Exploring Docker Networking – Bridge

Let’s jump right in.  I’ve copied/pasted from my terminal but have highlighted text in blue where I’m trying to emphasize part of the content.  However, I really encourage you to try this on your own on a standard, out-of-the-box Linux VM so you can see what I’m talking about in real time.

First let’s look at the network configuration.  Again we have no containers running yet.  First I’ll use a docker command to view networks on the box:

[root@dockernet ~]# docker network ls
NETWORK ID   NAME   DRIVER SCOPE
c7a2943b8335 bridge bridge local
7c91031b746f host   host   local
6b97ccb29f12 none   null   local

There are 3 built-in networks: bridge, host, and none.  We are looking at bridge as it is the default.

I can do a deeper inspection of any of these networks and get more information.

[root@dockernet ~]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "c7a2943b83359f7c22d57e0e01f4295b702b17ca3bb93130e566ac3f2992d493",
        "Created": "2017-07-24T13:57:15.077246653-04:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

Some good info here, right?  You can see the container subnet assigned to this box, 172.17.0.0/16, under the IPAM (IP Address Management) section.  This is the subnet from which container IPs will be assigned.  Docker automatically chooses a private /16 subnet that is not currently in use on the box for this purpose.  There is other info as well, which I hope to cover later.

Now I’ll use the standard Linux ip addr show command to view the NICs and their configurations.

[root@dockernet ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:50:56:82:f0:87 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.205/24 brd 10.0.0.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe82:f087/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:a4:4f:37:85 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever

Entries #1 and #2 should look pretty familiar to you: the local loopback interface and a real (well, as real as virtual interfaces get) interface.  #3 will be new.  This is an interface that Docker creates, and you’ll notice that at the moment it is DOWN.  Also notice that it has an IP address on our container network.  Further, this is actually a special interface called a bridge.  We can examine it using brctl from the bridge-utils package we downloaded:

[root@dockernet ~]# brctl show
bridge name bridge id         STP enabled    interfaces
docker0     8000.0242a44f3785 no

For those network folks, you’ll see STP is not enabled, which probably leads you to correctly understand that this interface is actually, essentially, a virtual switch.  Bridges in Linux are vswitches, and you can actually replace them with Open vSwitch if you want.  But again, we are looking at the standard configs, right?

Also notice that interfaces (the last column) is blank so we have nothing actually attached to this at the moment.  It exists but nothing is connected.

Finally let’s look at the host routing:

[root@dockernet ~]# ip route show
default via 10.0.0.1 dev ens192 proto static metric 100
10.0.0.0/24 dev ens192 proto kernel scope link src 10.0.0.205 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

Nothing too crazy right?  Some locally attached networks and my default gateway.

Next we’ll turn up a container and see what happens.
