In Docker, a host network refers to a network mode where a Docker container shares the network namespace with the Docker host. This means that the container uses the same network stack as the host rather than its own virtual network stack, and the container does not get its own IP address allocated.
Here are some key points about the host network in Docker:
No Network Isolation: When a container is run in the host network mode, it has full access to the host's network interfaces. This means the container can open any port on the host's network interfaces directly. However, in all other ways, such as storage, process namespace, and user namespace, the Docker container process is isolated from the host.
Performance: Since there is no network virtualization overhead, containers running in the host network mode can have better network performance. This can be important for high-throughput or low-latency network applications.
Simplified Port Mapping: In host network mode, you don't need to map container ports to host ports because the container shares the host's networking namespace. Any ports opened by the container are directly accessible on the host's IP address at the same port number, and the -p, --publish, -P, and --publish-all options are ignored, producing a warning instead:
WARNING: Published ports are discarded when using host network mode
Limited Isolation and Security: Containers using the host network have greater potential to interfere with each other and with the host system, as they share the same network namespace. This can lead to security concerns, as a compromised container could have more access to the host system.
DNS Resolution: Containers in the host network mode use the DNS settings of the host, unlike the default bridge network where Docker provides a DNS resolver.
Usage: The host network is often used for running services that need to handle a lot of traffic or need very low network latency, and where the security and isolation from the host system are not primary concerns.
To use the host network, you specify --network host in the docker run command. For example:
docker run --network host <image_name>
This command will start a container where the network is not isolated from the host's network.
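Because the -p/--publish bindings are silently discarded in host mode, an operator who believed a port was remapped can end up exposing the service at its original number on every host interface. The following is an added example (not code from the original page or from Docker itself): a small audit that reads the JSON produced by docker inspect, flags every container sharing the host network namespace, and lists the port bindings that host mode ignored. The two container entries embedded below are constructed sample data, not output captured from a real host.

```python
import json
from typing import Dict, List

# Constructed sample in the shape `docker inspect` returns for two containers
# (hypothetical names and values; not real output from any host).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/my_nginx",
        "Config": {"Image": "nginx"},
        "HostConfig": {
            "NetworkMode": "host",
            # -p 8080:80 was passed, but host mode discards it (see the warning)
            "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]},
        },
        "NetworkSettings": {"IPAddress": "", "Networks": {"host": {}}},
    },
    {
        "Name": "/web_bridge",
        "Config": {"Image": "nginx"},
        "HostConfig": {
            "NetworkMode": "bridge",
            "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]},
        },
        "NetworkSettings": {"IPAddress": "172.17.0.2", "Networks": {"bridge": {}}},
    },
])


def audit_host_network(inspect_json: str) -> List[Dict[str, object]]:
    """Return one finding per container whose NetworkMode is "host".

    Each finding records the container name and image, the absence of a
    container-side IP (traffic arrives on the host's own addresses), and any
    PortBindings that were configured but are ignored in host mode.
    """
    findings = []
    for c in json.loads(inspect_json):
        if c.get("HostConfig", {}).get("NetworkMode") != "host":
            continue
        bindings = c["HostConfig"].get("PortBindings") or {}
        findings.append({
            "name": c["Name"].lstrip("/"),
            "image": c.get("Config", {}).get("Image"),
            "own_ip": c.get("NetworkSettings", {}).get("IPAddress") or None,
            "discarded_port_bindings": sorted(bindings),
        })
    return findings


if __name__ == "__main__":
    # On a real host, feed it: docker inspect $(docker ps -q)
    for finding in audit_host_network(SAMPLE_INSPECT):
        print(finding)
```

A finding with a non-empty discarded_port_bindings list is the case to chase first: the service is reachable at its container port on the host, not at the port the operator configured.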
Workshop: Networking using the host network
Go through the workshop exercise provided by Docker Docs to understand the key features of using the host network within Docker.
1. Create and start the container as a detached process. The --rm option means to remove the container once it exits/stops. The -d flag means to start the container detached (in the background).
docker run --rm -d --network host --name my_nginx nginx
2. Access Nginx by running:
curl http://localhost:80/
3. Examine your network stack using the following commands:
Examine all network interfaces and verify that a new one was not created.
ip addr show
Verify which process is bound to port 80, using the netstat command. You need to use sudo because the process is owned by the Docker daemon user and you otherwise won't be able to see its name or PID.
sudo netstat -tulpn | grep :80
💡 To install the netstat tool, use the command:
sudo apt install net-tools
4. Stop the container. It will be removed automatically as it was started using the --rm option.
docker container stop my_nginx