Network Namespaces
The container runtime first runs a command like the one below. It creates a pair of virtual Ethernet devices. Then it moves one end of the pair into the container's network namespace. To see what the kernel does here, read the network devices doc in detail.
# Ask the kernel (via netlink) to create device veth0 of type veth, paired with peer veth1
ip link add veth0 type veth peer name veth1
Network Namespace Isolation
This isolation gives each container its own copy of the kernel's networking state: network devices, routing tables, firewall rules, and other network configuration. See Linux network device to learn how this works.
Namespaces isolate only that state. Nothing stops a device in one namespace from being linked to a device in another.
This is exactly why the veth pair works. One end of the pair sits in the host namespace. The other end sits in the container namespace. The bridge, acting as an L2 switch, is also in the host namespace.
Even with namespaces, there is still one kernel doing the forwarding: it moves every packet between the host, the bridge and the containers. See this page for more.
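The wiring described above, as an added example that is not part of this page: a script that creates a bridge in the host namespace, a veth pair, moves one end into a new namespace and attaches the other end to the bridge, then checks the result from inside the namespace. It assumes iproute2 is installed and that "apply" mode runs as root; the namespace, bridge and addresses are constructed for the demo, and without "apply" it only prints the plan.

```sh
#!/bin/sh
# Added example, not code from the original page. Plan mode (default) prints the
# ip commands; "apply" mode runs them and needs CAP_NET_ADMIN. Names and
# addresses below are constructed for this demo.
set -eu
run() {                               # print in plan mode, execute in apply mode
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}
# veth_names NS -> "<host end> <container end>". Interface names are capped at 15
# characters (IFNAMSIZ-1); the kernel rejects longer ones, so check before creating.
veth_names() {
    host_if="veth-$1"
    [ ${#host_if} -le 15 ] || { echo "name too long: $host_if" >&2; return 1; }
    echo "$host_if eth0"
}
# ensure_bridge BR ADDR/PREFIX: the L2 switch stays in the host namespace.
ensure_bridge() {
    run ip link add "$1" type bridge
    run ip addr add "$2" dev "$1"
    run ip link set "$1" up
}
# wire_namespace NS BR BR_ADDR/PREFIX CT_ADDR/PREFIX
wire_namespace() {
    ns=$1; br=$2; gw=${3%/*}; ct_ip=$4
    names=$(veth_names "$ns") || return 1
    host_if=${names% *}; cont_if=${names#* }
    run ip netns add "$ns"
    run ip link add "$host_if" type veth peer name "$cont_if"  # both ends start on the host
    run ip link set "$cont_if" netns "$ns"                      # one end moves into the namespace
    run ip link set "$host_if" master "$br" up                  # the other becomes a bridge port
    run ip netns exec "$ns" ip addr add "$ct_ip" dev "$cont_if"
    run ip netns exec "$ns" ip link set "$cont_if" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip route add default via "$gw"      # bridge address is the gateway
}
# verify NS GW: the namespace has its own routing table and reaches the host only via the veth pair.
verify() {
    run ip netns exec "$1" ip route show
    run ip netns exec "$1" ping -c 1 -W 1 "$2" >/dev/null
    [ "${DRY_RUN:-1}" = 1 ] || echo "$1 reaches $2 through the veth pair"
}
main() {
    [ "${1:-plan}" = apply ] && DRY_RUN=0 || DRY_RUN=1
    ensure_bridge br-demo 10.200.0.1/24
    wire_namespace demo br-demo 10.200.0.1/24 10.200.0.10/24
    verify demo 10.200.0.1
}
main "$@"
```

Run it with no arguments to see the exact command sequence; run it as root with `apply` to create the namespace and confirm the ping crosses the veth pair.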

Docker Networking Model
The Docker networking model is Docker's own design. It shows how Docker chooses to use the kernel's network features. The kernel doesn't enforce any such rules or models.
The Docker network model puts the L2 bridge in the host namespace. The Docker daemon runs in the host namespace. It can set up the data plane and control plane from there with ease.
This small detail matters. Linux network namespaces allow traffic between namespaces. The only requirement is a veth pair connecting the devices.
Why can't the Docker subnet be reached from the outside network?
When an external system sends an ARP request for a container address, no physical switch knows about this network, so the request never reaches the host. See the routing document for more.
Suppose the ARP request did reach the host. The host would answer with its own MAC address, receive the packet, look up the destination IP in its routing table, and forward it to the container network's gateway.
The gateway would then ARP for the destination IP and deliver the frame to the container. None of this happens, because the first step never does: the internal network is not exposed outside at all.