### Docker_network
* containers run apps that need the network to reach the internet, databases, or end users
* Types of network
* published ports
* DNS
* load balancing
* traffic flow
* logging
* [reference link](https://docs.mirantis.com/containers/v3.0/dockeree-ref-arch/index.html)

#### container network
* every container has its own IP address, ethernet interface, DNS configuration and routing table.
  + the ethernet interface can connect to a layer 2 switch, which in turn can be connected to routers and other networks
  + apps inside a container see no difference between a container network and a real server network
  + IP address management and DNS are fast and scalable
* container network architecture and models
  + Container Network Model (CNM)
    + defines the fundamental building blocks of docker networking (it is a design document)
      + defines three components
        + sandbox
          + a network namespace
            + contains the ethernet interface, IP address, DNS config, routing table and ports
          + a container is a collection of namespaces: the network namespace, a process namespace, a mount namespace for the root file system, etc.
        + endpoint
          + connects the sandbox (container) to a network (a virtual ethernet interface pair)
        + network
          + a collection of endpoints that can communicate with each other
    + the implementation of the CNM in code is Libnetwork (the network library)
      + Libnetwork does not implement everything; it relies on plugins
    + plugin drivers implement specific network topologies such as bridges and overlays
      + e.g. the bridge driver creates the virtual bridge

#### Network CLI 
* create Network
  + `docker network create -d bridge golden-gate` (bridge is the driver, golden-gate is the network name)
    + windows drivers
      + l2bridge, overlay, nat, transparent, 3rd-party
    + linux drivers
      + bridge, overlay, macvlan, ipvlan, 3rd-party
  + to list the networks
    `docker network list`
  + to inspect a specific network
    `docker inspect golden-gate`
    ```json
    [
        {
            "Name": "golden-gate",
            "Id": "7a7defdd73674d24ff9752bd3c8bcc059099a5b16ba1f3b5700f34b170a6c5c8",
            "Created": "2022-05-14T03:00:19.31605Z",
            "Scope": "local",
            "Driver": "bridge",
            "EnableIPv6": false,
            "IPAM": {
                "Driver": "default",
                "Options": {},
                "Config": [
                    {
                        "Subnet": "172.18.0.0/16",
                        "Gateway": "172.18.0.1"
                    }
                ]
            },
            "Internal": false,
            "Attachable": false,
            "Ingress": false,
            "ConfigFrom": {
                "Network": ""
            },
            "ConfigOnly": false,
            "Containers": {},
            "Options": {},
            "Labels": {}
        }
    ]
    ```

* to attach a container to the network
  `docker run -dit --name network_test --network golden-gate alpine sh`
  + then to inspect the container
    `docker inspect network_test`
* to detach the container from the network
  `docker network disconnect golden-gate network_test`
* to connect the network back
  `docker network connect golden-gate network_test`
* clean up: remove the container and the network
  `docker rm network_test -f`
  `docker network rm golden-gate`


#### Single host bridge networks
* single host, isolated network, with a bridge topology
* every network created with this driver is an 802.1d bridge network
  + also called a switch, or a layer 2 switch
  + it is a network device that lets any devices connected to it communicate with each other
    + if we connect several containers to it, the containers can talk to each other
  + scope
    + local scope means the network does not span multiple hosts
      + only containers on the same host can talk
* a new container started without explicitly attaching a network is attached to the default `bridge` network
* to check which containers are attached to a specific network, use:
  `docker network inspect bridge` (replace `bridge` with the network name)

* show that two containers connected to the default bridge network can
  + talk to each other by IP address
  + talk to the outside
  + but can not talk to each other by name
  + example (the container names are ctr1 and ctr2, respectively)
    + create two containers
      `docker run -idt --name ctr1 alpine ash`
      `docker run -idt --name ctr2 alpine ash`
    + attach to ctr1 with `docker attach ctr1`
      + `ip addr show` (make sure the IP address of ctr1 is what you expect)
    + ping ctr2 by
      + its IP address `ping -c 4 172.17.0.3` (works)
      + its container name `ping ctr2` (does not work)
    + ping the outside with `ping google.com` (works)
    
* show two containers attached to a user-created bridge network
  + create a bridge network
    `docker network create --driver bridge ps-bridge`
  + check which containers are attached
    `docker network inspect ps-bridge`
  + create two containers attached to ps-bridge
    `docker run -dit --name ctr3 --network ps-bridge alpine ash`
    `docker run -dit --name ctr4 --network ps-bridge alpine ash`
  + confirm that ctr3 and ctr4 are connected to ps-bridge
    `docker network inspect ps-bridge`
  + attach to ctr3 and
    `docker attach ctr3`
    + ping ctr4 by IP address and it works
      `ping -c 4 172.19.0.3`
    + ping ctr4 by name and it works, too
      `ping -c 4 ctr4`
    + ping google.com and it works
    + ping ctr1 by IP and by name, and neither works
      + the two bridge networks are not connected to each other
  + in a user-defined bridge network the containers are registered in docker's embedded DNS and can be found by name
    + it is recommended to connect your containers using a user-created bridge network, not the default one
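
As an added example (not from the original notes and not Docker's own code), a small Python script that parses the `docker network inspect` JSON shown in the Network CLI section and the bridge checks above: it lists which containers sit on which network, flags the ones still on the default bridge, and answers whether two containers can reach each other by name. The sample JSON is constructed; the container ids and MAC addresses are placeholders.

```python
import json

# Constructed sample of `docker network inspect bridge ps-bridge` output after the
# ctr1..ctr4 exercise above; the ids and MAC addresses are made-up placeholders.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Scope": "local",
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
     "Containers": {
         "aaaa0000": {"Name": "ctr1", "IPv4Address": "172.17.0.2/16", "MacAddress": "02:42:ac:11:00:02"},
         "bbbb0000": {"Name": "ctr2", "IPv4Address": "172.17.0.3/16", "MacAddress": "02:42:ac:11:00:03"}}},
    {"Name": "ps-bridge", "Driver": "bridge", "Scope": "local",
     "IPAM": {"Config": [{"Subnet": "172.19.0.0/16", "Gateway": "172.19.0.1"}]},
     "Containers": {
         "cccc0000": {"Name": "ctr3", "IPv4Address": "172.19.0.2/16", "MacAddress": "02:42:ac:13:00:02"},
         "dddd0000": {"Name": "ctr4", "IPv4Address": "172.19.0.3/16", "MacAddress": "02:42:ac:13:00:03"}}},
])


def summarize_networks(inspect_json):
    """Parse `docker network inspect` JSON into {network: driver, scope, subnets, containers}."""
    summary = {}
    for net in json.loads(inspect_json):
        subnets = [cfg.get("Subnet") for cfg in net.get("IPAM", {}).get("Config", [])]
        # IPv4Address carries a prefix length ("172.17.0.2/16"); keep only the address
        containers = {c["Name"]: c.get("IPv4Address", "").split("/")[0]
                      for c in net.get("Containers", {}).values()}
        summary[net["Name"]] = {"driver": net.get("Driver"), "scope": net.get("Scope"),
                                "subnets": subnets, "containers": containers}
    return summary


def containers_on_default_bridge(summary):
    """Containers still on the default `bridge` network: they get no name resolution
    and all share one L2 segment, which is why the notes recommend a user-defined bridge."""
    return sorted(summary.get("bridge", {}).get("containers", {}))


def can_resolve_by_name(summary, src, dst):
    """True when src and dst share a user-defined network: docker's embedded DNS only
    answers container names there, never on the default bridge."""
    return any(src in net["containers"] and dst in net["containers"]
               for name, net in summary.items() if name != "bridge")


if __name__ == "__main__":
    s = summarize_networks(SAMPLE_INSPECT)
    for name, net in s.items():
        print(name, net["driver"], net["subnets"], sorted(net["containers"]))
    print("still on default bridge:", containers_on_default_bridge(s))
    print("ctr3 -> ctr4 by name:", can_resolve_by_name(s, "ctr3", "ctr4"))
    print("ctr1 -> ctr2 by name:", can_resolve_by_name(s, "ctr1", "ctr2"))
```

Feed it real output with `docker network inspect $(docker network ls -q)` to audit a host in one pass.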

* show that a container can connect to multiple networks
  + connect ctr1 also to ps-bridge
    `docker network connect ps-bridge ctr1`
  + attach to ctr1 and check whether it can talk to containers on the ps-bridge network
    + attach to ctr1 (detach again with Ctrl-P Ctrl-Q)
      `docker attach ctr1`
    + make sure ctr1 is connected to both the default and the ps-bridge network
      `ip link show` (eth0 and eth1 connect to the two networks)
      `ip addr show` (two IP addresses, one per network)
  + ping ctr4 by name and it works (by IP address works, too)

* a bridge network only allows containers on the same bridge network to communicate, so on its own it is of limited use
  + one common use case is an app container that publishes a port on the host; the mapping between host port and container port is done on the bridge

#### multi-host overlay networks
* simple, scalable and secure
* containers on different hosts can talk over an overlay network (one L2 broadcast domain across hosts)
* the underlying details, the open ports and the layer 3 connectivity between hosts, are called the underlay
* if we specify the encrypt flag (`--opt encrypted`) when creating the network, all traffic on it gets encrypted