The docker0 bridge is the heart of default networking. When the Docker service is started, a Linux bridge is created on the host machine. The interfaces on the containers talk to the bridge, and the bridge proxies to the external world. Multiple containers on the same host can talk to each other through the Linux bridge.
How a container is attached to docker0 is selected via the --net flag, which has, in general, four modes:

--net default
--net=none
--net=container:$container2
    With this flag, the container created shares its network namespace with the container called $container2.
--net=host
    With this mode, the container created shares its network namespace with the host.
In this section, we look at how container ports are mapped to host ports. This mapping can be done either implicitly by Docker Engine or explicitly, by specifying it when the container is created.
If we create two containers called Container1 and Container2, both of them are assigned an IP address from a private IP address space and also connected to the docker0 bridge, as shown in the following figure:
Both of the preceding containers will be able to ping each other as well as reach the external world. For external access, a container port is mapped to a host port.
As mentioned in the previous section, containers use network namespaces. When the first container is created, a new network namespace is created for the container. A veth (virtual Ethernet) pair is created between the container and the Linux bridge. Traffic sent from eth0 of the container reaches the bridge through the veth interface and gets switched thereafter. The following command can be used to show a list of Linux bridges:

# show linux bridges
$ sudo brctl show
The output will be similar to the one shown as follows, with a bridge name and the veth interfaces on the containers it is mapped to:

bridge name     bridge id           STP enabled     interfaces
docker0         8000.56847afe9799   no              veth44cb727
                                                    veth98c3700
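To turn that listing into something a script can check (for example, to count how many containers are attached to docker0, or to alert when an unexpected interface appears on the bridge), the output has to be parsed, and the one awkward part is the continuation line brctl prints when a bridge carries more than one interface. The following parser is an added example and is not code from the book; the sample output it parses is constructed to match the layout shown above, with an extra bridge (the hypothetical name br-empty) that has no interfaces at all.

```python
"""Parse the text output of `brctl show` into a bridge -> interfaces map.

Added example (not from the book). The sample output below is constructed
to match the layout brctl prints, including the continuation line that
appears when a bridge has more than one interface attached.
"""

# Constructed sample: what `sudo brctl show` prints for a host with one
# Docker bridge carrying two veth interfaces, plus a bridge with none.
SAMPLE_BRCTL_OUTPUT = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
docker0\t\t8000.56847afe9799\tno\t\tveth44cb727
\t\t\t\t\t\t\tveth98c3700
br-empty\t\t8000.000000000000\tno
"""


def parse_brctl_show(text):
    """Return {bridge_name: {"id": ..., "stp": bool, "interfaces": [...]}}.

    brctl prints one row per bridge; additional interfaces appear on the
    following lines, which contain only the interface name (indented), so
    a line that starts with whitespace is attached to the most recent bridge.
    """
    bridges = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("bridge name"):
            continue  # skip blank lines and the header row
        if raw[0].isspace():
            # Continuation line: only an interface name for the current bridge.
            if current is None:
                raise ValueError("interface line before any bridge: %r" % raw)
            bridges[current]["interfaces"].append(raw.strip())
            continue
        fields = raw.split()
        if len(fields) < 3:
            raise ValueError("malformed bridge line: %r" % raw)
        name, bridge_id, stp = fields[0], fields[1], fields[2]
        current = name
        bridges[name] = {
            "id": bridge_id,
            "stp": stp.lower() == "yes",
            "interfaces": fields[3:],  # empty list when nothing is attached
        }
    return bridges


def veth_count(bridges, bridge="docker0"):
    """Number of veth* interfaces on a bridge: one per container attached
    to it, so this is a quick way to count the containers on docker0."""
    interfaces = bridges.get(bridge, {}).get("interfaces", [])
    return sum(1 for i in interfaces if i.startswith("veth"))


if __name__ == "__main__":
    parsed = parse_brctl_show(SAMPLE_BRCTL_OUTPUT)
    for name, info in parsed.items():
        print(name, info["id"], "STP=%s" % info["stp"], info["interfaces"])
    print("containers on docker0:", veth_count(parsed))
```

On a real host, replace the constructed sample with the output of subprocess.run(["brctl", "show"], capture_output=True, text=True).stdout; the parser itself does not change. Note that brctl reports only interfaces enslaved to the bridge, so a container started with --net=host or --net=none never shows up here.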
How does the container connect to the external world? The iptables nat table on the host is used to masquerade all external connections, as shown here:

$ sudo iptables -t nat -L -n
...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        !172.17.0.0/16
...
How do we reach containers from the outside world? The port mapping is again done using the iptables nat table on the host machine.
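Since both the masquerading and the port mapping live in the nat table, the same listing tells a defender which container ports are reachable from outside the host and on which host addresses. The script below is an added example, not code from the book: it parses iptables -t nat -L -n output into MASQUERADE rules and DNAT port mappings, flags mappings that match traffic on every host address, and checks that every mapping points into a masqueraded subnet. The sample output is constructed to follow the layout shown above; the DOCKER chain and the dpt:/to: rule details are those iptables prints for Docker's published ports, and the container addresses and ports are invented.

```python
"""Parse `iptables -t nat -L -n` output into Docker's masquerade and
port-mapping (DNAT) rules, and flag ports published on every host address.

Added example, not taken from the book. The sample output is constructed to
follow the layout iptables prints with -L -n; addresses and ports are invented.
"""
import ipaddress
import re

# Constructed sample: default docker0 subnet, one container publishing port 80
# on host port 8080 (all addresses) and another publishing 5432 only on loopback.
SAMPLE_NAT_OUTPUT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        !172.17.0.0/16
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:5432 to:172.17.0.3:5432
"""

DPT_RE = re.compile(r"dpt:(\d+)")
TO_RE = re.compile(r"to:([\d.]+):(\d+)")


def parse_nat_table(text):
    """Return (masquerades, dnats).

    masquerades: list of (chain, source, destination) for MASQUERADE rules.
    dnats: list of dicts with chain, proto, bind (the destination column, i.e.
           the host address the rule matches), host_port, container ip/port.
    """
    masquerades, dnats = [], []
    chain = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]  # "Chain DOCKER (2 references)" -> DOCKER
            continue
        if line.startswith("target"):
            continue  # column header row
        fields = line.split(None, 5)  # target prot opt source destination [extra]
        if len(fields) < 5:
            raise ValueError("unexpected rule line: %r" % line)
        target, proto, _opt, src, dst = fields[:5]
        extra = fields[5] if len(fields) > 5 else ""
        if target == "MASQUERADE":
            masquerades.append((chain, src, dst))
        elif target == "DNAT":
            dpt, to = DPT_RE.search(extra), TO_RE.search(extra)
            if not (dpt and to):
                raise ValueError("DNAT rule without dpt/to details: %r" % line)
            dnats.append({
                "chain": chain, "proto": proto, "bind": dst,
                "host_port": int(dpt.group(1)),
                "container_ip": to.group(1), "container_port": int(to.group(2)),
            })
    return masquerades, dnats


def published_on_all_addresses(dnats):
    """DNAT rules whose destination is 0.0.0.0/0 match traffic arriving on any
    host address, so these container ports are reachable from outside the host."""
    return [d for d in dnats if d["bind"] == "0.0.0.0/0"]


def dnat_targets_outside(masquerades, dnats):
    """Container addresses not covered by any masqueraded subnet; a non-empty
    result means a port mapping points somewhere other than a Docker bridge."""
    subnets = [ipaddress.ip_network(src) for _chain, src, _dst in masquerades
               if "/" in src]  # skip per-container hairpin rules such as 172.17.0.2
    return [d["container_ip"] for d in dnats
            if not any(ipaddress.ip_address(d["container_ip"]) in n for n in subnets)]


if __name__ == "__main__":
    masq, maps = parse_nat_table(SAMPLE_NAT_OUTPUT)
    for chain, src, dst in masq:
        print("MASQUERADE in %s: %s -> %s" % (chain, src, dst))
    for d in maps:
        print("%s %s:%d -> %s:%d" % (d["proto"], d["bind"], d["host_port"],
                                      d["container_ip"], d["container_port"]))
    print("reachable from outside:",
          [d["host_port"] for d in published_on_all_addresses(maps)])
    print("targets outside any masqueraded subnet:", dnat_targets_outside(masq, maps))
```

The bind column is the part worth watching: a port published as -p 8080:80 yields a DNAT rule with destination 0.0.0.0/0, while -p 127.0.0.1:5432:5432 yields one with destination 127.0.0.1, and only the former is reachable from other machines. Feed the script the live output of sudo iptables -t nat -L -n and diff the result against the ports you intended to expose.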