Docker 101 : A dive into the Bridge networking model for containers
Docker connects each container to a virtual bridge - docker0 by default, a software switch that links the containers to each other and to the host - through a virtual Ethernet pair, a veth.
Docker also gives each container its own network namespace - its own interfaces, routing table, iptables rules and so on - so the container's network stack is isolated from the host's.
The veth is like a virtual cable: one end sits in the container's namespace, the other end sits in the host's namespace and is plugged into the docker bridge.
Traffic arriving from outside the host on port "88" has its destination rewritten, passes through the bridge - docker0 - and is forwarded to the container's virtual interface on port "80", as demonstrated in the example below:
Below is the command that allows us to do the port forwarding described above:
- Port "88" : represents the host's port.
- Port "80" : represents the container's port.
Remark:
Let's check the interfaces inside the nginx container:
Among the interfaces is the virtual interface eth0@if26: the number in front of it, 32, is its index inside the container's namespace, and the "@if26" suffix says that its peer is the interface with index 26 in the host's namespace.
On the host we find interface 26, vethfcc45a@if32, whose "@if32" suffix points back at index 32, the container's eth0, as we can see below - interfaces on the host -:
The virtual interface vethfcc45a@if32 on the host and the virtual interface eth0@if26 in the container are the two ends of the veth pair, the virtual cable.
The host end vethfcc45a@if32 is attached to the virtual docker bridge - docker0 -, and the host routes packets between docker0 and its own interface "eth0" (the two are not bridged together; IP forwarding on the host moves packets from one to the other).
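The matching of the two veth ends described above can be done mechanically from `ip -o link` output. The script below is an added example, not code from the original post: the interface listings are constructed samples shaped like the post's interfaces (the second veth, the MAC address and the `docker run -p 88:80` command that would have started the nginx container are assumptions), and the functions cross-check that the "@ifN" suffix on each end points at the other end's index.

```shell
# Added example, not part of the original post: match the two ends of a veth
# pair from `ip -o link` output. The number in front of a name is the
# interface's index in its own namespace; the "@ifN" suffix is the peer's index
# in the other namespace. So the container's "32: eth0@if26" pairs with the
# host's "26: vethfcc45a@if32".
#
# The listings below are constructed samples (the second veth and the MAC
# address are invented). Live, they would come from:
#   docker run -d --name nginx -p 88:80 nginx   # assumed start command
#   docker exec nginx ip -o link                # inside the container
#   ip -o link                                  # on the host

CONTAINER_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
32: eth0@if26: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

HOST_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
26: vethfcc45a@if32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link-netnsid 0
28: veth1a2b3c@if34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP link-netnsid 1'

# link_index LINKS NAME -> NAME's own index in its namespace (the leading number)
link_index() {
    printf '%s\n' "$1" | awk -v name="$2" -F'[: ]+' \
        '{ split($2, p, "@"); if (p[1] == name) { print $1; exit } }'
}

# peer_index LINKS NAME -> the N from NAME's "@ifN" suffix, i.e. the peer's index
# in the other namespace; prints nothing if NAME has no peer
peer_index() {
    printf '%s\n' "$1" | awk -v name="$2" -F'[: ]+' '{
        split($2, p, "@")
        if (p[1] == name && p[2] ~ /^if[0-9]+$/) { sub(/^if/, "", p[2]); print p[2]; exit }
    }'
}

# name_by_index LINKS IDX -> name (without the @ifN suffix) of the interface whose own index is IDX
name_by_index() {
    printf '%s\n' "$1" | awk -v idx="$2" -F'[: ]+' \
        '$1 == idx { split($2, p, "@"); print p[1]; exit }'
}

# host_veth_for CONTAINER_LINKS HOST_LINKS CONTAINER_IF -> the host-side veth name.
# Verified in both directions: the container interface's @ifN must name a host
# interface whose own @ifN names the container interface's index. Fails (status 1,
# no output) when the two listings do not describe one consistent pair.
host_veth_for() {
    c_links=$1; h_links=$2; c_if=$3
    c_idx=$(link_index "$c_links" "$c_if")
    h_idx=$(peer_index "$c_links" "$c_if")
    [ -n "$c_idx" ] && [ -n "$h_idx" ] || return 1
    h_name=$(name_by_index "$h_links" "$h_idx")
    [ -n "$h_name" ] || return 1
    # cross-check: the host end must point back at the container end's index
    [ "$(peer_index "$h_links" "$h_name")" = "$c_idx" ] || return 1
    printf '%s\n' "$h_name"
}

host_veth_for "$CONTAINER_LINKS" "$HOST_LINKS" eth0
```

The cross-check matters on a host with many containers: every veth on the bridge ends in some "@ifN", and indices are only unique within one namespace, so reading one side alone can pair a container with the wrong veth.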
To let containers send packets outside the host, their private addresses must be masqueraded - SNAT, Source Network Address Translation - by a rule in the POSTROUTING chain of the nat table, which is applied to a packet right before it leaves a network interface. Docker's rule uses the MASQUERADE target, a form of SNAT that substitutes whatever address the outgoing interface currently has.
Docker creates this SNAT - POSTROUTING - rule for outgoing traffic; we can list it with the command below:
- 172.18.0.0/16: the pool of addresses assigned to the containers; the rule matches packets whose source is in this range.
- 0.0.0.0/0: any destination.
For incoming packets to reach the container's published port, Docker creates a DNAT - PREROUTING - rule as follows:
The DNAT rule rewrites the destination of the packet - address and port - from the host's address and port "88" to the container's address and port "80". Because this happens before the routing decision, the packet is then routed out through docker0 to the container and traverses the FORWARD chain, not INPUT; filter rules in the host's INPUT chain therefore do not apply to published container ports.
Remark:
PREROUTING rules are applied to a packet as soon as it arrives on a network interface, before the routing decision is made.
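The two nat-table rules discussed above, the MASQUERADE rule for outgoing traffic and the DNAT rule for the published port, have a fixed shape, so their presence can be checked from an `iptables-save -t nat` dump. The script below is an added example, not code from the original post: the dump is a constructed sample in the format Docker's rules take (the DOCKER chain reached from PREROUTING and OUTPUT, the per-container hairpin MASQUERADE line), the pool 172.18.0.0/16, bridge docker0 and ports 88/80 are the post's, and the container address 172.18.0.2 is an assumption.

```shell
# Added example, not part of the original post: the nat-table rules behind
# "-p 88:80", and a check that a dump actually contains them.
# Live, NAT_DUMP would come from:  iptables-save -t nat
# The dump below is a constructed sample in the shape Docker installs; the
# container address 172.18.0.2 is assumed (the post only gives the /16 pool).
NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 88 -j DNAT --to-destination 172.18.0.2:80
COMMIT'

# masquerade_rule POOL BRIDGE -> the POSTROUTING rule in iptables-save syntax:
# packets from the container pool leaving by any interface other than the
# bridge get their source rewritten to that outgoing interface's address.
masquerade_rule() {
    printf '%s\n' "-A POSTROUTING -s $1 ! -o $2 -j MASQUERADE"
}

# dnat_rule BRIDGE PROTO HOSTPORT CIP CPORT -> the DOCKER-chain rule (reached from
# PREROUTING) that rewrites the destination of packets arriving on any interface
# other than the bridge for HOSTPORT to CIP:CPORT.
dnat_rule() {
    printf '%s\n' "-A DOCKER ! -i $1 -p $2 -m $2 --dport $3 -j DNAT --to-destination $4:$5"
}

# has_rule DUMP RULE -> status 0 if RULE appears as a whole line of DUMP
has_rule() {
    printf '%s\n' "$1" | grep -Fxq -- "$2"
}

# published_ports DUMP -> one "HOSTPORT->CIP:CPORT" line per DNAT rule in the
# DOCKER chain: the ports the host actually exposes, whatever was intended.
published_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
            port = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--to-destination") dst = $(i + 1)
            }
            print port "->" dst
        }'
}

# check_published DUMP BRIDGE POOL HOSTPORT CIP CPORT -> status 0 only if both the
# outbound MASQUERADE rule and the inbound DNAT rule for this mapping are present.
check_published() {
    has_rule "$1" "$(masquerade_rule "$3" "$2")" &&
    has_rule "$1" "$(dnat_rule "$2" tcp "$4" "$5" "$6")"
}

published_ports "$NAT_DUMP"
check_published "$NAT_DUMP" docker0 172.18.0.0/16 88 172.18.0.2 80 && echo "rules present for 88 -> 172.18.0.2:80"
```

Note the "! -i docker0" on the DNAT rule: it matches packets from every interface except the bridge, so the port is published on all host addresses unless the publish was restricted to one (for example "-p 127.0.0.1:88:80", which adds a "-d" match to the rule); `published_ports` is a quick way to audit what a host really exposes.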