Creating and Managing Containers
Now that the containers feature and Docker are installed, the next step is to create
container instances in your environment. Before a useful container can be created to
perform a function, it’s important to understand and set up the desired network
connectivity, to enable communication to and from container instances.
Configuring Networking
To provide connectivity to the Docker Engine and its libnetwork plug-in, Windows
Server 2016 (and Windows 10) implements the Host Network Service (HNS) as part of
its servicing layer. HNS communicates with the underlying OS networking components
and creates the required objects (for example, a network compartment, which I’ll
cover shortly). libnetwork is an extensible model that lets each platform implement
its own networking stack against the underlying container host OS while exposing a
consistent management interface to the higher-level Docker management services,
allowing them to work the same way across platforms. Microsoft’s official container
networking documentation is at
https://msdn.microsoft.com/en-us/virtualization/windowscontainers/management/container_networking.
MODES OF NETWORK CONNECTIVITY
Containers are used in many scenarios. These range from single-node developer
environments that need only simple network configurations (such as NAT with port
mappings, or transparent connectivity directly to a network), through to multinode
and cloud environments that require far more complex networking. Those
configurations may use virtual networks overlaid on a physical network fabric,
together with network policies such as access control lists (ACLs) and QoS, and
load balancing between container instances.
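The following PowerShell session is an added example, not code from the book or from Microsoft, that walks through the two single-node modes named above (NAT with port mappings, and transparent) and then lists the host-side objects that back them: the Hyper-V switch, the WinNAT instance and its static port mapping, the per-container network compartment, and the hidden host vNIC. It assumes Docker for Windows containers is running on a Windows Server 2016 host with one physical NIC; the network names, the 172.20.0.0/16 subnet and the image name are constructed placeholder values.

```powershell
# Added example (not from the book): exercise NAT and transparent modes and verify
# the Windows objects behind them. Image name is a placeholder; use any Windows
# container image you have already pulled.
$Image = 'microsoft/iis'

# --- NAT mode: private subnet behind WinNAT, reachable via published host ports ---
# Subnet and network name are constructed example values.
docker network create -d nat --subnet=172.20.0.0/16 --gateway=172.20.0.1 demonat

# Publish container port 80 on host port 8080.
docker run -d --name web --network demonat -p 8080:80 $Image

# Docker's view: the port mapping and the address the container received.
docker port web
$ContainerIp = docker inspect -f '{{.NetworkSettings.Networks.demonat.IPAddress}}' web

# Windows' view of the same objects, created by Docker through HNS:
# the Hyper-V switch, the WinNAT instance and the static port mapping.
Get-VMSwitch | Select-Object Name, SwitchType
Get-NetNat | Select-Object Name, InternalIPInterfaceAddressPrefix
Get-NetNatStaticMapping |
    Select-Object Protocol, ExternalPort, InternalIPAddress, InternalPort

# Each Windows container runs in its own network compartment; compartment 1 is
# the host's default, the others belong to containers. This is the isolation
# boundary that keeps one container's sockets and interfaces out of another's view.
Get-NetCompartment | Select-Object CompartmentId, CompartmentDescription

# The host vNIC attached to a container's compartment is a hidden adapter.
Get-NetAdapter -IncludeHidden | Where-Object Name -like 'vEthernet*' |
    Select-Object Name, InterfaceDescription, Status

# Reachability: WinNAT on Windows Server 2016 does not hairpin, so from the host
# itself test the container address directly; other machines use <host>:8080.
Test-NetConnection -ComputerName $ContainerIp -Port 80 |
    Select-Object ComputerName, TcpTestSucceeded

# --- Transparent mode: containers sit directly on the physical network ---
# This creates an external switch. If this host is itself a Hyper-V VM, enable MAC
# address spoofing on its vNIC from the parent first
# (Set-VMNetworkAdapter -VMName <vm> -MacAddressSpoofing On), because every
# container presents its own MAC address on the wire.
docker network create -d transparent demotransparent
docker run -d --name web2 --network demotransparent $Image
docker exec web2 ipconfig    # address is handed out by the physical network's DHCP

# Remove the example objects.
docker rm -f web web2
docker network rm demonat demotransparent
```

Run it from an elevated PowerShell prompt. The compartment and hidden-adapter listings are the useful part for an auditor: a container whose processes appear in compartment 1, or a host vNIC that is not paired with a compartment, would mean the isolation described in this chapter is not in effect for that instance.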
To support these different levels of network configuration, and the differing
requirements of Windows containers and Hyper-V containers, a dedicated network stack
is implemented. That stack uses the Hyper-V virtual switch for all of its
connectivity to the outside world, together with other technologies such as WinNAT
and network compartments, depending on the network mode in use. Network
compartments are not container specific; they are a TCP/IP construct (which will
extend over time to other components such as NDIS and even Windows Firewall) that
isolates the contained processes in their own networking namespace, and the
container feature takes advantage of this by placing each Windows container in its
own network compartment. A host vNIC (a virtual NIC visible on the host) is added to
the compartment and connected to the virtual switch, which provides the
connectivity. A Hyper-V container instead uses a regular synthetic vmNIC (a virtual
machine NIC) that is connected to the virtual switch. The virtual switch can be
either internal or external, depending on the networking mode. However, all of the virtual