BestHub
Sign in
Cloud Native 27 min read

Six Diagrams Explain Docker Container Network Configuration

This article walks through Docker’s built‑in networks, details the four network modes (bridge, host, none, container), shows how to create and inspect network namespaces, configure veth pairs, map ports, set DNS and custom bridges, and provides concrete command‑line examples and diagrams.

Linux Tech Enthusiast
Linux Tech Enthusiast
Linux Tech Enthusiast
Six Diagrams Explain Docker Container Network Configuration

Docker default networks

After installation Docker creates three default networks that can be listed with docker network ls:

# docker network ls
NETWORK ID   NAME    DRIVER   SCOPE
cd97bb997b84 bridge  bridge   local
0a04824fc9b6 host    host     local
4dcb8fbdb599 none    null     local

Docker uses a Linux bridge (docker0) on the host. Each container receives an IP address from the bridge’s subnet (Container‑IP) and uses the bridge as its default gateway, allowing containers on the same host to communicate directly via their IPs.

Four Docker network modes

bridge – default mode; containers attach to the docker0 bridge.

host – the container shares the host’s network namespace; no separate IP is assigned.

none – the container gets its own namespace but no network devices are created.

container – the new container shares the network namespace of an existing container.

Bridge mode details

When Docker starts, it creates a virtual bridge docker0. A veth pair is created for each container; one end (eth0) stays inside the container, the other end is attached to docker0. Port mapping with -p creates DNAT rules in iptables.

Example questions

Can two containers on the same host reach each other directly?

Can the host reach a container’s service?

How to expose a service to another host (DNAT)?

Because the bridge is virtual, external hosts cannot reach a container by its Container‑IP. To expose a service, map the container port to the host with -p or -P.

Container mode

Using --network container:NAME_OR_ID makes a new container share the network namespace of an existing one. The containers share the same IP and ports but keep isolated filesystems. Example:

# docker run -it --name b2 --network container:b3 busybox
# ifconfig
eth0  Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0

Both containers see the same network interfaces; a directory created in one is not visible in the other because the filesystem remains isolated.

Host mode

Running with --network host gives the container the host’s network namespace. The container can use the host’s IP directly, and services started inside are reachable via the host’s address.

# docker run -it --network host busybox
# ifconfig
docker0  Link encap:Ethernet  HWaddr 02:42:B8:7F:8E:2C
        inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0

None mode

With --network none the container only has a loopback interface. No IP, no routing, and no external connectivity. This can be useful for isolated batch jobs.

# docker run -it --network none busybox
# ifconfig
lo  Link encap:Local Loopback
    inet addr:127.0.0.1  Mask:255.0.0.0

Network namespace manipulation (ip netns)

Linux provides ip netns to create, list, and execute commands inside network namespaces.

# ip netns add ns0
# ip netns list
ns0

Inside a new namespace the loopback device exists but is down. Bring it up:

# ip netns exec ns0 ip link set lo up
# ip netns exec ns0 ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms

veth pair creation and linking namespaces

Create a veth pair and move each end into a different namespace:

# ip link add type veth
# ip link set veth0 netns ns0
# ip link set veth1 netns ns1
# ip netns exec ns0 ip link set veth0 up
# ip netns exec ns0 ip addr add 192.0.0.1/24 dev veth0
# ip netns exec ns1 ip link set veth1 up
# ip netns exec ns1 ip addr add 192.0.0.2/24 dev veth1

Ping between the namespaces succeeds, demonstrating inter‑namespace communication.

Port mapping

Use -p to expose container ports on the host. Formats include: -p containerPort – random host port. -p hostPort:containerPort – fixed host port. -p ip::containerPort – random port on a specific host IP. -p ip:hostPort:containerPort – fixed port on a specific host IP.

Example mapping a web server:

# docker run -dit --name web1 -p 192.168.203.138::80 httpd
# docker port web1
80/tcp -> 192.168.203.138:49153

Accessing http://192.168.203.138:49153 returns the default Apache page.

Custom bridge networks

Create a user‑defined bridge to isolate containers:

# docker network create mybridge -d bridge
# docker network ls
NETWORK ID   NAME       DRIVER   SCOPE
...          mybridge   bridge   local

Run a container on the custom bridge:

# docker run -it --network mybridge busybox
# ifconfig
eth0  inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0

Containers on different bridges cannot reach each other unless additional routing is configured.

Other useful options

Set container hostname: docker run --hostname myhost … Inject custom DNS: --dns 114.114.114.114 Add static host entries: --add-host www.example.com:1.1.1.1 All of the above commands are demonstrated with concrete output, showing how Docker’s networking can be inspected and tuned for various scenarios.

DockerBridgeContainer NetworkingVethNetwork ModesHostNone
Linux Tech Enthusiast
Written by

Linux Tech Enthusiast

Focused on sharing practical Linux technology content, covering Linux fundamentals, applications, tools, as well as databases, operating systems, network security, and other technical knowledge.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment