
Docker notes (IX): Network Management

Docker applications run inside containers, so how containers communicate with each other and with the outside world involves some networking knowledge. Networking is a deep subject, so this note only covers what is needed for everyday use and understanding and does not go into the more specialised details.

1. Docker default network topology

Docker Notes (II): Docker object management introduced the drivers with which Docker implements interconnection between containers and between containers and the outside: bridge (the default, a virtual bridge), host (shares the host's network stack), overlay (connects containers across Docker daemons), macvlan (assigns a MAC address to the container), none (disables all networking), and so on.

By default Docker creates a virtual bridge named docker0 when it starts; it can be thought of as a software switch. When a container is created, Docker also creates a veth pair (two virtual interfaces: a packet sent into one end is received on the other). One end of the pair is placed inside the container as eth0; the other end stays on the host, is named veth followed by a random suffix such as veth340c305, and is attached to the docker0 bridge. docker0 forwards frames between the ports attached to it, which is what allows the host and the containers, and the containers among themselves, to communicate. This is Docker's default network topology.

We can view the network interfaces on the host with ifconfig:

~$ ifconfig
docker0: flags=4163 mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:46ff:fe26:ce0b prefixlen 64 scopeid 0x20
ether 02:42:46:26:ce:0b txqueuelen 0 (Ethernet)
RX packets 16868344 bytes 127838098551 (127.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17929275 bytes 137867853738 (137.8 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth340c305: flags=4163 mtu 1500
inet6 fe80::50f7:7ff:fe8f:6e72 prefixlen 64 scopeid 0x20
ether 52:f7:07:8f:6e:72 txqueuelen 0 (Ethernet)
RX packets 8093606 bytes 126893792744 (126.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8795102 bytes 10834735399 (10.8 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

veth6c803b7: flags=4163 mtu 1500
inet6 fe80::1045:4cff:fe66:7f5a prefixlen 64 scopeid 0x20
ether 12:45:4c:66:7f:5a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 140 bytes 9832 (9.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


brctl show lists the interfaces attached to each bridge:

~$ brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.02424626ce0b no veth340c305
veth6c803b7


As can be seen above, the network interfaces veth340c305 and veth6c803b7 are attached to the virtual bridge docker0.
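Knowing which host-side veth belongs to which container is what lets you capture or filter a single container's traffic from the host. The shell functions below are an added example, not code from the original post: inside a container, /sys/class/net/eth0/iflink holds the interface index of the veth peer, and `ip -o link` on the host lists every interface with its index, so matching the two identifies the veth. The `ip -o link` sample is constructed (the container name test-dev and the interface names are taken from the post; indexes and flags are made up).

```shell
# Added example: map a container's eth0 to the host end of its veth pair.

# Constructed sample of `ip -o link` output on the host. Docker names the host end
# vethXXXXXXX and ip(8) appends "@ifNN" with the index of the peer inside the container.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
17: veth340c305@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state UP
19: veth6c803b7@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master docker0 state UP'

# veth_by_ifindex IFINDEX IP_LINK_TEXT
# Prints the host interface whose index is IFINDEX, with the "@ifNN" suffix stripped.
# Pure text processing, so it can be checked against the sample above without Docker.
veth_by_ifindex() {
    printf '%s\n' "$2" |
        awk -v idx="$1" -F'[: ]+' '$1 == idx { sub(/@.*/, "", $2); print $2 }'
}

# container_veth CONTAINER
# Reads the peer index from inside the container's network namespace (needs docker and
# root on the host) and resolves it against the live `ip -o link` listing.
container_veth() {
    peer=$(docker exec "$1" cat /sys/class/net/eth0/iflink) || return 1
    veth_by_ifindex "$peer" "$(ip -o link)"
}

# With the veth known, the container's traffic can be captured on the host without
# entering the container, e.g.:  tcpdump -ni "$(container_veth test-dev)"
```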

2. Interconnection between containers and the outside

Many of the container start commands used earlier carried a parameter such as -p 8080:8080, which maps a host port to a container port so that the service inside the container can be reached at host IP:host port. The full format is host IP:host port:container port; the first two parts can both be given, or only one of them:

    Host IP:host port:container port: maps the given port of the given host IP to the container port, for example 192.168.40.205:8090:8080

    Host IP::container port: maps a random port of the given host IP to the container port. If the host has several IPs, this form lets you choose which host IP is bound, with a random port in the range 49000~49900

    Host port:container port: maps the given port on all of the host's network interfaces to the container port; 8090:8080 is equivalent to 0.0.0.0:8090:8080 (0.0.0.0 means all interface addresses)

The port mapping of a container can be viewed with docker port <container ID or name> <container port>, or with docker ps, for example:

~$ docker port test-dev 8080
0.0.0.0:32768

~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
696a76944e72 cnbots:dev "/bin/sh -c '/usr/lo…" 23 minutes ago Up 23 minutes 0.0.0.0:32768->8080/tcp test-dev


When starting a container, -p can be given several times to map several ports.

If no particular host port is needed, -P (upper case) can be used to let Docker assign a random host port (in the range 49000~49900), for example docker run -d -P --name test-dev test:dev; the port actually chosen can then be found with docker port <container ID or name> <container port> or with docker ps.

3. Interconnection between containers

Containers under the same Docker daemon can reach each other through their container IPs (to find a container's IP, use docker inspect with the container name or ID). If two containers should be able to reach each other directly by container name, a user-defined Docker network can be created.

# Create a custom network; -d gives the network driver, which can be bridge (a software switch) or overlay (connects containers across Docker daemons)
~$ docker network create -d bridge my-net
0c97fc265ed1cab67d84b9376d6914c9558419c73bb5abc040e75c945cd99f0a
# Start a CentOS container centos1, selecting the custom network with --network
~$ docker run -it --name centos1 --network my-net centos:7.3.1611 bash
[root@3dcf507bd12a /]#
# Start another CentOS container centos2 (in a second window) on the same custom network
~$ docker run -it --name centos2 --network my-net centos:7.3.1611 bash
[root@16dcce660a89 /]#
# Ping centos2 by name from inside centos1
[root@3dcf507bd12a /]# ping centos2
PING centos2 (172.19.0.2) 56(84) bytes of data.
64 bytes from centos2.my-net (172.19.0.2): icmp_seq=1 ttl=64 time=0.111 ms
64 bytes from centos2.my-net (172.19.0.2): icmp_seq=2 ttl=64 time=0.058 ms
# Ping centos1 by name from inside centos2
[root@16dcce660a89 /]# ping centos1
PING centos1 (172.19.0.3) 56(84) bytes of data.
64 bytes from centos1.my-net (172.19.0.3): icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from centos1.my-net (172.19.0.3): icmp_seq=2 ttl=64 time=0.054 ms


Clearly, containers attached to a user-defined bridge network can reach each other by container name. If several containers need to be interconnected, Docker Compose can be used.

4. Configuring DNS for containers

To customize the DNS servers of all containers, add the following to /etc/docker/daemon.json:

{
"dns" : [
"114.114.114.114",
"8.8.8.8"
]
}


DNS can also be configured for a single container at startup with the --dns=IP_ADDRESS parameter, which writes the given DNS address into the container's /etc/resolv.conf; the container then uses that DNS server to resolve every hostname not found in its /etc/hosts.

5. Docker's underlying network implementation

Container network access control is implemented and managed mainly through the iptables firewall on Linux.

1. Containers accessing the external network. For a container to reach the external network, IP forwarding must be enabled on the local system. It can be checked with the following command:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# 1 means forwarding is enabled, 0 means it is disabled. It can be enabled with sysctl -w net.ipv4.ip_forward=1, or with the --ip-forward=true parameter when the Docker service starts.

When a container accesses the external network, the source address of its traffic is NATed to the IP address of the local system. This is done with the iptables source-address masquerade operation:

~# iptables -t nat -nL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 0.0.0.0/0

The rule above dynamically masquerades traffic from any source address in 172.17.0.0/16 (the subnet the container IPs belong to) towards any destination (including the external network), so that it appears to originate from the system's network interface. The advantage of MASQUERADE over traditional SNAT is that it obtains the address from the outgoing interface dynamically instead of needing a fixed address.

2. External access to containers

Port mappings given with -p or -P allow external access to container ports; under the hood they add corresponding rules to the nat table of the local iptables, for example:

~# iptables -t nat -nL
Chain DOCKER (2 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 to:172.17.0.2:3306
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:11090 to:172.17.0.3:11090


The rules here match the destination 0.0.0.0/0, meaning that traffic arriving on any of the host's network interfaces is accepted and forwarded to the container.
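The port-mapping formats of section 2 and the DNAT and MASQUERADE rules above are two views of the same configuration. The shell functions below are an added example, not code from the original post: they parse a constructed `iptables -t nat -nL` listing (modelled on the output above, plus one extra rule published on 127.0.0.1 for contrast) to report which container subnet is masqueraded and which published ports are reachable on every host interface. Because a DNATed packet is forwarded to the container rather than delivered to the host, INPUT-chain rules such as those managed by ufw never see it, which is why binding to 127.0.0.1 or a specific host IP matters.

```shell
# Added example: audit Docker's nat-table rules for exposed ports and masqueraded subnets.

# Constructed sample of `iptables -t nat -nL` (the last DNAT rule is made up to show the
# difference an explicit host IP makes, as in -p 127.0.0.1:11090:11090).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306 to:172.17.0.2:3306
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:11090 to:172.17.0.3:11090'

# masq_subnets NAT_TEXT -> container subnets whose outbound traffic is rewritten to the host IP
masq_subnets() {
    printf '%s\n' "$1" | awk '$1 == "MASQUERADE" { print $4 }'
}

# published_ports NAT_TEXT -> one line per DNAT rule: "hostaddr hostport containeraddr:port"
# Columns 1-5 are target/prot/opt/source/destination; the match details follow.
published_ports() {
    printf '%s\n' "$1" | awk '$1 == "DNAT" {
        hp = ""; to = ""
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^dpt:/) hp = substr($i, 5)
            if ($i ~ /^to:/)  to = substr($i, 4)
        }
        print $5, hp, to
    }'
}

# exposed_ports NAT_TEXT -> only the mappings bound on all interfaces (destination 0.0.0.0/0),
# i.e. ports published as HOSTPORT:CONTAINERPORT without a host IP.
exposed_ports() {
    published_ports "$1" | awk '$1 == "0.0.0.0/0"'
}

# On a live host:  exposed_ports "$(iptables -t nat -nL)"
```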

3. Interconnection between containers. Two conditions must be met: 1) the containers' network topology must be connected; by default containers are attached to the docker0 bridge, so they are connected. 2) The local system's iptables firewall must allow the traffic through. When containers are connected with --link, the corresponding rules are created in iptables.

6. Summary

This article has organised the basic Docker networking knowledge and should give a reasonable understanding of the communication mechanisms between containers and between containers and the outside. Beyond the default network implementation, Docker also provides network configuration and customisation options; for the sake of space, this article stops here.


Related Reading

Docker Notes (I): What is Docker

Docker Notes (II): Docker object management

Docker Notes (III): Docker installation and configuration

Docker Notes (IV): Docker image management

Docker Notes (V): Building your own image

Docker Notes (VI): Container management

Docker Notes (VII): Installing common services: Nginx, MySQL, Redis

Docker Notes (VIII): Data management


