feat(lab-02): complete Phase 3 - Network & VPC lab

Implement Lab 02 with Docker bridge networks simulating VPC/Subnets. Test Infrastructure (RED phase): - 6 bash test scripts for network creation, isolation, INF-02 compliance - Fail-fast orchestration with run-all-tests.sh - Quick validation script for development Documentation (Diátaxis framework): - 3 tutorials: VPC creation, container deployment, isolation verification - 4 how-to guides: create network, inspect config, test isolation, cleanup - 3 reference docs: Docker network commands, Compose syntax, VPC mapping - 1 explanation: Docker ↔ VPC parallels (PARA-01/02/03/04) Infrastructure (GREEN phase): - docker-compose.yml with VPC networks (10.0.1.0/24, 10.0.2.0/24) - 5 services: web, app, db, test-public, test-private - INF-02 compliant: 127.0.0.1 bindings only, no 0.0.0.0 - Private network with --internal flag - Multi-homed app container (public + private networks) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-25 17:26:35 +01:00
parent d4c4f7d717
commit 5b2c8c37aa
22 changed files with 3988 additions and 12 deletions
--- a/labs/lab-02-network/reference/compose-network-syntax.md
+++ b/labs/lab-02-network/reference/compose-network-syntax.md
@@ -0,0 +1,284 @@
+# Reference: Sintassi Network Docker Compose
+
+Specifiche tecniche per definire reti in docker-compose.yml.
+
+## Struttura Base
+
+```yaml
+version: "3.8"
+
+networks:
+  network-name:
+    driver: bridge
+    name: actual-network-name
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.0.1.0/24
+          gateway: 10.0.1.1
+
+services:
+  service-name:
+    image: image:tag
+    networks:
+      - network-name
+```
+
+## Sezione Networks
+
+### Configurazione Minima
+
+```yaml
+networks:
+  my-network:
+    driver: bridge
+```
+
+### Configurazione Completa
+
+```yaml
+networks:
+  vpc-public:
+    name: lab02-vpc-public        # Nome effettivo della rete
+    driver: bridge                 # Driver (bridge, overlay)
+    driver_opts:
+      com.docker.network.bridge.name: br-public  # Nome bridge host
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.0.1.0/24
+          gateway: 10.0.1.1
+          ip_range: 10.0.1.128/25    # (opzionale) Range per container
+    internal: false                 # (opzionale) Isola rete
+    attachable: false               # (opzionale) Permette container esterni
+    labels:                        # (opzionale) Metadata
+      env: development
+```
+
+### Rete Interna (Privata)
+
+```yaml
+networks:
+  vpc-private:
+    driver: bridge
+    internal: true                 # Blocca accesso esterno
+    ipam:
+      config:
+        - subnet: 10.0.2.0/24
+          gateway: 10.0.2.1
+```
+
+### Rete Esterna (Preesistente)
+
+```yaml
+networks:
+  external-network:
+    name: existing-network         # Usa rete esistente
+    external: true
+```
+
+## Sezione Services
+
+### Container in Singola Rete
+
+```yaml
+services:
+  web:
+    image: nginx:alpine
+    networks:
+      - vpc-public
+```
+
+### Container con IP Statico
+
+```yaml
+services:
+  web:
+    image: nginx:alpine
+    networks:
+      vpc-public:
+        ipv4_address: 10.0.1.10
+```
+
+### Container in Multiple Reti (Multi-homed)
+
+```yaml
+services:
+  app:
+    image: myapp:latest
+    networks:
+      vpc-public:
+        ipv4_address: 10.0.1.20
+      vpc-private:
+        ipv4_address: 10.0.2.20
+```
+
+### Alias DNS Personalizzati
+
+```yaml
+services:
+  db:
+    image: postgres:16
+    networks:
+      vpc-private:
+        aliases:
+          - database
+          - postgres-primary
+```
+
+## Port Publishing (INF-02)
+
+### Sicuro (Locale Only)
+
+```yaml
+services:
+  web:
+    ports:
+      - "127.0.0.1:8080:80"    # Solo localhost (COMPLIANT)
+      - "127.0.0.1:8443:443"
+```
+
+### Non Sicuro (Tutte le Interfacce)
+
+```yaml
+services:
+  web:
+    ports:
+      - "8080:80"             # VIOLA INF-02 (0.0.0.0:8080)
+      - "0.0.0.0:8080:80"     # VIOLA INF-02 (esplicito)
+```
+
+### Nessuna Porta (Servizio Privato)
+
+```yaml
+services:
+  db:
+    # Nessuna sezione ports - completamente privato
+```
+
+## Priorita e Dipendenze
+
+```yaml
+services:
+  app:
+    image: myapp
+    networks:
+      - vpc-public
+    depends_on:
+      - db
