Docker Networking 101: Host network

In Docker, a host network refers to a network mode where a Docker container shares the network namespace with the Docker host. This means that the container uses the same network stack as the host rather than its own virtual network stack, and it is not allocated an IP address of its own.

The host networking driver only works on Linux hosts, and is not supported on Docker Desktop for Mac, Docker Desktop for Windows, or Docker EE for Windows Server. More info here.

Here are some key points about the host network in Docker:

  1. No Network Isolation: When a container is run in the host network mode, it has full access to the host's network interfaces. This means the container can open any port on the host's network interfaces directly. However, in all other ways, such as storage, process namespace, and user namespace, the Docker container process is isolated from the host.

  2. Performance: Since there is no network virtualization overhead, containers running in the host network mode can have better network performance. This can be important for high-throughput or low-latency network applications.

  3. Simplified Port Mapping: In host network mode, you don't need to map container ports to host ports because the container shares the host's networking namespace. Any ports opened by the container are directly accessible on the host's IP address at the same port number, and the -p, --publish, -P, and --publish-all options are ignored, producing a warning instead:

     WARNING: Published ports are discarded when using host network mode
    
  4. Limited Isolation and Security: Containers using the host network have greater potential to interfere with each other and with the host system, as they share the same network namespace. This can lead to security concerns, as a compromised container could have more access to the host system.

  5. DNS Resolution: Containers in the host network mode use the DNS settings of the host, unlike the default bridge network where Docker provides a DNS resolver.

  6. Usage: The host network is often used for running services that need to handle a lot of traffic or need very low network latency, and where the security and isolation from the host system are not primary concerns.

To use the host network, you specify --network host in the docker run command. For example:

docker run --network host <image_name>

This command will start a container where the network is not isolated from the host's network.
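As an added example (not part of the original page and not Docker's own tooling), the following Python script reads the JSON that docker inspect prints for one or more containers and lists every container whose HostConfig.NetworkMode is host, together with any -p/--publish bindings that were requested for it and are therefore ignored. The sample inspect output is constructed and trimmed to the fields the audit reads; the container names, IDs, ports and the script file name are assumptions.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect <id>...` output (a JSON
# array, one object per container), trimmed to the fields the audit reads.
# Names, IDs and ports are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaaa1111aaaa1111", "Name": "/my_nginx",
     "HostConfig": {"NetworkMode": "host", "PortBindings": None}},
    {"Id": "bbbb2222bbbb2222", "Name": "/web",
     "HostConfig": {"NetworkMode": "bridge",
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Id": "cccc3333cccc3333", "Name": "/metrics",
     "HostConfig": {"NetworkMode": "host",
                    "PortBindings": {"9100/tcp": [{"HostIp": "", "HostPort": "9100"}]}}},
])


def host_network_containers(inspect_json):
    """Return one finding per container running with --network host.

    Each finding carries the container name (leading '/' stripped), the short
    ID, and the PortBindings keys, which are exactly the -p/--publish mappings
    that Docker discards in host network mode.
    """
    findings = []
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig") or {}
        if host_cfg.get("NetworkMode") != "host":
            continue
        # PortBindings is null when no -p was given, so normalise it to {}
        bindings = host_cfg.get("PortBindings") or {}
        findings.append({
            "name": container.get("Name", "").lstrip("/"),
            "id": container.get("Id", "")[:12],
            "ignored_ports": sorted(bindings),
        })
    return findings


if __name__ == "__main__":
    # Usage (script name is assumed):
    #   docker inspect $(docker ps -q) | python3 audit_host_net.py
    # Without piped input the constructed sample is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in host_network_containers(data):
        note = ""
        if f["ignored_ports"]:
            note = ", ignored published ports: " + " ".join(f["ignored_ports"])
        print(f"{f['id']} {f['name']}: shares the host network namespace{note}")
```

Running this against the live daemon gives a quick inventory of which containers have given up network isolation, which is the set worth reviewing first when the host exposes services that were never meant to be reachable.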

Workshop: Networking using the host network

Go through the workshop exercise provided by Docker Docs to understand the key features of using the host network within Docker.

💡
For testing purposes you can boot up a local Ubuntu 20.04 VM with the Docker daemon already installed. To boot up the machine, use Vagrant. Code files can be found here.

  1. Create and start the container as a detached process. The --rm option means to remove the container once it exits/stops. The -d flag means to start the container detached (in the background).

     docker run --rm -d --network host --name my_nginx nginx

  2. Access Nginx by running curl http://localhost:80/

  3. Examine your network stack using the following commands:

    • Examine all network interfaces and verify that a new one was not created.

        ip addr show

    • Verify which process is bound to port 80, using the netstat command. You need to use sudo because the process is owned by the Docker daemon user and you otherwise won't be able to see its name or PID.

        sudo netstat -tulpn | grep :80

      💡
      To install the netstat tool, use the sudo apt install net-tools command.

  4. Stop the container. It will be removed automatically as it was started using the --rm option.

     docker container stop my_nginx
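The netstat step above is the one that actually shows what host network mode means: the container's nginx listener appears in the host's own socket table, with a host PID, exactly as a process started on the host would. As an added example (not part of the Docker workshop or the original page), the following Python script parses the output of sudo netstat -tulpn and reports which process is bound to a given port. The sample output is constructed (PIDs and names are made up), and the script file name is an assumption.

```python
import sys

# Constructed sample of `sudo netstat -tulpn` on a host running the workshop's
# nginx container in host network mode. PIDs and program names are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve
tcp6       0      0 :::80                   :::*                    LISTEN      1234/nginx: master
udp        0      0 127.0.0.53:53           0.0.0.0:*                           612/systemd-resolve
"""


def parse_netstat(output):
    """Parse the listener table into dicts with proto, local, port, pid, program.

    Two details matter: UDP rows have no State column, so they carry one field
    fewer than TCP rows; and the program name may itself contain spaces
    ("nginx: master"), so the split is capped instead of splitting on every
    whitespace run. Without sudo the PID/Program column reads "-", which is
    reported as pid=None, program=None.
    """
    rows = []
    for line in output.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue  # banner and header lines
        nfields = 6 if line.startswith("udp") else 7
        parts = line.split(None, nfields - 1)
        if len(parts) < nfields:
            continue  # truncated or malformed row
        local = parts[3]
        pid, _, program = parts[-1].strip().partition("/")
        rows.append({
            "proto": parts[0],
            "local": local,
            "port": int(local.rsplit(":", 1)[1]),
            "pid": pid if program else None,
            "program": program or None,
        })
    return rows


def listeners_on_port(output, port):
    """Return (proto, pid, program) for every socket bound to the given port."""
    return [(r["proto"], r["pid"], r["program"])
            for r in parse_netstat(output) if r["port"] == port]


if __name__ == "__main__":
    # Usage (script name is assumed):  sudo netstat -tulpn | python3 who_owns_port.py 80
    # Without piped input the constructed sample is used instead.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, pid, program in listeners_on_port(data, port):
        print(f"{proto} :{port} -> pid={pid} program={program}")
```

With the container in bridge mode instead, port 80 inside the container would not show up in the host's table at all unless it had been published with -p; in host mode it is simply there, which is why a port conflict with a host service (or another host-mode container) surfaces as a failed bind rather than a Docker error.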

References:

  1. Host network driver

  2. Host networking tutorial

  3. YouTube video