🚀 DevOps & SRE Certification Program 📅 Starting: 1st of Every Month 🤝 +91 8409492687 🔍 Contact@DevOpsSchool.com

Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours scrolling social media and waste money on things we forget, but won’t spend 30 minutes a day earning certifications that can change our lives.
Master in DevOps, SRE, DevSecOps & MLOps by DevOpsSchool!

Learn from Guru Rajesh Kumar and double your salary in just one year.


Get Started Now!

Docker Lab, Excercise & Assignment – 4 – Docker Networking

Here’s an in-depth, step-by-step tutorial and lab manual for Docker Networking—starting from basics, covering all core concepts, and providing a hands-on guide to every feature and command. This guide uses the Ubuntu image for all labs and examples.


Docker Networking Concepts & Lab Manual (Beginner to Advanced)


1. Docker Networking Concepts: Introduction

1.1 What is Docker Networking?

Docker networking is the system that allows Docker containers to communicate with each other, with the Docker host, and with external networks. Each container, by default, is attached to a network, typically the bridge network.


2. Core Concepts

2.1 Types of Docker Networks

Network TypeDriverDescription
bridgebridgeDefault network for containers. Each container gets a virtual Ethernet interface (veth) in its own network namespace.
hosthostShares the host’s networking stack. No isolation between host and container network.
nonenullNo networking for the container. Only loopback.
custombridgeUser-defined networks for more control.

2.2 Core Components

  • Bridge: A virtual switch for containers on the same host.
  • veth Pair: A pair of virtual ethernet devices. One end is in the container, the other in the host.
  • eth0: The default network interface inside the container.

3. Lab Manual: Hands-on with Docker Networking

All commands below are to be run on a Docker host with the Ubuntu image pulled (docker pull ubuntu).


3.1 Listing Docker Networks

docker network ls

Output:

NETWORK ID     NAME      DRIVER    SCOPE
0bb0cc0920f0   bridge    bridge    local
8acf821ccc8a   host      host      local
a8c348b5037b   none      null      local

3.2 Inspecting a Docker Network

docker network inspect bridge
  • Shows subnet, gateway, attached containers, etc.

3.3 Creating Custom Networks

docker network create dev
docker network create qa
docker network create --driver bridge devopsschool

3.4 Inspecting Custom Networks

docker network inspect dev
docker network inspect qa

3.5 Running Containers with Specific Networks

# Create and attach container to 'qa' network
docker run -itd --name qa1 --net=qa ubuntu

# Create and attach container to 'dev' network
docker run -itd --name dev1 --net=dev ubuntu

3.6 Viewing Network Interfaces in Containers

docker exec -it qa1 /bin/bash
ip a
# Check eth0 interface, assigned IP, etc.
exit

3.7 Network Connection Scenarios

A. Connecting a Container to Multiple Networks

docker network connect dev qa1
docker inspect qa1 | grep -A 20 "Networks"

B. Disconnecting a Container from a Network

docker network disconnect dev qa1
docker inspect qa1 | grep -A 20 "Networks"

3.8 Testing Connectivity Between Containers

  1. Create two containers on the same network:
    docker run -itd --name qa2 --net=qa ubuntu
  2. Install ping utility (inside both containers):
    docker exec -it qa1 apt update
    docker exec -it qa1 apt install iputils-ping -y
    docker exec -it qa2 apt update
    docker exec -it qa2 apt install iputils-ping -y
  3. Get the IP of qa2: docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' qa2
  4. Ping from qa1 to qa2: docker exec -it qa1 ping <qa2-IP>

3.9 Default Networks: host and none

A. Host Network

docker run -itd --name host1 --net=host ubuntu
docker exec -it host1 ip a
# Shares all network interfaces with host.

B. None Network

docker run -itd --name none1 --net=none ubuntu
docker exec -it none1 ip a
# Only loopback interface is present.

3.10 Understanding veth, Bridge, eth0

  • Each container connected to a bridge gets a pair of virtual ethernet interfaces (veth):
    • One end in container as eth0
    • Other end in the Docker bridge on the host.

Lab: See the veth pair

  1. Find container PID: docker inspect --format '{{.State.Pid}}' qa1
  2. On host, see interfaces: ip link # Look for veth... interfaces
  3. In container: docker exec -it qa1 ip a # eth0

3.11 Removing and Pruning Networks

docker network rm dev
docker network prune  # Removes all unused networks

3.12 Advanced Networking Commands

A. List Containers on a Network

docker network inspect qa | grep Name

B. Assign Static IP to Container

docker network create --subnet=192.168.100.0/24 staticnet
docker run -itd --name static1 --net=staticnet --ip=192.168.100.10 ubuntu
docker exec -it static1 ip a

3.13 Network Namespace Lab (Linux)

View container’s network namespace:

  1. Get container PID: docker inspect --format '{{.State.Pid}}' qa1
  2. On host: nsenter -t <PID> -n ip a

4. Docker Network CLI Cheat Sheet

CommandPurpose
docker network lsList all networks
docker network createCreate a new network
docker network inspectInspect network details
docker run –net= …Run container on a specific network
docker network connectAttach container to network
docker network disconnectDetach container from network
docker network rmRemove a network
docker network pruneRemove all unused networks

5. Advanced Scenarios

5.1 Container to Host Networking

  • Bridge: Containers can communicate with the host via the gateway IP of the bridge.
  • Host: Full access, same as host.

5.2 Container to External World

  • By default, containers can reach the outside world unless firewalled.

6. Sample Lab Scenarios

Scenario 1: Multi-network Container

  1. Create two networks: docker network create netA docker network create netB
  2. Run container in netA: docker run -itd --name multi1 --net=netA ubuntu
  3. Connect it to netB: docker network connect netB multi1
  4. Inspect: docker inspect multi1 | grep -A 20 "Networks"

Scenario 2: Communication Restriction

  1. Run two containers, one on dev, one on qa.
  2. They cannot ping each other (different networks).
  3. Connect one container to both networks; now it can access both.

Scenario 3: Isolated Network

  1. Create a network with --internal flag (blocks external access): docker network create --internal isolated docker run -itd --net=isolated --name isoc1 ubuntu
  2. Try to ping external site—it will fail.

7. Cleaning Up

docker network prune
docker network rm <network_name>
docker rm -f $(docker ps -aq)

Summary: Docker Networking Deep Dive

  • Bridge: Default, most common network. Use for most container-to-container communication.
  • veth: Connects container’s network stack to host bridge.
  • eth0: Network interface in container.
  • host/none: Special cases for sharing host stack or isolating.

Further Learning

  • Overlay networks (for Docker Swarm/multi-host).
  • Macvlan networks.
  • DNS resolution within Docker networks.
  • Exposing and publishing ports (-p, --expose).

Full Docker Networking Lab Script (Ready to Use)

# Step 1: Pull Ubuntu image
docker pull ubuntu

# Step 2: List Docker networks
docker network ls

# Step 3: Inspect bridge network
docker network inspect bridge

# Step 4: Create custom networks
docker network create dev
docker network create qa

# Step 5: List and inspect
docker network ls
docker network inspect dev

# Step 6: Run containers on custom networks
docker run -itd --name dev1 --net=dev ubuntu
docker run -itd --name qa1 --net=qa ubuntu

# Step 7: Inspect container network interfaces
docker exec -it dev1 ip a
docker exec -it qa1 ip a

# Step 8: Connect dev1 to qa
docker network connect qa dev1

# Step 9: Disconnect dev1 from qa
docker network disconnect qa dev1

# Step 10: Host and none networks
docker run -itd --name host1 --net=host ubuntu
docker run -itd --name none1 --net=none ubuntu

# Step 11: Assign static IP
docker network create --subnet=192.168.55.0/24 staticnet
docker run -itd --name static1 --net=staticnet --ip=192.168.55.10 ubuntu

# Step 12: Network cleanup
docker network prune
docker network rm dev qa staticnet
docker rm -f $(docker ps -aq)

Here’s a comprehensive manual listing all essential Linux networking commands to explore, inspect, and troubleshoot Docker container networking on Ubuntu. This guide covers how to analyze networking at the host level and inside the container—from simple checks to advanced network namespace tricks.


Manual: Linux Networking Commands for Exploring Docker Container Networking


1. Checking Network Interfaces

On the Host:

ip a             # Shows all network interfaces (look for docker0, veth*, etc.)
ifconfig -a      # Alternative view (may need 'net-tools' package)
ip link          # Lists all interfaces (states, MACs)

Inside a Container:

docker exec -it <container-name> ip a
docker exec -it <container-name> ifconfig -a

Tip: The container’s main interface is usually eth0.


2. Checking Routing Tables

On the Host:

ip route
route -n

Inside a Container:

docker exec -it <container-name> ip route
docker exec -it <container-name> route -n

3. Viewing Network Namespaces

Each Docker container runs in its own network namespace.

List network namespaces (on host):

ls /var/run/netns    # Sometimes empty unless explicitly created

Find container’s PID:

docker inspect --format '{{.State.Pid}}' <container-name>

Explore container’s network namespace (as root):

nsenter -t <PID> -n ip a      # View interfaces in the container's namespace
nsenter -t <PID> -n bash      # Get a shell in the namespace

4. Exploring veth Pairs and Docker Bridges

On the Host:

brctl show                   # Shows bridges and connected interfaces (needs 'bridge-utils')
ip link                      # Shows veth* interfaces
ip -d link                   # Details (peer relationships for veth)

