
Networking

Networking overview

Container networking refers to the ability for containers to connect to and communicate with each other, or to non-Docker workloads.

Containers have networking enabled by default, and they can make outgoing connections. A container has no information about what kind of network it's attached to, or whether its peers are also Docker workloads or not. A container only sees a network interface with an IP address, a gateway, a routing table, DNS services, and other networking details. That is, unless the container uses the none network driver.

This page describes networking from the point of view of the container, and the concepts around container networking. This page doesn't describe OS-specific details about how Docker networks work. For information about how Docker manipulates iptables rules on Linux, see Packet filtering and firewalls.

User-defined networks

You can create custom, user-defined networks, and connect multiple containers to the same network. Once connected to a user-defined network, containers can communicate with each other using container IP addresses or container names.

The following example creates a network using the bridge network driver and runs a container in the created network:

$ docker network create -d bridge my-net
$ docker run --network=my-net -itd --name=container3 busybox

Drivers

The following network drivers are available by default, and provide core networking functionality:

Driver    Description
bridge    The default network driver.
host      Remove network isolation between the container and the Docker host.
none      Completely isolate a container from the host and other containers.
overlay   Overlay networks connect multiple Docker daemons together.
ipvlan    IPvlan networks provide full control over both IPv4 and IPv6 addressing.
macvlan   Assign a MAC address to a container.

For more information about the different drivers, see Network drivers overview.

Container networks

In addition to user-defined networks, you can attach a container to another container's networking stack directly, using the --network container: flag format.

The following flags aren't supported for containers using the container: networking mode:

--add-host
--hostname
--dns
--dns-search
--dns-option
--mac-address
--publish
--publish-all
--expose

The following example runs a Redis container, with Redis binding to localhost, then runs the redis-cli command and connects to the Redis server over the localhost interface.

$ docker run -d --name redis example/redis --bind 127.0.0.1
$ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1

Published ports

By default, when you create or run a container using docker create or docker run, containers on bridge networks don't expose any ports to the outside world. Use the --publish or -p flag to make a port available to services outside the bridge network. This creates a firewall rule in the host, mapping a container port to a port on the Docker host so that it is reachable from outside. Here are some examples:

Flag value                      Description
-p 8080:80                      Map port 8080 on the Docker host to TCP port 80 in the container.
-p 192.168.1.100:8080:80        Map port 8080 on the Docker host IP 192.168.1.100 to TCP port 80 in the container.
-p 8080:80/udp                  Map port 8080 on the Docker host to UDP port 80 in the container.
-p 8080:80/tcp -p 8080:80/udp   Map TCP port 8080 on the Docker host to TCP port 80 in the container, and map UDP port 8080 on the Docker host to UDP port 80 in the container.

Important

Publishing container ports is insecure by default. That is, when you publish a container's ports it becomes available not only to the Docker host, but to the outside world as well.

If you include the localhost IP address (127.0.0.1, or ::1) with the publish flag, only the Docker host and its containers can access the published container port.

$ docker run -p 127.0.0.1:8080:80 -p '[::1]:8080:80' nginx

Warning

Hosts within the same L2 segment (for example, hosts connected to the same network switch) can reach ports published to localhost. For more information, see moby/moby#45610.

If you want to make a container accessible to other containers, it isn't necessary to publish the container's ports. You can enable inter-container communication by connecting the containers to the same network, usually a bridge network.

Ports on the host's IPv6 addresses will map to the container's IPv4 addressif no host IP is given in a port mapping, the bridge network is IPv4-only,and --userland-proxy=true (default).

For more information about port mapping, including how to disable it and use direct routing to containers, see Packet filtering and firewalls.

IP address and hostname

By default, the container gets an IP address for every Docker network it attaches to. A container receives an IP address out of the IP subnet of the network. The Docker daemon performs dynamic subnetting and IP address allocation for containers. Each network also has a default subnet mask and gateway.

You can connect a running container to multiple networks, either by passing the --network flag multiple times when creating the container, or using the docker network connect command for already running containers. In both cases, you can use the --ip or --ip6 flags to specify the container's IP address on that particular network.

In the same way, a container's hostname defaults to be the container's ID in Docker. You can override the hostname using --hostname. When connecting to an existing network using docker network connect, you can use the --alias flag to specify an additional network alias for the container on that network.

DNS services

Containers use the same DNS servers as the host by default, but you can override this with --dns.

By default, containers inherit the DNS settings as defined in the /etc/resolv.conf configuration file. Containers that attach to the default bridge network receive a copy of this file. Containers that attach to a custom network use Docker's embedded DNS server. The embedded DNS server forwards external DNS lookups to the DNS servers configured on the host.

You can configure DNS resolution on a per-container basis, using flags for the docker run or docker create command used to start the container. The following table describes the available docker run flags related to DNS configuration.

Flag           Description
--dns          The IP address of a DNS server. To specify multiple DNS servers, use multiple --dns flags. DNS requests will be forwarded from the container's network namespace so, for example, --dns=127.0.0.1 refers to the container's own loopback address.
--dns-search   A DNS search domain to search non-fully qualified hostnames. To specify multiple DNS search prefixes, use multiple --dns-search flags.
--dns-opt      A key-value pair representing a DNS option and its value. See your operating system's documentation for resolv.conf for valid options.
--hostname     The hostname a container uses for itself. Defaults to the container's ID if not specified.

Custom hosts

Your container will have lines in /etc/hosts which define the hostname of the container itself, as well as localhost and a few other common things. Custom hosts, defined in /etc/hosts on the host machine, aren't inherited by containers. To pass additional hosts into a container, refer to add entries to container hosts file in the docker run reference documentation.
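The three rules stated on this page (ports published without a host IP are reachable from outside the host, the flags listed under Container networks are rejected in container: mode, and a loopback --dns address refers to the container's own loopback) are easy to check before a docker run command ever reaches a daemon. The following Python linter is an added example, not code from Docker or its documentation: it parses the option part of a docker run command line, using the [host_ip:]host_port:container_port[/proto] publish format shown in the table above, and reports each rule it finds violated. The command lines it is fed are constructed for the example (the 192.0.2.53 resolver is a TEST-NET address); port ranges such as 8000-8010:80 and unbracketed IPv6 host addresses are intentionally left unhandled.

```python
"""Lint a `docker run` command line against the networking rules on this page."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flags the page lists as unsupported together with --network container:<name>.
CONTAINER_MODE_UNSUPPORTED = {
    "--add-host", "--hostname", "--dns", "--dns-search", "--dns-option",
    "--mac-address", "--publish", "--publish-all", "--expose",
}
# Short forms and alternate spellings, normalised to one long name.
ALIASES = {"-p": "--publish", "-P": "--publish-all", "-h": "--hostname",
           "--dns-opt": "--dns-option", "--net": "--network"}
# Flags whose next token (or =value) is their argument; anything else
# (-d, -it, --rm, ...) is treated as value-less. Only the flags this linter
# reasons about need to be listed here.
VALUE_FLAGS = (CONTAINER_MODE_UNSUPPORTED - {"--publish-all"}) | {
    "--network", "--name", "--ip", "--ip6", "--alias",
}


@dataclass
class PortMapping:
    host_ip: Optional[str]     # None: bound on every host interface
    host_port: Optional[int]   # None: Docker chooses an ephemeral host port
    container_port: int
    proto: str


def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_publish(spec: str) -> PortMapping:
    """Parse [host_ip:]host_port:container_port[/proto]; IPv6 host IPs in brackets."""
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol: {proto}")
    host_ip: Optional[str] = None
    if body.startswith("["):                      # e.g. [::1]:8080:80
        close = body.index("]")
        host_ip = body[1:close]
        body = body[close + 1:]
        if not body.startswith(":"):
            raise ValueError(f"expected ':' after bracketed address: {spec}")
        body = body[1:]
    parts = body.split(":")
    if len(parts) == 3:                           # 192.168.1.100:8080:80
        if host_ip is not None:
            raise ValueError(f"two host addresses in {spec}")
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:                         # 8080:80, or :80 after [::1]
        host_port, container_port = parts
    elif len(parts) == 1:                         # 80 (ephemeral host port)
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"cannot parse publish spec: {spec}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)             # raises ValueError if malformed
    return PortMapping(host_ip, _port(host_port) if host_port else None,
                       _port(container_port), proto)


def parse_run_args(tokens: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (flag, value) pairs for the options that precede the image name.
    Tokens after the image belong to the container's command, not to docker."""
    opts: List[Tuple[str, Optional[str]]] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            break
        flag, has_eq, value = tok.partition("=")
        flag = ALIASES.get(flag, flag)
        if flag in VALUE_FLAGS:
            if not has_eq:
                i += 1
                value = tokens[i] if i < len(tokens) else ""
            opts.append((flag, value))
        else:
            opts.append((flag, None))
        i += 1
    return opts


def lint_docker_run(cmdline: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    tokens = shlex.split(cmdline)
    if tokens[:2] == ["docker", "run"]:
        tokens = tokens[2:]
    opts = parse_run_args(tokens)
    findings: List[str] = []

    network = next((v for f, v in opts if f == "--network"), None)
    if network and network.startswith("container:"):
        for flag, _ in opts:
            if flag in CONTAINER_MODE_UNSUPPORTED:
                findings.append(f"{flag} is not supported with --network {network}")

    for flag, value in opts:
        if flag == "--publish":
            m = parse_publish(value)
            if m.host_ip is None:
                findings.append(
                    f"-p {value}: {m.proto} port {m.container_port} is reachable "
                    "from every host interface; prefix 127.0.0.1: or [::1]: "
                    "if only the host and its containers need it")
        elif flag == "--dns" and ipaddress.ip_address(value).is_loopback:
            findings.append(
                f"--dns={value} is the container's own loopback address, "
                "not the host's")
    return findings


if __name__ == "__main__":
    # Constructed command lines, including two taken from this page.
    for cmd in ("docker run -p 8080:80 nginx",
                "docker run -p 127.0.0.1:8080:80 -p '[::1]:8080:80' nginx",
                "docker run --network=container:redis -p 8080:80 busybox"):
        print(cmd, "->", lint_docker_run(cmd) or ["ok"])
```

Note that in the page's redis-cli example the -h 127.0.0.1 comes after the image name, so the linter correctly treats it as an argument to redis-cli rather than as docker's --hostname, and raises nothing for that command.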

Proxy server

If your container needs to use a proxy server, see Use a proxy server.
