Calico adds simple, highly efficient networking with fine grained security policy to Docker 1.7 release

Calico adds simple, highly efficient networking with fine grained security policy to Docker 1.7 release

Right from its inception, the Project Calico team has been focused on delivering a virtual networking solution that works equally well for virtual machines and containers. We first demonstrated Calico working with containers back in November 2014, and, together with the folks at Docker, we’ve continued to extend and harden our Docker solution since then.

One of the key challenges with third-party networking solutions for Docker has been how to make the user experience seamless. Up to now, we’ve relied on Powerstrip which provides a tool for prototyping extensions to Docker. We were excited when Docker announced their intention to integrate a networking plug-in capability into their core distribution, and have been working closely with the Docker team and broader community to provide input to the evolving API definition. And we are thrilled that, as of Docker 1.7, libnetwork will be integrated with Docker to provide an API for networking with support for third-party plugins in the Docker experimental channel.

We have been developing Calico in parallel with the evolution of libnetwork over recent months. And so we are pleased to be able to announce that the latest release of Calico includes a driver for libnetwork that implements the Docker Container Network Model and supports networking of Docker containers the Calico way.

If you’re new to Calico, here’s a quick summary of how the Calico solution provides network connectivity for containers:

  • Every container gets its own IP address (or multiple addresses). No NAT or port mapping is used. Both IPv4 and IPv6 are supported.
  • By default, containers with endpoints connected to the same network can communicate freely among themselves, but are firewalled off from other networks.
  • Security policy can be fine-tuned by defining rules that control which groups of containers can reach which other groups (or the outside world) on which ports. You can think of Calico as providing a fully distributed lightweight firewall sitting in front of all of your containers.
  • All traffic between containers is routed at L3 via the Linux kernel’s native IP forwarding engine in each host. Calico uses BGP (Border Gateway Protocol) as its control plane to advertise routes to individual containers across the physical network fabric. BGP is the routing protocol that powers the Internet, so scalability is one of Calico’s strong points.
  • Containers networked with Calico can communicate directly (and securely) over IP with other containers, physical appliances, virtual machines and the public Internet without the need for any kind of specialized gateway function in the network.
  • The entire solution is open source, just like Docker itself, and available today.

It’s perhaps also worth saying what Calico is not: it is not an overlay networking solution. Calico emphasizes simplicity, and connects containers directly to the IP fabric in the data center. This simplicity makes Calico easy to deploy, easy to use, easy to troubleshoot and highly efficient. Just as containers provide a “lightweight” solution to deploying apps in the cloud, so Calico provides a “lightweight” solution to networking those apps. Philosophically, Calico is very well aligned with Docker.

The Calico team has worked very hard to deliver the Docker networking driver in a highly compressed timescale, and is immensely proud to be among the first third-party solutions to implement Docker’s new approach to networking. We very much look forward to continuing our work with Docker as libnetwork evolves.

To try out Calico networking for Docker visit the calico-docker GitHub page and follow one of the tutorials for getting started on Vagrant/VirtualBox, AWS, GCE, or Digital Ocean.  Or watch the one minute Calico Docker install video on projectcalico.org.

Alex Pollitt is an Evangelist and VP Engineering for Project Calico. He is passionate about supporting the full diversity of the emerging container ecosystem, and promoting the best developer and operator experience through collaboration across the ecosystem players.