Docker Networking¶
35 cards — 🟢 5 easy | 🟡 10 medium | 🔴 5 hard
🟢 Easy (5)¶
1. What are some features of libnetwork?
Show answer
* Native service discovery* ingress-based load balancer
* network control plane and management plane
Name origin: libnetwork is Docker's implementation of the CNM (Container Network Model) specification, written in Go.
Under the hood: libnetwork provides DNS-based service discovery (containers resolve each other by name), built-in IPAM (IP address management), and pluggable network drivers.
2. You would like to run a web server inside a container but, be able to access it from the localhost. Demonstrate how to do that
Show answer
`podman run -d --name apache1 -p 8080:8080 registry.redhat.io/rhel8/httpd-24` maps host port 8080 to container port 8080. Then `curl 127.0.0.1:8080` verifies access. Format is `-p HOST_PORT:CONTAINER_PORT`. Use `-p 127.0.0.1:8080:8080` to bind only to localhost for security.3. True or False? If you would like to connect a container to multiple networks, you need multiple endpoints
Show answer
True. An endpoint can connect only to a single network.Under the hood: each endpoint is a veth pair — one end in the container's network namespace, the other attached to the Docker bridge. Multiple networks = multiple veth pairs.
Example: docker network connect second_network my_container adds a second endpoint (and a second IP) to an already-running container.
4. How do you expose a port from a Docker container to the host?
Show answer
By using the -p or -P flag with docker run. For example, -p 8080:80 maps port 8080 on the host to port 80 in the container. The container's service listening on 80 will then be accessible via host:8080.Gotcha: -p 8080:80 binds to 0.0.0.0 (all interfaces) by default. Use -p 127.0.0.1:8080:80 to restrict to localhost only — important for security.
Remember: -p = publish specific ports. -P = publish all EXPOSE'd ports to random host ports. Lowercase -p is almost always what you want.
5. What network specification Docker is using and how its implementation is called?
Show answer
Docker is using the CNM (Container Network Model) design specification.The implementation of CNM specification by Docker is called "libnetwork". It's written in Go.
X vs Y: CNM (Docker) vs CNI (Container Network Interface, Kubernetes). CNM uses a key-value store; CNI uses JSON config files. Kubernetes chose CNI — that's why Docker and Kubernetes networking work differently.
Name origin: CNM = Container Network Model. CNI = Container Network Interface. Both are specifications, not implementations.
🟡 Medium (10)¶
1. How do you create a custom bridge network in Docker?
Show answer
To create a custom bridge network in Docker, you can use the docker network create command. Here's an example:```docker network create my_bridge_network```
This command creates a new bridge network named my_bridge_network. You can then connect containers to this network using the --network option in the docker run command.
```docker run --network my_bridge_network my_image```
Custom bridge networks provide isolation between containers and can be useful for organizing and managing container communication.
2. Explain the following blocks in regards to CNM:
Show answer
* Networks: software implementation of an switch. They used for grouping and isolating a collection of endpoints.* Endpoints: Virtual network interfaces. Used for making connections.
* Sandboxes: Isolated network stack (interfaces, routing tables, ports, ...)
3. Explain the concept of Docker network aliases.
Show answer
Docker network aliases allow a container to have multiple network identities (IP addresses) within the same network. This can be useful in scenarios where a container provides multiple services or when network segregation is needed.When creating a container, you can specify network aliases using the --network-alias option:
```docker run --network my_network --network-alias service_alias container_image```
This allows the container to be reachable under both its container name and the specified network alias.
4. When running a container, usually a virtual ethernet device is created. To do so, root privileges are required. How is it then managed in rootless containers?
Show answer
Networking is usually managed by Slirp in rootless containers. Slirp creates a tap device which is also the default route and it creates it in the network namespace of the container. This device's file descriptor passed to the parent who runs it in the default namespace and the default namespace connected to the internet. This enables communication externally and internally.5. What is the purpose of the "--network" option in the "docker run" command?
Show answer
The --network option in the docker run command is used to specify the network to which the container should be connected. Docker provides various networking options for containers, and using --network allows you to connect containers to the same network, enabling communication between them.```docker run --network my_network image_name```
This is especially useful in multi-container applications where different services need to communicate. Docker supports default bridge networks, user-defined bridge networks, host networking, and overlay networks for more complex scenarios.
