Getting started with Docker networking
In this article we are going to learn how to create a network and use the network.
Listing all the Docker networks
Run the following command; its output is shown below it.
docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
e152bd78da     bridge    bridge    local
7e94216ea4     host      host      local
9eb7b364ec     none      null      local
In the output above you can see the DRIVER column: the default network uses the bridge driver, so a bridge network is created by default when Docker is installed.
If you don't specify a network when running a container, it is attached to this default bridge network. Bridge networks are used when your application runs in standalone containers that need to communicate with each other.
There is a host network as well. For a standalone container, it removes the network isolation between the container and the Docker host.
User-defined bridge networks are used when you need multiple containers on the same Docker host to communicate.
Host networks are best when the network stack should not be isolated from the Docker host. The container shares the host's networking namespace and does not get allocated its own IP address.
Overlay networks are best when containers running on different Docker hosts need to communicate, or when multiple applications work together as swarm services.
Docker with IPTables
Docker manipulates iptables rules to provide network isolation. If you are running Docker on a Host which is exposed to the Internet, you will probably want to have iptables policies in place to prevent unauthorized access to containers or any other services that are running on the host system.
Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first.
All of Docker's iptables rules are added to the DOCKER chain. Don't manipulate this chain manually. If you need to add rules which are evaluated before Docker's rules, add them to the DOCKER-USER chain; these rules are applied before any rules Docker creates automatically.
Using the host network
The host network already exists (it appears in the docker network ls output), so there is nothing to create. Run a container on it:
docker run --rm -d --network host --name my_nginx nginx
--rm : automatically remove the container when it exits
Then verify that no new IP address was allocated to the container; it shares the host's network namespace.
Creating a user-defined bridge network
docker network create new_net
You can inspect the new network:
docker inspect new_net
[
    {
        "Name": "new_net",
        "Id": "8cd40b2f992bd6045824c70163dbe93462200d46897dbff18fe71",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.xx.0.0/16",
                    "Gateway": "172.xx.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "f9dca1401da2e6a42f124799c282592f5586cd8587c665ec32bc284": {
                "Name": "my_nginx",
                "EndpointID": "0e14e2e057c56e6583ddb7a6fed7a2545f08d3c0ec95314b3f290c2fc5678"
            }
        },
        "Options": {},
        "Labels": {}
    }
]
Now let's run a container on this network:
docker run --rm -d --network new_net --name my_nginx nginx
What if the container is already running? You can connect a running container (here one named nginx) to the network:
docker network connect new_net nginx
To disconnect a container (here one named alp) from the user-defined bridge network:
docker network disconnect new_net alp
Restricting connections to the Docker host
By default, all external source IPs are allowed to connect to the Docker host. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER-USER filter chain. For example, the rule below blocks external access from all IP addresses except 192.168.1.1:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.1 -j DROP
Note that you will need to change ext_if to your host's actual external interface. You could instead allow connections from a source subnet. The following rule only allows access from the subnet 192.168.1.0/20:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/20 -j DROP
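As an added example (not part of the article), the following POSIX shell script generates the DOCKER-USER rules for one external interface and one allowed source network, and applies them only when asked. It puts an ESTABLISHED,RELATED accept in front of the DROP, because DOCKER-USER is consulted for every forwarded packet and the single negated DROP rule shown above also discards replies to connections the containers themselves open to the Internet (those replies arrive on the external interface from arbitrary source addresses). The interface name ext_if and the subnet 192.168.1.0/24 are placeholder values chosen for this example.

```shell
#!/bin/sh
# Added example: build and optionally apply a DOCKER-USER policy that admits
# only one source network on the external interface. Values are placeholders.

# Print the iptables commands for interface $1 and allowed source $2.
# The chain is flushed and rules are appended (-A) so they land in exactly
# the order listed; several "-I" commands would end up in reverse order.
# Flushing removes Docker's default RETURN rule, so it is re-added last.
docker_user_policy() {
    [ -n "$1" ] && [ -n "$2" ] || {
        echo "usage: docker_user_policy IFACE CIDR" >&2
        return 2
    }
    cat <<EOF
iptables -F DOCKER-USER
iptables -A DOCKER-USER -i $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER-USER -i $1 -s $2 -j ACCEPT
iptables -A DOCKER-USER -i $1 -j DROP
iptables -A DOCKER-USER -j RETURN
EOF
}

# Execute the policy. Needs root and an existing DOCKER-USER chain, i.e. a
# running Docker daemon. Each command is echoed before it runs; the first
# failure aborts the loop and the function returns non-zero.
apply_docker_user_policy() {
    docker_user_policy "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || exit 1
    done
}

# Dry run by default (prints the rules). Pass --apply IFACE CIDR to change
# the live ruleset. The defaults below are constructed for this example.
if [ "${1:-}" = "--apply" ]; then
    apply_docker_user_policy "${2:-ext_if}" "${3:-192.168.1.0/24}"
else
    docker_user_policy "ext_if" "192.168.1.0/24"
fi
```

Review the dry-run output with iptables -L DOCKER-USER -n -v after applying; the ACCEPT counter on the conntrack rule should grow when a container reaches out to the Internet.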
That was it, a very short article explaining basic networking on Docker, but I'll try to add more on networking in the coming days.