Feature Overview
- Virtual Ethernet Switch
- Fast Data Path
- Seamless Docker Integration
- Docker Network Plugin
- CNI Plugin
- Address Allocation (IPAM)
- Naming and Discovery
- Application Isolation
- Network Policy
- Dynamic Network Attachment
- Security
- Host Network Integration
- Service Export
- Service Import
- Service Binding
- Service Routing
- Multi-cloud Networking
- Multi-hop Routing
- Dynamic Topologies
- Container Mobility
- Fault Tolerance
For step-by-step instructions on how to use Weave Net, see Launching Weave Net.
Virtual Ethernet Switch
Weave Net creates a virtual network that connects Docker containers deployed across multiple hosts. To application containers, the network established by Weave resembles a giant Ethernet switch, where all containers are connected and can easily access services from one another.
Because Weave Net uses standard protocols, your favorite network tools and applications, developed over decades, can still be used to configure, secure, monitor, and troubleshoot a container network.
Broadcast and Multicast protocols can also be used over Weave Net.
To start using Weave Net, see Installing Weave Net and Launching Weave Net.
Fast Datapath
Weave Net automatically chooses the fastest available method to transport data between peers. The best performing of these (the ‘fast datapath’) offers near-native throughput and latency.
See Using Fast Datapath and How Fast Datapath Works.
Seamless Docker Integration (Weave Docker API Proxy)
Weave Net includes a Docker API Proxy, which can be used to start containers using the Docker command-line interface or the remote API, and attach them to the Weave network before they begin execution.
To use the proxy, run:
host1$ eval $(weave env)
and then start and manage containers with standard Docker commands.
Containers started in this way that subsequently restart, either by an explicit docker restart command or by Docker restart policy, are re-attached to the Weave network by the Weave Docker API Proxy.
See Integrating Docker via the API Proxy.
Weave Network Docker Plugin
Weave Net can also be used as a Docker plugin. A Docker network named weave is created by weave launch, which is used as follows:
$ docker run --net=weave -ti alpine:latest
Using the Weave plugin enables you to take advantage of Docker’s network functionality.
There are two plugin implementations for Weave Net: the “Legacy” plugin which doesn’t require an external cluster store, and the “V2” plugin which supports Docker swarm mode.
Weave Network CNI Plugin
Weave can be used as a plugin to systems that support the Container Network Interface, such as Kubernetes and Mesosphere.
See Integrating Kubernetes and Mesos via the CNI Plugin for more details.
IP Address Management (IPAM)
Containers are automatically allocated a unique IP address. To view the addresses allocated by Weave, run weave ps.
Instead of allowing Weave to automatically allocate addresses, an IP address and a network can be explicitly specified. See How to Manually Specify IP Addresses and Subnets for instructions.
For a discussion of how Weave Net uses IPAM, see Automatic IP Address Management. Also review the basics of IP addressing for an explanation of addressing and private networks.
Naming and Discovery
Containers with a hostname are automatically registered in weaveDNS, and are discoverable by using standard, simple name lookups:
host1$ docker run -dti --name=service --hostname=service.weave.local alpine:latest
host1$ docker run -ti alpine:latest
root@7b21498fb103:/# ping service
WeaveDNS also supports load balancing, fault resilience and hot swapping.
See Discovering Containers with WeaveDNS.
Application Isolation
A single Weave network can host multiple, isolated applications, with each application’s containers being able to communicate with each other but not with the containers of other applications.
To isolate applications, Weave Net can make use of the isolation-through-subnets technique. This common strategy is one example of how, with Weave, many techniques familiar from bare-metal networks can be applied to containerised applications.
See Isolating Applications for information on how to use the isolation-through-subnets technique with Weave Net.
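The following is an added example, not code from the Weave Net documentation, that ties the manual addressing described under IPAM to the isolation-through-subnets technique. It assumes the Weave Docker API Proxy is active on the host (eval $(weave env)), uses the standard WEAVE_CIDR environment variable and the weave launch --ipalloc-range / --ipalloc-default-subnet flags, and treats the 10.2.0.0/16 range and the /24 application subnets as assumptions. The audit function parses weave ps output (the sample lines are constructed in that format) and flags any container that holds addresses in more than one subnet, because such a container bridges two applications and defeats the isolation.

```shell
#!/bin/sh
# Added example; not part of Weave Net. Addresses and subnets are assumptions.

# Launch the router with an explicit allocation range and a default subnet
# for containers that do not ask for a specific one (requires weave on PATH).
launch_with_subnets() {
    weave launch --ipalloc-range 10.2.0.0/16 --ipalloc-default-subnet 10.2.3.0/24
}

# Start a container inside one application subnet: WEAVE_CIDR=net:<subnet>
# asks IPAM for a free address in that subnet (requires docker + the proxy).
run_in_subnet() {
    subnet="$1"; shift
    docker run -e "WEAVE_CIDR=net:${subnet}" -d "$@"
}

# Start a container with an explicitly chosen address instead of IPAM.
run_with_ip() {
    cidr="$1"; shift
    docker run -e "WEAVE_CIDR=${cidr}" -d "$@"
}

# Audit `weave ps` output on stdin: one line per container with its /24
# subnet(s); "BRIDGES" marks a container attached to more than one subnet.
# Usage: weave ps | audit_subnets
audit_subnets() {
    awk '
    $1 == "weave:expose" { next }         # the host end of the bridge, not a container
    {
        nets = ""
        for (i = 3; i <= NF; i++) {
            split($i, a, "/")             # 10.2.1.2/24 -> 10.2.1.2
            sub(/\.[0-9]+$/, ".0", a[1])  # 10.2.1.2   -> 10.2.1.0 (assumes /24 subnets)
            net = a[1] "/24"
            if (nets == "")
                nets = net
            else if (index("," nets ",", "," net ",") == 0)
                nets = nets "," net
        }
        n = split(nets, parts, ",")
        printf "%s %s %s\n", $1, nets, (n > 1 ? "BRIDGES" : "ok")
    }'
}

# Constructed sample in the format of `weave ps`: two isolated containers and
# one that was attached to both application subnets.
SAMPLE_WEAVE_PS='weave:expose 7a:c4:8b:a1:e6:ad 10.2.3.1/24
b07565b06c53 ae:e3:07:9c:8c:d4 10.2.1.2/24
5245643870f1 ce:15:34:a9:b5:6d 10.2.2.2/24
9c0f1d2e3a4b 12:34:56:78:9a:bc 10.2.1.3/24 10.2.2.3/24'

printf '%s\n' "$SAMPLE_WEAVE_PS" | audit_subnets
```

Isolation through subnets is address-level separation: a container whose only Weave address is in 10.2.1.0/24 has no route to 10.2.2.0/24. It depends on containers keeping the addresses IPAM gave them, so a container that runs with CAP_NET_ADMIN can add an address in another subnet; treat the technique as an organisational boundary and use Network Policy where you need enforcement against a compromised container.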
Network Policy
The Weave Kubernetes Addon includes a network policy controller that implements Kubernetes Network Policies.
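As an added example (standard Kubernetes NetworkPolicy objects, not code from the Weave project), the pair of policies below shows the shape a practitioner usually starts from once the Weave Kubernetes Addon's policy controller is in place: a default deny of all ingress in a namespace, followed by an explicit allow from one application tier to another. The namespace, labels and port are assumptions.

```yaml
# Added example; namespace, labels and port are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}      # selects every pod in the namespace
  policyTypes:
  - Ingress            # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

Network policies are namespaced and additive: a pod selected by no policy accepts all traffic, which is why the default-deny object comes first, and the allow rule then opens only TCP/8080 from pods labelled app=frontend. The policy controller ships with the Weave Kubernetes Addon; containers attached through the Docker API Proxy or Docker plugin do not get this enforcement.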
Dynamic Network Attachment
At times, you may not know the application network for a given container in advance. In these cases, you can take advantage of Weave’s ability to attach and detach running containers to and from any network.
See Dynamically Attaching and Detaching Containers for details.
Security
In keeping with our ease-of-use philosophy, the cryptography in Weave Net is intended to satisfy a particular user requirement: strong, out-of-the-box security without a complex setup or the need to wade your way through the configuration of cipher suite negotiation, certificate generation or any of the other things needed to properly secure an IPsec or TLS installation.
Weave Net communicates via TCP and UDP on a well-known port, so you can adapt whatever is appropriate to your requirements - for example an IPsec VPN for inter-DC traffic, or VPC/private network inside a data-center.
For cases when this is not convenient, Weave Net provides a secure, authenticated encryption mechanism which you can use in conjunction with or as an alternative to any other security technologies you have running alongside Weave.
Weave Net implements encryption and security using the Go version of Daniel J. Bernstein’s NaCl library, and, additionally in the case of encrypted fast datapath using the cryptography framework of the Linux kernel.
For information on how to secure your Docker network connections, see Securing Connections Across Untrusted Networks and for a more technical discussion on how Weave implements encryption see, Weave Encryption and How Weave Implements Encryption.
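The following is an added example, not code from Weave Net, showing how the built-in encryption is switched on and how to check that it actually took effect. It relies on two documented facts: weave launch accepts a shared password, and it reads that password from the WEAVE_PASSWORD environment variable, which keeps the secret out of the process table. The password file path, the peer names and the sample weave status connections lines are constructed assumptions in the format that command prints.

```shell
#!/bin/sh
# Added example; not part of Weave Net. File paths and sample output are assumptions.

# Generate the shared secret once (64 hex characters) with restrictive
# permissions, then copy the file to every peer out of band.
make_password() {
    ( umask 077; head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1" )
}

# Launch the router with the password taken from a file via the environment
# rather than --password, so it never appears in `ps` or shell history.
# Every peer must be launched with the same password or they will not
# establish connections to each other.  Usage: launch_encrypted /etc/weave/password host2 host3
launch_encrypted() {
    pwfile="$1"; shift
    WEAVE_PASSWORD="$(cat "$pwfile")" weave launch "$@"
}

# Audit `weave status connections` output on stdin: print the remote address
# of every established connection that is not encrypted and return 1 if any
# exist, so the function can gate a deployment step.
# Usage: weave status connections | unencrypted_connections
unencrypted_connections() {
    awk '/established/ && /unencrypted/ { print $2; found = 1 }
         END { exit (found ? 1 : 0) }'
}

# Constructed sample in the format of `weave status connections`: one
# encrypted peer, one peer that is running unencrypted, one failed attempt.
SAMPLE_STATUS='<- 192.168.48.12:33866   established encrypted   fastdp 7e:21:4a:70:2f:45(host2) mtu=1376
<- 192.168.48.13:48012   established unencrypted fastdp a2:0b:ab:4f:63:14(host3) mtu=1376
-> 192.168.48.14:6783    failed      cannot connect to ourself, retry: never'

if printf '%s\n' "$SAMPLE_STATUS" | unencrypted_connections; then
    echo "all established connections are encrypted"
else
    echo "unencrypted peers present (listed above)"
fi
```

A connection can legitimately show as unencrypted when the router was launched with --trusted-subnets, which turns encryption off for peers inside the listed subnets to get plain fast datapath throughput; the audit above is the check that no peer outside those subnets is talking in the clear.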
Host Network Integration
Weave Net application networks can be integrated with a host’s network, and establish connectivity between the host and application containers anywhere.
See Integrating with the Host Network.
Managing Services: Exporting, Importing, Binding and Routing
- Exporting Services - Services running in containers on a Weave network can be made accessible to the outside world or to other networks.
- Importing Services - Applications can run anywhere, and yet still be made accessible by specific application containers or services.
- Binding Services - A container can be bound to a particular IP and port without having to change your application code, while at the same time maintaining its original endpoint.
- Routing Services - By combining the importing and exporting features, you can connect to disjointed networks, even when separated by firewalls and where there may be overlapping IP addresses.
See Managing Services - Exporting, Importing, Binding and Routing for instructions on how to manage services on a Weave container network.
Multi-Cloud Networking
Weave can network containers hosted in different cloud providers or data centers. For example, you can run an application consisting of containers that run on Google Compute Engine (GCE), Amazon Elastic Compute Cloud (EC2) and in a local data centre all at the same time.
See Enabling Multi-Cloud networking and Multi-hop Routing.
Multi-Hop Routing
A network of containers across more than two hosts can be established even when there is only partial connectivity between the hosts. Weave Net routes traffic between containers as long as there is at least one path of connected hosts between them.
See Enabling Multi-Cloud networking and Multi-hop Routing.
Dynamic Topologies
Hosts can be added to or removed from a Weave network without stopping or reconfiguring the remaining hosts. See Adding and Removing Hosts Dynamically.
Container Mobility
Containers can be moved between hosts without requiring any reconfiguration or, in many cases, restarts of other containers. All that is required is for the migrated container to be started with the same IP address as it was given originally.
See Managing Services - Exporting, Importing, Binding and Routing, in particular, Routing Services for more information on container mobility.
Fault Tolerance
Weave Net peers continually exchange topology information, and monitor and (re)establish network connections to other peers. So if hosts or networks fail, Weave can “route around” the problem. This includes network partitions, where containers on either side of a partition can continue to communicate, with full connectivity being restored when the partition heals.
The Weave Net Router container is very lightweight, fast and disposable. For example, should Weave Net ever run into difficulty, one can simply stop it (with weave stop) and restart it. Application containers do not have to be restarted in that event, and if the Weave Net container is restarted quickly enough, they may not experience even a temporary connectivity failure.