Weave network driver
Built-in network drivers are great for local communication inside a single host and for exposing ports. Unfortunately the built-in multi-host networking support (the overlay network driver) is based on VXLAN, which is not encrypted and needs full connectivity between all hosts. If you do not have a secure, trusted LAN between all hosts, the weave network driver provides a flexible and secure alternative: traffic between peers can be encrypted with a shared password, and a peer that cannot reach another host directly still reaches it through the peers it is connected to. Just like the Docker daemon, Weave also provides an embedded DNS server (weaveDNS) for automatic service discovery of containers.
In Weave 1.4.5 the network is implemented by a few Docker containers (the router with its IPAM and DNS services, the Docker API proxy and the network plugin) that are managed through a helper script; application containers are attached to the network on demand. To build a Weave network we supply the addresses of the other hosts, and the router automatically (re)connects to peers as they become available.
Install the helper script on every host. It is fetched through a URL shortener and runs as root, so read it before you make it executable (or fetch a specific release from the project and verify it):
$ wget -O /usr/local/bin/weave https://git.io/weave
$ chmod +x /usr/local/bin/weave
If you run a strict firewall DROP policy, you must permit the loopback traffic used by the weave script and weaveDNS (TCP 6784 is the router's local status API, UDP 53 is DNS), inter-peer traffic to the Weave control port (TCP 6783), and the sleeve and fastdp data ports (UDP 6783 and UDP 6784). The three peer rules below accept traffic from any source; on hosts reachable from untrusted networks, add -s <peer address> to them so that only the hosts in PEERS can reach these ports. Encryption rejects peers that do not know the password, but there is no reason to let the rest of the Internet try:
$ iptables -A INPUT -i lo -p tcp --dport=6784 -j ACCEPT
$ iptables -A INPUT -i lo -p udp --dport=53 -j ACCEPT
$ iptables -A INPUT -p tcp --dport=6783 -j ACCEPT
$ iptables -A INPUT -p udp --dport=6783 -j ACCEPT
$ iptables -A INPUT -p udp --dport=6784 -j ACCEPT
$ iptables-save > /etc/iptables/rules.v4
Check that manually starting the Weave network works, and that adding the configuration parameters printed by weave config to the docker command attaches the container to it (it should get an ethwe interface with an address from the Weave range):
$ weave launch
$ weave status
$ docker $(weave config) run -it --rm debian /bin/ip addr show ethwe
38: ethwe@if39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether ea:c7:b6:f3:75:da brd ff:ff:ff:ff:ff:ff
inet 10.32.0.1/12 scope global ethwe
valid_lft forever preferred_lft forever
inet6 fe80::e8c7:b6ff:fef3:75da/64 scope link tentative
valid_lft forever preferred_lft forever
$ weave reset
Alternatively, you can create Weave networks on demand through the network plugin (docker network create --driver=weave mynet) and join containers to them as usual (--net=mynet).
Configure systemd service
The Weave network also needs to be configured to start on boot, and optionally to expose the host on the Weave network, as a systemd service unit. Its settings live in an environment file: WEAVE_PASSWORD is the shared secret that protects inter-peer traffic, so every host must carry the same value, anyone who learns it can join the network and read its traffic, and it should be a long random string (the nine-character value below is only an illustration and far too short for production); PEERS lists the addresses of the other hosts, space separated; CHECKPOINT_DISABLE stops the router from contacting Weaveworks to check for updates; WEAVE_NO_FASTDP forces the sleeve transport, which encrypted connections use anyway in this release because fast datapath cannot encrypt. The file must be readable by root only:
$ cat > /etc/default/weave << __EOF__
CHECKPOINT_DISABLE=true
CONNLIMIT=100
WEAVE_NO_FASTDP=true
WEAVE_PASSWORD="wfvAwt7sj"
PEERS="1.2.3.4"
__EOF__
$ chmod 600 /etc/default/weave
$ cat > /etc/systemd/system/weave.service << __EOF__
[Unit]
Description=Weave Network
Documentation=http://docs.weave.works/weave/latest_release/
Requires=docker.service
After=docker.service
[Service]
EnvironmentFile=-/etc/default/weave
ExecStartPre=/usr/local/bin/weave launch --no-restart --connlimit \$CONNLIMIT \$PEERS
ExecStart=/usr/bin/docker attach weave
ExecStartPost=/bin/bash -c '/usr/local/bin/weave expose -h \$(hostname -s).weave.local'
ExecStop=/usr/local/bin/weave stop
[Install]
WantedBy=multi-user.target
__EOF__
$ systemctl daemon-reload && systemctl enable weave && systemctl restart weave
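The firewall rules above open the peer ports to every source, and the environment file above carries a short hand-typed password. The following script is an added example, not code from the original page or from the Weave project: it validates the PEERS list, generates a random WEAVE_PASSWORD from /dev/urandom, prints the /etc/default/weave contents with the same settings as above, and prints iptables commands that restrict the peer ports to those addresses. The function names (valid_ipv4, gen_weave_password, render_weave_env, weave_peer_rules) and the 32-character password length are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original page or the Weave project): generate
# /etc/default/weave and peer-restricted iptables rules for the setup above.
# Helper names (valid_ipv4, gen_weave_password, render_weave_env,
# weave_peer_rules) are this example's own.
set -eu

# Accept only a well-formed dotted-quad IPv4 address (four octets, each 0-255).
# Uses plain globals (addr, octet, n) because 'local' is not POSIX.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$addr" = "$octet" ] && break
        addr=${addr#*.}
    done
    [ "$n" -eq 4 ]
}

# 32 characters from a 62-symbol alphabet (about 190 bits of entropy), read
# from the kernel CSPRNG. Alphanumeric only, so the value is safe inside the
# double quotes of the env file.
gen_weave_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Print the contents of /etc/default/weave for a space-separated peer list and
# a password. Refuses malformed peers and short passwords instead of writing a
# config that would fail to connect or weaken encryption.
render_weave_env() {
    peers=$1
    password=$2
    for p in $peers; do
        valid_ipv4 "$p" || { echo "bad peer address: $p" >&2; return 1; }
    done
    [ "${#password}" -ge 32 ] || { echo "password shorter than 32 characters" >&2; return 1; }
    printf 'CHECKPOINT_DISABLE=true\n'
    printf 'CONNLIMIT=100\n'
    printf 'WEAVE_NO_FASTDP=true\n'
    printf 'WEAVE_PASSWORD="%s"\n' "$password"
    printf 'PEERS="%s"\n' "$peers"
}

# Print iptables commands that open the peer ports (TCP 6783 control, UDP 6783
# sleeve, UDP 6784 fastdp) only to the listed peers, plus the loopback rules
# for the weave script (TCP 6784 status API) and weaveDNS (UDP 53).
weave_peer_rules() {
    for p in $1; do
        valid_ipv4 "$p" || { echo "bad peer address: $p" >&2; return 1; }
        printf 'iptables -A INPUT -s %s -p tcp --dport 6783 -j ACCEPT\n' "$p"
        printf 'iptables -A INPUT -s %s -p udp --dport 6783 -j ACCEPT\n' "$p"
        printf 'iptables -A INPUT -s %s -p udp --dport 6784 -j ACCEPT\n' "$p"
    done
    printf 'iptables -A INPUT -i lo -p tcp --dport 6784 -j ACCEPT\n'
    printf 'iptables -A INPUT -i lo -p udp --dport 53 -j ACCEPT\n'
}

# Run as "sh weave-conf.sh PEER [PEER...]" to print the env file followed by
# the firewall commands; sourced without arguments it only defines functions.
if [ "$#" -gt 0 ]; then
    render_weave_env "$*" "$(gen_weave_password)"
    echo '# firewall rules for these peers:'
    weave_peer_rules "$*"
fi
```

Typical use is to generate the password once, write the env file on the first host with render_weave_env "1.2.3.4 5.6.7.8" "$password" > /etc/default/weave, copy the same password to the other hosts with their own PEERS lists, and run the printed iptables commands before iptables-save. The script only prints; nothing is applied until you decide to.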
Check that the Weave network is set up correctly. Encryption must report enabled on every host (a peer launched without the password cannot connect to one that has it), and every address in PEERS should eventually show up as an established connection rather than a retrying one:
$ weave status
Version: 1.4.5
Service: router
Protocol: weave 1..2
Name: aa:bb:f1:e5:98:a2(foo)
Encryption: enabled
PeerDiscovery: enabled
Targets: 2
Connections: 3 (2 established, 1 retrying)
Peers: 3 (with 6 established connections)
TrustedSubnets: none
Service: ipam
Status: ready
Range: 10.32.0.0-10.47.255.255
DefaultSubnet: 10.32.0.0/12
Service: dns
Domain: weave.local.
Upstream: 1.2.3.4
TTL: 1
Entries: 0
Service: proxy
Address: unix:///var/run/weave/weave.sock
Service: plugin
DriverName: weave
$ weave status dns
docker-vm 10.45.0.0 weave:expose 82:a1:66:22:11:00