+
+  db:
+    image: postgres
+    networks:
+      - vpc-private
+```
+
+## Esempio Completo
+
+```yaml
+version: "3.8"
+
+services:
+  web:
+    image: nginx:alpine
+    container_name: lab02-web
+    networks:
+      vpc-public:
+        ipv4_address: 10.0.1.10
+    ports:
+      - "127.0.0.1:8080:80"
+    restart: unless-stopped
+
+  app:
+    image: myapp:latest
+    container_name: lab02-app
+    networks:
+      vpc-public:
+        ipv4_address: 10.0.1.20
+      vpc-private:
+        ipv4_address: 10.0.2.20
+    ports:
+      - "127.0.0.1:8081:8080"
+    depends_on:
+      - db
+    restart: unless-stopped
+
+  db:
+    image: postgres:16-alpine
+    container_name: lab02-db
+    environment:
+      POSTGRES_PASSWORD: secret
+    networks:
+      vpc-private:
+        ipv4_address: 10.0.2.10
+    volumes:
+      - db-data:/var/lib/postgresql/data
+    restart: unless-stopped
+
+volumes:
+  db-data:
+
+networks:
+  vpc-public:
+    name: lab02-vpc-public
+    driver: bridge
+    ipam:
+      config:
+        - subnet: 10.0.1.0/24
+          gateway: 10.0.1.1
+
+  vpc-private:
+    name: lab02-vpc-private
+    driver: bridge
+    internal: true
+    ipam:
+      config:
+        - subnet: 10.0.2.0/24
+          gateway: 10.0.2.1
+```
+
+## Comandi di Verifica
+
+```bash
+# Valida configurazione
+docker compose -f docker-compose.yml config
+
+# Mostra rete generate
+docker compose -f docker-compose.yml config | grep -A 20 "Networks:"
+
+# Crea rete senza avviare servizi
+docker compose -f docker-compose.yml up --no-deps --no-start
+
+# Ispeziona rete creata
+docker network inspect lab02-vpc-public
+```
+
+## Troubleshooting
+
+### Subnet Conflicts
+
+```bash
+# Verifica subnet in uso
+docker network ls -q | xargs docker network inspect --format '{{.Name}}: {{range .IPAM.Config}}{{.Subnet}}{{end}}'
+
+# Cambia subnet nel compose
+ipam:
+  config:
+    - subnet: 10.0.10.0/24    # Usa CIDR diverso
+```
+
+### Container Non Ottengono IP
+
+```bash
+# Rimuovi IP statici
+# (lascia Docker assegnare automaticamente)
+services:
+  web:
+    networks:
+      - vpc-public    # Rimuovi ipv4_address
+```
+
+## Vedi Anche
+
+- [Tutorial: Deploy Container](../tutorial/02-deploy-containers-networks.md)
+- [Reference: Docker Network Commands](./docker-network-commands.md)
--- a/labs/lab-02-network/reference/docker-network-commands.md
+++ b/labs/lab-02-network/reference/docker-network-commands.md
@@ -0,0 +1,179 @@
+# Reference: Comandi Docker Network
+
+Riferimento rapido per i comandi Docker network.
+
+## Comandi Principali
+
+### Creare una Rete
+
+```bash
+docker network create [OPTIONS] NETWORK
+
+# Sintassi base
+docker network create my-network
+
+# Con subnet personalizzata
+docker network create --subnet 10.0.1.0/24 --gateway 10.0.1.1 my-network
+
+# Rete interna (isolata)
+docker network create --internal my-internal-network
+
+# Specifica driver
+docker network create --driver bridge my-bridge-network
+```
+
+### Lista Reti
+
+```bash
+# Tutte le reti
+docker network ls
+
+# Con dettagli
+docker network ls --no-trunc
+
+# Solo reti custom
+docker network ls --filter 'type=custom'
+
+# Format output
+docker network ls --format "table {{.Name}}\t{{.Driver}}\t{{.Scope}}"
+```
+
+### Ispezionare una Rete
+
+```bash
+# Output JSON completo
+docker network inspect NETWORK
+
+# Output specifico
+docker network inspect NETWORK --format '{{.IPAM.Config}}'
+docker network inspect NETWORK --format '{{.Driver}}'
+docker network inspect NETWORK --format '{{.Containers}}'
+```
+
+### Collegare Container a Rete
+
+```bash
+# Collega container a rete
+docker network connect NETWORK CONTAINER
+
+# Con IP specifico
+docker network connect NETWORK CONTAINER --ip 10.0.1.100
+
+# Con alias DNS
+docker network connect NETWORK CONTAINER --alias my-service
+```
+
+### Scollegare Container da Rete
+
+```bash
+# Scollega container
+docker network disconnect NETWORK CONTAINER
+
+# Forza (se in uso)
+docker network disconnect -f NETWORK CONTAINER
+```
+
+### Rimuovere Reti
+
+```bash
+# Rimuovi rete specifica
+docker network rm NETWORK
+
+# Rimuovi piu reti
+docker network rm NETWORK1 NETWORK2 NETWORK3
+
+# Rimuovi reti non usate
+docker network prune
+
+# Rimuovi tutte le reti custom (attenzione!)
