engine: create a section for network drivers

Signed-off-by: David Karlsson <david.karlsson@docker.com>
David Karlsson 2023-04-24 15:17:27 +02:00
parent 7e3b366acc
commit 888b052389
35 changed files with 206 additions and 220 deletions

@ -1585,7 +1585,7 @@ examples: |-
The swarm extends my-network to each node running the service.
Containers on the same network can access each other using
[service discovery](/network/overlay/#container-discovery).
[service discovery](/network/drivers/overlay/#container-discovery).
Long form syntax of `--network` allows to specify list of aliases and driver options:
`--network name=my-network,alias=web1,driver-opt=field1=value1`

@ -233,7 +233,7 @@ service: |
service account: |
A service account is a Docker ID used for automated management of container images or containerized applications. Service accounts are typically used in automated workflows, and do not share Docker IDs with the members in a Docker Team or Docker Business subscription plan.
service discovery: |
Swarm mode [container discovery](/network/overlay/#container-discovery) is a DNS component internal to the swarm that automatically assigns each service on an overlay network in the swarm a VIP and DNS entry. Containers on the network share DNS mappings for the service through gossip so any container on the network can access the service through its service name.
Swarm mode [container discovery](/network/drivers/overlay/#container-discovery) is a DNS component internal to the swarm that automatically assigns each service on an overlay network in the swarm a VIP and DNS entry. Containers on the network share DNS mappings for the service through gossip so any container on the network can access the service through its service name.
You dont need to expose service-specific ports to make the service available to other services on the same overlay network. The swarms internal load balancer automatically distributes requests to the service VIP among the active tasks.
swarm: |

@ -1350,22 +1350,24 @@ manuals:
section:
- path: /network/
title: Overview
- path: /config/containers/container-networking/
title: Container networking
- sectiontitle: Network drivers
section:
- path: /network/drivers/
title: Drivers overview
- path: /network/drivers/bridge/
title: Bridge
- path: /network/drivers/overlay/
title: Overlay
- path: /network/drivers/host/
title: Host
- path: /network/drivers/ipvlan/
title: IPvlan
- path: /network/drivers/macvlan/
title: Macvlan
- path: /network/drivers/none/
title: None
- path: /network/proxy/
title: Configure Docker to use a proxy server
- path: /network/bridge/
title: Bridge networks
- path: /network/overlay/
title: Overlay networks
- path: /network/host/
title: Host networking
- path: /network/ipvlan/
title: IPvlan networks
- path: /network/macvlan/
title: Macvlan networks
- path: /network/none/
title: Disable networking for a container
- sectiontitle: Networking tutorials
section:
- path: /network/network-tutorial-standalone/
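
Review bot: The new "Network drivers" entries list Overlay before Host, while the drivers overview page added in this commit lists `bridge`, `host`, `overlay` in that order; use the same order in both places so the sidebar matches the page. The title "None" is also much less descriptive than the "Disable networking for a container" entry it replaces, so consider keeping a title that says what the driver does. The dropped `/config/containers/container-networking/` entry is covered by the `redirect_from` added to the networking overview, so no TOC path is left dangling.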

@ -1,84 +0,0 @@
---
title: Container networking
description: How networking works from the container's point of view
keywords: networking, container, standalone
redirect_from:
- /engine/userguide/networking/configure-dns/
- /engine/userguide/networking/default_network/configure-dns/
- /engine/userguide/networking/default_network/binding/
- /engine/userguide/networking/default_network/container-communication/
---
A container has no information about what kind of network it's attached to,
whether it's a [bridge](../../network/bridge.md), an [overlay](../../network/overlay.md),
a [macvlan network](../../network/macvlan.md), or a custom network plugin.
A container only sees a network interface with an IP address,
a gateway, a routing table, DNS services, and other networking details.
That is, unless the container uses the `none` network driver.
This page describes networking from the point of view of the container.
## Published ports
By default, when you create or run a container using `docker create` or `docker run`,
the container doesn't expose any of its ports to the outside world.
To make a port available to services outside of Docker,
or to Docker containers running on a different network,
use the `--publish` or `-p` flag.
This creates a firewall rule in the container,
mapping a container port to a port on the Docker host to the outside world.
Here are some examples:
| Flag value | Description |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-p 8080:80` | Map TCP port 80 in the container to port `8080` on the Docker host. |
| `-p 192.168.1.100:8080:80` | Map TCP port 80 in the container to port `8080` on the Docker host for connections to host IP `192.168.1.100`. |
| `-p 8080:80/udp` | Map UDP port 80 in the container to port `8080` on the Docker host. |
| `-p 8080:80/tcp -p 8080:80/udp` | Map TCP port 80 in the container to TCP port `8080` on the Docker host, and map UDP port `80` in the container to UDP port `8080` on the Docker host. |
## IP address and hostname
By default, the container gets an IP address for every Docker network it attaches to.
A container receives an IP address out of the IP pool of the network it attaches to.
The Docker daemon effectively acts as a DHCP server for each container.
Each network also has a default subnet mask and gateway.
When a container starts, it can only attach to a single network, using the `--network` flag.
You can connect a running container to multiple networks using the `docker network connect` command.
When you start a container using the `--network` flag,
you can specify the IP address for the container on that network using the `--ip` or `--ip6` flags.
When you connect an existing container to a different network using `docker network connect`,
you can use the `--ip` or `--ip6` flags on that command
to specify the container's IP address on the additional network.
In the same way, a container's hostname defaults to be the container's ID in Docker.
You can override the hostname using `--hostname`.
When connecting to an existing network using `docker network connect`,
you can use the `--alias` flag to specify an additional network alias for the container on that network.
## DNS services
By default, containers inherit the DNS settings of the host, as defined in the `/etc/resolv.conf` configuration file.
Containers that attach to the default `bridge` network receive a copy of this file.
Containers that attach to a
[custom network](../../network/network-tutorial-standalone.md#use-user-defined-bridge-networks)
use Docker's embedded DNS server.
The embedded DNS server forwards external DNS lookups to the DNS servers configured on the host.
Custom hosts, defined in `/etc/hosts` on the host machine, aren't inherited by containers.
To pass additional hosts into container, refer to
[add entries to container hosts file](../../engine/reference/commandline/run.md#add-host)
in the `docker run` reference documentation.
You can override these settings on a per-container basis.
| Flag | Description |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--dns` | The IP address of a DNS server. To specify multiple DNS servers, use multiple `--dns` flags. If the container can't reach any of the IP addresses you specify, it uses Google's public DNS server at `8.8.8.8`. This allows containers to resolve internet domains. |
| `--dns-search` | A DNS search domain to search non-fully-qualified hostnames. To specify multiple DNS search prefixes, use multiple `--dns-search` flags. |
| `--dns-opt` | A key-value pair representing a DNS option and its value. See your operating system's documentation for `resolv.conf` for valid options. |
| `--hostname` | The hostname a container uses for itself. Defaults to the container's ID if not specified. |
## Proxy server
If your container needs to use a proxy server, see
[Use a proxy server](../../network/proxy.md).
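
Review bot: In the "Published ports" paragraph, "This creates a firewall rule in the container" is wrong, and the same sentence is re-added unchanged to the networking overview later in this commit. Port publishing is set up on the Docker host (the overview itself points to "Docker and iptables" for how Docker manipulates `iptables` rules), so the sentence should say the rule is created on the host. While the text is being moved, also state in the table that a flag without a host IP, such as `-p 8080:80`, publishes on all host addresses, and that the `-p 192.168.1.100:8080:80` form limits it to one. The `--dns` row's fallback to Google's `8.8.8.8` deserves a sentence saying that lookups can then go to a resolver other than the ones configured on the host.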

@ -37,4 +37,3 @@ addresses using the `--ip6` flag.
## Next steps
- [Networking overview](../../network/index.md)
- [Container networking](../containers/container-networking.md)

@ -101,7 +101,7 @@ thousands or even millions of containers.
### How do I connect Docker containers?
Currently the recommended way to connect containers is via the Docker network
feature. You can see details of [how to work with Docker networks](../network/bridge.md).
feature. You can see details of [how to work with Docker networks](../network/drivers/bridge.md).
### How do I run more than one process in a Docker container?

@ -468,7 +468,7 @@ To mitigate this, the previous build cache must be discarded. `docker builder pr
#### ipvlan networks ([tracking issue](https://github.com/moby/moby/issues/44925))
When upgrading to the 23.0 branch, the existence of any [ipvlan](/network/ipvlan/) networks will prevent the daemon from starting:
When upgrading to the 23.0 branch, the existence of any [ipvlan](../../network/drivers/ipvlan.md) networks will prevent the daemon from starting:
```
panic: interface conversion: interface {} is nil, not string

@ -281,4 +281,4 @@ pull requests, or comments on the Docker community forums.
* [Seccomp security profiles for Docker](seccomp.md)
* [AppArmor security profiles for Docker](apparmor.md)
* [On the Security of Containers (2014)](https://medium.com/@ewindisch/on-the-security-of-containers-2c60ffe25a9e)
* [Docker swarm mode overlay network security model](../../network/overlay.md)
* [Docker swarm mode overlay network security model](../../network/drivers/overlay.md)
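
Review bot: The link text "Docker swarm mode overlay network security model" no longer matches its target, which this commit retitles to "Overlay network driver"; the same text is kept in the two swarm hunks that follow. Either rename the link or point it at the section of the overlay page that describes the encryption mechanisms, so a reader coming from the security page lands on the security content rather than the top of a driver reference.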

@ -231,7 +231,7 @@ endpoint mode with an external load balancer, or use multiple smaller overlay ne
Management and control plane data related to a swarm is always encrypted.
For more details about the encryption mechanisms, see the
[Docker swarm mode overlay network security model](../../network/overlay.md).
[Docker swarm mode overlay network security model](../../network/drivers/overlay.md).
Application data among swarm nodes is not encrypted by default. To encrypt this
traffic on a given overlay network, use the `--opt encrypted` flag on `docker

@ -546,7 +546,7 @@ $ docker service update --network-rm my-network my-web
For more information on overlay networking and service discovery, refer to
[Attach services to an overlay network](networking.md) and
[Docker swarm mode overlay network security model](../../network/overlay.md).
[Docker swarm mode overlay network security model](../../network/drivers/overlay.md).
### Grant a service access to secrets

@ -1,5 +1,5 @@
---
title: Use bridge networks
title: Bridge network driver
description: All about using user-defined bridge networks and the default bridge
keywords: network, bridge, user-defined, standalone
redirect_from:
@ -8,6 +8,7 @@ redirect_from:
- /engine/userguide/networking/default_network/build-bridges/
- /engine/userguide/networking/work-with-networks/
- /config/containers/bridges/
- /network/bridge/
---
In terms of networking, a bridge network is a Link Layer device
@ -37,7 +38,7 @@ network.**
- **User-defined bridges provide automatic DNS resolution between containers**.
Containers on the default bridge network can only access each other by IP
addresses, unless you use the [`--link` option](links.md), which is
addresses, unless you use the [`--link` option](../links.md), which is
considered legacy. On a user-defined bridge network, containers can resolve
each other by name or alias.
@ -80,7 +81,7 @@ network.**
- **Linked containers on the default bridge network share environment variables**.
Originally, the only way to share environment variables between two containers
was to link them using the [`--link` flag](links.md). This type of
was to link them using the [`--link` flag](../links.md). This type of
variable sharing is not possible with user-defined networks. However, there
are superior ways to share environment variables. A few ideas:
@ -91,8 +92,8 @@ network.**
compose file can define the shared variables.
- You can use swarm services instead of standalone containers, and take
advantage of shared [secrets](../engine/swarm/secrets.md) and
[configs](../engine/swarm/configs.md).
advantage of shared [secrets](../../engine/swarm/secrets.md) and
[configs](../../engine/swarm/configs.md).
Containers connected to the same user-defined bridge network effectively expose all ports
to each other. For a port to be accessible to containers or non-Docker hosts on
@ -110,7 +111,7 @@ $ docker network create my-net
You can specify the subnet, the IP address range, the gateway, and other
options. See the
[docker network create](../engine/reference/commandline/network_create.md#specify-advanced-options)
[docker network create](../../engine/reference/commandline/network_create.md#specify-advanced-options)
reference or the output of `docker network create --help` for details.
Use the `docker network rm` command to remove a user-defined bridge
@ -167,7 +168,7 @@ $ docker network disconnect my-net my-nginx
## Use IPv6
If you need IPv6 support for Docker containers, you need to
[enable the option](../config/daemon/ipv6.md) on the Docker daemon and reload its
[enable the option](../../config/daemon/ipv6.md) on the Docker daemon and reload its
configuration, before creating any IPv6 networks or assigning containers IPv6
addresses.
@ -209,7 +210,7 @@ If you do not specify a network using the `--network` flag, and you do specify a
network driver, your container is connected to the default `bridge` network by
default. Containers connected to the default `bridge` network can communicate,
but only by IP address, unless they are linked using the
[legacy `--link` flag](links.md).
[legacy `--link` flag](../links.md).
### Configure the default bridge network
@ -239,7 +240,7 @@ user-defined bridges, you can't selectively disable IPv6 on the default bridge.
## Next steps
- Go through the [standalone networking tutorial](network-tutorial-standalone.md)
- Learn about [networking from the container's point of view](../config/containers/container-networking.md)
- Go through the [standalone networking tutorial](../network-tutorial-standalone.md)
- Learn about [networking from the container's point of view](../index.md)
- Learn about [overlay networks](overlay.md)
- Learn about [Macvlan networks](macvlan.md)

@ -1,7 +1,9 @@
---
title: Use host networking
title: Host network driver
description: All about exposing containers on the Docker host's network
keywords: network, host, standalone
redirect_from:
- /network/host/
---
If you use the `host` network mode for a container, that container's network
@ -39,8 +41,8 @@ given swarm node.
## Next steps
- Go through the [host networking tutorial](network-tutorial-host.md)
- Learn about [networking from the container's point of view](../config/containers/container-networking.md)
- Go through the [host networking tutorial](../network-tutorial-host.md)
- Learn about [networking from the container's point of view](../index.md)
- Learn about [bridge networks](bridge.md)
- Learn about [overlay networks](overlay.md)
- Learn about [Macvlan networks](macvlan.md)

network/drivers/index.md Normal file
@ -0,0 +1,70 @@
---
title: Network drivers overview
description: Overview of Docker network drivers and related concepts
keywords: networking, drivers, bridge, routing, routing mesh, overlay, ports
---
Docker's networking subsystem is pluggable, using drivers. Several drivers
exist by default, and provide core networking functionality:
- `bridge`: The default network driver. If you don't specify a driver, this is
the type of network you are creating. **Bridge networks are usually used when
your applications run in standalone containers that need to communicate.** See
[bridge networks](bridge.md).
- `host`: For standalone containers, remove network isolation between the
container and the Docker host, and use the host's networking directly. See
[use the host network](host.md).
- `overlay`: Overlay networks connect multiple Docker daemons together and
enable swarm services to communicate with each other. You can also use overlay
networks to facilitate communication between a swarm service and a standalone
container, or between two standalone containers on different Docker daemons.
This strategy removes the need to do OS-level routing between these
containers. See [overlay networks](overlay.md).
- `ipvlan`: IPvlan networks give users total control over both IPv4 and IPv6
addressing. The VLAN driver builds on top of that in giving operators complete
control of layer 2 VLAN tagging and even IPvlan L3 routing for users
interested in underlay network integration. See [IPvlan networks](ipvlan.md).
- `macvlan`: Macvlan networks allow you to assign a MAC address to a container,
making it appear as a physical device on your network. The Docker daemon
routes traffic to containers by their MAC addresses. Using the `macvlan`
driver is sometimes the best choice when dealing with legacy applications that
expect to be directly connected to the physical network, rather than routed
through the Docker host's network stack. See
[Macvlan networks](macvlan.md).
- `none`: For this container, disable all networking. Usually used in
conjunction with a custom network driver. `none` is not available for swarm
services. See
[disable container networking](none.md).
- [Network plugins](/engine/extend/plugins_services/): You can install and use
third-party network plugins with Docker.
### Network driver summary
- **User-defined bridge networks** are best when you need multiple containers to
communicate on the same Docker host.
- **Host networks** are best when the network stack should not be isolated from
the Docker host, but you want other aspects of the container to be isolated.
- **Overlay networks** are best when you need containers running on different
Docker hosts to communicate, or when multiple applications work together using
swarm services.
- **Macvlan networks** are best when you are migrating from a VM setup or
need your containers to look like physical hosts on your network, each with a
unique MAC address.
- **Third-party network plugins** allow you to integrate Docker with specialized
network stacks.
## Networking tutorials
Now that you understand the basics about Docker networks, deepen your
understanding using the following tutorials:
- [Standalone networking tutorial](../network-tutorial-standalone.md)
- [Host networking tutorial](../network-tutorial-host.md)
- [Overlay networking tutorial](../network-tutorial-overlay.md)
- [Macvlan networking tutorial](../network-tutorial-macvlan.md)
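
Review bot: `### Network driver summary` is a third-level heading with no `##` heading above it in this new file; in the old overview it sat under `## Network drivers`. Promote it to `##` or add a parent heading. The "Network plugins" bullet also lost the sentences about Docker Hub and vendor documentation that the old overview had; if that is deliberate, fine, otherwise carry them over. The summary still has no entry for IPvlan or `none`, although both are in the driver list above it.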

@ -1,14 +1,16 @@
---
title: Use IPvlan networks
title: IPvlan network driver
description: All about using IPvlan to make your containers appear like physical machines on the network
keywords: network, ipvlan, l2, l3, standalone
redirect_from:
- /network/ipvlan/
---
The IPvlan driver gives users total control over both IPv4 and IPv6 addressing.
The VLAN driver builds on top of that in giving operators complete control of
layer 2 VLAN tagging and even IPvlan L3 routing for users interested in underlay
network integration. For overlay deployments that abstract away physical constraints
see the [multi-host overlay](network-tutorial-overlay.md) driver.
see the [multi-host overlay](../network-tutorial-overlay.md) driver.
IPvlan is a new twist on the tried and true network virtualization technique.
The Linux implementations are extremely lightweight because rather than using

@ -1,10 +1,11 @@
---
title: Use macvlan networks
title: macvlan network driver
description: All about using macvlan to make your containers appear like physical machines on the network
keywords: network, macvlan, standalone
redirect_from:
- /engine/userguide/networking/get-started-macvlan/
- /config/containers/macvlan/
- /network/macvlan/
---
Some applications, especially legacy applications or applications which monitor
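
Review bot: The new title "macvlan network driver" is lower-case, while the sidebar entry added in this commit is "Macvlan" and the sibling pages use "IPvlan network driver", "Host network driver" and "None network driver". Capitalize it as "Macvlan network driver" for consistency.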
@ -94,7 +95,7 @@ $ docker network create -d ipvlan \
## Use IPv6
If you have [configured the Docker daemon to allow IPv6](../config/daemon/ipv6.md),
If you have [configured the Docker daemon to allow IPv6](../../config/daemon/ipv6.md),
you can use dual-stack IPv4/IPv6 `macvlan` networks.
```console
@ -108,8 +109,8 @@ $ docker network create -d macvlan \
## Next steps
- Go through the [macvlan networking tutorial](network-tutorial-macvlan.md)
- Learn about [networking from the container's point of view](../config/containers/container-networking.md)
- Go through the [macvlan networking tutorial](../network-tutorial-macvlan.md)
- Learn about [networking from the container's point of view](../index.md)
- Learn about [bridge networks](bridge.md)
- Learn about [overlay networks](overlay.md)
- Learn about [host networking](host.md)

@ -1,7 +1,9 @@
---
title: Disable networking for a container
title: None network driver
description: How to disable networking by using the none driver
keywords: network, none, standalone
redirect_from:
- /network/none/
---
If you want to completely disable the networking stack on a container, you can
@ -47,8 +49,8 @@ only the loopback device is created. The following example illustrates this.
## Next steps
- Go through the [host networking tutorial](network-tutorial-host.md)
- Learn about [networking from the container's point of view](../config/containers/container-networking.md)
- Go through the [host networking tutorial](../network-tutorial-host.md)
- Learn about [networking from the container's point of view](../index.md)
- Learn about [bridge networks](bridge.md)
- Learn about [overlay networks](overlay.md)
- Learn about [Macvlan networks](macvlan.md)

@ -1,10 +1,11 @@
---
title: Use overlay networks
title: Overlay network driver
description: All about using overlay networks
keywords: network, overlay, user-defined, swarm, service
redirect_from:
- /engine/userguide/networking/overlay-security-model/
- /config/containers/overlay/
- /network/overlay/
---
The `overlay` network driver creates a distributed network among multiple
@ -187,7 +188,7 @@ from the swarm.
4. Create or re-create the `docker_gwbridge` bridge manually with your custom
settings, using the `docker network create` command.
This example uses the subnet `10.11.0.0/16`. For a full list of customizable
options, see [Bridge driver options](../engine/reference/commandline/network_create.md#bridge-driver-options).
options, see [Bridge driver options](../../engine/reference/commandline/network_create.md#bridge-driver-options).
```console
$ docker network create \
@ -286,7 +287,7 @@ For most situations, you should connect to the service name, which is load-balan
## Next steps
- Go through the [overlay networking tutorial](network-tutorial-overlay.md)
- Learn about [networking from the container's point of view](../config/containers/container-networking.md)
- Go through the [overlay networking tutorial](../network-tutorial-overlay.md)
- Learn about [networking from the container's point of view](../index.md)
- Learn about [standalone bridge networks](bridge.md)
- Learn about [Macvlan networks](macvlan.md)

@ -1,103 +1,95 @@
---
title: Networking overview
description: Overview of Docker networks and networking concepts
keywords: networking, bridge, routing, routing mesh, overlay, ports
description: How networking works from the container's point of view
keywords: networking, container, standalone
redirect_from:
- /engine/userguide/networking/
- /engine/userguide/networking/dockernetworks/
- /articles/networking/
- /engine/userguide/networking/configure-dns/
- /engine/userguide/networking/default_network/configure-dns/
- /engine/userguide/networking/default_network/binding/
- /engine/userguide/networking/default_network/container-communication/
- /engine/userguide/networking/
- /engine/userguide/networking/dockernetworks/
- /articles/networking/
- /config/containers/container-networking/
---
One of the reasons Docker containers and services are so powerful is that
you can connect them together, or connect them to non-Docker workloads. Docker
containers and services do not even need to be aware that they are deployed on
Docker, or whether their peers are also Docker workloads or not. Whether your
Docker hosts run Linux, Windows, or a mix of the two, you can use Docker to
manage them in a platform-agnostic way.
Container networking refers to the ability for containers to connect to and
communicate with each other, or to non-Docker workloads.
This topic defines some basic Docker networking concepts and prepares you to
design and deploy your applications to take full advantage of these
capabilities.
A container has no information about what kind of network it's attached to,
or whether their peers are also Docker workloads or not.
A container only sees a network interface with an IP address,
a gateway, a routing table, DNS services, and other networking details.
That is, unless the container uses the `none` network driver.
This page describes networking from the point of view of the container.
## Scope of this topic
This page describes the concepts around container networking.
This page doesn't describe OS-specific details about how Docker networks work.
For information about how Docker manipulates `iptables` rules on Linux,
see [Docker and iptables](iptables.md).
This topic does **not** go into OS-specific details about how Docker networks
work, so you will not find information about how Docker manipulates `iptables`
rules on Linux or how it manipulates routing rules on Windows servers, and you
will not find detailed information about how Docker forms and encapsulates
packets or handles encryption. See [Docker and iptables](iptables.md).
## Published ports
In addition, this topic does not provide any tutorials for how to create,
manage, and use Docker networks. Each section includes links to relevant
tutorials and command references.
By default, when you create or run a container using `docker create` or `docker run`,
the container doesn't expose any of its ports to the outside world.
To make a port available to services outside of Docker,
or to Docker containers running on a different network,
use the `--publish` or `-p` flag.
This creates a firewall rule in the container,
mapping a container port to a port on the Docker host to the outside world.
Here are some examples:
## Network drivers
| Flag value | Description |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| `-p 8080:80` | Map TCP port 80 in the container to port `8080` on the Docker host. |
| `-p 192.168.1.100:8080:80` | Map TCP port 80 in the container to port `8080` on the Docker host for connections to host IP `192.168.1.100`. |
| `-p 8080:80/udp` | Map UDP port 80 in the container to port `8080` on the Docker host. |
| `-p 8080:80/tcp -p 8080:80/udp` | Map TCP port 80 in the container to TCP port `8080` on the Docker host, and map UDP port `80` in the container to UDP port `8080` on the Docker host. |
Docker's networking subsystem is pluggable, using drivers. Several drivers
exist by default, and provide core networking functionality:
## IP address and hostname
- `bridge`: The default network driver. If you don't specify a driver, this is
the type of network you are creating. **Bridge networks are usually used when
your applications run in standalone containers that need to communicate.** See
[bridge networks](bridge.md).
By default, the container gets an IP address for every Docker network it attaches to.
A container receives an IP address out of the IP pool of the network it attaches to.
The Docker daemon effectively acts as a DHCP server for each container.
Each network also has a default subnet mask and gateway.
- `host`: For standalone containers, remove network isolation between the
container and the Docker host, and use the host's networking directly. See
[use the host network](host.md).
When a container starts, it can only attach to a single network, using the `--network` flag.
You can connect a running container to multiple networks using the `docker network connect` command.
When you start a container using the `--network` flag,
you can specify the IP address for the container on that network using the `--ip` or `--ip6` flags.
- `overlay`: Overlay networks connect multiple Docker daemons together and
enable swarm services to communicate with each other. You can also use overlay
networks to facilitate communication between a swarm service and a standalone
container, or between two standalone containers on different Docker daemons.
This strategy removes the need to do OS-level routing between these
containers. See [overlay networks](overlay.md).
When you connect an existing container to a different network using `docker network connect`,
you can use the `--ip` or `--ip6` flags on that command
to specify the container's IP address on the additional network.
- `ipvlan`: IPvlan networks give users total control over both IPv4 and IPv6
addressing. The VLAN driver builds on top of that in giving operators complete
control of layer 2 VLAN tagging and even IPvlan L3 routing for users
interested in underlay network integration. See [IPvlan networks](ipvlan.md).
In the same way, a container's hostname defaults to be the container's ID in Docker.
You can override the hostname using `--hostname`.
When connecting to an existing network using `docker network connect`,
you can use the `--alias` flag to specify an additional network alias for the container on that network.
- `macvlan`: Macvlan networks allow you to assign a MAC address to a container,
making it appear as a physical device on your network. The Docker daemon
routes traffic to containers by their MAC addresses. Using the `macvlan`
driver is sometimes the best choice when dealing with legacy applications that
expect to be directly connected to the physical network, rather than routed
through the Docker host's network stack. See
[Macvlan networks](macvlan.md).
## DNS services
- `none`: For this container, disable all networking. Usually used in
conjunction with a custom network driver. `none` is not available for swarm
services. See
[disable container networking](none.md).
By default, containers inherit the DNS settings of the host, as defined in the `/etc/resolv.conf` configuration file.
Containers that attach to the default `bridge` network receive a copy of this file.
Containers that attach to a
[custom network](network-tutorial-standalone.md#use-user-defined-bridge-networks)
use Docker's embedded DNS server.
The embedded DNS server forwards external DNS lookups to the DNS servers configured on the host.
- [Network plugins](/engine/extend/plugins_services/): You can install and use
third-party network plugins with Docker. These plugins are available from
[Docker Hub](https://hub.docker.com/search?category=network&q=&type=plugin)
or from third-party vendors. See the vendor's documentation for installing and
using a given network plugin.
Custom hosts, defined in `/etc/hosts` on the host machine, aren't inherited by containers.
To pass additional hosts into container, refer to
[add entries to container hosts file](../engine/reference/commandline/run.md#add-host)
in the `docker run` reference documentation.
You can override these settings on a per-container basis.
| Flag | Description |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--dns` | The IP address of a DNS server. To specify multiple DNS servers, use multiple `--dns` flags. If the container can't reach any of the IP addresses you specify, it uses Google's public DNS server at `8.8.8.8`. This allows containers to resolve internet domains. |
| `--dns-search` | A DNS search domain to search non-fully-qualified hostnames. To specify multiple DNS search prefixes, use multiple `--dns-search` flags. |
| `--dns-opt` | A key-value pair representing a DNS option and its value. See your operating system's documentation for `resolv.conf` for valid options. |
| `--hostname` | The hostname a container uses for itself. Defaults to the container's ID if not specified. |
### Network driver summary
## Proxy server
- **User-defined bridge networks** are best when you need multiple containers to
communicate on the same Docker host.
- **Host networks** are best when the network stack should not be isolated from
the Docker host, but you want other aspects of the container to be isolated.
- **Overlay networks** are best when you need containers running on different
Docker hosts to communicate, or when multiple applications work together using
swarm services.
- **Macvlan networks** are best when you are migrating from a VM setup or
need your containers to look like physical hosts on your network, each with a
unique MAC address.
- **Third-party network plugins** allow you to integrate Docker with specialized
network stacks.
## Networking tutorials
Now that you understand the basics about Docker networks, deepen your
understanding using the following tutorials:
- [Standalone networking tutorial](network-tutorial-standalone.md)
- [Host networking tutorial](network-tutorial-host.md)
- [Overlay networking tutorial](network-tutorial-overlay.md)
- [Macvlan networking tutorial](network-tutorial-macvlan.md)
If your container needs to use a proxy server, see
[Use a proxy server](proxy.md).
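Review bot: The `--dns` row of the flag table mentions the fallback to Google's public DNS at `8.8.8.8` only as a way to resolve internet domains, without saying what it means for the operator: when the container can't reach any of the specified servers, its lookups go to an external resolver. Suggest adding one sentence on this for hosts where DNS egress is restricted or monitored. Minor wording in the same section: `To pass additional hosts into container` needs an article (`into a container`), and `defaults to be the container's ID` reads better as `defaults to the container's ID`.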

View File

@ -17,7 +17,7 @@ with `--link` is sharing environment variables between containers. However,
you can use other mechanisms such as volumes to share environment variables
between containers in a more controlled way.
>
> See [Differences between user-defined bridges and the default bridge](bridge.md#differences-between-user-defined-bridges-and-the-default-bridge)
> See [Differences between user-defined bridges and the default bridge](drivers/bridge.md#differences-between-user-defined-bridges-and-the-default-bridge)
> for some alternatives to using `--link`.
{:.warning}
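Review bot: Please confirm that the anchor `#differences-between-user-defined-bridges-and-the-default-bridge` still exists in `drivers/bridge.md` after the move; the link on the `> See [Differences between user-defined bridges and the default bridge]` line is relative, and a renamed heading would leave it pointing at a missing anchor. The same target appears in the two later hunks of this file, so one link check covers all three.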
@ -30,7 +30,7 @@ Docker link feature to allow containers to discover each other and securely
transfer information about one container to another container. With the
introduction of the Docker networks feature, you can still create links but they
behave differently between default `bridge` network and
[user defined networks](bridge.md#differences-between-user-defined-bridges-and-the-default-bridge).
[user defined networks](drivers/bridge.md#differences-between-user-defined-bridges-and-the-default-bridge).
This section briefly discusses connecting via a network port and then goes into
detail on container linking in default `bridge` network.
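Review bot: The link text `user defined networks` on the changed line is missing its hyphen; since the line is being touched anyway, make it `user-defined networks` to match the anchor `#differences-between-user-defined-bridges-and-the-default-bridge` and the wording used in the neighbouring hunks of this file.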
@ -124,7 +124,7 @@ $ docker port nostalgic_morse 5000
> **Note**:
> This section covers the legacy link feature in the default `bridge` network.
> Refer to [differences between user-defined bridges and the default bridge](bridge.md#differences-between-user-defined-bridges-and-the-default-bridge)
> Refer to [differences between user-defined bridges and the default bridge](drivers/bridge.md#differences-between-user-defined-bridges-and-the-default-bridge)
> for more information on links in user-defined networks.
Network port mappings are not the only way Docker containers can connect to one

View File

@ -22,7 +22,7 @@ host running elsewhere.
running on the same Docker host. This is recommended for standalone containers
running in production.
Although [overlay networks](overlay.md) are generally used for swarm services,
Although [overlay networks](drivers/overlay.md) are generally used for swarm services,
you can also use an overlay network for standalone containers. That's covered as
part of the [tutorial on using overlay networks](network-tutorial-overlay.md#use-an-overlay-network-for-standalone-containers).
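Review bot: The tutorial link `network-tutorial-overlay.md#use-an-overlay-network-for-standalone-containers` in the last context line is left untouched while the `overlay.md` link two lines above it moves under `drivers/`; please confirm the tutorial page keeps its current path, or update that link in this change so the paragraph does not end up with one working and one broken relative link.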