Container Networking Interface (CNI)

CNI (Container Network Interface), a Cloud Native Computing Foundation project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins. 

namespace network

namespace network (Docker, rkt, Mesos, Kubernetes, etc.)
1. Create network namespace
2. Create bridge network/interface
3. Create veth pairs (pipe or virtual cable)
4. Attach one veth end to the namespace
5. Attach the other veth end to the bridge
6. Assign IP addresses
7. Bring the interfaces up
8. Enable NAT masquerade

If we are all solving the same networking challenges, why code and develop the same solution multiple times?

So we take all of the ideas from the different solutions and move the networking portion of each into a single program. Since this is the bridge network, we call it bridge.

Bridge Network
1. Create network namespace
2. Create bridge network/interface
3. Create veth pairs (pipe or virtual cable)
4. Attach one veth end to the namespace
5. Attach the other veth end to the bridge
6. Assign IP addresses
7. Bring the interfaces up
8. Enable NAT masquerade

We created a program that performs all the required tasks to get the container attached to a bridge network.

So, what if you want to create such a program for yourself?

What arguments and commands should it support? How do you make sure the program you create will work correctly with the runtimes? How do you know container runtimes like Kubernetes or rkt will invoke your program correctly?

So, we need a standard. That is where the Container Network Interface comes in. CNI is a set of standards that define how programs should be developed to solve networking challenges in a container runtime environment. These programs are referred to as plugins.

The Container Networking Interface (CNI) defines a set of responsibilities for container runtimes and for plugins. For the container runtime, CNI specifies that it is responsible for creating a network namespace for each container. It should then identify the networks the container must attach to. The container runtime must then invoke the plugin when a container is created, using the ADD command, and invoke the plugin again when the container is deleted, using the DEL command. CNI also specifies how a network plugin is configured in the container runtime environment, using a JSON file. On the plugin side, it defines that the plugin should support the ADD, DEL and CHECK commands, and that these should accept parameters such as the container ID and the network namespace. The plugin should take care of assigning IP addresses to the pods and any associated routes required for the containers to reach other containers in the network. The results should be returned in a particular format.
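Putting that contract together with the eight-step list from the two sections above, here is a minimal plugin-side skeleton as an added example (my code for this page, not code from the CNI project or from the page's author). It performs steps 2 to 8 and leaves step 1, creating the namespace, to the runtime as the spec requires. It assumes a runtime that bind-mounts the container's namespace under /var/run/netns (as in the docker example further down), a config carrying a `bridge` name and an `ipam` subnet/gateway, and the `ip` and `iptables` tools on the host. The names `plan_add`, `plan_del`, `execute`, `allocate_ip` and the `mybridge` plugin type are my own.

```python
import ipaddress
import json
import os
import subprocess
import sys

CNI_VERSION = "1.0.0"

# Constructed sample network config, as the runtime would pass it on stdin.
SAMPLE_CONF = {
    "cniVersion": CNI_VERSION, "name": "mynet", "type": "mybridge", "bridge": "cni0",
    "ipam": {"subnet": "10.244.0.0/24", "gateway": "10.244.0.1"},
}

def allocate_ip(subnet, gateway, in_use=()):
    """Step 6 (IPAM): hand out the first host address that is not taken."""
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(a) for a in (gateway, *in_use)}
    for host in net.hosts():
        if host not in taken:
            return f"{host}/{net.prefixlen}"
    raise RuntimeError(f"no free addresses in {subnet}")

def plan_add(container_id, netns_path, ifname, conf, in_use=()):
    """Steps 2-8 as (argv, must_succeed) pairs plus the CNI result dict.
    Step 1 (creating the namespace) is the runtime's job: the plugin only
    receives the namespace path in CNI_NETNS."""
    bridge, ipam = conf.get("bridge", "cni0"), conf["ipam"]
    subnet, gateway = ipam["subnet"], ipam["gateway"]
    prefix = subnet.split("/")[1]
    address = allocate_ip(subnet, gateway, in_use)
    host_veth = "veth" + container_id[:8]  # host end of the pair (<= 15 chars)
    # ASSUMPTION: the runtime bind-mounted the namespace under /var/run/netns,
    # so its basename is a name that `ip -n` understands.
    ns = os.path.basename(netns_path)
    cmds = [
        (["ip", "link", "add", bridge, "type", "bridge"], False),  # 2: may exist already
        (["ip", "addr", "replace", f"{gateway}/{prefix}", "dev", bridge], True),
        (["ip", "link", "add", host_veth, "type", "veth", "peer", "name", ifname], True),  # 3
        (["ip", "link", "set", ifname, "netns", ns], True),  # 4
        (["ip", "link", "set", host_veth, "master", bridge], True),  # 5
        (["ip", "-n", ns, "addr", "add", address, "dev", ifname], True),  # 6
        (["ip", "link", "set", bridge, "up"], True),  # 7
        (["ip", "link", "set", host_veth, "up"], True),
        (["ip", "-n", ns, "link", "set", ifname, "up"], True),
        (["ip", "-n", ns, "route", "add", "default", "via", gateway], True),
        (["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", subnet,  # 8
          "!", "-o", bridge, "-j", "MASQUERADE"], True),
    ]
    result = {  # the success result format the spec requires on stdout
        "cniVersion": CNI_VERSION,
        "interfaces": [{"name": ifname, "sandbox": netns_path}],
        "ips": [{"address": address, "gateway": gateway, "interface": 0}],
        "routes": [{"dst": "0.0.0.0/0"}],
    }
    return cmds, result

def plan_del(container_id):
    """DEL: deleting the host end of a veth pair removes both ends."""
    return [(["ip", "link", "del", "veth" + container_id[:8]], False)]

def execute(cmds):
    """Run the planned commands (needs root); optional ones may fail."""
    for argv, must_succeed in cmds:
        subprocess.run(argv, check=must_succeed)

def error(code, msg):
    """Error result format: a JSON object with a spec error code on stdout."""
    print(json.dumps({"cniVersion": CNI_VERSION, "code": code, "msg": msg}))
    return 1

def main():
    command = os.environ.get("CNI_COMMAND")
    if command == "VERSION":
        print(json.dumps({"cniVersion": CNI_VERSION, "supportedVersions": [CNI_VERSION]}))
        return 0
    try:
        conf = json.load(sys.stdin)
        cid = os.environ["CNI_CONTAINERID"]
        netns, ifname = os.environ.get("CNI_NETNS", ""), os.environ.get("CNI_IFNAME", "eth0")
    except (KeyError, ValueError) as exc:
        return error(4, f"missing environment variable or bad config: {exc}")
    if command == "ADD":
        cmds, result = plan_add(cid, netns, ifname, conf)
        execute(cmds)
        print(json.dumps(result))
    elif command == "DEL":
        execute(plan_del(cid))
    elif command == "CHECK":
        execute([(["ip", "-n", os.path.basename(netns), "addr", "show", "dev", ifname], True)])
    else:
        return error(4, f"unsupported CNI_COMMAND {command!r}")
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

A runtime invokes it with the parameters in the environment and the config on stdin, for example `CNI_COMMAND=ADD CNI_CONTAINERID=3e2fa894edf0 CNI_NETNS=/var/run/netns/3e2fa894edf0 CNI_IFNAME=eth0 ./mybridge < mynet.conf`. `plan_add` only returns the command list, so the plan can be inspected or unit-tested without root, and because every required command runs with `check=True`, one failing `ip` or `iptables` call aborts the ADD instead of leaving a half-attached container behind.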

Any runtime should be able to work with any plugin.

CNI comes with a set of supported plugins, such as bridge, VLAN, IPVLAN, MACVLAN and Windows. There are other plugins available from third-party organizations as well; some examples are Weave, Flannel, Cilium, VMware NSX, Calico and Infoblox. Container runtimes such as rkt, Mesos and Kubernetes implement the CNI standard.

However, Docker does not implement the Container Networking Interface.

Docker has its own standard known as CNM, the Container Network Model, which aims at solving container networking challenges in a way similar to CNI. Because of the differences between the two, CNI plugins do not natively integrate with Docker.

You cannot run a Docker container and tell Docker to use CNI with one of the CNI plugins as its network.

But you can still use CNI with Docker by doing the work yourself.

# Create the container without any network configuration,
# then manually invoke the bridge plugin yourself:
docker run --network=none nginx
bridge add 3e2fa894edf0 /var/run/netns/3e2fa894edf0

This is pretty much how Kubernetes does it.

When Kubernetes creates Docker containers, it creates them on the none network. It then invokes the configured CNI plugins, which take care of the rest of the network configuration.
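The same exchange seen from the runtime's side, as an added example (my code, not Kubernetes' or Docker's): the `bridge add <id> <netns>` line above is shorthand, because a real runtime passes the command and identifiers to the plugin as CNI_* environment variables and the network config as JSON on stdin, then reads the result back from stdout. It assumes the conventional layout of config files in /etc/cni/net.d and plugin binaries in /opt/cni/bin; `plugin_env`, `invoke_plugin`, `attach_none_network_container` and the sample config are my own, and the injectable `runner` exists only so the exchange can be exercised without a real plugin or root.

```python
import json
import os
import subprocess

# Constructed sample of a network config file a runtime would load from
# /etc/cni/net.d/. The "type" names the plugin binary to execute.
SAMPLE_NETCONF = {
    "cniVersion": "1.0.0", "name": "mynet", "type": "bridge",
    "bridge": "cni0", "isGateway": True, "ipMasq": True,
    "ipam": {"type": "host-local", "subnet": "10.244.0.0/24"},
}

def plugin_env(command, container_id, netns, ifname="eth0", cni_path="/opt/cni/bin"):
    """Environment variables the CNI spec uses to pass parameters to a plugin."""
    env = dict(os.environ)
    env.update({
        "CNI_COMMAND": command,          # ADD, DEL, CHECK or VERSION
        "CNI_CONTAINERID": container_id,
        "CNI_NETNS": netns,              # namespace the runtime created (step 1)
        "CNI_IFNAME": ifname,            # interface name to create inside it
        "CNI_PATH": cni_path,            # where the plugin finds helpers such as ipam
    })
    return env

def invoke_plugin(command, container_id, netns, netconf,
                  cni_path="/opt/cni/bin", runner=subprocess.run):
    """Execute the plugin named by netconf["type"] and return its parsed result.
    `runner` defaults to subprocess.run and is injectable for offline testing."""
    argv = [os.path.join(cni_path, netconf["type"])]
    proc = runner(argv, input=json.dumps(netconf).encode(),
                  env=plugin_env(command, container_id, netns, cni_path=cni_path),
                  capture_output=True)
    if proc.returncode != 0:
        # A failing plugin reports a JSON error object (code, msg) on stdout.
        try:
            err = json.loads(proc.stdout)
            detail = f"code {err.get('code')}: {err.get('msg')}"
        except ValueError:
            detail = proc.stderr.decode(errors="replace")
        raise RuntimeError(f"{netconf['type']} {command} failed: {detail}")
    return json.loads(proc.stdout) if proc.stdout.strip() else {}

def attach_none_network_container(container_id, pid, netconf, runner=subprocess.run):
    """What a runtime does after `docker run --network=none`: locate the
    container's network namespace through its PID (a bind mount under
    /var/run/netns, as in the example above, works just as well) and hand
    it to the plugin with ADD."""
    netns = f"/proc/{pid}/ns/net"
    return invoke_plugin("ADD", container_id, netns, netconf, runner=runner)
```

On DEL the runtime must pass the same container ID, namespace and config it used for ADD, which is why runtimes cache the config they handed to the plugin rather than re-reading /etc/cni/net.d at teardown.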
