Docker: Where Does It Leave the Network Admin?

t’s the end of the year, and a good time for thinking back. I’m thinking back to a dark past long ago, when physical servers ran server operating systems, and ran applications—when those servers plugged into a switch, and each endpoint was a single server. The network team could see every device, endpoint, or switch, and could trace packets from end to end. Network admins would tell you that those were Golden Days, when troubleshooting was easy and networks were simple. Then, ten or so years ago, along came server virtualization. All of a sudden there were multiple servers on any given endpoint, and worse, the servers would move between endpoints not only at will, but mid-flow. Troubleshooting became Hard, with a capital H.

Out of this came innovations such as VMware’s dvSwitch and the Cisco 1000V distributed vSwitch. These gave network admins the tools they required to push their traces deeper into the virtualization systems and to regain the end-to-end connectivity they desired. As time progressed, the ability to mirror flows and to extend technologies such as NetFlow into the hypervisor brought the VM world back into network admins’ view. As time advanced further, network functions virtualization (NFV) moved some of the functions of the network into the hypervisor, or into VMs, but the interaction between the flows remained fairly constant. The more recent developments of overlay/underlay networks have again pushed the end-to-end traffic flows into the twilight of tunnels (encrypted or not). The two-tier network model has made troubleshooting harder again, with layer 2 networks tunneled through layer 3 switch interconnects. Now Docker is throwing another spanner in the works.

to continue reading