Docker 101: A short overview of Docker networking



Docker Networking:

In Docker, each container has its own networking stack.
This isolation is possible through the use of Linux kernel network namespaces.

The "docker0" bridge, the link between containers:

The docker0 bridge is a Linux virtual bridge that is created after we install Docker on a system.



"docker0" bridge: offers a way for containers to communicate with each other in a private network.

Proxy: uses iptables to make the containers reachable from the "outside" through the host's network interface "eth0".

Docker networking options:

Docker offers different options for container networking.
Using the "--network" option with the "docker run" command, we can pick the network type we want to use, as we can see below:


Below are some of the networking options available to us:
  • none: there is no network connection for the container.
  • container:shared_container: the created container shares the network namespace of "shared_container", which can be a container name or a container ID.
  • host: the container shares its network stack with the host.
Below is a diagram illustrating the "host" networking:



Remark:

The default network option is "bridge", where a virtual bridge is created to connect the containers in a private network.

Displaying "docker" networks:

To display the available Docker networks on a host, we use the command below:


The default "docker0" network:

In this mode, the containers are connected to each other via the Linux bridge docker0.

To be able to reach the "outside", the containers map their private IP addresses to the host IP address using iptables for Network Address Translation or Masquerading.

Displaying the bridge devices:

We can display the virtual bridge devices on our host using the command below:
 


Iptables rules for NAT:

We can see the iptables NAT mapping that allows the containers to connect to the "outside world" through the host's IP address using the command below:
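The NAT rules described above can also be summarised with a short script. The following is an added example, not part of the original post: it parses `iptables -t nat -S` output to list the masqueraded container subnet and each published port, and picks out ports published on every host address. The sample rules, addresses, ports and function names are constructed for illustration.

```bash
# Added example: summarise Docker's NAT rules from `iptables -t nat -S` output.
# SAMPLE_NAT_RULES is constructed for illustration (addresses and ports are made up).
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432'

# Container subnets masqueraded behind the host address on the way out.
masq_subnets() {
  awk '$1 == "-A" && $2 == "POSTROUTING" && /-j MASQUERADE/ && /! -o / {
         for (i = 3; i < NF; i++) if ($i == "-s") print $(i + 1)
       }'
}

# One line per published port: proto host_addr:host_port -> container_ip:port
published_ports() {
  awk '$1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
         dst = "0.0.0.0/0"; proto = ""; dport = ""; to = ""
         for (i = 3; i < NF; i++) {
           if ($i == "-d" && $(i - 1) != "!") dst = $(i + 1)
           if ($i == "-p") proto = $(i + 1)
           if ($i == "--dport") dport = $(i + 1)
           if ($i == "--to-destination") to = $(i + 1)
         }
         print proto, dst ":" dport, "->", to
       }'
}

# Published ports with no destination restriction, i.e. reachable on every host address.
exposed_on_all_interfaces() {
  published_ports | awk '$2 ~ /^0\.0\.0\.0\/0:/'
}

# Demo on the sample; on a real host: sudo iptables -t nat -S | exposed_on_all_interfaces
printf '%s\n' "$SAMPLE_NAT_RULES" | published_ports
```

A port published as `-p 127.0.0.1:5432:5432` carries a `-d 127.0.0.1/32` match in its DNAT rule, which is why only the 8080 mapping is reported by `exposed_on_all_interfaces`.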

