Docker networking is the native container SDN solution you have at your disposal when working with Docker. In a nutshell, there are four modes available for Docker networking: bridge mode, host mode, container mode, or no networking. We will have a closer look at each of those modes relevant for a single-host setup and conclude at the end of this article with some general topics such as security.
Docker network
To view Docker networks, run:
# docker network ls
To get further details on networks, run:
# docker network inspect
Default Docker Networks
Docker creates three networks automatically on install: bridge, none, and host. Specify which network a container should use with the --net flag. If you create a new network test_docker_nw, you can connect your container (test_container) with:
# docker run --net=test_docker_nw test_container
Bridge
On every Docker installation the network named bridge is the docker0 bridge, and containers connect to it by default. Run ifconfig on the Linux host to view the docker0 interface.
When you run the following command in your console, Docker returns a JSON object describing the bridge network.
# docker network inspect bridge
Docker automatically creates a subnet and gateway for the bridge network, and docker run automatically adds containers to it. If you have containers running on your network, docker network inspect displays networking information for your containers.
Any containers on the same network may communicate with one another via IP addresses. Docker does not support automatic service discovery on bridge. You must connect containers with the --link option in your docker run command.
The Docker bridge supports port mappings, and docker run --link allows communication between containers on the docker0 network. However, these techniques are error-prone and add unnecessary complexity. Just because you can use them does not mean you should. It is better to define your own networks instead.
None
This gives the container its own network stack without any external network interface. A container on the none network has only a local loopback interface.
Host
This enables a container to attach to your host’s network (meaning the configuration inside the container matches the configuration outside the container).
Defining your own networks
You can create multiple networks with Docker and add containers to one or more networks. Containers can communicate within networks but not across networks. A container with attachments to multiple networks can connect with all of the containers on all of those networks. This lets you build a “hub” of sorts to connect to multiple networks and separate concerns.
Creating a bridge network
Bridge networks (similar to the default docker0 network) offer the easiest solution to creating your own Docker network. While similar, you do not simply clone the default docker0 network, so you get some new features and lose some old ones. Follow along below to create your own my_first_ever_bridge_network and run your nginx container nx_web_server on that network:
# docker network create --driver bridge my_first_ever_bridge_network
27de0cb13467ed96d63a2d3f6063de2b914142c2ca0b2e6e47cb4d67a6211e4a
# docker network inspect my_first_ever_bridge_network
# docker network ls
NETWORK ID          NAME                           DRIVER              SCOPE
f7294467814c        bridge                         bridge              local
06551c66f206        host                           host                local
27de0cb13467        my_first_ever_bridge_network   bridge              local
9ef81245913e        none                           null                local
# docker run --net=my_first_ever_bridge_network --name=nx_web_server nginx
# docker network inspect my_first_ever_bridge_network
Any other container you create on this network can immediately connect to any other container on this network. The network isolates its containers from other (including external) networks. However, you can expose and publish container ports on the network, allowing selected services on your bridge network to be reached from outside.
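The JSON that docker network inspect prints (described above for the default bridge) is also the quickest way to check the isolation this section relies on. The script below is an added example, not code from the original article or from the Docker project: it parses a constructed inspect document in the shape of docker network inspect output (the sample network names, container names and addresses are invented, not captured from a real host), works out which containers share a bridge segment, and reports the two situations the article warns about: containers still attached to the default docker0 bridge, where --link is the only discovery mechanism and inter-container communication is on by default, and containers running with host networking. The helper names (parse_networks, reachability, findings) are this example's own.

```python
"""Audit `docker network inspect` output for container-to-container reachability.

Added example (not from the original article). Feed it real output with:
    docker network inspect $(docker network ls -q) | python3 audit_networks.py -
Without the "-" argument it runs on the constructed SAMPLE_INSPECT below.
"""
import json
import sys

# Constructed sample, shaped like `docker network inspect bridge my_first_ever_bridge_network host`.
# Network/container names, IDs and addresses are invented for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "bridge",
        "Driver": "bridge",
        "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.name": "docker0",
        },
        "Containers": {
            "aaa111": {"Name": "legacy_db", "IPv4Address": "172.17.0.2/16"},
            "bbb222": {"Name": "legacy_app", "IPv4Address": "172.17.0.3/16"},
        },
    },
    {
        "Name": "my_first_ever_bridge_network",
        "Driver": "bridge",
        "IPAM": {"Config": [{"Subnet": "172.18.0.0/16", "Gateway": "172.18.0.1"}]},
        "Options": {},
        "Containers": {
            "ccc333": {"Name": "nx_web_server", "IPv4Address": "172.18.0.2/16"},
            "ddd444": {"Name": "api", "IPv4Address": "172.18.0.3/16"},
        },
    },
    {
        "Name": "host",
        "Driver": "host",
        "IPAM": {"Config": []},
        "Options": {},
        "Containers": {"eee555": {"Name": "node_exporter", "IPv4Address": ""}},
    },
])


def parse_networks(inspect_json):
    """Reduce the inspect document to {network: {driver, subnet, icc, default_bridge, containers}}."""
    out = {}
    for net in json.loads(inspect_json):
        opts = net.get("Options") or {}
        cfg = (net.get("IPAM") or {}).get("Config") or []
        out[net["Name"]] = {
            "driver": net.get("Driver"),
            "subnet": cfg[0].get("Subnet") if cfg else None,
            # Inter-container communication is on unless the network explicitly disabled it.
            "icc": opts.get("com.docker.network.bridge.enable_icc", "true") == "true",
            "default_bridge": opts.get("com.docker.network.bridge.default_bridge") == "true",
            # Strip the prefix length so the map holds plain addresses.
            "containers": {c["Name"]: c.get("IPv4Address", "").split("/")[0]
                           for c in (net.get("Containers") or {}).values()},
        }
    return out


def reachability(networks):
    """Map each container to the containers it can reach directly over a shared bridge segment.

    A container attached to several networks reaches the union of its peers; a host-network
    container sits on no Docker segment at all (it shares the host's stack instead)."""
    peers = {}
    for net in networks.values():
        members = set(net["containers"])
        for c in members:
            peers.setdefault(c, set())
            if net["driver"] == "bridge" and net["icc"]:
                peers[c] |= members - {c}
    return peers


def findings(networks):
    """Return human-readable findings matching the article's advice."""
    out = []
    for name, net in networks.items():
        if net["default_bridge"] and net["containers"]:
            out.append(f"{sorted(net['containers'])} still on default bridge '{name}': "
                       "move them to a user-defined network instead of relying on --link")
        if net["driver"] == "host":
            for c in net["containers"]:
                out.append(f"{c} uses host networking: no network isolation from the host")
        if net["driver"] == "bridge" and net["icc"] and len(net["containers"]) > 1:
            out.append(f"'{name}' ({net['subnet']}): ICC enabled, "
                       f"{len(net['containers'])} containers can reach each other directly")
    return out


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_INSPECT
    nets = parse_networks(data)
    for container, reachable in sorted(reachability(nets).items()):
        print(f"{container}: reaches {sorted(reachable) or 'nothing on a Docker bridge'}")
    for line in findings(nets):
        print("FINDING:", line)
```

Run against a live daemon, the reachability map shows at a glance whether a user-defined network really separates concerns the way the section describes, and the findings list doubles as a cleanup checklist for containers that were started without --net and landed on docker0.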
Creating an overlay network
If you want native multi-host networking, you need to create an overlay network. These networks require a valid key-value store service, such as Consul, Etcd, or ZooKeeper. You must install and configure your key-value store service before creating your network. Your Docker hosts (you can use multiple hosts with overlay networks) must communicate with the service you choose. Each host needs to run Docker. You can provision the hosts with Docker Machine.
Open the following ports between each of your hosts:
Protocol   Port   Purpose
udp        4789   data
tcp/udp    7946   control
Check your key-value store service documentation; your service may need more ports open.
Create an overlay network by configuring options on each Docker daemon you wish to use with the network. You may set the following options:
Option                                   Description
--cluster-store=PROVIDER://URL           Describes the location of the key-value store service
--cluster-advertise=HOST_IP or
--cluster-advertise=HOST_IFACE:PORT      The IP address or interface corresponding to the clustering host
--cluster-store-opt=KEY-VALUE OPTIONS    Additional options, like a TLS certificate
- Create the overlay network in a similar manner to the bridge network (network name my_multi_host_network):
# docker network create --driver overlay my_multi_host_network
- Launch containers on each host; make sure you specify the network name:
# docker run -itd --net=my_multi_host_network my_test_container
Once you connect, every container on the network has access to all the other containers on the network, regardless of the Docker host serving the container.