Host & None Networking
While Bridge mode is the standard for isolation, sometimes you need raw performance or total silence. This chapter covers the two extremes of the Docker networking spectrum: Host (All Access) and None (No Access).
1. Host Mode (--net=host)
In Host mode, the container does not get its own Network Namespace. It shares the host’s networking stack directly.
First Principles: Removing the VETH
Remember the VETH pair from the previous chapter? In Host mode, there is no VETH pair. The container sees exactly what the host sees: every host interface, including loopback, and every socket already bound on them.
- IP Address: The container shares the host’s IP.
- Ports: If an app listens on port 80 inside the container, it binds to port 80 on the host’s interface.
- Performance: Zero NAT overhead. This is the fastest possible networking mode.
[!WARNING] Port Conflicts: You cannot run two containers listening on port 80 in Host mode on the same machine. They will conflict just like two normal processes.
2. None Mode (--net=none)
In None mode, the container gets a Network Namespace, but no external interfaces are created.
- Interfaces: Only the loopback (lo) interface exists.
- Connectivity: No internet, no communication with other containers.
- Use Case: Batch processing jobs that handle sensitive data and require a guarantee of zero network exfiltration. The guarantee covers the network only; bind mounts, shared volumes and other host resources still need their own controls.
3. Visualizing Network Modes
Compare how the container’s view of the network changes across modes.
4. Implementation
```bash
# Run Nginx in Host Mode
# WARNING: This will fail if port 80 is already in use on your laptop!
docker run -d --net=host --name nginx-host nginx

# Verify it listens on the host's interfaces (match the port, not any "80" substring)
# Use `ss -tulpn` where netstat is not installed.
netstat -tulpn | grep ':80 '

# Run Alpine in None Mode (--rm removes the container when the shell exits)
docker run -it --rm --net=none alpine sh

# Inside the container, check interfaces
/ # ip addr
# You will only see 'lo'
```
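An audit helper written for this chapter, not part of the original text or of Docker itself: it lists which running containers use host mode (no namespace isolation, so worth reviewing) and checks that a none-mode container really exposes only `lo`. The Docker CLI invocations are real; the parsing functions read stdin so they can be exercised on the constructed sample input without a daemon.

```bash
#!/bin/sh
# Audit container network modes. The parsing functions are separated from the
# Docker calls so they can be run on captured or constructed text.

# Input: one line per container, "<name> <NetworkMode>", as printed by
#   docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' <ids>
# Output: "HOST <name>", "NONE <name>" or "OTHER <name> (<mode>)" per line
# (user-defined networks show up as OTHER with the network name).
classify_modes() {
  while read -r name mode; do
    name=${name#/}                      # inspect prints names as "/nginx-host"
    case "$mode" in
      host) printf 'HOST %s\n' "$name" ;;
      none) printf 'NONE %s\n' "$name" ;;
      *)    printf 'OTHER %s (%s)\n' "$name" "$mode" ;;
    esac
  done
}

# Input: output of `ip -o link` from inside a container, one interface per line,
# e.g. "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 ..." or "12: eth0@if13: ...".
# Returns 0 when only the loopback exists (what none mode guarantees),
# 1 when extra interfaces are present, 2 when the listing is empty.
only_loopback() {
  links=$(cat)
  [ -n "$links" ] || { echo "no interface listing"; return 2; }
  # Field 2 is the interface name; strip the "@ifN" peer suffix of a VETH.
  extra=$(printf '%s\n' "$links" | awk -F': ' '{ sub(/@.*/, "", $2); if ($2 != "lo") print $2 }')
  if [ -z "$extra" ]; then
    echo "ok: only lo"
    return 0
  fi
  echo "unexpected interfaces: $extra"
  return 1
}

# Live run, only when the Docker CLI is available.
if command -v docker >/dev/null 2>&1; then
  ids=$(docker ps -q 2>/dev/null || true)
  if [ -n "$ids" ]; then
    # shellcheck disable=SC2086  (word-splitting of $ids is intended)
    docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' $ids | classify_modes
  fi
  # Verify a fresh none-mode container really has only the loopback interface.
  links=$(docker run --rm --net=none alpine ip -o link 2>/dev/null) \
    && printf '%s\n' "$links" | only_loopback || true
fi
```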