- Virtual Ethernet Switch
- Fast Data Path
- Seamless Docker Integration
- Docker Network Plugin
- CNI Plugin
- Address Allocation (IPAM)
- Naming and Discovery
- Application Isolation
- Network Policy
- Dynamic Network Attachment
- Host Network Integration
- Service Export
- Service Import
- Service Binding
- Service Routing
- Multi-cloud Networking
- Multi-hop Routing
- Dynamic Topologies
- Container Mobility
- Fault Tolerance
For step-by-step instructions on how to use Weave Net, see Launching Weave Net.
Weave Net creates a virtual network that connects Docker containers deployed across multiple hosts. To application containers, the network established by Weave resembles a giant Ethernet switch, where all containers are connected and can easily access services from one another.
Because Weave Net uses standard protocols, your favorite network tools and applications, developed over decades, can still be used to configure, secure, monitor, and troubleshoot a container network.
Broadcast and Multicast protocols can also be used over Weave Net.
Weave Net automatically chooses the fastest available method to transport data between peers. The best performing of these (the ‘fast datapath’) offers near-native throughput and latency.
Weave Net includes a Docker API Proxy, which can be used to start containers using the Docker command-line interface or the remote API, and attach them to the Weave network before they begin execution.
To use the proxy, run:
host1$ eval $(weave env)
and then start and manage containers with standard Docker commands.
Containers started in this way that subsequently restart, either by an explicit docker restart command or by a Docker restart policy, are re-attached to the Weave network by the Weave Docker API Proxy.
Weave Net can also be used as a Docker plugin. A Docker network named weave is created by weave launch, and is used as follows:
$ docker run --net=weave -ti weaveworks/ubuntu
Using the Weave plugin enables you to take advantage of Docker’s network functionality.
Weave can be used as a plugin to systems that support the Container Network Interface, such as Kubernetes and Mesosphere.
See Integrating Kubernetes and Mesos via the CNI Plugin for more details.
Containers are automatically allocated a unique IP address. To view the addresses allocated by Weave, run
Instead of allowing Weave to automatically allocate addresses, an IP address and a network can be explicitly specified. See How to Manually Specify IP Addresses and Subnets for instructions.
Named containers are automatically registered in weaveDNS, and are discoverable by using standard, simple name lookups:
host1$ docker run -dti --name=service weaveworks/ubuntu
host1$ docker run -ti weaveworks/ubuntu
root@7b21498fb103:/# ping service
A single Weave network can host multiple, isolated applications, with each application’s containers being able to communicate with each other but not with the containers of other applications.
To isolate applications, Weave Net can make use of the isolation-through-subnets technique. This common strategy is an example of how, with Weave, many “on metal” techniques can be used to deploy your applications to containers.
See Isolating Applications for information on how to use the isolation-through-subnets technique with Weave Net.
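To make the isolation-through-subnets idea concrete, here is an added example (not code from Weave Net) that models an allocator carving one subnet per application out of a supernet and a policy check that only allows traffic between addresses in the same application subnet. The supernet 10.32.0.0/12, the /24 per-application prefix and the application names are assumptions made for this example, not values taken from the documentation.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed example: a Weave-style supernet carved into one subnet per
# application. The range is an assumption for this example only.
SUPERNET = ipaddress.ip_network("10.32.0.0/12")


class SubnetAllocator:
    """Hands out one subnet per application from a supernet, then individual
    addresses within that subnet (a simplified isolation-through-subnets model)."""

    def __init__(self, supernet: ipaddress.IPv4Network, app_prefix: int = 24) -> None:
        self.supernet = supernet
        self._free_subnets = supernet.subnets(new_prefix=app_prefix)
        self.app_subnets: Dict[str, ipaddress.IPv4Network] = {}
        self._used: Dict[str, Set[ipaddress.IPv4Address]] = {}

    def subnet_for(self, app: str) -> ipaddress.IPv4Network:
        """Return the application's subnet, carving a fresh one on first use."""
        if app not in self.app_subnets:
            try:
                self.app_subnets[app] = next(self._free_subnets)
            except StopIteration:
                raise RuntimeError(f"supernet {self.supernet} has no subnets left") from None
            self._used[app] = set()
        return self.app_subnets[app]

    def allocate(self, app: str) -> ipaddress.IPv4Address:
        """Allocate the lowest free host address in the application's subnet."""
        net = self.subnet_for(app)
        for host in net.hosts():  # hosts() skips the network and broadcast addresses
            if host not in self._used[app]:
                self._used[app].add(host)
                return host
        raise RuntimeError(f"subnet {net} for application {app!r} is exhausted")

    def release(self, app: str, addr: ipaddress.IPv4Address) -> None:
        """Return an address to the pool so a later container can reuse it."""
        self._used[app].discard(ipaddress.ip_address(addr))

    def application_of(self, addr) -> Optional[str]:
        """Map an address back to the application whose subnet contains it."""
        ip = ipaddress.ip_address(addr)
        for app, net in self.app_subnets.items():
            if ip in net:
                return app
        return None


def may_communicate(alloc: SubnetAllocator, a, b) -> bool:
    """Policy check: under isolation-through-subnets, two containers may talk
    only when both addresses belong to the same application subnet."""
    app_a = alloc.application_of(a)
    return app_a is not None and app_a == alloc.application_of(b)


if __name__ == "__main__":
    alloc = SubnetAllocator(SUPERNET)
    shop_a, shop_b = alloc.allocate("shop"), alloc.allocate("shop")
    billing = alloc.allocate("billing")
    print(shop_a, shop_b, billing)
    print(may_communicate(alloc, shop_a, shop_b), may_communicate(alloc, shop_a, billing))
```

The allocator raises once a subnet is exhausted rather than silently handing out an address from a neighbouring application's range, which is the failure that would quietly break the isolation boundary; releasing an address makes it available again for the same application only.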
At times, you may not know the application network for a given container in advance. In these cases, you can take advantage of Weave’s ability to attach and detach running containers to and from any network.
See Dynamically Attaching and Detaching Containers for details.
In keeping with our ease-of-use philosophy, the cryptography in Weave Net is intended to satisfy a particular user requirement: strong, out-of-the-box security without a complex setup or the need to wade your way through the configuration of cipher suite negotiation, certificate generation or any of the other things needed to properly secure an IPsec or TLS installation.
Weave Net communicates via TCP and UDP on a well-known port, so you can apply whatever transport protection is appropriate to your requirements - for example an IPsec VPN for inter-DC traffic, or a VPC/private network inside a data centre.
For cases when this is not convenient, Weave Net provides a secure, authenticated encryption mechanism which you can use in conjunction with or as an alternative to any other security technologies you have running alongside Weave.
Weave Net implements encryption and security using the Go version of Daniel J. Bernstein’s NaCl library and, in the case of the encrypted fast datapath, additionally the cryptography framework of the Linux kernel.
For information on how to secure your Docker network connections, see Securing Connections Across Untrusted Networks; for a more technical discussion of how Weave implements encryption, see Weave Encryption and How Weave Implements Encryption.
Weave Net application networks can be integrated with a host’s network, and establish connectivity between the host and application containers anywhere.
- Exporting Services - Services running in containers on a Weave network can be made accessible to the outside world or to other networks.
- Importing Services - Applications can run anywhere, and yet still be made accessible by specific application containers or services.
- Binding Services - A container can be bound to a particular IP and port without having to change your application code, while at the same time maintaining its original endpoint.
- Routing Services - By combining the importing and exporting features, you can connect disjoint networks, even when they are separated by firewalls and may have overlapping IP addresses.
See Managing Services - Exporting, Importing, Binding and Routing for instructions on how to manage services on a Weave container network.
Weave can network containers hosted in different cloud providers or data centers. For example, you can run an application consisting of containers that run on Google Compute Engine (GCE), Amazon Elastic Compute Cloud (EC2) and in a local data centre all at the same time.
A network of containers across more than two hosts can be established even when there is only partial connectivity between the hosts. Weave Net routes traffic between containers as long as there is at least one path of connected hosts between them.
Hosts can be added to or removed from a Weave network without stopping or reconfiguring the remaining hosts. See Adding and Removing Hosts Dynamically.
Containers can be moved between hosts without requiring any reconfiguration or, in many cases, restarts of other containers. All that is required is for the migrated container to be started with the same IP address as it was given originally.
See Managing Services - Exporting, Importing, Binding and Routing, in particular, Routing Services for more information on container mobility.
Weave Net peers continually exchange topology information, and monitor and (re)establish network connections to other peers. So if hosts or networks fail, Weave can “route around” the problem. This includes network partitions, where containers on either side of a partition can continue to communicate, with full connectivity being restored when the partition heals.
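The multi-hop routing and fault tolerance behaviour described above (traffic flows as long as at least one path of connected hosts exists, and a partition splits the network into groups that reconnect when it heals) can be modelled as reachability over the peer graph. The following is an added example, not Weave Net's own routing code: the host names, the links and the failure scenario are constructed for illustration.

```python
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Constructed peer topology for this example (not a real deployment):
# host1 and host3 have no direct connectivity; host2 bridges them.
PEER_LINKS: Set[FrozenSet[str]] = {
    frozenset({"host1", "host2"}),
    frozenset({"host2", "host3"}),
    frozenset({"host3", "host4"}),
}


def adjacency(links: Iterable[FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Build an undirected adjacency map from peer-to-peer links."""
    adj: Dict[str, Set[str]] = {}
    for link in links:
        a, b = tuple(link)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def find_route(links: Iterable[FrozenSet[str]], src: str, dst: str) -> Optional[List[str]]:
    """Shortest hop sequence from src to dst via connected hosts (breadth-first
    search), or None when no path exists, i.e. the peers are partitioned."""
    if src == dst:
        return [src]
    adj = adjacency(links)
    parent: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):  # sorted for deterministic routes
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt == dst:
                path = [dst]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def partitions(links: Iterable[FrozenSet[str]], peers: Iterable[str]) -> List[Set[str]]:
    """Group peers into connected components; more than one component means
    the network is partitioned, each side still fully connected internally."""
    adj = adjacency(links)
    seen: Set[str] = set()
    groups: List[Set[str]] = []
    for peer in sorted(peers):
        if peer in seen:
            continue
        component: Set[str] = set()
        stack = [peer]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj.get(node, ()))
        groups.append(component)
    return groups


if __name__ == "__main__":
    peers = {"host1", "host2", "host3", "host4"}
    print(find_route(PEER_LINKS, "host1", "host4"))
    # Simulate the host2<->host3 link failing: host1/host2 are cut off from host3/host4.
    broken = PEER_LINKS - {frozenset({"host2", "host3"})}
    print(find_route(broken, "host1", "host4"), partitions(broken, peers))
    # The partition heals via a new host1<->host3 link and traffic is re-routed.
    healed = broken | {frozenset({"host1", "host3"})}
    print(find_route(healed, "host1", "host4"))
```

Running the script shows a three-hop route before the failure, no route plus two components during the partition, and a different route once a new link restores connectivity; the same reachability check is a useful way to reason about which peers a connectivity problem actually isolates.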
The Weave Net Router container is very lightweight, fast and disposable.
For example, should Weave Net ever run into difficulty, one can simply stop it (with weave stop) and restart it. Application containers do not have to be restarted in that event and, if the Weave Net container is restarted quickly enough, may not experience a temporary connectivity failure.