Docker Network Fundamentals

Computer Network Model

Network Interfaces in Linux

(1) View network interfaces (NICs)
    ip link show
    ls /sys/class/net
    ip a
    ifconfig
(2) Network Interface Details
- Interpreting `ip a` output:
    State: UP/DOWN/UNKNOWN
    link/ether: MAC address
    inet: Assigned IP address
- Configuration files:
    cat /etc/sysconfig/network-scripts/ifcfg-eth0
- Adding an IP address to an interface:
    - Edit the ifcfg-* file directly.
    - Use commands:
        - Add IP address:
            ip addr add 192.168.0.100/24 dev eth0
        - Remove IP address:
            ip addr delete 192.168.0.100/24 dev eth0
- Starting and stopping an interface:
    Restart networking: service network restart / systemctl restart network
    Start/Stop a specific interface: ifup/ifdown eth0 or ip link set eth0 up/down
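The three fields called out above (state, link/ether, inet) are what you usually want from `ip a`, so here is an added example, not part of the original notes, that reduces the verbose output to one line per interface. It reads `ip a` text on stdin; the capture in SAMPLE is constructed for offline use and mirrors a container's lo, eth0 and a DOWN veth end. Run it with `--live` to summarise the current host instead.

```shell
#!/bin/sh
# Summarise `ip a` output as "name state mac ipv4[,ipv4...]", one interface per line.
# Reads the text on stdin so it works on a saved capture or on live output.
summarize_ip_a() {
    awk '
        # Header line, e.g. "2: eth0: <BROADCAST,...> mtu 1500 ... state UP ..."
        /^[0-9]+: / {
            if (name != "") print name, state, mac, inet
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)   # "veth1@if4:" -> "veth1"
            state = "?"; mac = "-"; inet = "-"
            for (i = 1; i <= NF; i++) if ($i == "state") state = $(i+1)
            next
        }
        $1 == "link/ether"    { mac = $2 }
        $1 == "link/loopback" { mac = $2 }
        $1 == "inet"          { inet = (inet == "-") ? $2 : inet "," $2 }   # IPv4 only; inet6 is skipped
        END { if (name != "") print name, state, mac, inet }
    '
}

# Print the names of interfaces in a given state (UP, DOWN or UNKNOWN).
interfaces_in_state() {
    summarize_ip_a | awk -v s="$1" '$2 == s { print $1 }'
}

# Constructed sample capture (not real output from any host).
SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
3: veth1@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 9a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.11/24 scope global veth1
       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--live" ]; then
    ip a | summarize_ip_a
else
    printf '%s\n' "$SAMPLE" | summarize_ip_a
    echo "interfaces not yet UP:"
    printf '%s\n' "$SAMPLE" | interfaces_in_state DOWN
fi
```

Note that lo reports UNKNOWN rather than UP even when it is working; that is normal for loopback and for some virtual interfaces, so filter on DOWN rather than on "not UP" when looking for links that still need `ip link set ... up`.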

Network Namespace

In Linux, network isolation is managed by network namespaces. Different network namespaces are isolated from each other.

Managing network namespaces:
    ip netns list   # View namespaces
    ip netns add ns1 # Create a namespace
    ip netns delete ns1 # Delete a namespace

Practical example:
(1) Create a network namespace.
    ip netns add ns1
(2) Check network interfaces within the namespace.
    ip netns exec ns1 ip a
(3) Start the loopback interface inside ns1 (two methods).
    ip netns exec ns1 ifup lo
    ip netns exec ns1 ip link set lo up
(4) Check again. The state should now be UNKNOWN.
(5) Create a second network namespace.
    ip netns add ns2
(6) Connect the two namespaces. Use a Virtual Ethernet Pair (veth pair), which is a pair of virtual interfaces connected to each other: whatever enters one end comes out of the other.
(7) Create a veth pair.
    ip link add veth1 type veth peer name veth2
(8) View link status.
    ip link
(9) Move veth1 into ns1 and veth2 into ns2.
    ip link set veth1 netns ns1
    ip link set veth2 netns ns2
(10) Check link status on the host, ns1, and ns2.
    ip link
    ip netns exec ns1 ip link
    ip netns exec ns2 ip link
(11) Assign IP addresses to the interfaces. Currently they have none.
    ip netns exec ns1 ip addr add 192.168.0.11/24 dev veth1
    ip netns exec ns2 ip addr add 192.168.0.12/24 dev veth2
(12) Check again. The state is DOWN and the IP addresses are not yet active.
    ip netns exec ns1 ip link
    ip netns exec ns2 ip link
(13) Bring the interfaces up.
    ip netns exec ns1 ip link set veth1 up
    ip netns exec ns2 ip link set veth2 up
(14) Verify the interfaces are now UP and have their assigned IPs.
    ip netns exec ns1 ip a
    ip netns exec ns2 ip a
(15) Test connectivity between the two namespaces.
    ip netns exec ns1 ping 192.168.0.12
    ip netns exec ns2 ping 192.168.0.11
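The fifteen steps above, as an added example that is not part of the original notes, collected into a script with a dry-run mode and a teardown. The namespace, interface and address names are the ones used in the steps (ns1/ns2, veth1/veth2, 192.168.0.11/24 and .12/24) and can be overridden through environment variables. Creating namespaces and links needs CAP_NET_ADMIN, so run `up`, `check` and `down` as root; `plan`, or any mode with DRY_RUN=1 set, only prints the commands.

```shell
#!/bin/sh
# Two-namespace veth lab: build, verify with ping, and tear down.
NS_A=${NS_A:-ns1};   NS_B=${NS_B:-ns2}
IF_A=${IF_A:-veth1}; IF_B=${IF_B:-veth2}
IP_A=${IP_A:-192.168.0.11/24}; IP_B=${IP_B:-192.168.0.12/24}

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Steps (1)-(13): namespaces, loopbacks, veth pair, addresses, links up.
lab_up() {
    run ip netns add "$NS_A"
    run ip netns add "$NS_B"
    run ip netns exec "$NS_A" ip link set lo up
    run ip netns exec "$NS_B" ip link set lo up
    run ip link add "$IF_A" type veth peer name "$IF_B"
    run ip link set "$IF_A" netns "$NS_A"
    run ip link set "$IF_B" netns "$NS_B"
    run ip netns exec "$NS_A" ip addr add "$IP_A" dev "$IF_A"
    run ip netns exec "$NS_B" ip addr add "$IP_B" dev "$IF_B"
    run ip netns exec "$NS_A" ip link set "$IF_A" up
    run ip netns exec "$NS_B" ip link set "$IF_B" up
}

# Step (15): one ping in each direction with a one-second timeout, so a broken
# link fails fast instead of hanging. ${IP_B%/*} strips the /24 prefix length.
lab_check() {
    run ip netns exec "$NS_A" ping -c 1 -W 1 "${IP_B%/*}"
    run ip netns exec "$NS_B" ping -c 1 -W 1 "${IP_A%/*}"
}

# Teardown. Deleting a namespace removes the veth end that was moved into it,
# and removing one end of a veth pair removes the peer, so two deletes suffice.
lab_down() {
    run ip netns delete "$NS_A"
    run ip netns delete "$NS_B"
}

# Print the exact command sequence lab_up would run, without touching the host.
lab_plan() {
    ( DRY_RUN=1; lab_up )
}

case "${1:-}" in
    up)    lab_up ;;
    check) lab_check ;;
    down)  lab_down ;;
    plan)  lab_plan ;;
    *)     echo "usage: $0 up|check|down|plan   (DRY_RUN=1 prints instead of executing)" >&2 ;;
esac
```

Run `plan` first and compare it with the numbered steps; then `up`, `check`, and `down` once finished, so the lab does not leave stray namespaces behind on a shared host.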

Docker Container Networking - Bridge Mode

(1) Docker's default bridge network is docker0.

Q: How can the CentOS host communicate with containers?
A: The container (e.g., tomcat01) has an interface (eth0) which is one end of a veth pair. The other end (e.g., veth3) is connected to the host's docker0 bridge.

Confirm this using the bridge utility:
    yum install bridge-utils
    brctl show

Q: How can containers communicate with each other?
A: Through the bridge network mode, which is Docker's default. View Docker's network modes:
    docker network ls
Inspect the default bridge network:
    docker network inspect bridge

Containers can access the external internet through this bridge.

Creating a Custom Network

(1) Create a network of type 'bridge'.
    docker network create my-bridge-net
    # Or specify a subnet:
    docker network create --subnet=172.18.0.0/24 my-bridge-net
(2) List all networks.
    docker network ls
(3) Inspect the new network's details.
    docker network inspect my-bridge-net
(4) Run a container attached to this custom network.
    docker run -d --name custom-net-container --network my-bridge-net tomcat
(5) Check the container's network information.
    docker exec -it custom-net-container ip a
(6) View bridge interface connections.
    brctl show

Q: Why can't the new container ping a container on the default bridge (e.g., tomcat01)?
A: They are on separate, isolated networks. Connect the existing container to the custom network:
    docker network connect my-bridge-net tomcat01
Inspect 'my-bridge-net' again. Both containers will now be listed.
Containers on the same bridge can ping each other by IP address and by container name.

Host and None Network Modes

Host Mode

(1) Run a container using the host's network stack.
    docker run -d --name host-mode-tomcat --network host tomcat
(2) Check its network interfaces. It will share the host's network namespace.
    docker exec -it host-mode-tomcat ip a

None Mode

(1) Run a container with no network interfaces.
    docker run -d --name none-mode-tomcat --network none tomcat
(2) Check its network. Only a loopback interface will be present.
    docker exec -it none-mode-tomcat ip a
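The custom-network and host-mode sections above together describe the three isolation levels a container can end up with: the default bridge, where every attached container can reach every other one; a user-defined bridge, which is isolated from other networks unless you `docker network connect` across them (and where name resolution between containers works); and host mode, where the container has no network namespace of its own. The following is an added example, not part of the original notes, that audits running containers along those lines. It reads "name networkmode" lines, which is what the `docker inspect --format` command in the comment prints live; the inventory in SAMPLE_INVENTORY is constructed and reuses the container names from this page.

```shell
#!/bin/sh
# Audit which network each container is attached to.
# Input: one "container network-mode" line per container, as produced live by
#   docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q)
# (docker inspect prefixes names with "/", which is stripped below; a container
# started without --network reports "default", which means the default bridge).

# Containers sharing the host's network namespace: no network isolation at all,
# and every port they listen on is a host port.
host_mode_containers() {
    awk '{ sub(/^\//, "", $1) } $2 == "host" { print $1 }'
}

# Containers on Docker's default bridge (docker0): reachable by IP from every
# other container on that bridge, since inter-container traffic is allowed there.
default_bridge_containers() {
    awk '{ sub(/^\//, "", $1) } $2 == "bridge" || $2 == "default" { print $1 }'
}

# One line per network: "network: c1 c2 ...". Containers on the same line can
# talk to each other directly; containers on different user-defined bridges
# cannot, unless one is connected to the other network as well.
peers_by_network() {
    awk '{ sub(/^\//, "", $1); members[$2] = members[$2] " " $1 }
         END { for (n in members) print n ":" members[n] }' | sort
}

# Constructed inventory (not real docker output).
SAMPLE_INVENTORY='/tomcat01 bridge
/custom-net-container my-bridge-net
/host-mode-tomcat host
/none-mode-tomcat none
/web2 my-bridge-net'

if [ "${1:-}" = "--live" ]; then
    inventory=$(docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $(docker ps -q))
else
    inventory=$SAMPLE_INVENTORY
fi
echo "host-mode containers (share the host network namespace):"
printf '%s\n' "$inventory" | host_mode_containers
echo "containers on the default bridge:"
printf '%s\n' "$inventory" | default_bridge_containers
echo "peers by network:"
printf '%s\n' "$inventory" | peers_by_network
```

Sample output on the constructed inventory lists host-mode-tomcat under host mode, tomcat01 on the default bridge, and custom-net-container and web2 as peers on my-bridge-net; a container that must be unreachable from its neighbours should appear on a network of its own, or in none mode as shown above.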

Multi-Host Container Communication

(1) Enable communication between container networks across different hosts.
(2) Ensure container IP addresses do not conflict across hosts.
(3) Tunnel container network traffic through the hosts' physical interfaces.
(4) Achieved using VXLAN (Virtual Extensible LAN) technology.
(5) Terminology:
    Underlay Network: The physical network infrastructure (host IPs).
    Overlay Network: The virtual network built on top (container IPs).

Tags: docker Linux networking Network Namespace Virtual Ethernet Pair Bridge Network

Posted on Mon, 18 May 2026 01:12:04 +0000 by Fractal