Container Networking

By default a container can make outbound connections, but bridge networking keeps anything outside the appliance from reaching it. To make it reachable from somewhere else — the LAN, another Trustgrid node over VPN, or the internet — attach it to the network in one of three ways. This page covers those three ways plus how outbound traffic from the container leaves the appliance.

Container addresses and DNS

When a container starts, an IP address in 172.18.0.0/16 (the default container network — contact Trustgrid support if you need to change it) is assigned. By default the container’s DNS resolver points at a relay on the appliance, which lets containers running on the same appliance reach each other by container name — the name you typed into the Overview screen — instead of by IP. External lookups are forwarded upstream.

You normally don’t need to change any of this. The two relevant overrides on the Overview screen:

  • IP — pin the container to a specific address within 172.18.0.0/16. Only needed if another container has to reach this one by address rather than name.
  • DNS — point the container at a custom DNS server. Overriding this bypasses the appliance’s DNS relay, so the container can no longer resolve its sibling containers by name — only set it if you specifically need a different resolver.

Three ways to expose a container

You can use any of these, or combine them.

1. Host port mappings

A host port mapping puts the container on one of the appliance’s network interfaces — so something else on the same LAN (a workstation, another server) can reach it.

Field             Notes
Protocol          Must be set explicitly to tcp or udp. Blank or invalid values are ignored.
Host Interface    The appliance’s network interface to listen on, e.g. ens192. The list of interfaces is on the Networking → Interfaces page.
Host Port         The port to listen on.
Container Port    The port inside the container that should receive the traffic.

Use this when something on the appliance’s LAN needs to reach the container.

2. Virtual networks

Attaching a Trustgrid virtual network to a container lets it talk to other Trustgrid nodes over the VPN overlay, as if it were a peer.

Field             Notes
Virtual Network   The Trustgrid virtual network to attach.
Virtual IP        The address the container should use on that network.
Allow Outbound    When on, the container can also originate connections out onto the virtual network. When off, traffic only flows into the container.

Use this when a container needs to reach (or be reached by) other Trustgrid nodes. See the Expose a container over a virtual network tutorial for the end-to-end walkthrough.

3. Virtual interfaces

A virtual interface forwards all traffic from an appliance-level interface (typically a tunnel) directly into the container, where it shows up as one of the container’s own network interfaces.

Field             Notes
Name              The appliance-side interface to forward.
Destination       The interface name to use inside the container (e.g. eth1).

Use this when the container itself needs to manage the interface — running its own VPN client, capturing packets, that sort of thing.

Outbound traffic — where does it go?

When a container makes an outbound connection:

  • To another container on the same appliance — goes directly between them.
  • To anything else (the internet, the appliance’s LAN, an internal server) — leaves the appliance using the same network path the appliance itself uses for outbound traffic.
  • To a peer over Trustgrid VPN — only works if the container has a virtual network attachment with Allow Outbound on, or if you’ve placed it in a VRF that routes there.

VRFs

The VRF field on the Network screen lets you put the container in a specific routing context — useful for forcing all of a container’s outbound traffic out a particular tunnel, separate from the rest of the appliance. Leave it blank to use the appliance’s normal routing.

Deployment example

A web service container with three traffic paths:

  • LAN clients reach it through a port mapping on the appliance’s LAN interface.
  • Other Trustgrid nodes reach it on its virtual network address.
  • The container itself reaches the internet through the appliance’s WAN — for package updates, calling external services, etc.

      LAN client          Trustgrid peer node                       Internet
           │                       │                                   ▲
           │ port 8080             │ port 443 to 10.50.0.10            │ container
           │                       │ over the virtual network          │ outbound
           ▼                       ▼                                   │
   ┌─────────────────────┬───────────────────────────────────────────────┐
   │   LAN interface     │              WAN interface                    │
   │  192.168.100.209    │              172.16.0.10                      │
   ├─────────────────────┴───────────────────────────────────────────────┤
   │                            Trustgrid node                           │
   │                                                                     │
   │            │ NAT in          │ NAT in            ▲ NAT out          │
   │            │ (port map)      │ (virtual network) │ (to internet)    │
   │            ▼                 ▼                   │                  │
   │       ┌───────────────────────────────────────────────────┐         │
   │       │  Container nginx                                  │         │
   │       │      Container address        172.18.0.7          │         │
   │       │      Virtual-network address  10.50.0.10          │         │
   │       └───────────────────────────────────────────────────┘         │
   │                                                                     │
   └─────────────────────────────────────────────────────────────────────┘
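As an added example (not Trustgrid's own code or API), a small Python model of the rules on this page: it lints the Overview overrides and port mappings for the settings that silently disable a path, and answers where a container's outbound traffic goes according to the Outbound traffic and VRFs sections. The NGINX object mirrors the deployment example above; the interface name ens192, the virtual network name vnet-prod and container port 80 are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
CONTAINER_NET = ipaddress.ip_network("172.18.0.0/16")  # default container network per the page
@dataclass
class PortMapping:
    protocol: str         # must be "tcp" or "udp"; anything else is ignored by the appliance
    host_interface: str   # e.g. "ens192"
    host_port: int
    container_port: int
@dataclass
class VirtualNetwork:
    name: str
    virtual_ip: str
    allow_outbound: bool = False  # off: traffic only flows into the container
@dataclass
class ContainerNet:
    name: str
    ip: Optional[str] = None    # Overview "IP" override (pin within CONTAINER_NET)
    dns: Optional[str] = None   # Overview "DNS" override (bypasses the appliance relay)
    vrf: Optional[str] = None   # Network screen "VRF"
    port_mappings: List[PortMapping] = field(default_factory=list)
    virtual_networks: List[VirtualNetwork] = field(default_factory=list)

def lint(cfg: ContainerNet) -> List[str]:
    """Flag settings that silently disable one of the paths described on this page."""
    out = []
    if cfg.ip and ipaddress.ip_address(cfg.ip) not in CONTAINER_NET:
        out.append(f"ip {cfg.ip} is outside {CONTAINER_NET}")
    if cfg.dns:
        out.append("dns override set: sibling containers are no longer resolvable by name")
    for m in cfg.port_mappings:
        if m.protocol.strip().lower() not in ("tcp", "udp"):
            out.append(f"mapping {m.host_interface}:{m.host_port} has protocol {m.protocol!r}; ignored")
        elif not (0 < m.host_port < 65536 and 0 < m.container_port < 65536):
            out.append(f"mapping {m.host_interface}:{m.host_port}->{m.container_port} port out of range")
    return out

def outbound_path(cfg: ContainerNet, destination: str) -> str:
    """destination: 'sibling', 'vpn_peer' or 'other' (internet, LAN, internal server)."""
    if destination == "sibling":
        return "direct"
    if destination == "vpn_peer":
        if any(v.allow_outbound for v in cfg.virtual_networks):
            return "virtual-network"
        return f"vrf:{cfg.vrf}" if cfg.vrf else "unreachable"  # VRF only helps if it routes to the peer
    return f"vrf:{cfg.vrf}" if cfg.vrf else "appliance-default"
# Constructed model of the deployment example; "vnet-prod" and container port 80 are assumptions.
NGINX = ContainerNet("nginx", ip="172.18.0.7", port_mappings=[PortMapping("tcp", "ens192", 8080, 80)],
                     virtual_networks=[VirtualNetwork("vnet-prod", "10.50.0.10")])
```

Run lint() on a configuration before saving it in the UI; an empty list means none of the overrides or mappings will be silently dropped.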