Docker Networking
Intro
Docker networking refers to the system that allows communication between Docker containers, as well as between containers and the host machine or external networks. Docker provides various networking options that enable containers to connect and communicate with each other, forming distributed applications or microservices.
Network types
Docker supports different types of networks, including bridge networks, host networks, overlay networks, and macvlan networks.
-
Bridge networks: This is the default networking mode in Docker. Containers connected to the same bridge network can communicate with each other, and the host machine can also communicate with containers on the bridge network.
-
Host networks: In this mode, containers share the host machine's network stack directly. They use the host's IP address, and there is no isolation between the host and containers in terms of networking.
-
Overlay networks: Overlay networks enable communication between containers across multiple Docker hosts, forming a swarm cluster. This allows you to create distributed applications that span multiple machines.
-
Macvlan networks: Macvlan networks allow containers to have their own MAC addresses and appear as separate devices on the physical network. This can be useful in scenarios where you need containers to have direct access to the physical network.
Inspect networks
To check the existing Docker networks on your system, you can use the Docker CLI and run the following command:
docker network ls
NETWORK ID NAME DRIVER SCOPE
cb86147a15bd bridge bridge local
5dab3e75f42d host host local
e8f44c5252de none null local
In this example, you can see multiple networks listed, including the default bridge network (bridge), and host network (host).
In Docker, the
nullnetwork type is a special type of network that provides a container with no networking capabilities. When a container is connected to thenullnetwork, it effectively isolates the container from all forms of network communication, including communication with other containers, the host machine, and external networks. We will see an example during the practice scenario.
To get more detailed information about a specific network, you can use the docker network inspect command followed by the network name or ID. For example:
docker network inspect <network>
You can apply inspect command on each container to find container network datails:
docker inspect <container_id_or_name>
This command will provide detailed information about the container, including its network configuration. The output will include a section called NetworkSettings that contains the network-related details, such as the container's IP address, connected networks, exposed ports, and more:
[
{
...
"NetworkSettings": {
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": [
"container_name"
],
"NetworkID": "network_id",
"EndpointID": "endpoint_id",
"Gateway": "gateway_ip",
"IPAddress": "container_ip",
"IPPrefixLen": 24,
...
}
}
}
...
}
]
Custom network
Creating custom networks in Docker provides flexibility, better organization, and control over network communication within your containerized applications. It allows for easier management, improved security, and scalability, making it a valuable tool for various use cases.
You can create a custom network using the belwo command:
docker network create <network_name>
bridge or overlay network drivers. If you have a custom network driver installed, you can also specify it here. If no --driver option is provided, the command defaults to creating a bridge network (The above command). Upon Docker Engine installation, a bridge network is automatically created, corresponding to the docker0 bridge that Engine traditionally relies on. When launching a container with docker run, it automatically connects to this default bridge network. Although the default bridge network cannot be removed, you can create additional networks using the network create command.
Then you can assign the network to any conatiner using --network switch:
docker run --network=<network_name> <image>
If you want to add a container to a network after the container is already running, use the
docker network connectsubcommand.
You can connect multiple containers to the same network. Once connected, the containers can communicate using only another container’s IP address or name.
You can disconnect a container from a network using the
docker network disconnectcommand.
You can read more details about docker networking in Docker Networking Overview and find docker network create deatils here: docker network create.
Host type
The "host" network mode in Docker is primarily used in specific scenarios where you need maximum performance and want containers to share the network stack of the host machine. Here are a few common use cases for the "host" network mode:
Performance Optimization: In some cases, you may have applications that require low latency and high network throughput. By using the "host" network mode, containers can directly leverage the host machine's network stack, eliminating any network virtualization overhead and achieving maximum performance.
Host Networking Dependencies: Certain applications or services may have dependencies on specific network configurations or services running on the host machine. By using the "host" network mode, containers can directly access these host services without any additional network configuration. This can simplify the deployment and reduce potential networking issues.
Network Troubleshooting and Monitoring: When troubleshooting or monitoring network-related issues, the "host" network mode can be beneficial. Containers in the "host" mode have visibility into the entire host network stack, allowing you to analyze network traffic, monitor network performance, or troubleshoot connectivity problems effectively.
Limited Network Isolation Requirements: In some cases, network isolation may not be a requirement. For example, if you are running a single container on a host and network isolation is not necessary, using the "host" network mode can simplify the setup and eliminate the need for network configuration within the container.
It's important to note that using the "host" network mode removes network isolation between containers and the host machine. Containers in the "host" mode share the same network namespace as the host, meaning they use the same IP address, network interfaces, and ports. This can potentially expose services within the containers to the host network, which may have security implications. Therefore, it's crucial to carefully consider the security requirements and potential risks before using the "host" network mode.
Exposing ports
Docker port mapping and exposing are mechanisms that allow you to make specific ports within a container accessible to the host machine or external networks. They enable communication with services running inside the container from outside sources.
- Port Mapping (Publishing):
Port mapping, also known as port publishing, allows you to map a port exposed by a container to a port on the host machine or external network. It establishes a communication pathway between the host and the container.
When running a container, you can use the-por--publishoption with the docker run command to specify the port mapping. For example:
docker run -p <host_port>:<container_port> <image_name>
Here, <host_port> represents the port on the host machine, and <container_port> represents the port exposed by the container. By specifying the port mapping, incoming connections to the host port will be forwarded to the corresponding container port.
- Port Exposing (Documenting):
Port exposing, on the other hand, is used to document the ports that the container listens on. It is achieved using the
EXPOSEinstruction in the Dockerfile.
The EXPOSE instruction informs Docker that the container listens on specific ports. It serves as documentation for other users, administrators, or developers to know which ports are intended to be used when interacting with the container.
For example, in a Dockerfile:
...
EXPOSE 8080
EXPOSE 9000/tcp
...
Here, the Dockerfile states that the container listens on ports 8080 and 9000.
We will read more about Dockerfile in the next session.
DNS Service
Different networks provide different communication patterns (for example by IP address only, or by container name) between containers depending on network type and whether it’s a Docker default or a user-defined network.
By default, containers inherit the DNS settings of the host, as defined in the /etc/resolv.conf configuration file. Containers that attach to the default bridge network receive a copy of this file. Containers that attach to a custom network use Docker’s embedded DNS server. The embedded DNS server forwards external DNS lookups to the DNS servers configured on the host.
You can configure DNS resolution on a per-container basis, using flags for the docker run or docker create command used to start the container. For example, the below command create a container with a custom DNS and hostname:
docker run --dns <custom_dns> --hostname <custom_hostname> <image_name>
--hostnameis the hostname of the container. Defaults to the container’s ID if not specified. Custom hosts, defined in/etc/hostson the host machine, aren’t inherited by containers.
Practice your knowledge
You can practice these tasks in a terminal or command prompt with Docker installed on your machine. Make sure you have Docker properly installed and configured before starting the practice scenario.
Remember to refer to Docker's official documentation for detailed information on each command and its usage. Happy learning!
Scenario
Implement the diagram below in your Docker lab:
