Docker’s four network modes are: 1. Host mode, specified with “–net=host”; 2. Container mode, specified with “–net=container:NAME_or_ID”; 3. none mode, specified with "-net=none" specified; 4. Bridge mode.
The operating environment of this tutorial: linux5.9.8 system, docker-1.13.1 version, Dell G3 computer.
Implementation Principle
Docker uses Linux bridging (refer to "Linux Virtual Network Technology") to virtualize a Docker container bridge (docker0) on the host. When Docker starts a container, it will be based on the Docker network The network segment of the bridge is assigned to the container an IP address, called Container-IP, and the Docker bridge is the default gateway for each container. Because containers in the same host are all connected to the same network bridge, containers can communicate directly through the container's Container-IP.
The Docker bridge is virtualized by the host and is not a real network device. It cannot be addressed by the external network, which also means that the external network cannot access the container through direct Container-IP. If the container wants to be accessible from the outside, you can map the container port to the host (port mapping), that is, enable it through the -p or -P parameter when docker run creates the container, and use [host IP] when accessing the container: [Container Port] Access the container.
Four types of network modes
| Docker network mode |
Configuration |
Instructions |
| host mode |
–net=host |
The container and the host share the Network namespace. |
| container mode |
–net=container:NAME_or_ID |
The container shares the Network namespace with another container. A pod in kubernetes is a Network namespace shared by multiple containers. |
| none mode |
–net=none |
The container has an independent Network namespace, but no network settings are made for it, such as assigning veth pair and bridge connection, configure IP, etc. |
| bridge mode |
–net=bridge |
(default is this mode) |
host mode
If you use host mode when starting a container, the container will not get an independent Network Namespace, but will share a Network Namespace with the host. The container will not virtualize its own network card, configure its own IP, etc., but use the host's IP and port. However, other aspects of the container, such as the file system, process list, etc., are still isolated from the host.
Containers using host mode can directly use the host's IP address to communicate with the outside world. The service port inside the container can also use the host's port. NAT is not required. The biggest advantage of host is that the network performance is relatively good. , but the ports already used on the docker host can no longer be used, and the network isolation is not good.
Host mode is as shown below:
container mode
This mode specifies the newly created container and An existing container shares a Network Namespace, not the host. The newly created container will not create its own network card and configure its own IP, but will share the IP, port range, etc. with a specified container. Similarly, apart from the network, the two containers are also isolated in other aspects such as file systems, process lists, etc. The processes of the two containers can communicate through the lo network card device.
Container mode diagram:
none mode
Using none mode, the Docker container has its own Network Namespace , however, does not perform any network configuration for the Docker container. In other words, this Docker container does not have network card, IP, routing and other information. We need to add network cards, configure IP, etc. to the Docker container ourselves.
In this network mode, the container only has the lo loopback network and no other network cards. none mode can be specified via --network=none when creating the container. This type of network cannot be connected to the Internet. A closed network can ensure the security of the container.
None mode diagram:
bridge mode
When the Docker process starts, it will be created on the host A virtual bridge named docker0. Docker containers started on this host will be connected to this virtual bridge. A virtual bridge works similarly to a physical switch, so that all containers on the host are connected to a Layer 2 network through the switch.
Assign an IP from the docker0 subnet to the container, and set the docker0 IP address as the default gateway of the container. Create a pair of virtual network card veth pair devices on the host. Docker places one end of the veth pair device in the newly created container and names it eth0 (the container's network card), and the other end in the host with a similar name like vethxxx. Name and add this network device to the docker0 bridge. You can view it through the brctl show command.
Bridge mode is docker’s default network mode. If you don’t write the --net parameter, it is bridge mode. When using docker run -p, docker actually makes DNAT rules in iptables to implement the port forwarding function. You can use iptables -t nat -vnL to view.
The bridge mode is shown in the figure below:
Recommended learning: "docker video tutorial"
The above is the detailed content of What are the four network modes of docker?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