Find docker0 bridge:

ip a | grep docker0
brctl show docker0

Show bridge IP and attached interfaces:

ip addr show docker0
bridge link show dev docker0

5. Checking Network Connections

On the Host or in Container:

ss -tulnp                   # Lists open ports and listening sockets
netstat -tulnp              # Same, legacy (needs 'net-tools')
lsof -i                     # Shows open files and network sockets

Test connectivity:

ping <IP>
traceroute <IP>             # May need to install
curl <URL>                  # Test HTTP/S
nc -vz <IP> <port>          # Test TCP port (nc = netcat)

Inside a container:

docker exec -it <container-name> ping 8.8.8.8
docker exec -it <container-name> curl ifconfig.me

6. Docker Networking on the Host

Show Docker networks:

docker network ls
docker network inspect <network>

Show firewall/NAT rules (how Docker handles IP forwarding):

sudo iptables -t nat -L -n -v | grep DOCKER
sudo iptables -L -n -v | grep DOCKER

7. Observing Container MAC/IP Addresses

Get container’s IP/MAC from Docker:

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container>
docker inspect -f '{{range .NetworkSettings.Networks}}{{.MacAddress}}{{end}}' <container>

8. DNS Inside Docker

Check /etc/resolv.conf in a container:

docker exec -it <container> cat /etc/resolv.conf

Docker usually provides its own embedded DNS server to containers.


9. Examining Network Traffic (Advanced)

Packet capture on docker0 bridge:

sudo tcpdump -i docker0
sudo tcpdump -i any port 80

In a container:

docker exec -it <container> apt update
docker exec -it <container> apt install tcpdump -y
docker exec -it <container> tcpdump -i eth0

10. Example: Full Lab to Explore Docker Networking Internals

Step 1: Start a container and note its details

docker run -itd --name nettest ubuntu
docker inspect nettest | grep -A 5 "Networks"

Step 2: Find container’s PID and veth pair

CONTAINER_ID=$(docker ps -qf "name=nettest")
PID=$(docker inspect --format '{{.State.Pid}}' $CONTAINER_ID)
ls -l /proc/$PID/ns/net    # Shows network namespace link

Step 3: Map veth pair

  1. On the host: ip link | grep veth
  2. Use ethtool to find which veth peer connects to which container (install with apt install ethtool): ethtool -S vethXXXXX # Find statistics, may show peer info

Step 4: Check bridge

brctl show

Step 5: Explore namespace with nsenter

sudo nsenter -t $PID -n ip a

11. Useful Tools to Install on Ubuntu for Networking Labs

sudo apt update
sudo apt install iproute2 net-tools bridge-utils tcpdump ethtool lsof traceroute iputils-ping dnsutils curl netcat

Summary Table of Commands

PurposeHost CommandContainer Command (with docker exec)
List interfacesip a / ifconfig -aip a / ifconfig -a
Routing tableip route / route -nip route / route -n
Network namespacesnsenter -t -n ip a(direct, already inside namespace)
List bridgesbrctl show(usually N/A)
Docker bridge statusip addr show docker0(N/A)
veth infoip link / ip -d link / ethtool(N/A)
Open portsss -tulnp / netstat -tulnpss -tulnp / netstat -tulnp
Test connectivityping, curl, nc, tracerouteping, curl, nc, traceroute
DNS checkcat /etc/resolv.confdocker exec cat /etc/resolv.conf
Packet capturetcpdump -i docker0 / tcpdump -i any porttcpdump -i eth0
Docker inspectdocker inspect, docker network inspect(N/A)
IP/MAC from inspectdocker inspect -f …(N/A)
Firewall/NAT rulesiptables -t nat -Lgrep DOCKER

End-to-End Lab Workflow Example

  1. Create a bridge network docker network create mynet
  2. Start two Ubuntu containers docker run -itd --name box1 --net=mynet ubuntu docker run -itd --name box2 --net=mynet ubuntu
  3. Check networking from host docker network inspect mynet ip a # look for new veth interfaces brctl show
  4. Check networking from inside containers docker exec -it box1 ip a docker exec -it box2 ip a
  5. Test connectivity docker exec -it box1 apt update docker exec -it box1 apt install iputils-ping -y docker exec -it box1 ping <IP-of-box2>
  6. Trace the connection (from host) sudo tcpdump -i docker0

Extra: How Docker Networking Actually Works (Flow Summary)

  1. Docker creates a docker0 bridge on the host.
  2. When you run a container, Docker:
    • Creates a network namespace for the container.
    • Creates a veth pair: one end in host namespace, other in container as eth0.
    • Connects host end of veth to docker0 bridge.
    • Assigns container an IP from the bridge subnet.
    • Sets up NAT/iptables rules for outbound access.

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs:

DevOps Certification, SRE Certification, and DevSecOps Certification by DevOpsSchool

Explore our DevOps Certification, SRE Certification, and DevSecOps Certification programs at DevOpsSchool. Gain the expertise needed to excel in your career with hands-on training and globally recognized certifications.