How does docker container access Internet

I have docker installed (Docker for Mac). I start a new container with

docker run -it ubuntu

I can see that my newly created container has internet access by simply invoking

ping google.com

I see:

root@b06e1a46cc40:/# ping google.com
PING google.com (216.58.209.14) 56(84) bytes of data.
64 bytes from sof01s12-in-f14.1e100.net (216.58.209.14): icmp_seq=1 ttl=37 time=63.0 ms
64 bytes from sof01s12-in-f14.1e100.net (216.58.209.14): icmp_seq=2 ttl=37 time=63.7 ms
64 bytes from sof01s12-in-f14.1e100.net (216.58.209.14): icmp_seq=3 ttl=37 time=64.8 ms

Next, I checked the networks that my container is connected to:

root@b06e1a46cc40:/# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
    link/tunnel6 :: brd ::
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@b06e1a46cc40:/#

As I understand, eth0 is used to access the internet - it is a network 172.17.0.0/16.

When I look at the network list of my host, I'm not connected to this network.

How does my container access the internet then?

As I understand it, my container should access the internet through my host, because, after all, my host is connected to the internet, so this is the only way to access it.

4 months ago ·

Santiago Trujillo

3 answers

Docker for Mac employs the macOS Hypervisor framework to run a custom Linux distribution (CLD) in a virtual machine (VM).

Now, the CLD inside the VM has no network connectivity with the host OS (i.e. macOS), but Docker for Mac fills in the gap (literally) through VPNkit.

VPNkit uses a shared memory queue to send network packets between the host and the guest, and then injects them into the other side's network stack.

Here are some relevant articles that describe how these things work in detail:

https://docs.docker.com/docker-for-mac/networking/
https://github.com/moby/vpnkit/blob/master/docs/ethernet.md
https://github.com/moby/vpnkit/blob/master/docs/ports.md

So to answer your question directly - the networks/interfaces you can see inside your container have no counterparts on the host (macOS). Instead, when you run ping google.com, the resulting network packets are intercepted by VPNkit inside the VM, transferred to the host and injected into the host's network stack.

The same happens for inbound packets, but in the opposite direction.

4 months ago · Santiago Trujillo
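
Added example (not part of the original question or answers): a small Python parser for the `ip addr show` output posted in the question, showing that eth0 holds a private 172.17.0.0/16 address and is one end of a pair whose peer (ifindex 7) lives outside the container's network namespace, which is why something outside the container has to forward its traffic. The function names and the trimmed sample are assumptions made for this illustration.

```python
import ipaddress
import re

# `ip addr show` output copied from the question above (lo and eth0 only).
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
"""

# "<index>: <name>[@<peer>]: <FLAGS>" starts each interface record.
HEADER = re.compile(r"^(\d+): ([^@:]+)(?:@(\S+?))?: <([^>]*)>")

def parse_ip_addr(text):
    """Return a list of interface dicts parsed from `ip addr show` output."""
    interfaces = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            index, name, peer, flags = m.groups()
            interfaces.append({"index": int(index), "name": name, "peer": peer,
                               "flags": flags.split(","), "netnsid": None, "addrs": []})
            continue
        fields = line.split()
        if not interfaces or not fields:
            continue
        if "link-netnsid" in fields:
            interfaces[-1]["netnsid"] = int(fields[fields.index("link-netnsid") + 1])
        if fields[0] == "inet":
            interfaces[-1]["addrs"].append(ipaddress.ip_interface(fields[1]))
    return interfaces

def summarize(iface):
    """Describe how one interface relates to the world outside the container."""
    notes = []
    if iface["peer"] and iface["peer"].startswith("if"):
        notes.append(f"paired with ifindex {iface['peer'][2:]} in another network namespace")
    for addr in iface["addrs"]:
        if addr.ip.is_loopback:
            notes.append(f"{addr} is loopback")
        elif addr.ip.is_private:
            notes.append(f"{addr} is private (network {addr.network}); needs forwarding or NAT")
    return notes

if __name__ == "__main__":
    for iface in parse_ip_addr(SAMPLE):
        print(iface["name"], "->", "; ".join(summarize(iface)) or "no address")
```
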

From my understanding, Docker containers have an isolated network to which multiple containers can connect. Containers in the same network can immediately communicate with each other. This internal network can be made available to the internet. See this documentation: https://docs.docker.com/v17.09/engine/userguide/networking/#bridge-networks

4 months ago · Santiago Trujillo

Use the host network at startup:

docker run -it --network host ubuntu

4 months ago · Santiago Trujillo