Chapter 2. Docker Networking Internals

This chapter discusses the semantics and syntax of Docker networking in detail, exposing strengths and weaknesses of the current Docker network paradigm.

It covers the following topics:

  • Configuring the IP stack for Docker
    • IPv4 support
    • Issues with IPv4 address management
    • IPv6 support
  • Configuring DNS
    • DNS basics
    • Multicast DNS
  • Configuring the Docker bridge
  • Overlay networks and underlay networks
    • What are they?
    • How does Docker use them?
    • What are some of their advantages?

Configuring the IP stack for Docker

Docker uses the IP stack to interact with the outside world using TCP or UDP. It supports the IPv4 and IPv6 addressing infrastructures, which are explained in the following subsections.

IPv4 support

By default, Docker provides IPv4 addresses to each container, which are attached to the default docker0 bridge. The IP address range can be specified while starting the Docker daemon using the --fixed-cidr flag, as shown in the following code:

$ sudo docker -d --fixed-cidr=192.168.1.0/25

We will discuss more about this in the Configuring the Docker bridge section.

The Docker daemon can listen on an IPv4 TCP endpoint (here bound to the loopback address 127.0.0.1) in addition to a Unix socket:

$ sudo docker -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock -d &

IPv6 support

IPv4 and IPv6 can run together; this is called a dual stack. This dual stack support is enabled by running the Docker daemon with the --ipv6 flag. Docker will set up the docker0 bridge with the IPv6 link-local address fe80::1. All packets shared between containers flow through this bridge.

To assign globally routable IPv6 addresses to your containers, you have to specify an IPv6 subnet to pick the addresses from.

The following commands set the IPv6 subnet via the --fixed-cidr-v6 parameter while starting Docker and also add a new route to the routing table:

# docker -d --ipv6 --fixed-cidr-v6="1553:ba3:2::/64"
# docker run -t -i --name c0 ubuntu:latest /bin/bash

The following figure shows a Docker bridge configured with an IPv6 address range:

[Figure: Docker bridge configured with an IPv6 address range]

If you check the IP address range using ifconfig inside a container, you will notice that the appropriate subnet has been assigned to the eth0 interface, as shown in the following code:

# ifconfig
eth0      Link encap:Ethernet HWaddr 02:42:ac:11:00:01
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:1/64 Scope:Link
          inet6 addr: 1553:ba3:2::242:ac11:1/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:738 (738.0 B)  TX bytes:836 (836.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

All the traffic to the 1553:ba3:2::/64 subnet will be routed via the docker0 interface.

The preceding container is assigned fe80::42:acff:fe11:1/64 as its link-local address and 1553:ba3:2::242:ac11:1/64 as its globally routable IPv6 address.

Note

Link-local and loopback addresses have link-local scope, which means they are to be used in a directly attached network (link). All other addresses have global (or universal) scope, which means they are globally routable and can be used to connect to addresses with global scope anywhere.
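The addresses in the ifconfig output above all follow from the container's MAC address, so they are predictable, which matters when writing firewall rules for a globally routable subnet. The following Python sketch is an added example, not code from the book or from Docker; the function names are hypothetical, and it assumes the pattern visible in the output: the MAC carries the IPv4 address in its last four bytes, the link-local address is the modified EUI-64 form of the MAC, and the global address is the --fixed-cidr-v6 prefix with the MAC in the low 48 bits.

```python
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Parse a colon-separated MAC such as 02:42:ac:11:00:01."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def ipv4_from_mac(mac: str) -> ipaddress.IPv4Address:
    """The last four MAC bytes are the container's IPv4 address."""
    return ipaddress.IPv4Address(mac_to_bytes(mac)[2:])


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe."""
    b = bytearray(mac_to_bytes(mac))
    b[0] ^= 0x02
    interface_id = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    prefix = bytes.fromhex("fe80" + "00" * 6)  # fe80::/64
    return ipaddress.IPv6Address(prefix + interface_id)


def global_from_mac(subnet: str, mac: str) -> ipaddress.IPv6Address:
    """Place the 48-bit MAC in the low bits of the configured subnet."""
    net = ipaddress.IPv6Network(subnet)
    if net.prefixlen > 80:
        # 128 - 48 = 80: a longer prefix leaves no room for the MAC.
        raise ValueError("subnet must be /80 or shorter to hold a MAC")
    return net.network_address + int.from_bytes(mac_to_bytes(mac), "big")


if __name__ == "__main__":
    # Values taken from the eth0 block of the ifconfig output above.
    mac = "02:42:ac:11:00:01"
    print("IPv4:      ", ipv4_from_mac(mac))
    print("link-local:", link_local_from_mac(mac))
    print("global:    ", global_from_mac("1553:ba3:2::/64", mac))
```

Running it reproduces the three addresses that ifconfig reports for eth0.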
