github.com/imran-kn/cilium-fork@v1.6.9/Documentation/gettingstarted/docker.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 http://docs.cilium.io 6 7 .. _gsg_docker: 8 9 ******************************* 10 Cilium with Docker & libnetwork 11 ******************************* 12 13 This tutorial leverages Vagrant and VirtualBox, thus should run on any 14 operating system supported by Vagrant, including Linux, macOS, and Windows. 15 16 Step 0: Install Vagrant 17 ======================= 18 19 If you don't already have Vagrant installed, refer to the :ref:`dev_guide` for links to installation instructions for Vagrant. 20 21 Step 1: Download the Cilium Source Code 22 ======================================= 23 24 Download the latest Cilium `source code <https://github.com/cilium/cilium/archive/master.zip>`_ 25 and unzip the files. 26 27 Alternatively, if you are a developer, feel free to clone the repository: 28 29 :: 30 31 $ git clone https://github.com/cilium/cilium 32 33 Step 2: Starting the Docker + Cilium VM 34 ======================================= 35 36 Open a terminal and navigate into the top of the ``cilium`` source directory. 37 38 Then navigate into ``examples/getting-started`` and run ``vagrant up``: 39 40 :: 41 42 $ cd examples/getting-started 43 $ vagrant up 44 45 The script usually takes a few minutes depending on the speed of your internet 46 connection. Vagrant will set up a VM, install the Docker container runtime and 47 run Cilium with the help of `Docker Compose`_. When the script completes successfully, 48 it will print: 49 50 :: 51 52 ==> cilium-1: Creating cilium-kvstore 53 ==> cilium-1: Creating cilium 54 ==> cilium-1: Creating cilium-docker-plugin 55 $ 56 57 If the script exits with an error message, do not attempt to proceed with the 58 tutorial, as later steps will not work properly. Instead, contact us on the 59 `Cilium Slack channel <https://cilium.herokuapp.com>`_. 60 61 .. _`Docker Compose`: https://docs.docker.com/compose/ 62 63 Step 3: Accessing the VM 64 ======================== 65 66 After the script has successfully completed, you can log into the VM using 67 ``vagrant ssh``: 68 69 :: 70 71 $ vagrant ssh 72 73 74 All commands for the rest of the tutorial below should be run from inside this 75 Vagrant VM. If you end up disconnecting from this VM, you can always reconnect 76 in a new terminal window just by running ``vagrant ssh`` again from the Cilium 77 directory. 78 79 80 Step 4: Confirm that Cilium is Running 81 ====================================== 82 83 The Cilium agent is now running as a system service and you can interact with 84 it using the ``cilium`` CLI client. Check the status of the agent by running 85 ``cilium status``: 86 87 :: 88 89 $ cilium status 90 KVStore: Ok Consul: 172.18.0.2:8300 91 ContainerRuntime: Ok 92 Kubernetes: Disabled 93 Cilium: Ok OK 94 NodeMonitor: Listening for events on 1 CPUs with 64x4096 of shared memory 95 Cilium health daemon: Ok 96 Controller Status: 6/6 healthy 97 Proxy Status: OK, ip 10.15.28.238, port-range 10000-20000 98 Cluster health: 1/1 reachable (2018-04-05T16:08:22Z) 99 100 The status indicates that all components are operational with the Kubernetes 101 integration currently being disabled. 102 103 Step 5: Create a Docker Network of Type Cilium 104 ============================================== 105 106 Cilium integrates with local container runtimes, which in the case of this demo 107 means Docker. With Docker, native networking is handled via a component called 108 libnetwork. In order to steer Docker to request networking of a container from 109 Cilium, a container must be started with a network of driver type "cilium". 110 111 With Cilium, all containers are connected to a single logical network, with 112 isolation added not based on IP addresses but based on container labels (as we 113 will do in the steps below). So with Docker, we simply create a single network 114 named 'cilium-net' for all containers: 115 116 :: 117 118 $ docker network create --ipv6 --subnet ::1/112 --driver cilium --ipam-driver cilium cilium-net 119 120 121 Step 6: Start an Example Service with Docker 122 ============================================ 123 124 In this tutorial, we'll use a container running a simple HTTP server to 125 represent a microservice application which we will refer to as *app1*. As a result, we 126 will start this container with the label "id=app1", so we can create Cilium 127 security policies for that service. 128 129 Use the following command to start the *app1* container connected to the 130 Docker network managed by Cilium: 131 132 :: 133 134 $ docker run -d --name app1 --net cilium-net -l "id=app1" cilium/demo-httpd 135 e5723edaa2a1307e7aa7e71b4087882de0250973331bc74a37f6f80667bc5856 136 137 138 This has launched a container running an HTTP server which Cilium is now 139 managing as an :ref:`endpoint`. A Cilium endpoint is one or more application 140 containers which can be addressed by an individual IP address. 141 142 143 Step 7: Apply an L3/L4 Policy With Cilium 144 ========================================= 145 146 When using Cilium, endpoint IP addresses are irrelevant when defining security 147 policies. Instead, you can use the labels assigned to the VM to define 148 security policies, which are automatically applied to any container with that 149 label, no matter where or when it is run within a container cluster. 150 151 We'll start with an overly simple example where we create two additional 152 apps, *app2* and *app3*, and we want *app2* containers to be able 153 to reach *app1* containers, but *app3* containers should not be allowed 154 to reach *app1* containers. Additionally, we only want to allow *app1* 155 to be reachable on port 80, but no other ports. This is a simple policy that 156 filters only on IP address (network layer 3) and TCP port (network layer 4), so 157 it is often referred to as an L3/L4 network security policy. 