[DOCKER] For me: Infrastructure and network notes

Introduction

I've forgotten a lot because it has been a long time since I last dealt with networking. After a long time I reviewed it and learned more, so I'm noting the contents here. If I've made a mistake or you have any advice, I'd appreciate it if you would kindly tell me ~

TCP

Thanks to L3, it is possible to send packets to the other party, but the sender does not know whether they actually arrived. TCP is the protocol whose rules make the other party report "your packet arrived!" when it receives one (details omitted).

You need to specify a PORT number when sending a packet. In the case of TCP the requester also has to receive packets from the other party, so the requester specifies the PORT number it uses for this communication as well. The source PORT number is selected from the dynamic/private port range (49152–65535). In other words, unless you do something special, more than 65535-49152 = 16383 simultaneous TCP connections to the outside from one host are basically impossible, because the outbound port numbers run out. A source PORT is also required for UDP.

ARP

http://www5e.biglobe.ne.jp/aji/3min/26.html

ARP is an L3 protocol: by broadcasting an ARP Request, you receive an ARP Reply containing the MAC address for the IP address named in the request. Using this, packets can be delivered even when the ARP table has no entry for the destination MAC address.

ARP use case (part 4)

If a host whose static IP address was set manually has never communicated externally, its MAC address is not recorded in the ARP table of the bridge or router. In that situation the router uses ARP to find the MAC address for the destination IP of the packet it received.

firewall

Often only port 80 is opened on a firewall. If in that case every packet to a port other than 80 is simply dropped, packets coming back to the dynamic port numbers are discarded as well, and the host can no longer communicate as a TCP client. So, naturally, the security considerations and settings differ between inbound and outbound. By the way, in the case of UDP there is no need to reserve a dynamic port for the response, so a client that is guaranteed to make only UDP requests can send data out even if all inbound ports are closed.
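As an added illustration (not from the original notes), here is the naive "only port 80" ruleset next to a stateful one that also accepts the replies of connections the host itself opened. The run wrapper and the interface names are assumptions; with DRY_RUN=1 the iptables commands are printed instead of applied, so the two rulesets can be compared without root.

```shell
# Added example (not from the original notes): the naive "only port 80"
# ruleset next to a stateful one. Interface names and the run wrapper are
# assumptions; DRY_RUN=1 prints the iptables commands instead of applying
# them, so the two rulesets can be compared without root.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Naive: accept TCP/80 in, drop everything else on INPUT. Outbound
# connections still leave (OUTPUT is not filtered), but their replies
# come back to a dynamic port (49152-65535), hit INPUT and are dropped:
# the host can serve port 80 but can no longer act as a TCP client.
naive_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -p tcp --dport 80 -j ACCEPT
}

# Stateful: connection tracking admits packets belonging to a connection
# this host opened (ESTABLISHED) or related to one (RELATED, e.g. ICMP
# errors), so inbound stays limited to port 80 while outbound TCP works.
stateful_rules() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
}

# Check (no root needed): does a ruleset admit return traffic?
admits_return_traffic() {
    ( DRY_RUN=1; "$1" ) | grep -q -- '--ctstate ESTABLISHED,RELATED'
}

case "${1:-}" in naive) naive_rules ;; stateful) stateful_rules ;; esac
```

Run as root with "sh fw.sh stateful" to apply the stateful ruleset; "DRY_RUN=1 sh fw.sh stateful" only lists the rules.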

NIC

eth0 is the 0th NIC and eth1 is the 1st NIC; basically it's fine to think of ethN as a NIC. When sending a packet to the physical layer, you send it to eth, and eth sends it to its peer. (A NIC is connected through an Ethernet cable etc. to a paired NIC on a bridge, router or the like; that pair is called the peer.)

Router creation concept

http://redhatlinux.kt.fc2.com/cont/router.htm This site is detailed. If you don't know how to read route -n, take a look at it. See also https://xtech.nikkei.com/it/article/COLUMN/20080520/303086/ and http://linux.kororo.jp/cont/intro/dgate.php

The simplest router, setting aside route convergence, can be realized with IP forwarding alone, a feature that sends packets received on one NIC out through another NIC. To enable IP forwarding on Linux, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf and restart the network.

ifconfig vs ip command

ifconfig is a command included in the net-tools package, as are other frequently used commands such as route, netstat and arp. The net-tools package is now deprecated.

How to make a virtual bridge

A bridge can be created with any of the following:

Real devices such as eth0 and virtual devices such as veth can be connected to the bridge.

How to create a virtual network

If you create a virtual NIC and connect it to a virtual bridge, you get a virtual private network.

However, as it stands, the private network cannot communicate with the Internet. If you connected it directly to eth0, eth0 would be occupied, and hosts that do not belong to the private network could no longer reach the Internet. So instead this is done with iptables and IP masquerading. Conversely, if you delete the IP masquerade setting of a bridge such as Docker's, it is completely cut off from the network.

ip masquerade (NAPT)

IP masquerade is configured with iptables. Besides the NAPT function, iptables also gives you port forwarding and security (packet filtering).

port forward

https://qiita.com/Ayaka14/items/449e2236af4b8c2beb81 Like this, you can also do it with iptables: packets arriving at a specific port can be forwarded to a specific port of a specific IP address. It can be used as a proxy for L2. It can also be used to connect network segments, and by connecting network segments you can build a VXLAN.
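The whole procedure from the sections above (virtual bridge, virtual NIC, IP forwarding, IP masquerade and a port forward) as one script. This is an added example, not code from the original notes; the bridge name, addresses, namespace name and eth0 as the Internet-facing NIC are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
# Added example (not from the original notes): a private segment behind
# a Linux bridge, given Internet access with IP forwarding + MASQUERADE,
# plus one DNAT port forward. All names and addresses are assumptions.
# DRY_RUN=1 prints the commands instead of running them (no root needed).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
BR=br-priv             # virtual bridge
SUBNET=10.200.0.0/24   # private segment behind it
GW=10.200.0.1          # bridge address, default gateway of the segment
WAN=eth0               # NIC that reaches the Internet

# 1. The bridge, carrying the gateway address.
make_bridge() {
    run ip link add "$BR" type bridge
    run ip addr add "$GW/24" dev "$BR"
    run ip link set "$BR" up
}

# 2. A "host" as a network namespace: one end of a veth pair inside it,
#    the peer end plugged into the bridge.   $1 = name, $2 = address
add_host() {
    run ip netns add "$1"
    run ip link add "veth-$1" type veth peer name "veth-$1-br"
    run ip link set "veth-$1" netns "$1"
    run ip link set "veth-$1-br" master "$BR" up
    run ip -n "$1" addr add "$2/24" dev "veth-$1"
    run ip -n "$1" link set "veth-$1" up
    run ip -n "$1" route add default via "$GW"
}
# 3. Route between bridge and eth0; NAPT rewrites private source addresses
#    to eth0's. Deleting the MASQUERADE rule cuts the segment off again.
enable_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$WAN" -j MASQUERADE
    run iptables -A FORWARD -i "$BR" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$BR" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 4. Port forward: TCP arriving on eth0 port $1 goes to $2:$3 inside.
forward_port() {
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$2:$3"
    run iptables -A FORWARD -i "$WAN" -o "$BR" -p tcp -d "$2" --dport "$3" -m conntrack --ctstate NEW -j ACCEPT
}

build_private_net() {
    make_bridge
    add_host web 10.200.0.10
    enable_nat
    forward_port 8080 10.200.0.10 80   # host:8080 -> web:80
}
if [ "${1:-}" = apply ]; then build_private_net; fi
```

Run "sh net.sh apply" as root to build the segment, or "DRY_RUN=1 sh net.sh apply" to review the 16 commands it would issue.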

VXLAN

https://tech.uzabase.com/entry/2017/08/23/175813 This site is detailed.

Redundancy

Since we want to place a single microservice on multiple hosts, basically for fault tolerance, we deploy one microservice across multiple network segments.

Impressions of VXLAN

After all, it felt like a routing setting. It feels like various special names, such as "port forward", are given to the configuration of specific items of routing.

VRRP

When scaling out an application, a load balancer is placed in front to distribute the requests. However, a single load balancer is a single point of failure. Therefore, to make the load balancer redundant, keepalived or similar software that implements VRRP is used. With this, multiple hosts are given the same virtual IP and virtual MAC address (derived from the virtual IP), and if the host with the highest priority has not been heard from for 3 seconds, the waiting host with the next highest priority becomes the holder of that IP and MAC and handles the requests. For more information on how the VRRP protocol works, see this article or google it.
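A keepalived configuration for the two-node setup described above, as an added example (not from the original notes): the interface, virtual router id, virtual IP and the password placeholder are assumptions.

```shell
# Added example (not from the original notes): keepalived configuration
# for two load balancers sharing one virtual IP via VRRP. Interface,
# router id, VIP and the password placeholder are assumptions.
IFACE=eth0
VRID=51
VIP=192.0.2.100/24

# Emit keepalived.conf for one node.  $1 = MASTER|BACKUP, $2 = priority.
# Each node advertises every advert_int seconds; when a BACKUP misses
# about 3 * advert_int seconds of advertisements from the higher-priority
# node it takes over the VIP and announces it with gratuitous ARP.
keepalived_conf() {
    cat <<EOF
vrrp_instance VI_1 {
    state $1
    interface $IFACE
    virtual_router_id $VRID
    priority $2
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass PLACEHOLDER
    }
    virtual_ipaddress {
        $VIP
    }
}
EOF
}

# Read one field back out of a generated config (for sanity checks).
conf_field() { keepalived_conf "$1" "$2" | awk -v k="$3" '$1 == k { print $2 }'; }

# Write both nodes' files: the higher priority holds the VIP while it is up.
write_node_confs() {   # $1 = output directory
    keepalived_conf MASTER 150 > "$1/keepalived-lb1.conf"
    keepalived_conf BACKUP 100 > "$1/keepalived-lb2.conf"
}
```

Copy each file to /etc/keepalived/keepalived.conf on its node; both nodes must share virtual_router_id, the VIP and the password, and differ only in state and priority.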

Notes for MySQL Master Slave configuration

In a Master/Slave configuration, HAProxy is the major proxy for load balancing to master or slave by looking at the contents of the query. Alternatively, with client-side load balancing, a series of queries that includes an update is issued to the Master, and read-only queries are passed to a Slave. In that case there are various methods of load balancing across Slaves, but a redundant load balancer built from NGINX's TCP load balancer + keepalived seems good; it can be done and it seems simple.
