Docker networking overview

Fundamentals of docker networking

Docker networking

Table of contents

  1. Docker network drivers
  2. Docker networking commands

Docker network drivers

  • The Docker networking subsystem allows containers to communicate with each other and with the outside world through network drivers:

Bridge network

  • The bridge driver is the default network driver. The daemon also initializes a default bridge network (named bridge) at startup; it is legacy and should not be used, prefer user-defined bridge networks.
  • A bridge network is managed by a single Docker daemon, so only containers running on that host can connect to it.
  • Containers connected to the same bridge network can communicate with each other.
  • Containers connected to a bridge network are isolated from containers that are not connected to it.
  • Hostname resolution between containers (embedded DNS) only works on user-defined bridge networks, not on the default bridge.
  • Every port of a container is reachable by the other containers on the same bridge network, without any port publishing.

# create a user defined bridge network
docker network create -d bridge "$network"

# inspect a network (prints the connected containers' names and addresses, the subnet, the gateway, etc.)
docker network inspect "$network"

# creates a new container $container from $image in interactive mode, connects it to $network and runs $command
docker container run --network "$network" --rm --name "$container" -i -t "$image" "$command"

# connects a running container to an existing network (argument order is NETWORK then CONTAINER)
docker network connect "$network" "$container"

# disconnects a running container from an existing network
docker network disconnect "$network" "$container"

Host network

  • The container's network stack is not isolated from the host: it shares the host's network namespace.
  • As opposed to the bridge driver, it does not create a new network interface on the host.
  • From a networking point of view, the isolation is the same as if the container's command were running directly on the host.
  • Do not use the host driver for two or more containers on the same host that listen on the same port, as they would conflict.
  • The port publishing options (-p) are ignored when using this network driver.

# creates an interactive container from the busybox image using the host network driver
# running `ip addr show` in the container prints the same network interfaces as on the host
# any process listening on a port inside the container effectively listens on the host's port
docker container run --network host --rm -i -t busybox /bin/sh

Overlay network

  • Creates a distributed network among multiple hosts running Docker daemons, which sits on top of (overlays) the host-specific networks.

  • Connected containers can communicate securely when encryption is enabled (-o encrypted). Docker handles packet routing to the relevant host/daemon/container.

  • Each time a daemon initializes or joins a swarm, two networks are created on the host running the daemon:

    Name             Usage
    ingress          Default overlay network; handles the control and data traffic related to swarm services
    docker_gwbridge  Built-in bridge network that connects the daemon to the other daemons of the swarm
  • The following ports have to be open to traffic to and from each host participating in an overlay network:

    Proto  Port  Usage
    TCP    2377  Cluster management communications
    TCP    7946  Communication among nodes
    UDP    7946  Communication among nodes
    UDP    4789  Overlay network traffic itself
  • Notes:

    • User-defined overlay networks can only be created if the ingress network is present.
    • User-defined overlay networks can only be created on a swarm manager.
    • Docker services may then use the user-defined overlay network to deploy containers across the distributed set of nodes.
    • Docker services and stacks can only be created and deployed from a swarm manager.
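The three pitfalls above (containers left on the legacy default bridge, containers sharing the host network namespace, and overlay networks created without -o encrypted) can be checked from the output of docker network inspect. The audit below is an added example, not part of the original page; it assumes the JSON shape that docker network inspect prints (Name, Driver, Options, Containers) and that -o encrypted appears as an "encrypted" key in Options. The input is a constructed sample embedded inline.

```python
"""Audit `docker network inspect` JSON for the networking pitfalls described above."""
import json

# Constructed sample in the shape of: docker network inspect $(docker network ls -q)
SAMPLE_INSPECT = json.loads("""[
 {"Name": "bridge", "Driver": "bridge",
  "Options": {"com.docker.network.bridge.default_bridge": "true"},
  "Containers": {"1a2b": {"Name": "web-legacy", "IPv4Address": "172.17.0.2/16"}}},
 {"Name": "host", "Driver": "host", "Options": {},
  "Containers": {"3c4d": {"Name": "agent", "IPv4Address": ""}}},
 {"Name": "appnet", "Driver": "overlay", "Options": {},
  "Containers": {"5e6f": {"Name": "api.1.x", "IPv4Address": "10.0.1.3/24"}}},
 {"Name": "secure", "Driver": "overlay", "Options": {"encrypted": ""}, "Containers": {}},
 {"Name": "frontend", "Driver": "bridge", "Options": {},
  "Containers": {"7g8h": {"Name": "web", "IPv4Address": "172.18.0.2/16"}}}
]""")


def audit_networks(networks):
    """Return sorted (finding, network, container) tuples for the pitfalls described above.

    legacy-bridge : container attached to the daemon's default bridge (no name resolution, legacy)
    host-network  : container sharing the host's network namespace (no network isolation)
    overlay-clear : user-defined overlay network created without `-o encrypted`
    """
    findings = []
    for net in networks:
        name = net.get("Name", "")
        driver = net.get("Driver", "")
        options = net.get("Options") or {}
        containers = (net.get("Containers") or {}).values()
        # The default bridge is tagged by the daemon; the name check is a fallback.
        is_default_bridge = options.get("com.docker.network.bridge.default_bridge") == "true" or name == "bridge"
        if driver == "bridge" and is_default_bridge:
            findings.extend(("legacy-bridge", name, c["Name"]) for c in containers)
        elif driver == "host":
            findings.extend(("host-network", name, c["Name"]) for c in containers)
        elif driver == "overlay" and name != "ingress" and "encrypted" not in options:
            # Assumption: `-o encrypted` is stored as an "encrypted" key in Options.
            findings.append(("overlay-clear", name, ""))
    return sorted(findings)


if __name__ == "__main__":
    for finding, network, container in audit_networks(SAMPLE_INSPECT):
        print(f"{finding:14} network={network:10} container={container or '-'}")
```

On a real host, pipe `docker network inspect $(docker network ls -q)` into json.load and pass the result to audit_networks.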

Docker networking commands

  • Initialize a Docker swarm on host1:
# the advertised address is optional (the command prints the join token)
docker swarm init --advertise-addr="$ipaddress_host1"
  • Join host2 to the swarm as a worker:
# make 'host2' join the swarm managed by 'host1' using the join token
docker swarm join --token "$token" --advertise-addr "$ipaddress_host2" "$ipaddress_host1:2377"
  • Create a user defined overlay network on host1 (swarm manager):
# swarm management traffic encryption is enabled by default
# application data encryption is enabled with -o encrypted (alias of --opt encrypted)
# encryption is not supported on Windows nodes; such nodes won't be able to communicate on this network
docker network create -o encrypted -d overlay "$network"
  • Create a Docker service named $service on host1 (swarm manager) from $image with 5 replicas, publishing service port 80 on node port 3000:
# use service name $service
# start 5 replicas (containers) from the image $image
# publish service port 80 on node port 3000 (per-container port publishing is irrelevant in swarm mode)
# attach the service to the user defined overlay network $network
docker service create --name "$service" --replicas=5 --publish target=80,published=3000 --network "$network" "$image"
  • For simplicity's sake, we will assume that overlay networks are always used for service creation and stack deployments on swarms.