github.com/a4a881d4/docker@v1.9.0-rc2/docs/userguide/dockernetworks.md

<!--[metadata]>
+++
title = "Docker container networking"
description = "How do we connect docker containers within and across hosts ?"
keywords = ["Examples, Usage, network, docker, documentation, user guide, multihost, cluster"]
[menu.main]
parent = "smn_containers"
weight = 3
+++
<![end-metadata]-->

# Docker container networking

So far we've been introduced to some [basic Docker
concepts](usingdocker.md), seen how to work with [Docker
images](dockerimages.md) as well as learned about basic [networking
and links between containers](dockerlinks.md). In this section
we're going to discuss how you can take control over more advanced
container networking.

This section makes use of `docker network` commands and outputs to explain the
advanced networking functionality supported by Docker.

# Default Networks

By default, Docker creates 3 networks using 3 different network drivers:

```
$ sudo docker network ls
NETWORK ID          NAME                DRIVER
7fca4eb8c647        bridge              bridge
9f904ee27bf5        none                null
cf03ee007fb4        host                host
```

`docker network inspect` gives more information about a network:

```
$ sudo docker network inspect bridge
{
    "name": "bridge",
    "id": "7fca4eb8c647e57e9d46c32714271e0c3f8bf8d17d346629e2820547b2d90039",
    "driver": "bridge",
    "containers": {}
}
```

By default, containers are launched on the bridge network:

```
$ sudo docker run -itd --name=container1 busybox
f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27

$ sudo docker run -itd --name=container2 busybox
bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727
```

```
$ sudo docker network inspect bridge
{
    "name": "bridge",
    "id": "7fca4eb8c647e57e9d46c32714271e0c3f8bf8d17d346629e2820547b2d90039",
    "driver": "bridge",
    "containers": {
        "bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727": {
            "endpoint": "e0ac95934f803d7e36384a2029b8d1eeb56cb88727aa2e8b7edfeebaa6dfd758",
            "mac_address": "02:42:ac:11:00:03",
            "ipv4_address": "172.17.0.3/16",
            "ipv6_address": ""
        },
        "f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27": {
            "endpoint": "31de280881d2a774345bbfb1594159ade4ae4024ebfb1320cb74a30225f6a8ae",
            "mac_address": "02:42:ac:11:00:02",
            "ipv4_address": "172.17.0.2/16",
            "ipv6_address": ""
        }
    }
}
```

The `docker network inspect` command above shows all the connected containers and their network resources on a given network.

Containers in a network should be able to communicate with each other using container names.

```
$ sudo docker attach container1

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1382 (1.3 KiB)  TX bytes:258 (258.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping container2
PING container2 (172.17.0.3): 56 data bytes
64 bytes from 172.17.0.3: seq=0 ttl=64 time=0.125 ms
64 bytes from 172.17.0.3: seq=1 ttl=64 time=0.130 ms
64 bytes from 172.17.0.3: seq=2 ttl=64 time=0.172 ms
^C
--- container2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.125/0.142/0.172 ms

/ # cat /etc/hosts
172.17.0.2      f2870c98fd50
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
172.17.0.2      container1
172.17.0.2      container1.bridge
172.17.0.3      container2
172.17.0.3      container2.bridge
```

```
$ sudo docker attach container2

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
          inet addr:172.17.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping container1
PING container1 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.277 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.179 ms
64 bytes from 172.17.0.2: seq=2 ttl=64 time=0.130 ms
64 bytes from 172.17.0.2: seq=3 ttl=64 time=0.113 ms
^C
--- container1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.113/0.174/0.277 ms
/ # cat /etc/hosts
172.17.0.3      bda12f892278
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
172.17.0.2      container1
172.17.0.2      container1.bridge
172.17.0.3      container2
172.17.0.3      container2.bridge
/ #
```

# User defined Networks

In addition to the inbuilt networks, users can create networks using inbuilt drivers
(such as the bridge or overlay driver) or external plugins supplied by the community.
Networks by definition should provide complete isolation for the containers.

```
$ docker network create -d bridge isolated_nw
8b05faa32aeb43215f67678084a9c51afbdffe64cd91e3f5bb8267475f8bf1a7

$ docker network inspect isolated_nw
{
    "name": "isolated_nw",
    "id": "8b05faa32aeb43215f67678084a9c51afbdffe64cd91e3f5bb8267475f8bf1a7",
    "driver": "bridge",
    "containers": {}
}

$ docker network ls
NETWORK ID          NAME                DRIVER
9f904ee27bf5        none                null
cf03ee007fb4        host                host
7fca4eb8c647        bridge              bridge
8b05faa32aeb        isolated_nw         bridge
```

A container can be launched on a user-defined network using the `--net=<NETWORK>` option
of the `docker run` command:

```
$ docker run --net=isolated_nw -itd --name=container3 busybox
777344ef4943d34827a3504a802bf15db69327d7abe4af28a05084ca7406f843

$ docker network inspect isolated_nw
{
    "name": "isolated_nw",
    "id": "8b05faa32aeb43215f67678084a9c51afbdffe64cd91e3f5bb8267475f8bf1a7",
    "driver": "bridge",
    "containers": {
        "777344ef4943d34827a3504a802bf15db69327d7abe4af28a05084ca7406f843": {
            "endpoint": "c7f22f8da07fb8ecc687d08377cfcdb80b4dd8624c2a8208b1a4268985e38683",
            "mac_address": "02:42:ac:14:00:01",
            "ipv4_address": "172.20.0.1/16",
            "ipv6_address": ""
        }
    }
}
```

# Connecting to Multiple networks

Docker containers can dynamically connect to 1 or more networks, with each network backed
by the same or a different network driver / plugin.

```
$ docker network connect isolated_nw container2
$ docker network inspect isolated_nw
{
    "name": "isolated_nw",
    "id": "8b05faa32aeb43215f67678084a9c51afbdffe64cd91e3f5bb8267475f8bf1a7",
    "driver": "bridge",
    "containers": {
        "777344ef4943d34827a3504a802bf15db69327d7abe4af28a05084ca7406f843": {
            "endpoint": "c7f22f8da07fb8ecc687d08377cfcdb80b4dd8624c2a8208b1a4268985e38683",
            "mac_address": "02:42:ac:14:00:01",
            "ipv4_address": "172.20.0.1/16",
            "ipv6_address": ""
        },
        "bda12f8922785d1f160be70736f26c1e331ab8aaf8ed8d56728508f2e2fd4727": {
            "endpoint": "2ac11345af68b0750341beeda47cc4cce93bb818d8eb25e61638df7a4997cb1b",
            "mac_address": "02:42:ac:14:00:02",
            "ipv4_address": "172.20.0.2/16",
            "ipv6_address": ""
        }
    }
}
```

Let's check the network resources used by container2.

```
$ docker inspect --format='{{.NetworkSettings.Networks}}' container2
[bridge isolated_nw]

$ sudo docker attach container2

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
          inet addr:172.17.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1586 (1.5 KiB)  TX bytes:1460 (1.4 KiB)

eth1      Link encap:Ethernet  HWaddr 02:42:AC:14:00:02
          inet addr:172.20.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe14:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:648 (648.0 B)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```

In the example discussed in this section thus far, container3 and container2 are
connected to isolated_nw and can talk to each other.
But container3 and container1 are not in the same network and hence they cannot communicate.

```
$ docker attach container3

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:14:00:01
          inet addr:172.20.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe14:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1944 (1.8 KiB)  TX bytes:648 (648.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping container2.isolated_nw
PING container2.isolated_nw (172.20.0.2): 56 data bytes
64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.217 ms
64 bytes from 172.20.0.2: seq=1 ttl=64 time=0.150 ms
64 bytes from 172.20.0.2: seq=2 ttl=64 time=0.188 ms
64 bytes from 172.20.0.2: seq=3 ttl=64 time=0.176 ms
^C
--- container2.isolated_nw ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.150/0.182/0.217 ms
/ # ping container2
PING container2 (172.20.0.2): 56 data bytes
64 bytes from 172.20.0.2: seq=0 ttl=64 time=0.120 ms
64 bytes from 172.20.0.2: seq=1 ttl=64 time=0.109 ms
^C
--- container2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.109/0.114/0.120 ms

/ # ping container1
ping: bad address 'container1'

/ # ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
^C
--- 172.17.0.2 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

/ # ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3): 56 data bytes
^C
--- 172.17.0.3 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
```

container2, however, is attached to both networks (bridge and isolated_nw) and hence
can talk to both container1 and container3.

```
$ docker attach container2

/ # cat /etc/hosts
172.17.0.3      bda12f892278
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
172.17.0.2      container1
172.17.0.2      container1.bridge
172.17.0.3      container2
172.17.0.3      container2.bridge
172.20.0.1      container3
172.20.0.1      container3.isolated_nw
172.20.0.2      container2
172.20.0.2      container2.isolated_nw

/ # ping container3
PING container3 (172.20.0.1): 56 data bytes
64 bytes from 172.20.0.1: seq=0 ttl=64 time=0.138 ms
64 bytes from 172.20.0.1: seq=1 ttl=64 time=0.133 ms
64 bytes from 172.20.0.1: seq=2 ttl=64 time=0.133 ms
^C
--- container3 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.133/0.134/0.138 ms

/ # ping container1
PING container1 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.121 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.250 ms
64 bytes from 172.17.0.2: seq=2 ttl=64 time=0.133 ms
^C
--- container1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.121/0.168/0.250 ms
/ #
```

Just as it is easy to connect a container to multiple networks, one can
disconnect a container from a network using the `docker network disconnect` command.

```
root@Ubuntu-vm ~$ docker network disconnect isolated_nw container2

$ docker inspect --format='{{.NetworkSettings.Networks}}' container2
[bridge]

root@Ubuntu-vm ~$ docker network inspect isolated_nw
{
    "name": "isolated_nw",
    "id": "8b05faa32aeb43215f67678084a9c51afbdffe64cd91e3f5bb8267475f8bf1a7",
    "driver": "bridge",
    "containers": {
        "777344ef4943d34827a3504a802bf15db69327d7abe4af28a05084ca7406f843": {
            "endpoint": "c7f22f8da07fb8ecc687d08377cfcdb80b4dd8624c2a8208b1a4268985e38683",
            "mac_address": "02:42:ac:14:00:01",
            "ipv4_address": "172.20.0.1/16",
            "ipv6_address": ""
        }
    }
}
```

Once a container is disconnected from a network, it cannot communicate with other containers
connected to that network. In this example, container2 can no longer talk to container3
in isolated_nw.

```
$ sudo docker attach container2

/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:03
          inet addr:172.17.0.3  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe11:3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1964 (1.9 KiB)  TX bytes:1838 (1.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

/ # ping container3
PING container3 (172.20.0.1): 56 data bytes
^C
--- container3 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
```

But container2 still has full connectivity to the bridge network.

```
/ # ping container1
PING container1 (172.17.0.2): 56 data bytes
64 bytes from 172.17.0.2: seq=0 ttl=64 time=0.119 ms
64 bytes from 172.17.0.2: seq=1 ttl=64 time=0.174 ms
^C
--- container1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.119/0.146/0.174 ms
/ #
```

When all the containers in a network are stopped or disconnected, the network can be removed.

```
$ docker network inspect isolated_nw
{
    "name": "isolated_nw",
    "id": "8b05faa32aeb43215f67678084a9c51afbdffe64cd91e3f5bb8267475f8bf1a7",
    "driver": "bridge",
    "containers": {}
}

$ docker network rm isolated_nw

$ docker network ls
NETWORK ID          NAME                DRIVER
9f904ee27bf5        none                null
cf03ee007fb4        host                host
7fca4eb8c647        bridge              bridge
```

# Native Multi-host networking

With the help of libnetwork and the inbuilt `VXLAN based overlay network driver`, Docker supports multi-host networking natively out of the box. Technical details are documented under https://github.com/docker/libnetwork/blob/master/docs/overlay.md.
Using the same `docker network` commands shown above, the user can exercise the power of multi-host networking.

To create a network using the inbuilt overlay driver:

```
$ docker network create -d overlay multi-host-network
```

Since the `network` object is globally significant, this feature requires distributed state provided by `libkv`. Using `libkv`, the user can plug in any of the supported Key-Value stores (such as consul, etcd or zookeeper).
The user can specify the Key-Value store of choice using the `--cluster-store` daemon flag, which takes a configuration value of the format `PROVIDER://URL`, where
`PROVIDER` is the name of the Key-Value store (such as consul, etcd or zookeeper) and
`URL` is the URL to reach the Key-Value store.
Example: `docker daemon --cluster-store=consul://localhost:8500`

# Next step

Now that you know how to link Docker containers together, the next step is
learning how to manage data, volumes and mounts inside your containers.

Go to [Managing Data in Containers](dockervolumes.md).
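
An added example, not part of the Docker documentation: an audit over `docker network inspect` output, in the lowercase-key format shown in the "Connecting to Multiple networks" section, that lists containers attached to more than one network, since such a container (container2 above) can reach both segments. The sample input is constructed from this page's values with IDs shortened to 12 characters; the function names and the `allowed` set are assumptions made for illustration.

```python
import json

# Constructed sample: `docker network inspect` output in this page's format,
# reflecting the state after `docker network connect isolated_nw container2`.
# Container IDs are shortened to 12 characters for readability.
BRIDGE = json.loads("""
{"name": "bridge", "driver": "bridge", "containers": {
  "f2870c98fd50": {"ipv4_address": "172.17.0.2/16"},
  "bda12f892278": {"ipv4_address": "172.17.0.3/16"}}}
""")
ISOLATED = json.loads("""
{"name": "isolated_nw", "driver": "bridge", "containers": {
  "777344ef4943": {"ipv4_address": "172.20.0.1/16"},
  "bda12f892278": {"ipv4_address": "172.20.0.2/16"}}}
""")


def membership(networks):
    """Map container ID -> sorted list of networks it has an endpoint on."""
    seen = {}
    for net in networks:
        # "containers" is empty (or may be absent) on a network with no endpoints.
        for cid in (net.get("containers") or {}):
            seen.setdefault(cid, set()).add(net["name"])
    return {cid: sorted(names) for cid, names in seen.items()}


def multi_homed(networks):
    """Containers attached to more than one network (they span segments)."""
    return {c: n for c, n in membership(networks).items() if len(n) > 1}


def can_talk(networks, a, b):
    """True if a and b share a network, the condition the page demonstrates."""
    m = membership(networks)
    return bool(set(m.get(a, [])) & set(m.get(b, [])))


def unapproved(networks, allowed):
    """Multi-homed container IDs that are not in the reviewed `allowed` set."""
    return sorted(set(multi_homed(networks)) - set(allowed))


if __name__ == "__main__":
    nets = [BRIDGE, ISOLATED]
    for cid, names in multi_homed(nets).items():
        print(f"{cid} spans {', '.join(names)}")
    print("container3 <-> container1:",
          can_talk(nets, "777344ef4943", "f2870c98fd50"))
    print("needs review:", unapproved(nets, allowed=set()))
```

On a live host the input would be the parsed output of `docker network inspect` for each network; key names differ between Docker releases, so adjust `"containers"` and `"name"` to match the version in use.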