simple example of docker client/server network

Author: Craig Ringer

docker/network_partition/Dockerfile

@@ -0,0 +1,7 @@
+FROM debian:10
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get -y update && \
+    apt-get -y install iproute2 socat iptables
+ADD server /usr/local/bin/server
+ADD client /usr/local/bin/client
+RUN chmod a+x /usr/local/bin/server /usr/local/bin/client

docker/network_partition/README.md

@@ -0,0 +1,85 @@
+A demo of docker networking between containers with ability to isolate
+communication between the nodes while not granting excessive priviliges.
+
+Uses user defined locally scoped bridge network.
+
+## Run the demo
+
+Run with
+
+    docker-compose up
+
+You'll see chatter between the nodes on stderr. Now you can mess with their
+networking externally using the methods below.
+
+## Detach and attach containers
+
+To break connectivity:
+
+    docker disconnect unstable network_partition_client_1
+
+to resume connectivity
+
+    docker connect unstable network_partition_client_1
+
+This will make the containers nonroutable. If there are existing TCP
+connections they won't break straight away, they'll keep retrying until their
+timeouts are hit, and they'll buffer sent data for retry.
+
+## Messing with connectivity using iptables
+
+You can use iptables within each container. Because each container has its own
+network namespace, this won't mess up the host's iptables rules.
+
+Within either container, it's possible to do things like:
+
+    # blackhole from other container
+    iptables -A INPUT -s client -j DROP
+
+    # delete blackhole
+    iptables -D INPUT 1
+
+    # send TCP RST for other container
+    iptables -A INPUT -s client -j DROP
+
+    # restore connectivity
+    iptables -D INPUT 1
+
+You can run this with `docker exec` e.g.
+
+    docker exec network_partition_client_1 iptables -A INPUT -s server -j DROP
+
+## Docker-compose not required
+
+Example uses docker compose, but it's simple to do with plain docker using the
+`docker network create` command and the `--network` and `--cap-add NET_ADMIN`
+flags to `docker run`.
+
+e.g.
+
+    docker build -t net-demo .
+
+    docker network create unstable
+
+    docker run \
+        --detach -n network_partition_client_1 \
+        --entrypoint /usr/local/bin/client \
+        --network unstable \
+        net-demo
+
+    docker run \
+        --detach -n network_partition_server_1 \
+        --entrypoint /usr/local/bin/server \
+        --network unstable \
+        net-demo
+
+## Note on docker and network namespaces
+
+Docker uses network namespaces, but `ip netns` won't see them. Docker tracks it
+in `/var/run/docker/netns` but `ip netns` tracks them in `/var/run/netns`.
+
+You can hack around this with 
+
+    sudo rmdir /var/run/netns
+    sudo ln -s /var/run/docker/netns /var/run/netns
+

docker/network_partition/client

@@ -0,0 +1,4 @@
+#!/bin/bash
+while : ; do
+	( while : ; do date -Isec; sleep 1; done ) | socat -d -v STDIN tcp:server:9999
+done

docker/network_partition/docker-compose.yml

@@ -0,0 +1,20 @@
+version: "3.9"
+services:
+  server:
+    build: .
+    networks:
+      - unstable
+    entrypoint: /usr/local/bin/server
+    cap_add:
+      - NET_ADMIN
+  client:
+    build: .
+    networks:
+      - unstable
+    entrypoint: /usr/local/bin/client
+    cap_add:
+      - NET_ADMIN
+networks:
+  unstable:
+    name: unstable
+    driver: bridge

docker/network_partition/server

@@ -0,0 +1,4 @@
+#!/bin/bash
+while : ; do
+	socat -d -v tcp-listen:9999 stdout
+done