Docker Networking: How Packets Actually Move

These articles are AI-generated summaries. Please check the original sources for full details.

Containers don’t have networking in the abstract; they leverage Linux networking through isolation, indirection, and policy. When a container sends a packet, it travels through a network namespace, a virtual Ethernet pair, a bridge or routing boundary, and is transformed by netfilter rules before reaching a physical network interface.

Understanding this path clarifies nearly all Docker networking behaviors.

Why This Matters

Idealized models often portray Docker networking as a simple abstraction, but the reality is a complex interplay of Linux kernel features. Misunderstanding this can lead to performance bottlenecks, security vulnerabilities, and difficulty debugging network-related issues – costing engineering time and potentially impacting application availability.

Key Insights

  • veth pairs connect namespaces, 2016: Virtual Ethernet pairs provide the link between a container’s network namespace and the host network.
  • Linux bridges provide Layer 2 adjacency: Docker’s default network utilizes a Linux bridge (docker0) to connect containers on the same network.
  • Port publishing uses DNAT: Publishing ports doesn’t expose the container directly, but rather installs DNAT (Destination Network Address Translation) rules on the host.

Working Example

# Show veth pairs on the host
ip link show type veth

# Show bridge configuration
brctl show
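
To see the DNAT rules that port publishing installs, the nat table can be audited for published ports that are not pinned to a specific host address. The script below is an added example, not code from the original article; it assumes Docker's iptables backend, and the sample rules, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output on a Docker host.
# Addresses and ports are made up for illustration.
sample_rules() {
cat <<'EOF'
*nat
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
EOF
}

# list_published (hypothetical helper): read iptables-save text on stdin and
# print one line per DNAT rule in the DOCKER chain:
#   <proto> <host-addr>:<host-port> -> <container-ip:port> <scope>
list_published() {
  awk '
    $1 == "-A" && $2 == "DOCKER" && /-j DNAT/ {
      proto = "?"; dport = "?"; dest = "?"; bind = "0.0.0.0"
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i+1)
        else if ($i == "--dport") dport = $(i+1)
        else if ($i == "--to-destination") dest = $(i+1)
        else if ($i == "-d" && $(i-1) != "!") { bind = $(i+1); sub(/\/32$/, "", bind) }
      }
      # No -d match means the rule applies to any destination address on the host.
      scope = (bind == "0.0.0.0") ? "any-address" : "restricted"
      printf "%s %s:%s -> %s %s\n", proto, bind, dport, dest, scope
    }'
}

# count_any_address (hypothetical helper): number of published ports that
# are not restricted to one host address.
count_any_address() {
  list_published | grep -c 'any-address$'
}

# On a live host (root required): iptables-save -t nat | list_published
sample_rules | list_published
```

Rules reported as any-address correspond to ports published without a host IP; binding the publish to a specific address (for example 127.0.0.1) produces the restricted form.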

Practical Applications

  • Microservices Architecture: Docker networking enables seamless communication between microservices deployed in containers, using container names for service discovery.
  • Pitfall: Relying on host networking (network_mode: host) eliminates network isolation, potentially creating security risks and port conflicts.
