What are the differences between the four network modes of docker?
Differences: 1. A container in host mode shares a "Network Namespace" with the host; 2. A container created in container mode shares the IP and port range of the specified container; 3. None mode turns off the container's network function; 4. Bridge mode, the default, assigns an IP to each container.
The operating environment of this tutorial: Linux 7.3 system, Docker 1.13.1, Dell G3 computer.
1. Four network modes
2. Implementation Principle
Docker uses Linux bridging to virtualize a Docker container bridge (docker0) on the host. When Docker starts a container, it assigns the container an IP address from the network segment of the Docker bridge, called the Container-IP, and the Docker bridge is the default gateway of each container. Because all containers on the same host are connected to the same bridge, containers can communicate with each other directly via their Container-IPs.
The Docker bridge is virtualized by the host and is not a real network device, so it cannot be addressed from the external network; this also means that the external network cannot reach a container directly via its Container-IP. If a container needs to be reachable from outside, its port can be mapped to the host (port mapping) by passing the -p or -P parameter to docker run when the container is created, and the container is then accessed as [host IP]:[container port].
1.Host mode
If host mode is used when starting the container, the container does not get an independent Network Namespace; instead it shares a Network Namespace with the host. The container does not virtualize its own network card or configure its own IP, but uses the host's IP and ports.
A container in host mode can communicate with the outside world directly using the host's IP address, and the service port inside the container can use the host's port without NAT. The biggest advantage of host mode is better network performance, but ports already in use on the Docker host cannot be used again, and network isolation is poor.
2.Container mode
The newly created container does not create its own network card or configure its own IP, but shares the IP and port range of a specified container.
This mode specifies that the newly created container shares a Network Namespace with an existing container rather than with the host. Apart from the network, the two containers remain isolated in other respects such as file systems and process lists. Processes in the two containers can communicate through the lo loopback device.
3.None mode
This mode turns off the container's network function.
In none mode, the Docker container has its own Network Namespace, but no network configuration is performed for it. In other words, the container has no network card, IP address, routing or similar information; we have to add network cards, configure IPs, etc. for the container ourselves.
In this network mode the container has only the lo loopback interface and no other network cards. None mode is specified with --network=none when the container is created. Such a container cannot connect to the Internet; a closed network can ensure the security of the container.
Without a network, security is very high: data can be stored safely and will not be attacked.
4.Bridge mode (default)
This mode allocates and sets an IP for each container and connects the container to the docker0 virtual bridge; the container is associated with the host through the docker0 bridge and the iptables nat table configuration.
When the Docker daemon starts, a virtual bridge named docker0 is created on the host, and Docker containers started on this host are connected to this virtual bridge. The virtual bridge works like a physical switch, so all containers on the host are connected to a layer 2 network through it.
The container is assigned an IP from the docker0 subnet, and the IP address of docker0 is set as the container's default gateway. A pair of virtual network cards, a veth pair, is created on the host. Docker places one end of the veth pair in the newly created container and names it eth0 (the container's network card), and the other end on the host with a name like vethxxx, adding that device to the docker0 bridge. You can view this with the brctl show command.
Bridge mode is Docker's default network mode; if you do not pass the --net parameter, bridge mode is used. When you use docker run -p, Docker actually creates DNAT rules in iptables to implement port forwarding. You can view them with iptables -t nat -vnL.
In summary
Host: shares the network namespace / network protocol stack with the host; IP and port range are shared.
Container: multiple containers share one network namespace, and therefore a common IP and port range.
None: a self-contained namespace with no network card and no network connection.
Bridge: the default mode; a container created without specifying a network mode uses it. The container is connected to the docker0 bridge through a veth pair, the bridge assigns an IP to the container, and docker0 acts as the gateway of this "LAN" and finally communicates with the host network card. At the same time, the container's IP/port is mapped out through iptables rules for interaction with the host network card.
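As an added example (not part of the original article) for the bridge-mode port mapping described above and in the summary, the following POSIX shell script parses iptables -t nat -vnL DOCKER output and lists the DNAT port mappings that docker run -p creates, flagging which published ports answer to any source address. The SAMPLE_NAT text is constructed sample output, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit the container ports Docker has
# published on the host by parsing the DNAT rules `docker run -p` installs in
# the nat table. SAMPLE_NAT is constructed to mimic `iptables -t nat -vnL DOCKER`;
# on a real host feed in that command's output instead.

SAMPLE_NAT='Chain DOCKER (2 references)
 pkts bytes target     prot opt in       out     source               destination
    0     0 RETURN     all  --  docker0  *       0.0.0.0/0            0.0.0.0/0
   12   720 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.17.0.2:80
    3   180 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 to:172.17.0.3:5432
    0     0 DNAT       tcp  --  !docker0 *       127.0.0.1            0.0.0.0/0            tcp dpt:9000 to:172.17.0.4:9000'

# list_published_ports NAT_OUTPUT
# Prints one line per DNAT rule: "<host port> -> <container ip:port> (<exposure>)".
# Columns of -vnL output: pkts bytes target prot opt in out source destination [match...]
# so $3 is the target and $8 is the source match. A source of 0.0.0.0/0 means the
# mapping answers to any address; 127.0.0.1 means it was published as -p 127.0.0.1:...
list_published_ports() {
    printf '%s\n' "$1" | awk '
        $3 == "DNAT" {
            hostport = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) hostport = substr($i, 5)
                if ($i ~ /^to:/)  dest = substr($i, 4)
            }
            exposure = ($8 == "0.0.0.0/0") ? "any-source" : ("source=" $8)
            print hostport " -> " dest " (" exposure ")"
        }'
}

# count_world_exposed NAT_OUTPUT
# Number of published ports reachable from any source address: the ones to review
# first, since bridge mode only hides a container until -p adds a DNAT rule for it.
count_world_exposed() {
    list_published_ports "$1" | grep -c 'any-source' || true
}

list_published_ports "$SAMPLE_NAT"
echo "world-exposed mappings: $(count_world_exposed "$SAMPLE_NAT")"
```

On a live host, run it with the output of iptables -t nat -vnL DOCKER as root; the three sample rules yield two world-exposed mappings and one bound to 127.0.0.1.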