This was discussed and agreed in #246. It will probably break a few outstanding PRs as well as a few external links but it's for the better good long term.
Container network drivers

The Docker Engine supports many different network drivers.

The built-in drivers include:

- `bridge` (default)
- `none`
- `host`
- `container`

The driver is selected with `docker run --net ...`.
The different drivers are explained in more detail on the following slides.
The default bridge

- By default, the container gets a virtual `eth0` interface.
  (In addition to its own private `lo` loopback interface.)
- That interface is provided by a `veth` pair.
- It is connected to the Docker bridge.
  (Named `docker0` by default; configurable with `--bridge`.)
- Addresses are allocated on a private, internal subnet.
  (Docker uses 172.17.0.0/16 by default; configurable with `--bip`.)
- Outbound traffic goes through an iptables MASQUERADE rule.
- Inbound traffic goes through an iptables DNAT rule.
- The container can have its own routes, iptables rules, etc.
The null driver

- Container is started with `docker run --net none ...`
- It only gets the `lo` loopback interface. No `eth0`.
- It can't send or receive network traffic.
- Useful for isolated/untrusted workloads.
The host driver

- Container is started with `docker run --net host ...`
- It sees (and can access) the network interfaces of the host.
- It can bind any address, any port (for ill and for good).
- Network traffic doesn't have to go through NAT, bridge, or veth.
- Performance = native!

Use cases:

- Performance sensitive applications (VOIP, gaming, streaming...)
- Peer discovery (e.g. Erlang port mapper, Raft, Serf...)
The container driver

- Container is started with `docker run --net container:id ...`
- It reuses the network stack of another container.
- It shares the same interfaces, IP address(es), routes, iptables rules, etc. with that other container.
- Those containers can communicate over their `lo` interface.
  (i.e. one can bind to 127.0.0.1 and the others can connect to it.)
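As an added example (not part of the original slides), the script below audits which of the four drivers each container on a host is using, by reading the `HostConfig.NetworkMode` field that `docker inspect` reports for the `--net` choice. Containers in `host` or `container:<id>` mode are flagged because they share a network namespace with the host or with another container. The JSON is a constructed sample shaped like `docker inspect` output; the container names and IDs are made up.

```python
import json

# Constructed sample shaped like `docker inspect` output; not real containers.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "HostConfig": {"NetworkMode": "default"},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Id": "bbb222", "Name": "/voip", "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"Networks": {"host": {"IPAddress": ""}}}},
    {"Id": "ccc333", "Name": "/sidecar",
     "HostConfig": {"NetworkMode": "container:aaa111"},
     "NetworkSettings": {"Networks": {}}},
    {"Id": "ddd444", "Name": "/batch", "HostConfig": {"NetworkMode": "none"},
     "NetworkSettings": {"Networks": {"none": {"IPAddress": ""}}}},
])


def classify(network_mode):
    """Map HostConfig.NetworkMode to (driver, id of the container it shares with)."""
    if network_mode in ("default", "bridge"):
        return "bridge", None
    if network_mode.startswith("container:"):
        return "container", network_mode.split(":", 1)[1]
    if network_mode in ("host", "none"):
        return network_mode, None
    return "user-defined", None  # a named user-defined network


def audit(inspect_json):
    """Return one finding per container; shares_namespace marks host/container mode."""
    findings = []
    for c in json.loads(inspect_json):
        driver, shared = classify(c["HostConfig"]["NetworkMode"])
        networks = c["NetworkSettings"]["Networks"].values()
        ip = next((n.get("IPAddress") for n in networks if n.get("IPAddress")), "-")
        findings.append({
            "name": c["Name"].lstrip("/"),
            "driver": driver,
            "shared_with": shared,
            "ip": ip,
            "shares_namespace": driver in ("host", "container"),
        })
    return findings


if __name__ == "__main__":
    # Real usage: audit(subprocess.check_output(["docker", "inspect", *ids]))
    for f in audit(SAMPLE_INSPECT):
        flag = "SHARED-NS" if f["shares_namespace"] else ""
        print(f"{f['name']:<10} {f['driver']:<13} {f['ip']:<12} {flag}")
```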