Docker's three network modes

Docker supports three network modes: Host mode, Bridge mode and None mode. Each of them is suitable for different scenarios and needs:

Host mode: Add the container to the network stack of the host, so that the container directly uses the network interface and IP address of the host. Host mode is suitable for scenarios where the container needs to share network resources with the host or the container needs to quickly access the host network service.

Bridge mode: The container uses Docker's built-in bridge, docker0, as its network interface. Containers are isolated from each other but can communicate with each other through the network. Bridge mode is suitable for building complex multi-container applications, where the containers need to communicate with each other while maintaining network isolation.

None mode: The container does not have any network interface and cannot communicate with the external network or other containers. It is suitable for scenarios where complete isolation is required.

Use of Host mode

If your application needs to run on different hosts and needs to communicate across hosts, you can use Host mode to implement communication between containers. In Host mode, the container directly uses the network stack, network interface and IP address of the host, so it can directly access any service and port on the host network and does not need port mapping. By contrast, in Bridge mode the containers are isolated from each other, and a port inside the container must be mapped to a port on the host before it can be accessed.

It should be noted that in the Host mode, the container will share the network resources of the host, which may affect the host network, and may also have some security risks. Therefore, when using the Host mode, you need to carefully consider security issues and take necessary measures to limit the network access rights of containers to avoid security issues.

Use of Bridge mode

Bridge mode is the default network mode of Docker. It uses Docker's built-in bridge, docker0, as the network interface of the container. Containers are isolated from each other, but they can communicate with each other through the network. Bridge mode is suitable for building complex multi-container applications, where the containers need to communicate with each other while maintaining network isolation. Ports inside the container need to be mapped to ports on the host for access, because the isolated containers can only be reached through port mapping.

In docker-compose, we can use the ports keyword to configure port mapping. For example, to map port 8080 on the host to port 80 inside the container, you can use the following configuration:

    services:
      web:
        image: nginx
        ports:
          - "8080:80"

Note that when mapping ports, you must make sure the port on the host is not already occupied, or select another unoccupied port. In addition, when using Host mode, you need to carefully consider security issues and take the necessary measures to limit the network access rights of the container.

However, in Bridge mode, containers can only communicate on the same host and cannot communicate across hosts. Therefore, in scenarios where cross-host communication is required, other network modes, such as Overlay networks and Macvlan networks, need to be considered.

Use of None mode

In None mode, the container does not have any network interface and cannot communicate with the external network or other containers. It is suitable for scenarios where complete isolation is required. Because a container in None mode cannot access the external network or other containers, the usage scenario needs to be considered carefully.
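
The security considerations from the Host and Bridge sections above, as an added example that is not part of the original post: a Python audit over a parsed docker-compose mapping that flags services using host networking and Bridge-mode ports published on every host interface. The names audit, host_ip_of, the finding labels and the SAMPLE services are constructed for illustration; a ports entry such as "8080:80" that names no host IP is published on all host interfaces by default.

```python
# Added example: audit a parsed docker-compose mapping for network exposure.
# SAMPLE, audit(), host_ip_of() and the finding labels are constructed here.

ALL_INTERFACES = (None, "", "0.0.0.0", "::", "[::]")

def host_ip_of(port):
    """Return the host IP a compose `ports` entry binds to, or None if unset."""
    if isinstance(port, dict):                # long syntax with optional host_ip
        return port.get("host_ip")
    spec = str(port).split("/")[0]            # drop a "/tcp" or "/udp" suffix
    if spec.startswith("["):                  # bracketed IPv6: "[::1]:8080:80"
        return spec[:spec.index("]") + 1]
    parts = spec.split(":")
    return parts[0] if len(parts) == 3 else None   # "IP:HOST:CONTAINER"

def audit(compose):
    """Return (service, finding) pairs for risky network settings."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        mode = svc.get("network_mode", "bridge")   # Bridge is the default mode
        if mode == "host":
            # Shares the host network stack: every port the container listens
            # on is reachable on the host's addresses, with no port mapping.
            findings.append((name, "host-network"))
        elif mode == "bridge":
            for port in svc.get("ports", []):
                if host_ip_of(port) in ALL_INTERFACES:
                    findings.append((name, "published-on-all-interfaces"))
        # network_mode "none": no external interface, nothing to flag
    return findings

# Constructed sample covering the three modes described on this page.
SAMPLE = {"services": {
    "web":     {"image": "nginx", "ports": ["8080:80"]},
    "admin":   {"image": "nginx", "ports": ["127.0.0.1:8081:80"]},
    "metrics": {"image": "nginx", "network_mode": "host"},
    "batch":   {"image": "busybox", "network_mode": "none"},
    "api":     {"image": "nginx",
                "ports": [{"target": 80, "published": 8082, "host_ip": "0.0.0.0"}]},
}}

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

Binding a mapping to a loopback address, as the constructed admin service does with "127.0.0.1:8081:80", keeps the published port reachable only from the host itself.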

Origin blog.csdn.net/weixin_43866043/article/details/130391091