Container networking

Container networking

A container has no information about what kind of network it’s attached to,
whether it’s a bridge, an overlay,
a macvlan network, or a custom network plugin.
A container only sees a network interface with an IP address,
a gateway, a routing table, DNS services, and other networking details.
That is, unless the container uses the none network driver.
This page describes networking from the point of view of the container.

Published ports

By default, when you create or run a container using docker create or docker run,
the container doesn’t expose any of it’s ports to the outside world.
To make a port available to services outside of Docker,
or to Docker containers running on a different network,
use the --publish or -p flag.
This creates a firewall rule in the container,
mapping a container port to a port on the Docker host to the outside world.
Here are some examples:

Flag value
Description

-p 8080:80
Map TCP port 80 in the container to port 8080 on the Docker host.

-p 192.168.1.100:8080:80
Map TCP port 80 in the container to port 8080 on the Docker host for connections to host IP 192.168.1.100.

-p 8080:80/udp
Map UDP port 80 in the container to port 8080 on the Docker host.

-p 8080:80/tcp -p 8080:80/udp
Map TCP port 80 in the container to TCP port 8080 on the Docker host, and map UDP port 80 in the container to UDP port 8080 on the Docker host.

IP address and hostname

By default, the container gets an IP address for every Docker network it attaches to.
A container receives an IP address out of the IP pool of the network it attaches to.
The Docker daemon effectively acts as a DHCP server for each container.
Each network also has a default subnet mask and gateway.

When a container starts, it can only attach to a single network, using the --network flag.
You can connect a running container to multiple networks using the docker network connect command.
When you start a container using the --network flag,
you can specify the IP address for the container on that network using the --ip or --ip6 flags.

When you connect an existing container to a different network using docker network connect,
you can use the --ip or --ip6 flags on that command
to specify the container’s IP address on the additional network.

In the same way, a container’s hostname defaults to be the container’s ID in Docker.
You can override the hostname using --hostname.
When connecting to an existing network using docker network connect,
you can use the --alias flag to specify an additional network alias for the container on that network.

DNS services

By default, containers inherit the DNS settings of the host, as defined in the /etc/resolv.conf configuration file.
Containers that attach to the default bridge network receive a copy of this file.
Containers that attach to a
custom network
use Docker’s embedded DNS server.
The embedded DNS server forwards external DNS lookups to the DNS servers configured on the host.

Custom hosts, defined in /etc/hosts on the host machine, aren’t inherited by containers.
To pass additional hosts into container, refer to
add entries to container hosts file
in the docker run reference documentation.
You can override these settings on a per-container basis.

Flag
Description

--dns
The IP address of a DNS server. To specify multiple DNS servers, use multiple --dns flags. If the container can’t reach any of the IP addresses you specify, it uses Google’s public DNS server at 8.8.8.8. This allows containers to resolve internet domains.

--dns-search
A DNS search domain to search non-fully-qualified hostnames. To specify multiple DNS search prefixes, use multiple --dns-search flags.

--dns-opt
A key-value pair representing a DNS option and its value. See your operating system’s documentation for resolv.conf for valid options.

--hostname
The hostname a container uses for itself. Defaults to the container’s ID if not specified.

Proxy server

If your container needs to use a proxy server, see
Use a proxy server.