP 53), inter-peer traffic to the Weave control port (TCP 6783), sleeve and fastdp data ports (UDP 6783/6784):

$ iptables -A INPUT -i lo -p tcp --dport=6784 -j ACCEPT
$ iptables -A INPUT -i lo -p udp --dport=53 -j ACCEPT
$ iptables -A INPUT -p tcp --dport=6783 -j ACCEPT
$ iptables -A INPUT -p udp --dport=6783 -j ACCEPT
$ iptables -A INPUT -p udp --dport=6784 -j ACCEPT
$ iptables-save > /etc/iptables/rules.v4

Check if manually starting the Weave network and adding configuration parameters to the docker command, works:

$ weave launch
$ weave status
$ docker $(weave config) run -it --rm debian /bin/ip addr show ethwe
38: ethwe@if39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether ea:c7:b6:f3:75:da brd ff:ff:ff:ff:ff:ff
    inet scope global ethwe
       valid_lft forever preferred_lft forever
    inet6 fe80::e8c7:b6ff:fef3:75da/64 scope link tentative 
       valid_lft forever preferred_lft forever
$ weave reset

Otherwise you may want to create Weave networks on demand (with docker network create --driver=weave mynet) and join containers to them as usual (--net=mynet).

Configure systemd service

Weave network also needs to be configure to start on boot and optionally expose host IP as a systemd service unit:

$ cat > /etc/default/weave << __EOF__
$ chmod 600 /etc/default/weave
$ cat > /etc/systemd/system/weave.service << __EOF__
Description=Weave Network

ExecStartPre=/usr/local/bin/weave launch --no-restart --connlimit \$CONNLIMIT \$PEERS
ExecStart=/usr/bin/docker attach weave
ExecStartPost=/bin/bash -c '/usr/local/bin/weave expose -h \$(hostname -s).weave.local'
ExecStop=/usr/local/bin/weave stop

$ systemctl daemon-reload && systemctl enable weave && systemctl restart weave

Check if Weave network is set up correctly:

$ weave status

        Version: 1.4.5

        Service: router
       Protocol: weave 1..2
           Name: aa:bb:f1:e5:98:a2(foo)
     Encryption: enabled
  PeerDiscovery: enabled
        Targets: 2
    Connections: 3 (2 established, 1 retrying)
          Peers: 3 (with 6 established connections)
 TrustedSubnets: none

        Service: ipam
         Status: ready

        Service: dns
         Domain: weave.local.
            TTL: 1
        Entries: 0

        Service: proxy
        Address: unix:///var/run/weave/weave.sock

        Service: plugin
     DriverName: weave
$ weave status dns
docker-vm       weave:expose 82:a1:66:22:11:00