+docker network ls -q | xargs docker network rm
+```
+
+## Opzioni Comuni
+
+| Opzione | Descrizione | Esempio |
+|---------|-------------|---------|
+| `--driver` | Driver di rete | `--driver bridge` |
+| `--subnet` | CIDR subnet | `--subnet 10.0.1.0/24` |
+| `--gateway` | Gateway IP | `--gateway 10.0.1.1` |
+| `--internal` | Isola rete | `--internal` |
+| `--attachable` | Permette container stand-alone | `--attachable` |
+| `--ip-range` | Range IP per container | `--ip-range 10.0.1.128/25` |
+
+## Driver di Rete
+
+| Driver | Descrizione | Uso |
+|--------|-------------|-----|
+| `bridge` | Bridge Linux (default) | Reti isolate su singolo host |
+| `overlay` | Overlay Swarm | Multi-host networking |
+| `host` | Host networking | Nessuna isolamento |
+| `macvlan` | MACVLAN | MAC address univoco per container |
+| `none` | Nessuna rete | Container senza rete |
+
+## Output Format
+
+### Template Format
+
+```bash
+# Nome e driver
+docker network ls --format '{{.Name}}: {{.Driver}}'
+
+# Subnet
+docker network inspect NETWORK --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
+
+# Container con IP
+docker network inspect NETWORK --format '{{range .Containers}}{{.Name}}: {{.IPv4Address}}{{end}}'
+
+# JSON completo
+docker network inspect NETWORK --format '{{json}}'
+```
+
+### Placeholder Disponibili
+
+| Placeholder | Descrizione |
+|-------------|-------------|
+| `{{.Name}}` | Nome rete |
+| `{{.Id}}` | ID rete |
+| `{{.Driver}}` | Driver |
+| `{{.Scope}}` | Scope (local/swarm) |
+| `{{.Internal}}` | Flag internal |
+| `{{.IPAM.Config}}` | Configurazione IPAM |
+| `{{.Containers}}` | Container collegati |
+| `{{.Options}}` | Opzioni rete |
+
+## Esempi Pratici
+
+### Creare VPC con Subnets
+
+```bash
+# Public subnet
+docker network create --driver bridge \
+  --subnet 10.0.1.0/24 \
+  --gateway 10.0.1.1 \
+  vpc-public
+
+# Private subnet
+docker network create --driver bridge \
+  --subnet 10.0.2.0/24 \
+  --gateway 10.0.2.1 \
+  --internal \
+  vpc-private
+```
+
+### Debug Reti
+
+```bash
+# Mostra container in una rete
+docker network inspect vpc-public --format '{{json .Containers}}' | jq -r '.[] | .Name'
+
+# Verifica IP di container
+docker inspect container --format '{{range $n, $c := .NetworkSettings.Networks}}{{$n}}: {{$c.IPAddress}}{{end}}'
+
+# Trova reti di un container
+docker inspect container --format '{{range .NetworkSettings.Networks}}{{$}}{{end}}'
+```
+
+## Vedi Anche
+
+- [Tutorial: Creare Reti VPC](../tutorial/01-create-vpc-networks.md)
+- [Reference: Compose Network Syntax](./compose-network-syntax.md)
--- a/labs/lab-02-network/reference/vpc-network-mapping.md
+++ b/labs/lab-02-network/reference/vpc-network-mapping.md
@@ -0,0 +1,125 @@
+# Reference: Mapping VPC Docker Network
+
+Tabella di riferimento rapido per i parallelismi tra reti Docker e VPC cloud.
