-1

First, I'm not good at network programming or English.

I want to create a new bridge to replace the Docker default bridge in order to limit egress bandwidth.

I tried using tc to control the container's egress bandwidth.

After several attempts, I concluded that to limit container egress bandwidth, tc must run in the container, but in my environment that is not allowed.

So I considered using openvswitch (OVS).

But creating an OVS bridge as the Docker default bridge does not work.

So I created a Docker container using the option --net=none and attached an OVS veth peer to the container. It works, but some features are restricted; for example, I cannot see net I/O in docker stats.

The main question is below.

I want to limit the container's egress bandwidth using the Docker default bridge "docker0" and OVS.

My idea is to create an OVS bridge and place it between eth0 and docker0. But I don't have the knowledge to judge whether this idea can be implemented.

Is there a possibility that this idea can be implemented?

If yes, please let me know what I should study to make this work.

If tc can also work for limiting container egress bandwidth, please teach me.

devarrns

1 Answer

1

It's possible to create any funky chain of bridges in Linux:

The trick is how to join two bridges together. There are two options:

1) Use the so-called 'patch' link type in OVS (works only between two OVS bridges). (The first article I found about this on the internet: https://blog.scottlowe.org/2012/11/27/connecting-ovs-bridges-with-patch-ports/)

2) The universal way to join any two bridges (even OVS with br-tools, or any other bridge-like things together): use veth.

Veth is a virtual ethernet interface: when you create it, it creates two interfaces at once (e.g. veth0 and veth1). All traffic coming into veth0 comes out of veth1, and all traffic coming into veth1 comes out of veth0. You can plug veth0 into your docker0 bridge and veth1 into a bridge of your choice (let's say mybridge).

Commands to do this:

ip link add type veth  # check out ip link list command to see new interfaces
ip link set up dev veth0 # names may be different
ip link set up dev veth1
ovs-vsctl add-br mybridge
ovs-vsctl add-port mybridge veth0
ovs-vsctl add-port mybridge eth0
brctl addif docker0 veth1 # I'm not sure what kind of bridge docker uses, maybe it's ovs-vsctl add-port docker0 veth1

Bonus fact: veth is a proper Linux eth interface and it can be shaped/filtered as you wish.

George Shuklin
  • Hi. I've done what you told me, but I do not know how to route packets through the bridge **mybridge**. Can I route packets through the bridge by using iptables? – devarrns Jul 31 '18 at 12:31
  • Bridges cannot route anything, they work on L2 (routing is L3). Bridges can pass ethernet frames between ports, that's all. – George Shuklin Aug 01 '18 at 12:59
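
The answer's closing remark that a veth can be shaped, worked through as an added example (not part of the original answer or its comments): tc shapes what an interface transmits, so the qdisc goes on veth1, the end plugged into docker0 in the commands above. The rate, burst and latency values and the `DRY_RUN` switch are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: cap container egress on the docker0 <-> OVS veth link.
# Container frames leave docker0 by being transmitted on veth1, so a
# root qdisc on veth1 limits what the containers can send outwards.
# veth1, 10mbit, 32kbit and 400ms are assumed values, not from the page.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges byte-exact
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command only, 0 = run it (needs root)

# Accept only rates such as 500kbit, 10mbit or 1gbit.
valid_rate() {
    case "$1" in
        ''|*[!0-9a-z]*) return 1 ;;
    esac
    num="${1%%[a-z]*}"        # leading digits
    unit="${1#"$num"}"        # everything after them
    [ -n "$num" ] || return 1
    case "$num" in 0*) return 1 ;; esac
    case "$unit" in kbit|mbit|gbit) return 0 ;; *) return 1 ;; esac
}

# Linux interface names are at most 15 characters; allow a safe subset.
valid_dev() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print (and with DRY_RUN=0 execute) a token-bucket limit for one interface.
shape() {
    dev="$1"; rate="$2"
    valid_dev "$dev"   || { echo "bad interface name: $dev" >&2; return 2; }
    valid_rate "$rate" || { echo "bad rate: $rate" >&2; return 2; }
    set -- tc qdisc replace dev "$dev" root tbf rate "$rate" burst 32kbit latency 400ms
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

shape veth1 10mbit
```

Run it with `DRY_RUN=0` as root to apply the limit; `tc -s qdisc show dev veth1` then shows the drop and overlimit counters.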