Master Docker Container Networking: 4 Modes, Configuration & Practical Commands
This article explains Docker's built‑in networking, details the four network modes (bridge, host, container, none), shows how to inspect and configure networks with commands like docker network, ip netns and veth pairs, and provides practical examples for port mapping, DNS, and custom bridge creation.
Docker Container Networking
After installation, Docker automatically creates three default networks: bridge, host and none. You can list them with:
# docker network ls
NETWORK ID NAME DRIVER SCOPE
cd97bb997b84 bridge bridge local
0a04824fc9b6 host host local
4dcb8fbdb599 none null local
Docker uses Linux bridging to create a virtual bridge docker0 on the host. When a container starts, Docker assigns it a Container‑IP from the bridge subnet and sets docker0 as the default gateway, allowing containers on the same host to communicate directly.
Docker's Four Network Modes
Bridge Mode
When Docker starts, it creates the virtual bridge docker0. All containers attached to this bridge behave like devices on a Layer‑2 switch. Docker creates a veth pair for each container, places one end in the container as eth0 and the other on the host, then adds the host end to docker0. You can view the bridge with brctl show. Bridge is the default mode; using docker run -p creates DNAT rules in iptables for port forwarding.
Container Mode
This mode makes a new container share the network namespace of an existing container instead of the host. The new container does not get its own network interface or IP; it uses the same IP and port range as the target container, while file‑system and process isolation remain.
Host Mode
In host mode the container shares the host's network namespace. It uses the host's IP address and ports directly, eliminating NAT and improving network performance, but any port already used on the host cannot be reused by the container.
None Mode
With --network none Docker creates a network namespace but does not configure any interfaces. The container only has the loopback interface (lo) and must be manually given interfaces, IP addresses, and routes. This isolation can improve security for tasks that do not need network access.
Application Scenarios
Running a container to process or transform data.
Executing background computation or batch tasks.
Docker Container Network Configuration
Linux Network Namespace Commands
The ip netns tool (from the iproute2 package) manages network namespaces. It requires sudo for modifications.
# ip netns help
Usage: ip netns list
ip netns add NAME
ip netns set NAME NETNSID
ip netns delete NAME
ip netns identify PID
ip netns pids NAME
ip netns exec NAME cmd ...
ip netns monitor
ip netns list-id
Creating a namespace:
# ip netns add ns0
# ip netns list
ns0
Each namespace gets its own interfaces, routing table, ARP table, and iptables rules.
Operating a Namespace
Execute commands inside a namespace with ip netns exec. For example, view interfaces:
# ip netns exec ns0 ip addr
1: lo <LOOPBACK> mtu 65536 state DOWN
link/loopback 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
Enable the loopback interface:
# ip netns exec ns0 ip link set lo up
# ip netns exec ns0 ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms
Transferring Devices Between Namespaces
Only veth devices are movable; other devices like lo, bridge, etc., cannot be transferred.
veth Pair
A veth pair consists of two linked virtual Ethernet interfaces; traffic entering one exits the other.
Create a pair:
# ip link add type veth
# ip a
4: veth0@veth1: <BROADCAST,MULTICAST> mtu 1500 state DOWN
5: veth1@veth0: <BROADCAST,MULTICAST> mtu 1500 state DOWN
Assign each end to a different namespace and configure IPs:
# ip netns add ns1
# ip link set veth0 netns ns0
# ip link set veth1 netns ns1
# ip netns exec ns0 ip link set veth0 up
# ip netns exec ns0 ip addr add 192.0.0.1/24 dev veth0
# ip netns exec ns1 ip link set veth1 up
# ip netns exec ns1 ip addr add 192.0.0.2/24 dev veth1
Ping between namespaces succeeds, demonstrating communication via the veth pair.
Configuring the Four Network Modes
Bridge Mode
# docker run -it --name ti --rm busybox
/ # ifconfig
eth0 inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
Specifying --network bridge yields the same result.
None Mode
# docker run -it --name t1 --network none --rm busybox
/ # ifconfig -a
lo inet addr:127.0.0.1 Mask:255.0.0.0
Container Mode
First container:
# docker run -dit --name b3 busybox
Second container sharing the first's network:
# docker run -it --name b2 --rm --network container:b3 busybox
/ # ifconfig
eth0 inet addr:172.17.0.2
The file system remains isolated; only the network is shared.
Host Mode
# docker run -it --name b2 --rm --network host busybox
/ # ifconfig
docker0 inet addr:172.17.0.1
ens33 inet addr:192.168.203.138
The container can be accessed directly via the host's IP address.
Common Container Operations
Viewing and Setting Hostname
# docker run -it --name t1 --network bridge --rm busybox
/ # hostname
48cb45a0b2e7
# docker run -it --name t1 --network bridge --hostname ljl --rm busybox
/ # hostname
ljl
Specifying DNS and /etc/hosts
# docker run -it --name t1 --network bridge --dns 114.114.114.114 --rm busybox
/ # cat /etc/resolv.conf
nameserver 114.114.114.114
# docker run -it --name t1 --network bridge --add-host www.a.com:1.1.1.1 --rm busybox
/ # cat /etc/hosts
1.1.1.1 www.a.com
Exposing Container Ports
Use -p to map container ports to host ports. Formats include -p 80, -p 8080:80, -p 192.168.1.100::80, etc. Dynamic ports can be inspected with docker port.
# docker run -dit --name web1 -p 192.168.203.138::80 httpd
# docker port web1
80/tcp -> 192.168.203.138:49153
Customizing the docker0 Bridge
Edit /etc/docker/daemon.json to set a custom subnet:
{
  "bip": "192.168.1.5/24"
}
Reload and restart Docker.
Creating and Using a New Bridge
# docker network create mybr -d bridge --subnet 192.168.2.0/24 --gateway 192.168.2.1
# docker run -it --name b1 --network mybr busybox
/ # ifconfig
eth0 inet addr:192.168.2.2
Containers attached to different bridges have separate subnets and cannot reach each other without additional routing.
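Returning to the port mappings from the "Exposing Container Ports" section, the following is an added example, not code from the original article: a POSIX shell audit that classifies docker port output by bind address. By default, -p 80 and -p 8080:80 publish on every host interface, while -p 192.168.203.138::80 binds a single address. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `docker port` lines by the host address they bind.
# Line format (as shown on this page):  80/tcp -> 192.168.203.138:49153

classify_binding() {
    # $1 = one line of `docker port <container>` output
    line=$1
    case $line in
        *" -> "*) ;;
        *) echo "UNPARSED $line"; return 0 ;;
    esac
    cport=${line%%" -> "*}     # container side, e.g. 80/tcp
    hostpart=${line#*" -> "}   # host side, e.g. 0.0.0.0:8443 or [::]:8443
    hport=${hostpart##*:}      # text after the last colon is the host port
    haddr=${hostpart%:*}       # everything before it is the bind address
    case $haddr in
        0.0.0.0|"[::]"|"::") scope=ALL-INTERFACES ;;  # reachable on every NIC
        127.*|"[::1]"|"::1") scope=LOOPBACK-ONLY ;;   # host-local only
        *)                   scope=SINGLE-ADDRESS ;;  # pinned to one host IP
    esac
    echo "$scope $haddr $hport $cport"
}

audit_ports() {
    # Reads `docker port` output on stdin, prints one classified line each.
    while IFS= read -r l; do
        if [ -n "$l" ]; then classify_binding "$l"; fi
    done
}

count_exposed() {
    # Number of mappings on stdin that listen on all interfaces.
    audit_ports | awk '$1 == "ALL-INTERFACES" { n++ } END { print n + 0 }'
}

sample_docker_port() {
    # Constructed sample input; only the first line appears in the article.
    printf '%s\n' \
        '80/tcp -> 192.168.203.138:49153' \
        '443/tcp -> 0.0.0.0:8443' \
        '443/tcp -> [::]:8443' \
        '5432/tcp -> 127.0.0.1:5432'
}

sample_docker_port | audit_ports
echo "mappings on all interfaces: $(sample_docker_port | count_exposed)"
```

On a live host, pipe real output into the same function, for example docker port web1 | audit_ports, and review every ALL-INTERFACES line against what the service actually needs to expose.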