158 159 Cilium performs stateful ''connection tracking'', meaning that if a policy allows 160 *app2* to contact *app1*, it will automatically allow return 161 packets that are part of *app1* replying to *app2* within the context 162 of the same TCP/UDP connection. 163 164 **L4 Policy with Cilium and Docker** 165 166 .. image:: images/cilium_dkr_demo_l3-l4-policy-170817.png 167 168 We can achieve that with the following Cilium policy: 169 170 .. literalinclude:: ../../examples/policies/getting-started/cilium_dkr_demo_l3-l4-policy-170817.json 171 172 Save this JSON to a file named l3_l4_policy.json in your VM, and apply the 173 policy by running: 174 175 :: 176 177 $ cilium policy import l3_l4_policy.json 178 Revision: 1 179 180 181 Step 8: Test L3/L4 Policy 182 ========================= 183 184 185 You can now launch additional containers that represent other services attempting to 186 access *app1*. Any new container with label "id=app2" will be allowed 187 to access *app1* on port 80, otherwise the network request will be dropped. 188 189 To test this out, we'll make an HTTP request to *app1* from a container 190 with the label "id=app2" : 191 192 :: 193 194 $ docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl -m 20 http://app1 195 <html><body><h1>It works!</h1></body></html> 196 197 We can see that this request was successful, as we get a valid HTTP response. 198 199 Now let's run the same HTTP request to *app1* from a container that has 200 label "id=app3": 201 202 :: 203 204 $ docker run --rm -ti --net cilium-net -l "id=app3" cilium/demo-client curl -m 10 http://app1 205 206 You will see no reply as all packets are dropped by the Cilium security policy. 207 The request will time-out after 10 seconds. 208 209 So with this we see Cilium's ability to segment containers based purely on a 210 container-level identity label. This means that the end user can apply 211 security policies without knowing anything about the IP address of the 212 container or requiring some complex mechanism to ensure that containers of a 213 particular service are assigned an IP address in a particular range. 214 215 216 Step 9: Apply and Test an L7 Policy with Cilium 217 ================================================ 218 219 In the simple scenario above, it was sufficient to either give *app2* / 220 *app3* full access to *app1's* API or no access at all. But to 221 provide the strongest security (i.e., enforce least-privilege isolation) 222 between microservices, each service that calls *app1's* API should be 223 limited to making only the set of HTTP requests it requires for legitimate 224 operation. 225 226 For example, consider a scenario where *app1* has two API calls: 227 * GET /public 228 * GET /private 229 230 Continuing with the example from above, if *app2* requires access only to 231 the GET /public API call, the L3/L4 policy alone has no visibility into the 232 HTTP requests, and therefore would allow any HTTP request from *app2* 233 (since all HTTP is over port 80). 234 235 To see this, run: 236 237 :: 238 239 $ docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl 'http://app1/public' 240 { 'val': 'this is public' } 241 242 and 243 244 :: 245 246 $ docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl 'http://app1/private' 247 { 'val': 'this is private' } 248 249 Cilium is capable of enforcing HTTP-layer (i.e., L7) policies to limit what 250 URLs *app2* is allowed to reach. Here is an example policy file that 251 extends our original policy by limiting *app2* to making only a GET /public 252 API call, but disallowing all other calls (including GET /private). 253 254 **L7 Policy with Cilium and Docker** 255 256 .. image:: images/cilium_dkr_demo_l7-policy-230817.png 257 258 The following Cilium policy file achieves this goal: 259 260 .. literalinclude:: ../../examples/policies/getting-started/cilium_dkr_demo_l7-policy-230817.json 261 262 Create a file with this contents and name it l7_aware_policy.json. Then 263 import this policy to Cilium by running: 264 265 :: 266 267 $ cilium policy delete --all 268 Revision: 2 269 $ cilium policy import l7_aware_policy.json 270 Revision: 3 271 272 :: 273 274 $ docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl -si 'http://app1/public' 275 HTTP/1.1 200 OK 276 Accept-Ranges: bytes 277 Content-Length: 28 278 Date: Tue, 31 Oct 2017 14:30:56 GMT 279 Etag: "1c-54bb868cec400" 280 Last-Modified: Mon, 27 Mar 2017 15:58:08 GMT 281 Server: Apache/2.4.25 (Unix) 282 Content-Type: text/plain; charset=utf-8 283 284 { 'val': 'this is public' } 285 286 and 287 288 :: 289 290 $ docker run --rm -ti --net cilium-net -l "id=app2" cilium/demo-client curl -si 'http://app1/private' 291 HTTP/1.1 403 Forbidden 292 Content-Type: text/plain; charset=utf-8 293 X-Content-Type-Options: nosniff 294 Date: Tue, 31 Oct 2017 14:31:09 GMT 295 Content-Length: 14 296 297 Access denied 298 299 As you can see, with Cilium L7 security policies, we are able to permit 300 *app2* to access only the required API resources on *app1*, thereby 301 implementing a "least privilege" security approach for communication between 302 microservices. 303 304 We hope you enjoyed the tutorial. Feel free to play more with the setup, read 305 the rest of the documentation, and reach out to us on the `Cilium 306 Slack channel <https://cilium.herokuapp.com>`_ with any questions! 307 308 309 Step 10: Clean-Up 310 ================= 311 312 Exit the vagrant VM by typing ``exit``. 313 314 When you are done with the setup and want to tear-down the Cilium + Docker VM, 315 and destroy all local state (e.g., the VM disk image), open a terminal in the 316 cilium/examples/getting-started directory and type: 317 318 :: 319 320 $ vagrant destroy cilium-1 321 322 You can always re-create the VM using the steps described above. 323 324 If instead you just want to shut down the VM but may use it later, 325 ``vagrant halt cilium-1`` will work, and you can start it again later.