6. What container network standards or architectures are you familiar with?
Show answer
CNM (Container Network Model):* Requires distrubited key value store (like etcd for example) for storing the network configuration
* Used by Docker
CNI (Container Network Interface):
* Network configuration should be in JSON format
7. What is Docker Compose networking, and how is it configured?
Show answer
Docker Compose networking is a feature that enables the definition and management of networks for multi-container applications. It allows you to specify custom networks for containers, control communication between services, and define network-related configurations.Networks in Docker Compose are defined in the docker-compose.yml file under the networks section. Here's an example:
```yaml\nversion: '3'\nservices:\n app1:\n image: image1\n networks:\n - custom_network\n app2:\n image: image2\n networks:\n - custom_network\nnetworks:\n custom_network:\n```
This configuration creates a custom network named custom_network, and both app1 and app2 services are connected to this network.
8. How do you inspect the network settings of a running container?
Show answer
To inspect the network settings of a running container, you can use the docker inspect command with the container ID or name:```docker inspect container_id```
This command provides detailed information about the container, including its network settings, IP address, gateway, and more. You can also filter the output to display specific information, such as:
```docker inspect --format '{{ .NetworkSettings.IPAddress }}' container_id```
9. What is the purpose of the "-p" option in the "docker run" command?
Show answer
The -p (or --publish) option in the docker run command is used to map ports between the host machine and the container. It facilitates the exposure and access of services running inside the container to the external network.```docker run -p host_port:container_port image_name```
`host_port` is the port on the host machine.
`container_port` is the port inside the container.
This option allows external applications to connect to the containerized service using the specified host port.
10. How does a container's network namespace provide isolation?
Show answer
The container gets its own network stack: interfaces, routing table, firewall rules, and listening sockets. The process thinks it owns eth0 without accessing the host's network stack. Communication with the host uses virtual bridges or veth pairs.🔴 Hard (5)¶
1. Explain the difference between bridge, host, and overlay network drivers.
Show answer
**Bridge Network Driver:* •• Default network driver in Docker.
• Creates an internal private network that allows containers to communicate with each other.
• Containers on a bridge network can expose and publish ports to the host machine.
**Host Network Driver:* •
• Containers share the host machine's network namespace.
• Provides better performance but may lead to port conflicts if multiple containers use the same ports.
**Overlay Network Driver:* •
• Used in swarm mode for multi-host communication.
• Creates an overlay network that spans multiple Docker hosts.
• Allows
2. How do you create a custom Docker network driver?
Show answer
Creating a custom Docker network driver involves developing a plugin that adheres to the Docker Network Driver API. This allows the driver to interface with Docker and provide customized networking capabilities.**Steps for creating a custom Docker network driver:**
**Develop the Driver:**
* Implement the required API methods in the language of your choice (e.g., Go).
* Adhere to the specifications outlined in the Docker Network Driver API.
**Build the Driver:**
3. How does Docker Swarm handle service discovery?
Show answer
Docker Swarm handles service discovery through its built-in DNS-based service discovery mechanism. Each service in a Docker Swarm has a DNS entry that allows other services to discover and communicate with it.**Key aspects of Docker Swarm service discovery:**
* Service Names: Each service is given a unique name within the swarm.
* DNS Resolution: Services can be accessed by other services using their DNS name (e.g., my_service) or by the full DNS name (e.g., my_service.my_network).
* Load Balancing: Swarm provides built-in load balancing for services, distributing incoming requests among available replicas.
This DNS-based service discovery simplifies communication between services within the swarm.
4. What is Docker networking, and how does it facilitate communication between containers?
Show answer
Docker networking enables communication between containers running on the same host or across multiple hosts. Docker provides various networking options to facilitate this communication:**Bridge Networks:** The default network type in Docker. Containers on the same bridge network can communicate with each other. This is suitable for most applications.
**Host Networking:** Containers share the host network namespace, meaning they have the same network stack as the host machine.
5. How can you expose ports from a Docker container?
Show answer
To expose ports from a Docker container, you use the -p or --publish option with the docker run command:```docker run -p host_port:container_port image_name```
`host_port` is the port on the host machine.
`container_port` is the port inside the container.
This command maps the specified container port to the specified host port, allowing external access to the containerized application. You can also specify the host IP address if needed:
```docker run -p host_ip:host_port:container_port image_name```
Exposed ports are crucial for allowing external services or other containers to communicate with the running container.