dockerdocker-network

What does --network=host option in Docker command really do?


I'm a little bit beginner to Docker. I couldn't find any clear description of what this option does in docker run command in deep and bit confused about it.

Can we use it to access the applications running on docker containers without specifying a port? As an example if I run a webapp deployed via a docker image in port 8080 by using option -p 8080:8080 in docker run command, I know I will have to access it on 8080 port on Docker containers ip /theWebAppName. But I cannot really think of a way how --network=host option works.


Solution

  • After the docker installation you have 3 networks by default:

    docker network ls
    NETWORK ID          NAME                DRIVER              SCOPE
    f3be8b1ef7ce        bridge              bridge              local
    fbff927877c1        host                host                local
    023bb5940080        none                null                local
    

    I'm trying to keep this simple. So if you start a container by default it will be created inside the bridge (docker0) network.

    $ docker run -d jenkins
    1498e581cdba        jenkins             "/bin/tini -- /usr..."   3 minutes ago       Up 3 minutes        8080/tcp, 50000/tcp   friendly_bell
    

    In the dockerfile of jenkins the ports 8080 and 50000 are exposed. Those ports are opened for the container on its bridge network. So everything inside that bridge network can access the container on port 8080 and 50000. Everything in the bridge network is in the private range of "Subnet": "172.17.0.0/16", If you want to access them from the outside you have to map the ports with -p 8080:8080. This will map the port of your container to the port of your real server (the host network). So accessing your server on 8080 will route to your bridgenetwork on port 8080.

    Now you also have your host network. Which does not containerize the containers networking. So if you start a container in the host network it will look like this (it's the first one):

    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                 NAMES
    1efd834949b2        jenkins             "/bin/tini -- /usr..."   6 minutes ago       Up 6 minutes                              eloquent_panini
    1498e581cdba        jenkins             "/bin/tini -- /usr..."   10 minutes ago      Up 10 minutes       8080/tcp, 50000/tcp   friendly_bell
    

    The difference is with the ports. Your container is now inside your host network. So if you open port 8080 on your host you will acces the container immediately.

    $ sudo iptables -I INPUT 5 -p tcp -m tcp --dport 8080 -j ACCEPT
    

    I've opened port 8080 in my firewall and when I'm now accesing my server on port 8080 I'm accessing my jenkins. I think this blog is also useful to understand it better.