Master Docker Networking: Bridge, Host, Container & None Modes

Docker Container Networking

Docker automatically creates three default networks that can be listed with docker network ls:

NETWORK ID   NAME    DRIVER   SCOPE
cd97bb997b84 bridge  bridge   local
0a04824fc9b6 host    host     local
4dcb8fbdb599 none    null     local

Docker uses Linux bridge networking to create a virtual bridge docker0 on the host. When a container starts, it receives an IP address from the bridge subnet (Container‑IP) and the bridge acts as the default gateway, allowing containers on the same host to communicate directly.

Docker's 4 Network Modes

Bridge mode

When Docker starts, it creates a virtual bridge docker0. All containers are attached to this bridge via a pair of virtual Ethernet devices (veth pair). The host side of the pair is added to docker0 and the container side appears as eth0. The bridge works like a physical switch, providing a Layer‑2 network.

The bridge assigns an IP to each container and sets the bridge IP as the default gateway. The bridge can be inspected with brctl show. Bridge is Docker's default network mode; if no --network flag is given, Docker uses bridge. Port mapping is implemented by adding DNAT rules to iptables, which can be viewed with iptables -t nat -vnL.

Can two containers on the same host communicate directly?

Can the host access a container's service?

How to reach a container from another host (DNAT)?

External networks cannot reach a container's IP directly. To expose a service, map the container port to the host with -p or -P, then access it via [host IP]:[host port].

Container mode

In container mode, a new container shares the network namespace of an existing container instead of the host. The new container does not create its own network interface or IP; it uses the same IP and port range as the target container, while other resources (filesystem, processes) remain isolated.

Host mode

When a container is started with --network host, it shares the host's network namespace. The container uses the host's IP address and ports directly, eliminating NAT and improving network performance, but it loses network isolation and cannot use ports already occupied on the host.

None mode

In none mode, Docker creates a network namespace for the container but does not configure any network interfaces. The container only has the loopback interface lo. This mode is useful for isolated workloads that do not require network access.

Typical use cases include data‑format conversion containers and background compute tasks.

Container Common Operations

Viewing and Setting Hostname

# docker run -it --name t1 --network bridge --rm busybox
/ # hostname
48cb45a0b2e7

# docker run -it --name t1 --network bridge --hostname ljl --rm busybox
/ # hostname
ljl

Specifying DNS

# docker run -it --name t1 --network bridge --dns 114.114.114.114 --rm busybox
/ # cat /etc/resolv.conf
search localdomain
nameserver 114.114.114.114

Adding Host Entries

# docker run -it --name t1 --network bridge --add-host www.a.com:1.1.1.1 --rm busybox
/ # cat /etc/hosts
1.1.1.1 www.a.com
172.17.0.3 ljl

Port Mapping

Use -p to map container ports to host ports. Formats include -p containerPort, -p hostPort:containerPort, -p ip::containerPort, etc. Dynamic ports are assigned randomly and can be inspected with docker port.

# docker run -dit --name web1 -p 192.168.203.138::80 httpd
# docker port web1
80/tcp -> 192.168.203.138:49153

Access the service via curl http://192.168.203.138:49153.

Custom Bridge Networks

Modify /etc/docker/daemon.json to change the default bridge subnet, then reload Docker.

{
  "registry-mirrors": ["https://4hygggbu.mirror.aliyuncs.com/"],
  "bip": "192.168.1.5/24"
}

Create a new bridge network:

# docker network create mybridge -d bridge --subnet "192.168.2.0/24" --gateway "192.168.2.1"
# docker network ls
NETWORK ID   NAME      DRIVER   SCOPE
mybridge     bridge    bridge   local

Run a container on the custom bridge:

# docker run -it --name b1 --network mybridge busybox
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:C0:A8:02:02
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0

Network Namespace Manipulation

Create a network namespace:

# ip netns add ns0
# ip netns list
ns0

Inspect the namespace:

# ip netns exec ns0 ip addr
1: lo: <LOOPBACK> mtu 65536 state DOWN
    inet 127.0.0.1/8 scope host lo
# ip netns exec ns0 ip link set lo up
# ip netns exec ns0 ping 127.0.0.1

Create a veth pair and move each end into different namespaces:

# ip link add type veth
# ip link set veth0 netns ns0
# ip link set veth1 netns ns1
# ip netns exec ns0 ip link set veth0 up
# ip netns exec ns0 ip addr add 192.0.0.1/24 dev veth0
# ip netns exec ns1 ip link set veth1 up
# ip netns exec ns1 ip addr add 192.0.0.2/24 dev veth1
# ip netns exec ns1 ping 192.0.0.1

The veth pair enables communication between the two namespaces.