Docker Networking Fundamentals: Types, Working and Usage

Relia Software

Thuoc Nguyen

Docker networking is a crucial part of this platform, providing the framework for managing communications between containers, as well as between containers and the external network. Docker supports several network types, each tailored for specific use cases. This versatility in networking options ensures that Docker can cater to a wide array of application requirements, from single-host setups to complex, multi-host distributed applications. This blog covers the fundamentals of Docker networking and how it operates.

Docker Network Types

Docker has 5 built-in network drivers implementing core networking functionality, including:

  • Bridge;
  • Host;
  • Overlay;
  • IPvLAN;
  • Macvlan.

Network namespaces are a feature of the Linux kernel that provide isolation of network resources between different sets of processes. When it comes to Docker networks, network namespaces play a critical role in providing each container or set of containers with their own network environment. Let's dive into how network namespaces are utilized in each type of Docker network.

Bridge Network

  • Network Namespace Usage: Each container in a bridge network gets its own network namespace. This isolation ensures that the processes in one container cannot directly see the network interfaces or IP addresses of another container.
  • Interaction with Bridge Network: The Docker daemon creates a pair of virtual ethernet (veth) interfaces for each container. One end of the veth pair is placed inside the container's network namespace, acting as its network interface, while the other end is attached to the Docker bridge (docker0 by default), enabling communication with other containers and the host.

Host Network

  • Network Namespace Usage: Containers that use the host network do not have their own network namespace. Instead, they share the network namespace with the host.
  • Interaction with Host Network: This means that a container using the host network will see all network interfaces of the host directly and can open ports directly on the host's IP address. There's no network isolation between such containers and the host system.

Overlay Network

  • Network Namespace Usage: Similar to bridge networks, each container in an overlay network gets its own network namespace. This provides network isolation between containers on different hosts in a Docker Swarm.
  • Interaction with Overlay Network: Docker uses network drivers and overlay networks to manage communications between containers on different hosts. This involves complex routing and data encapsulation mechanisms (like VXLAN) to ensure that containers can communicate across different hosts as if they were on the same local network.

IPvLAN Network

  • Network Namespace Usage: Containers on an IPvLAN network also get their own network namespaces, ensuring process-level network isolation.
  • Interaction with IPvLAN Network: IPvLAN allows containers to have their own IP addresses while sharing the host's MAC address. This is particularly useful when you need containers to appear as regular network devices on your LAN, but still want to keep the network traffic of different containers isolated.

Macvlan Network

  • Network Namespace Usage: Similar to IPvLAN, each container in a macvlan network gets its own network namespace.
  • Interaction with Macvlan Network: Macvlan provides the ability for a container to have its own MAC and IP address, making it appear as a physical device on the network. This is useful for running services that require direct access to the physical network, but still benefit from the isolation provided by separate network namespaces.

How Does Docker Networking Work?

Docker networking's sophistication is largely abstracted from the end-user, providing a user-friendly interface while harnessing complex underlying mechanisms. Here's a breakdown of how Docker networking functions, focusing on the interaction between the host's network stack, iptables, network namespaces, and virtual network interfaces:

Use of Host's Network Stack

  • Docker relies on the host machine's network stack to route traffic to and from containers.
  • This design leverages the robustness and efficiency of the host's existing network infrastructure, avoiding the need for additional virtual networking layers unless necessary (as in the case of overlay networks).

Manipulating iptables

  • Docker dynamically manages iptables rules to control the flow of network traffic.
  • These rules determine how data packets are forwarded, filtered, or blocked, allowing Docker to isolate network traffic of different containers and networks securely.
  • iptables serves as the backbone for implementing network isolation, NAT (Network Address Translation), and port forwarding.

Network Namespaces

  • Docker utilizes network namespaces, a feature of the Linux kernel, to provide isolated network environments for containers.
  • Each container's network stack appears to be separate from others and the host, ensuring that processes in one container cannot directly interfere with those in another.
  • Network namespaces are critical for ensuring that containers have their own IP addresses, port ranges, routing tables, and socket listings.

Virtual Network Interfaces

  • Inside a container's network namespace, Docker sets up virtual network interfaces (like veth pairs) that bridge network communications.
  • These interfaces connect the isolated network namespaces of containers to the common bridge network or directly to the host network, facilitating inter-container communication and external network access.

Abstraction and User Experience

  • While the underlying mechanisms are complex and involve low-level network manipulations, Docker abstracts these intricacies.
  • Users interact with high-level commands and definitions (like Dockerfiles and Docker Compose files), and Docker handles the background work of configuring network namespaces, iptables rules, and virtual interfaces.
  • This abstraction makes Docker networking powerful yet accessible, allowing developers to deploy, connect, and scale containerized applications without needing deep networking expertise.

Docker's networking capabilities are both powerful and versatile, supporting a wide range of application deployment scenarios. Whether you're running a few containers on a single host or orchestrating a multi-host, swarm-enabled cluster, Docker provides the tools to connect your containers efficiently and securely.

For advanced configurations or troubleshooting, Docker's documentation and community forums are valuable resources for understanding and leveraging the full potential of Docker networking.

How to Use Docker Networks?

Using Docker networks effectively involves understanding how to create, manage, and interact with networks and containers within those networks. Here's a guide on how to use Docker networks, covering network creation, connecting containers, inspecting network configurations, and cleaning up networks.

Creating Networks

To create a new network, use the [docker network create command](https://docs.docker.com/engine/reference/commandline/network_create). You can specify the driver to use, such as bridge or host, by setting the -d flag. A bridge network will be created if you omit the flag.

Run the following in your first terminal window:

docker network create demo-network -d bridge
699ff1aaec607358e6c77f66eba4767bac7760ec82a1e50d115a43ff0c158b4d

The ID of the created network is printed to your terminal. The new network is not useful yet because no containers have been connected to it.

Connecting Containers to Networks

When you run a container, you can connect it to a network using the --network flag.

docker run -it --rm --name demo-container1 --network demo-network busybox:latest

If your local machine does not have the busybox:latest image, the Docker engine downloads it from Docker Hub.

We can also connect an existing container to a network by using the command below:

docker network connect demo-network demo_container2

Host networking is different: when a container is started with --network host, it shares the host's network namespace, and the IP address of the container will be the same as the host's IP address.

Disabling Networking

Disabling networking for a Docker container means that the container will operate in complete network isolation, with no access to internal or external network traffic. This can be useful for security-sensitive applications where you want to ensure that a container cannot communicate with other containers, the host, or the internet.

docker run -it --rm --network none busybox:latest

Network Isolation: The container is not attached to any network. It does not have an IP address, cannot send or receive traffic, and cannot make any network requests.

Use Cases: This setup is often used for:

  • Running applications that require strict security and should not communicate with any external services.
  • Running batch jobs or computations that do not require network access and where network isolation ensures that the container's operation is not affected by network-related issues.
  • Testing or debugging applications in an environment without network access to understand how they behave in absence of any external communication.

Accessing the Container: Even though the container has no network access, you can still interact with it using Docker commands like docker exec to run commands inside the container or docker logs to view its logs.

Limited Capabilities: Containers with networking disabled might not be suitable for applications that require internet access for fetching updates or that need to communicate with other services for distributed processing or data retrieval.

To confirm this, run ping google.com inside the container; the result is ping: bad address 'google.com'.
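A defender's check that follows from the host and none modes described above, as an added example that is not part of the original article: it reads docker inspect JSON and reports containers that share the host's network namespace, containers with networking disabled, and, going slightly beyond the text, ports published on every host interface. The function name audit_containers and the sample containers other than demo-container1 are assumptions made for this example.

```python
import json

# Constructed sample shaped like `docker inspect <container>...` output;
# only the fields this audit reads are included.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/demo-container1",
  "HostConfig": {"NetworkMode": "demo-network",
   "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
 {"Name": "/metrics-agent",
  "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
 {"Name": "/batch-job",
  "HostConfig": {"NetworkMode": "none", "PortBindings": {}}},
 {"Name": "/db",
  "HostConfig": {"NetworkMode": "demo-network",
   "PortBindings": {"5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}]}}}
]
""")

# An empty HostIp means the port is bound on every host interface.
ALL_INTERFACES = {"", "0.0.0.0", "::"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def audit_containers(inspect_data):
    """Return (container, severity, message) findings, highest risk first."""
    findings = []
    for c in inspect_data:
        name = c["Name"].lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        mode = host_cfg.get("NetworkMode", "")
        if mode == "host":    # no network namespace of its own
            findings.append((name, "high", "shares the host network namespace"))
        elif mode == "none":  # networking disabled
            findings.append((name, "info", "networking disabled"))
        else:
            # PortBindings can be null in real output, hence the `or {}`.
            for port, binds in (host_cfg.get("PortBindings") or {}).items():
                for b in binds or []:
                    if b.get("HostIp", "") in ALL_INTERFACES:
                        findings.append((name, "medium",
                            f"{port} published on all host interfaces (host port {b.get('HostPort')})"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


if __name__ == "__main__":
    for name, severity, message in audit_containers(SAMPLE_INSPECT):
        print(f"[{severity}] {name}: {message}")
```

On a real host, pass it the parsed output of docker inspect $(docker ps -q) instead of the constructed sample.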

Removing Containers from Networks

Just as we can attach a container to a network, we can also remove a container from a network by using the command below:

docker network disconnect demo-network demo_container2

The change applies immediately. To verify it, open a shell in demo-container1 and run ping demo_container2 to confirm that the container has been disconnected from the network.

Managing Networks

  • Listing Networks

To list all networks on your Docker host, use the docker network ls command. This will display a list of all networks along with their details like network ID, name, and driver.

docker network ls

[Screenshot: output of docker network ls, listing all networks on the machine]

  • Inspecting a Network

To view detailed information about a specific network, including which containers are connected to it, IP addresses, and options, use the docker network inspect command followed by the network name or ID.

docker network inspect network_id_or_network_name

  • Pruning Unused Networks

To clean up and remove all networks not used by any containers, use the docker network prune command. This helps in maintaining a clean environment by removing any unnecessary network resources.

docker network prune

As covered in the previous sections, docker network connect, docker network disconnect, and docker network create are the other commands commonly used to manage Docker networks.
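The inspect output described above can also be used to confirm segmentation without pinging from inside a container, for instance after the docker network disconnect step. The following is an added example, not part of the original article: it takes docker network inspect JSON and reports which containers share a network, which are attached to more than one, and which networks have no containers attached. The summarize function, the backend and unused-net networks, the db container and the container IDs are assumptions made for this example.

```python
import json
from itertools import combinations

# Constructed sample shaped like `docker network inspect <network>...` output.
# The backend network, db container and IDs are made up for this example.
SAMPLE_NETWORKS = json.loads("""
[
 {"Name": "demo-network", "Driver": "bridge", "Containers": {
   "aaa111": {"Name": "demo-container1", "IPv4Address": "172.18.0.2/16"},
   "bbb222": {"Name": "demo_container2", "IPv4Address": "172.18.0.3/16"}}},
 {"Name": "backend", "Driver": "bridge", "Containers": {
   "bbb222": {"Name": "demo_container2", "IPv4Address": "172.19.0.2/16"},
   "ccc333": {"Name": "db", "IPv4Address": "172.19.0.3/16"}}},
 {"Name": "unused-net", "Driver": "bridge", "Containers": {}}
]
""")


def summarize(networks):
    """Report which containers share a network, which sit on several, and empty networks."""
    membership = {}  # container name -> set of network names
    peers = {}       # (name_a, name_b) -> networks both are attached to
    empty = []       # networks with no attached containers
    for net in networks:
        members = sorted(c["Name"] for c in (net.get("Containers") or {}).values())
        if not members:
            empty.append(net["Name"])
        for m in members:
            membership.setdefault(m, set()).add(net["Name"])
        for pair in combinations(members, 2):
            peers.setdefault(pair, []).append(net["Name"])
    # A container on more than one network can reach every segment it is attached to.
    multi_homed = sorted(n for n, nets in membership.items() if len(nets) > 1)
    return {"peers": peers, "multi_homed": multi_homed, "empty": sorted(empty)}


if __name__ == "__main__":
    report = summarize(SAMPLE_NETWORKS)
    for (a, b), nets in sorted(report["peers"].items()):
        print(f"{a} <-> {b} via {', '.join(nets)}")
    print("multi-homed:", report["multi_homed"])
    print("no containers attached:", report["empty"])
```

On a real host, pass it the parsed output of docker network inspect $(docker network ls -q); user-defined networks reported as having no containers attached are the ones docker network prune removes.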

Conclusion

Docker's networking system offers a robust and adaptable framework for orchestrating communication between containers, the Docker host, and beyond, ensuring containers can interact seamlessly either through names or IP addresses.

The platform supports a variety of pluggable network drivers such as bridge, host, overlay, and macvlan, catering to a wide spectrum of networking needs and allowing for custom, use-case-specific network configurations.

While leveraging the host's network stack, Docker ensures network isolation using Linux namespaces, providing a balance between isolation and performance. Particularly notable is the macvlan driver, which permits containers to mimic physical network devices, integrating smoothly with existing network setups.
