Chapter Seven

Networking

How containers talk — to each other, to the host, and to the world. The kernel primitives under every Docker network, why the default bridge gives you no name resolution and a user-defined bridge does, how the embedded DNS lets one container reach another by name, what publishing a port actually installs, the alternate network modes, how separate networks isolate tiers, and where single-host networking ends and orchestration begins.

7 topics

Container networking looks like magic until you see it for what it is: the same Linux namespaces and cgroups from Chapter 1, applied to the network stack, with a virtual cable and a software switch wired up for you. Each container gets its own network namespace — its own interfaces, routing table, and loopback — and Docker joins that namespace to the outside world with a veth pair into a bridge and NAT for egress. Every behavior in this chapter follows from that one picture.

The chapter's spine is a single rule: always put a multi-container app on a user-defined bridge, never the default one. The default bridge gives containers no name resolution, so they can reach each other only by fragile IP addresses; a user-defined bridge adds an embedded DNS server, so proxy reaches web by name and web reaches db by name. From there it covers publishing ports to the host, the host, none, and container: network modes, isolating tiers across separate networks, and overlay networks — the deliberate edge where networking stops being single-host and hands off to Swarm and Kubernetes.

Topics in This Chapter

Topic 39
The Container Network Model
The kernel primitives under every Docker network. A network namespace per container, a veth pair into a Linux bridge, and iptables NAT for egress — and why localhost inside a container is not the host.
Tags: Kernel, Networking
Topic 40
Default Bridge vs User-Defined Bridge
The chapter's central rule. The default bridge has no DNS — reach others by IP or the deprecated --link; a user-defined bridge adds name resolution and isolation. Always create a user-defined bridge.
Tags: Networking, Bridge
Topic 41
Embedded DNS and Service Discovery
The resolver at 127.0.0.11 that turns container names into current IPs. Why proxy_pass http://web:8000 works, what a network alias adds, and why resolving by name survives a restart.
Tags: DNS, Discovery
Topic 42
Publishing Ports
What -p 80:80 installs, why EXPOSE publishes nothing, the security gap between 0.0.0.0 and 127.0.0.1 binding, and why only proxy is published while web and db are not.
Tags: Ports, Exposure
Topic 43
host, none, and container Modes
Three modes that change the network namespace. host shares the host stack and ignores -p; none gives only loopback; container: shares another container's namespace — the Kubernetes pod model.
Tags: Modes, Namespaces
Topic 44
Connecting Containers and Network Isolation
A container can join several networks at once. The frontend/backend split that keeps db unreachable from proxy, what docker network connect does at runtime, and isolation as deliberate topology.
Tags: Isolation, Topology
Topic 45
Overlay Networks
The edge of single-host scope. An overlay spans hosts over VXLAN, but needs a control plane — Swarm or Kubernetes. Where Docker's one-machine networking ends and orchestration takes over.
Tags: Multi-host, Orchestration