Jérôme Petazzoni

Docker containers can haz networking now!

Jérôme Petazzoni


The following command will allocate a random port on your machine, and map it to port 1234 inside a container:

docker run -p 1234 base — nc -l 1234

Use docker inspect (and look under NetworkSettings) to see which random port was allocated.

Good news, everyone! Networking support has been merged.

This means that your containers can now talk to the outside world (duh!), and the outside world can talk to them as well.

Some technical details:

  • you should have a bridge interface called lxcbr0 (you can change the name easily in the code, if you prefer e.g. br0 or anything else)

  • Docker will cleverly analyze this bridge interface, to determine the pool of IP addresses available for containers

  • Docker will also infer the netmask and gateway

  • before a container starts, Docker will allocate an IP address in the pool, and setup a virtual ethernet interface for the container, thanks to Docker’s sysinit code

  • when a container stops, the IP address is given back to the pool

  • the main address of the bridge will be used as default gateway (i.e. traffic will be routed by the host machine; that’s probably the most common use-case for now!)

  • when running a container, “-p <PORT>” will map a random port in the range [49153,65535] to the given port inside the container

  • you can specify “-p” multiple times if you need multiple ports, or zero times if you need zero port

  • no, you can’t have UDP ports; no, you can’t have IPv6; no you can’t have a pony; at least for now

  • (longer story: UDP implementation should be fairly straightforward if someone needs it; IPv6 will require little touch-ups in the IP allocation policy; ponies are still a no go but unicorns might work)

  • ports are released when the container stops running

  • port mapping is implemented with iptables rules; Docker will create a chain named DOCKER in the “nat” table, and will only touch this chain

  • Docker automatically appends a jump to DOCKER from the PREROUTING chain (but that’s the only thing it does outside of the DOCKER chain)

Implementation details can also be found be Reading The Code, Luke (https://github.com/dotcloud/docker/pull/23/files).


About Jérôme Petazzoni


Jérôme is a senior engineer at dotCloud, where he rotates between Ops, Support and Evangelist duties and has earned the nickname of “master Yoda”. In a previous life he built and operated large scale Xen hosting back when EC2 was just the name of a plane, supervized the deployment of fiber interconnects through the French subway, built a specialized GIS to visualize fiber infrastructure, specialized in commando deployments of large-scale computer systems in bandwidth-constrained environments such as conference centers, and various other feats of technical wizardry. He cares for the servers powering dotCloud, helps our users feel at home on the platform, and documents the many ways to use dotCloud in articles, tutorials and sample applications. He’s also an avid dotCloud power user who has deployed just about anything on dotCloud – look for one of his many custom services on our Github repository.

Connect with Jérôme on Twitter! @jpetazzo


One thought on “Docker containers can haz networking now!

  1. After 2 years is there finally the option to get a ‘public’ ip from my regular network, e.g. make the container visible to all other hosts in my network with full ip stack (+vlan, …) instead of just a bunch of ports?

Leave a Reply