Master Docker Container Networking: Modes, Bridges, and Custom Configurations

Docker Container Networking

After installation Docker automatically provides three networks, viewable with docker network ls:

# docker network ls
NETWORK ID   NAME      DRIVER   SCOPE
cd97bb997b84 bridge    bridge   local
0a04824fc9b6 host      host     local
4dcb8fbdb599 none      null     local

Docker uses a Linux bridge (docker0) on the host. When a container starts, Docker assigns it an IP from the bridge subnet (Container‑IP) and sets docker0 as the default gateway, allowing containers on the same host to communicate directly.

Docker's Four Network Modes

host – --network host: container shares the host's network namespace.

container – --network container:NAME_OR_ID: container shares another container's network namespace.

none – --network none: container gets its own namespace but no network interfaces are created.

bridge – --network bridge (default): container connects to the docker0 bridge.

Bridge Mode Details

When Docker starts, it creates a virtual bridge named docker0. All containers attached to this bridge behave like devices on a Layer‑2 switch, receiving IPs from the bridge subnet and using the bridge IP as their default gateway. Port mapping with -p creates DNAT rules in iptables to expose container ports.

Container Mode Details

In this mode a new container shares the network namespace of an existing container, thus using the same IP and ports while keeping separate file systems and process lists. Communication occurs via the loopback interface.

Host Mode Details

The container uses the host's network namespace directly, sharing the host's IP and ports. This provides the best network performance but eliminates isolation of ports and can cause conflicts with services already bound on the host.

None Mode Details

The container gets its own namespace but no network interfaces are configured. Only the loopback interface ( lo) exists. This mode is useful for tasks that do not require network access, such as data‑processing jobs.

Linux Network Namespace Management

The ip netns command (from the iproute2 package) creates and manipulates network namespaces. Example:

# ip netns add ns0
# ip netns list
ns0

Inside a namespace you can view interfaces, e.g.,

# ip netns exec ns0 ip addr
1: lo < LO... >

Enable the loopback interface:

# ip netns exec ns0 ip link set lo up

veth Pair Creation and Use

A virtual Ethernet pair (veth) connects two namespaces. Create it with:

# ip link add type veth

Assign each end to a namespace, set IP addresses, and bring them up:

# ip link set veth0 netns ns0
# ip link set veth1 netns ns1
# ip netns exec ns0 ip link set veth0 up
# ip netns exec ns0 ip addr add 192.0.0.1/24 dev veth0
# ip netns exec ns1 ip link set veth1 up
# ip netns exec ns1 ip addr add 192.0.0.2/24 dev veth1

Ping between namespaces confirms connectivity.

Custom Bridge Networks

Docker allows creation of user‑defined bridge networks with specific subnets and gateways:

# docker network create --driver bridge --subnet 192.168.2.0/24 --gateway 192.168.2.1 br0

Containers launched with --network br0 receive IPs from this custom subnet, while containers using the default bridge continue to use the Docker‑provided subnet.

Common Container Operations

Show container hostname: docker run --rm busybox hostname Set hostname at start: --hostname myhost Specify DNS server: --dns 114.114.114.114 Add custom host entry: --add-host www.example.com:1.1.1.1 Expose ports with -p (e.g., -p 8080:80) and view mapping via docker port.

Port mappings generate corresponding iptables NAT rules that are automatically removed when the container stops.

Inspecting Networks

Use docker network inspect bridge to view detailed bridge configuration.

For more examples and diagrams, refer to the original tutorial.