Development

Docker Bootcamp – Networking

Mailbox

Welcome back to my Docker Bootcamp Series. In my last post, I showed you how to have persistent storage for your containers. In this post, we’ll look at networking. I’ve included some basic network terminology, which is not directly related to Docker, for some extra background.

Terminology

Docker Network Types

Docker provides four different network configurations. Closed, Bridged, Joined, Open. Each configuration has different security implications.

  • Docker Network Type: Bridged – A container that has both a loopback interface and an ethernet interface that is connected to the docker bridge interface. This is the default network type. All containers using this type are part of Docker’s virtual network and can communicate with one another.  They are not accessible from the host machine by default.
  • Docker Network Type: Closed – A container that has a loopback interface but not an ethernet interface. Nothing outside the container can connect in. Programs running inside the container cannot connect out.  The most secure docker network type.  Use when your container does not require network access.
  • Docker Network Type: Joined – Two or more containers that share the same loopback and ethernet interfaces. The containers still have their own isolated memory and file systems.  Use when two containers need to communicate directly through the shared loopback interface.
  • Docker Network Type: Open – A container that has full access to the host’s network interface bypassing the docker virtual network. The container can bind to protected ports on the host, but not modify the network interfaces.  This is the least secure docker network type and should be used with caution.

Interfaces

  • Bridge Interface – Used to connect multiple networks together so they function as a single network.
  • Ethernet Interface – Used to connect one network interface to other external network interfaces. Think of it like a driveway that connects to the network of roads.
  • Loopback Interface – Used to connect one network interface back to the same internal network interface. Think of it like a circular driveway that does not connect to the network of roads.
  • Network Interface – Represents the location and address of a network device. Think of it like a house located at a street address with a mailbox. Messages are delivered for people at the address.  Messages are sent out for delivery for people at other addresses.

Additional Terms

  • Domain Name Service (DNS) – A protocol for mapping user-friendly names to IP addresses.
  • IP Address – Represents the location of a network interface on a network. Think of it as a mailing address. Containers are assigned a unique IP address at startup and lose the IP when stopped.
  • Port – Represents the sender or recipient of a message. Think of it as multiple people at the same house that can send and receive mail using the same mailbox (network interface) but have their own designated slot in the mailbox (network interface).
  • Protocol – A “language” that two parties agree upon so they can understand how to communicate. Some examples of protocols include HTTP, FTP, TCP, and IP.
  • Routing – The path a message takes to get from one network interface to another. Think of this like a letter going from one mailbox (a network interface), to the local post office (a network interface), to the regional post office (a network interface), to another regional post office (a network interface), down to the nearest local post office (a network interface), and finally being delivered to the correct mailbox (a network interface).
  • Virtual Network – Separate from the host’s physical network interface. Used to provide container isolation.  Docker maintains its own virtual network that is attached to the host. This interface is called docker0.

Commands

  • create – Create a new container in a stopped state

Command Details

You can find a full list of commands and all available flags at https://docs.docker.com/engine/reference/commandline/docker/.

create

docker create [options] image [command] [args…]
Outputs: ContainerID

–network O Connect a container to a network

  • none – Creates a closed container
  • bridge – Creates a bridged container (default)
  • container:[containername] – Creates a joined container
  • host – Creates an open container

 

Examples

 

Closed Container

  • Create, start and run an interactive container with a closed network
    • docker run -it –network none –name netclosed busybox /bin/sh
  • View network settings
    • ip addr show
      • Notice only the loopback interface exists (IP 127.0.0.1)
  • Try to ping an external network interface
    • ping -c 2 8.8.8.8 (Google’s public dns server)
      • Notice message “network is unreachable”
  • Stop the container
    • exit

Bridged Container

  • Create, start and run an interactive container with a bridged network
    • docker run -it –network bridge –name netbridge1 busybox /bin/sh
      • Since bridged is the default type you can omit the network flag
  • View network settings
    • ip addr show
      • Notice the loopback interface exists (IP 127.0.0.1)
      • Notice the ethernet interface exists (IP will vary by machine)
        • Make a note of the ip address (mine was 172.17.0.2)
  • Try to ping an external network interface
    • ping -c 2 8.8.8.8 (Google’s public dns server)
      • Notice ping results
  • Create, start and run an interactive container with a bridged network
    • docker run -it –network bridge –name netbridge2 busybox /bin/sh
  • View network settings
    • ip addr show
      • Notice the loopback interface exists (IP 127.0.0.1)
      • Notice the ethernet interface exists (IP will vary by machine)
        • Make a note of the ip address (mine was 172.17.0.3)
  • Try to ping the netbridge1 container from within netbridge2
    • ping -c 2 172.17.0.2
      • Notice ping results
  • Try to ping the netbridge2 container from within netbridge1
    • ping -c 2 172.17.0.3
      • Notice ping results
  • Try to ping the netbridge1 container from the host
    • ping 172.17.0.2
      • Notice the request timed out message.
  • Stop the containers
    • docker stop netbridge1 netbridge2

Joined Container

  • Create, start and run an interactive container with a bridged network
    • docker run -it –network bridge –name netjoin1 busybox /bin/sh
  • View network settings
    • ip addr show
      • Notice the loopback interface exists (IP 127.0.0.1)
      • Notice the ethernet interface exists (IP will vary by machine)
        • Make a note of the ip address (mine was 172.17.0.2)
  • Create, start and run an interactive container with a joined network
    • docker run -it –network container:netjoin1 –name netjoin2 busybox /bin/sh
  • View network settings
    • ip addr show
      • Notice the loopback interface exists (IP 127.0.0.1)
      • Notice the ethernet interface exists
        • The ip address matches that of netjoin1
  • Stop the containers
    • docker stop netjoin1 netjoin2

Open Container

  • Create, start and run an interactive container with an open network
    • docker run -it –network host –name netopen busybox /bin/sh
  • View network settings
    • ip addr show
      • Notice all the host network interfaces are listed including the docker0 virtual network
  • Stop the container
    • exit

Stay tuned for my next post in this series and don’t forget to clean up your containers!  Until next time, happy containers!

About the Author

More from this Author

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up
Categories