aar's log
Alles wat aar zoal meemaakt

4047Graphing Docker networks

posted by on januari 22nd, 2017

On fully containerized systems, the actual network configuration can become a bit fuzzy and I’ve been looking for a way to graph the setup.
The solution for me is to generate a ‘dot’ input file for Graphviz.

This example shows the setup of a real world production Docker host using these kinds of networks:

  • The default ‘bridge’ that all containers use for external traffic
  • A dedicated database network for www-database pairs and hosts sharing a single database
  • One common network, connecting all (MySQL) database containers to a phpMyAdmin container
  • One common network connecting all WWW containers to the main Proxy container
  • A few others, connecting related containers for email, monitoring, etc.

The generated graph looks like this (please enlarge!:

The code for this graph is generated by a simple shell script:

#!/bin/bash
# Generate a network graph from Docker network configuration information using graphviz
# Install Graphviz on your docker host and simply run this script. BASEDIR can be changed.
# Arie Jan Kraai, 2017
# This version reverses the pair when the default bridge called "bridge" is involved.

BASEDIR=${HOME}
DNOW=$(date +%Y%m%d)
OFILE=${BASEDIR}/$(uname -n)_${DNOW}.dot

mkdir -p ${BASEDIR}
echo "// Networks on Docker host $(uname -n) ${DNOW}" > ${OFILE}
echo "graph \"$(uname -n)_${DNOW}\" {" >> ${OFILE}
echo -e "\tratio=\"0.4\"" >> ${OFILE}

for DNETW in $(docker network ls |grep bridge |awk '{ print $2 }'); do
	echo "" >> ${OFILE}
	# List the network name and set attributes
	echo -e "\t//Network ${DNETW}" >> ${OFILE}
	if [ ${DNETW} = "bridge" ]; then
	  echo -e "\t\t\"${DNETW}\" [shape=doubleoctagon];" >> ${OFILE}
	    else
	  echo -e "\t\t\"${DNETW}\" [shape=octagon];" >> ${OFILE}
	fi

	# Create the edges per network
	docker network inspect ${DNETW} |grep "\"Name\"" |while read HOSTLINE; do
		HNAME=$(echo ${HOSTLINE} | cut -d'"' -f4)
		if [ ${HNAME} != ${DNETW} ]; then
			if [ ${DNETW} = "bridge" ]; then
			  echo -e "\t\t\"${HNAME}\"\t--\t\"${DNETW}\";" >> ${OFILE}
			    else
			  echo -e "\t\t\"${DNETW}\"\t--\t\"${HNAME}\";" >> ${OFILE}
			fi
		fi
	done
done
echo "}" >> ${OFILE}

# Generate the graph
dot -Tpng ${OFILE} -o $(echo ${OFILE} |cut -d'.' -f1).png

This at least helps a little bit to untangle rather complex production Docker networks. The only thing missing in the overview are dedicated firewall rules, like the one redirecting all outgoing SMTP traffic back into the email container for checking and sending.

This entry was posted on zondag, januari 22nd, 2017 at 14:23 and is categorized in IT, TechStuff. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

 

2 Responses

001: Burhan Irmikci,

januari 31st, 2017 at 03:06

you can build an image from a dockerfile in which you’ll install graphviz and add this script along with the docker-client binary. it will surely make this setup a lot easier to run on any machine having docker installed when all the dependencies are included in the image. the only thing you then need to do will be create a container from that image which also bind-mounts the docker unix socket from host to allow the docker-client binary running inside it to communicate with docker daemon.

002: Aar,

februari 5th, 2017 at 13:25

Merhaba Burhan,

Sounds like a very good idea; I’ll give it a try soon!

 

Geef een reactie

Je e-mailadres wordt niet gepubliceerd. Vereiste velden zijn gemarkeerd met *

Time limit is exhausted. Please reload CAPTCHA.