Background:

I have recently been reading up on Docker and general web infrastructure. My current understanding, as it relates to this question:

  • Each server connected to the Internet has an IP address.
  • Each server has a table mapping ports to services running on the server (one port per service).
  • If a browser requests a webpage from a server, it hits the server’s IP address (found via DNS lookup) through port 80. Once the server gets a request on port 80, it sees from its port table that port 80 maps to its running HTTP server (a service) and passes the request to that service. The HTTP server then responds with the page data, which is sent by the server back to the client.
  • The HTTP server is just one of the services running on the server, in containers spun up by Docker.

Assumptions:

  • We have a server with Docker Engine installed.
  • Docker has spun up a few replica containers, each running identical HTTP servers serving a web app.
  • We have published port 80:3000 for the web service, so Docker knows to route host requests on port 80 to port 3000 inside the container (which maps to the running HTTP server).

Question:

When the browser sends a request to the server’s IP address on port 80, how does the server know that it should route the traffic to Docker?

I get how Docker routes a request to the correct service (i.e. via published ports), but not how the server initially knows that the request should be sent to the Docker Engine. Presumably, Docker is only one of many executables running on the server.

2 Answers


  1. (This answer is going to be highly Linux-centric, since that’s the platform I have the most experience with.)

    It uses the same mechanism that any program which wants to listen to a port does.

    When a program wants to listen to a TCP port, it calls bind() to listen to the port, followed by accept4() to accept a connection.

    Docker does the same thing. When you create a container which has a published port and does not use host networking, it starts a program called docker-proxy, whose job is to listen for TCP connections, and relay them to the IP address and port of the container.

    In some circumstances, it can avoid using docker-proxy, and use nftables to forward packets to the container.

  2. Basically Docker registers as a service with the operating system to receive traffic for IP & Port combinations the containers are mapped to. It then uses its own routing logic to forward that traffic to the containers.

    It’s worth noting that servers may actually have multiple IP addresses. They may have more than one network card, each card may be connected to multiple VLANs and each VLAN connection may have several IP addresses. Docker can create a virtual network and set up a virtual router with one of the router’s IPs exposed through the host’s network cards. It can also set the server’s network card up as a bridge to extend the network virtually. This allows it to do all kinds of complex networking on behalf of the containers.

    For further information I’d suggest reading the Networking section of the Docker documentation.

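The mechanism both answers describe, as an added example that is not part of the original answers and is not Docker's own code: a process binds the published host port, the kernel hands it each accepted connection, and it relays the bytes to the container's address. The names `publish`, `relay`, `pump` and `demo` are hypothetical, and the loopback addresses and the stand-in container service are constructed for the demo.

```python
import contextlib
import socket
import threading


def pump(src, dst):
    with contextlib.suppress(OSError):  # peer already gone
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)  # pass EOF on as a half-close


def relay(client, container_addr):
    with contextlib.suppress(OSError):  # container unreachable: drop client
        with client, socket.create_connection(container_addr) as backend:
            up = threading.Thread(target=pump, args=(client, backend))
            up.start()             # client -> container
            pump(backend, client)  # container -> client
            up.join()


def publish(host_addr, container_addr):
    """Hypothetical userland port proxy: bind, accept, relay."""
    ln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ln.bind(host_addr)  # kernel now delivers this IP:port to this process
    ln.listen()
    def accept_loop():
        with contextlib.suppress(OSError):  # listener closed
            while True:
                client, _ = ln.accept()
                threading.Thread(target=relay, args=(client, container_addr)).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return ln


def demo():
    """Constructed loopback run: a stand-in container behind a published port."""
    container = socket.create_server(("127.0.0.1", 0))
    def container_side():
        with container.accept()[0] as conn:
            conn.sendall(b"hello from container")
    threading.Thread(target=container_side, daemon=True).start()
    host = publish(("127.0.0.1", 0), container.getsockname())
    with socket.create_connection(host.getsockname()) as conn:
        return b"".join(iter(lambda: conn.recv(4096), b""))


if __name__ == "__main__":
    print(demo())
```

While the listener returned by `publish()` is open, a second `bind()` to the same address fails with `EADDRINUSE`, so one process at a time receives the traffic for that IP and port.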