+
+## Tabella Parallelismi Principali
+
+| Concetto Docker | AWS VPC Equivalente | Descrizione |
+|-----------------|---------------------|-------------|
+| Bridge Network | VPC | Rete virtuale isolata |
+| Subnet (10.0.x.0/24) | Subnet CIDR | Segmento IP all'interno VPC |
+| Container | EC2 Instance | Entita di calcolo nella rete |
+| `--internal` flag | Private Subnet (no IGW) | Isolamento da internet |
+| `--gateway` | Subnet Gateway | Gateway predefinito subnet |
+| DNS embedded | Route 53 Resolver | Risoluzione nomi |
+| `docker network connect` | Attach Network Interface | Collegamento a rete |
+| Port mapping (`8080:80`) | Security Group + NAT | Regole accesso + NAT |
+
+## Comandi a Confronto
+
+### Creazione VPC/Subnet
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `docker network create --driver bridge --subnet 10.0.1.0/24 vpc-main` | `aws ec2 create-vpc --cidr-block 10.0.0.0/16` |
+| `--subnet 10.0.1.0/24 --gateway 10.0.1.1` | `aws ec2 create-subnet --vpc-id VPC_ID --cidr-block 10.0.1.0/24` |
+| `--internal` | No route to Internet Gateway |
+
+### Gestione Reti
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `docker network ls` | `aws ec2 describe-vpcs` |
+| `docker network inspect vpc-main` | `aws ec2 describe-vpcs --vpc-ids VPC_ID` |
+| `docker network rm vpc-main` | `aws ec2 delete-vpc --vpc-id VPC_ID` |
+
+### Container in Rete
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `docker run --network vpc-main nginx` | `aws ec2 run-instances --subnet-id SUBNET_ID` |
+| `docker network connect vpc-main container` | `aws ec2 attach-network-interface` |
+| `docker network disconnect vpc-main container` | `aws ec2 detach-network-interface` |
+
+## CIDR Blocks Standard
+
+| Tipo Locale | Cloud CIDR | Uso |
+|-------------|------------|-----|
+| `10.0.0.0/16` | `10.0.0.0/16` | VPC principale |
+| `10.0.1.0/24` | `10.0.1.0/24` | Public subnet (1a) |
+| `10.0.2.0/24` | `10.0.2.0/24` | Private subnet (1a) |
+| `10.0.3.0/24` | `10.0.3.0/24` | Private subnet (1b) |
+| `10.0.4.0/24` | `10.0.4.0/24` | Public subnet (1b) |
+
+## Nomenclatura Cloud (PARA-02)
+
+### Pattern di Naming
+
+```
+[Rolle]-[Ambiente]-[Tipo]-[Zona]
+
+Esempi:
+  lab02-vpc-public       (VPC pubblica lab)
+  lab02-vpc-private      (VPC privata lab)
+  prod-vpc-main          (VPC produzione)
+  dev-app-public-1a       (Public subnet dev, AZ 1a)
+```
+
+### Tag Docker Networks
+
+```bash
+# Aggiungi metadata alle reti
+docker network create \
+  --label env=development \
+  --label tier=frontend \
+  --label owner=lab02 \
+  frontend-network
+```
+
+## Security Groups ↔ Docker Isolation
+
+| Security Group AWS | Docker Equivalente |
+|--------------------|---------------------|
+| All traffic from SG | Containers in same network |
+| No ingress rules | `--internal` network |
+| Specific port allow | Port mapping `127.0.0.1:PORT:CONTAINER` |
+| SG reference type | Multi-network container |
+
+## Routing AWS ↔ Docker Bridge
+
+| AWS Route | Docker Bridge |
+|-----------|---------------|
+| Internet Gateway | Container host routing |
+| NAT Gateway | Container port mapping |
+| VPC Peering | `docker network connect` (shared) |
+| Transit Gateway | Multi-network container (router) |
+
+## Limitazioni
+
+| Aspetto | Docker Locale | AWS Cloud |
+|---------|---------------|-----------|
+| Host scope | Singolo host | Multi-AZ, multi-region |
+| External access | NAT/Port mapping | Internet Gateway, NAT Gateway |
+| DNS resolution | Embedded DNS | Route 53 |
+| Network ACL | Non disponibile | Network ACLs disponibili |
+| Flow logs | Non disponibile | VPC Flow Logs disponibili |
+
+## Comandi Utili
+
+```bash
+# Verifica subnet di una rete
+docker network inspect vpc-public --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
+
+# Trova container per IP
+docker ps -q | xargs docker inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}{{.Name}}'
+
+# Simula VPC topology multi-tier
+docker network create --subnet 10.0.1.0/24 public
+docker network create --subnet 10.0.2.0/24 private
+docker network create --subnet 10.0.3.0/24 data
+```
+
+## Vedi Anche
+
+- [Explanation: Docker VPC Parallels](../explanation/docker-network-vpc-parallels.md)
+- [How-To: Create Custom Network](../how-to-guides/create-custom-network.md)