Docker Networking
Implementation Reference​
Source Files:
packages/core/src/docker/network.ts- Network managementpackages/core/src/docker/docker-client.ts- Docker clientpackages/core/src/adapters/docker-adapter.ts- Docker adapterapps/xec/src/commands/forward.ts- Port forwarding command
Key Functions:
NetworkManager.create()- Create networksNetworkManager.remove()- Remove networksNetworkManager.connect()- Connect containers to networksNetworkManager.disconnect()- Disconnect from networksNetworkManager.list()- List networksDockerClient.createNetwork()- Low-level network creation
Overview​
Xec provides comprehensive Docker networking capabilities, enabling container connectivity, port management, network isolation, and advanced networking configurations.
Network Types​
Bridge Networks​
Default network type for standalone containers:
import { $ } from '@xec-sh/core';
// Create bridge network
await $.docker.network.create('my-network');
// Create with options
await $.docker.network.create('app-network', {
driver: 'bridge',
ipam: {
driver: 'default',
config: [{
subnet: '172.20.0.0/16',
gateway: '172.20.0.1'
}]
},
options: {
'com.docker.network.bridge.name': 'br-app'
}
});
// Run container on network
await $.docker.run('nginx', {
network: 'app-network',
networkAlias: ['web', 'nginx']
});
Host Network​
Share host's network namespace:
// Use host network
await $.docker.run('nginx', {
network: 'host'
});
// Note: Port mapping ignored with host network
await $.docker.run('app', {
network: 'host',
ports: ['8080:8080'] // Ignored, uses host ports directly
});
Overlay Networks​
Multi-host networking for Swarm:
// Create overlay network
await $.docker.network.create('swarm-network', {
driver: 'overlay',
attachable: true, // Allow standalone containers
encrypted: true, // Encrypt traffic
options: {
'com.docker.network.driver.overlay.vxlanid_list': '4096'
}
});
None Network​
No network connectivity:
// Isolated container
await $.docker.run('alpine', {
network: 'none',
command: ['sh', '-c', 'echo "No network access"']
});
Port Management​
Port Mapping​
Map container ports to host:
// Simple port mapping
await $.docker.run('nginx', {
ports: ['80:80'] // host:container
});
// Multiple ports
await $.docker.run('app', {
ports: [
'3000:3000', // Web server
'9229:9229', // Debug port
'5432:5432' // Database
]
});
// Specific interface
await $.docker.run('api', {
ports: [
'127.0.0.1:8080:8080', // Localhost only
'0.0.0.0:3000:3000' // All interfaces
]
});
// Random host port
await $.docker.run('service', {
ports: ['8080'] // Random host port -> 8080
});
// Port ranges
await $.docker.run('cluster', {
ports: ['8000-8010:8000-8010']
});
Port Forwarding​
Forward ports dynamically:
// Forward port from container
await $.docker.forward('my-container', {
local: 8080,
remote: 80
});
// CLI usage
# Forward container port to local
xec forward my-container 8080:80
# Forward with specific interface
xec forward my-container 127.0.0.1:8080:80
# Multiple forwards
xec forward my-container 8080:80 8443:443 5432:5432
Published Ports​
Expose ports without mapping:
// Expose ports (documentation only)
await $.docker.run('api', {
expose: ['3000', '3001'],
// Ports are exposed to linked containers but not host
});
// Get exposed ports
const info = await $.docker.inspect('api');
const exposed = info.Config.ExposedPorts;
// { "3000/tcp": {}, "3001/tcp": {} }
Network Operations​
Creating Networks​
Create custom networks:
// Simple network
await $.docker.network.create('backend');
// Network with subnet
await $.docker.network.create('frontend', {
driver: 'bridge',
ipam: {
config: [{
subnet: '172.25.0.0/16',
ip_range: '172.25.1.0/24',
gateway: '172.25.0.1'
}]
}
});
// Internal network (no external access)
await $.docker.network.create('internal', {
internal: true
});
// IPv6 network
await $.docker.network.create('ipv6-net', {
enableIPv6: true,
ipam: {
config: [{
subnet: '2001:db8::/64'
}]
}
});
Connecting Containers​
Connect containers to networks:
// Connect to network
await $.docker.network.connect('my-network', 'my-container');
// Connect with alias
await $.docker.network.connect('my-network', 'my-container', {
aliases: ['db', 'postgres']
});
// Connect with IP
await $.docker.network.connect('my-network', 'my-container', {
ipv4Address: '172.20.0.5',
ipv6Address: '2001:db8::5'
});
// Multiple networks
const networks = ['frontend', 'backend'];
await Promise.all(
networks.map(net =>
$.docker.network.connect(net, 'my-container')
)
);
Disconnecting Containers​
Remove containers from networks:
// Disconnect from network
await $.docker.network.disconnect('my-network', 'my-container');
// Force disconnect
await $.docker.network.disconnect('my-network', 'my-container', {
force: true
});
Listing Networks​
List and filter networks:
// List all networks
const networks = await $.docker.network.list();
// Filter networks
const customNetworks = await $.docker.network.list({
filters: {
driver: ['bridge'],
type: ['custom']
}
});
// Get network details
networks.forEach(net => {
console.log({
name: net.Name,
id: net.Id,
driver: net.Driver,
scope: net.Scope,
containers: Object.keys(net.Containers || {})
});
});
Service Discovery​
DNS Resolution​
Containers can resolve each other by name:
// Create network with custom DNS
await $.docker.network.create('app-net', {
options: {
'com.docker.network.bridge.host_binding_ipv4': '172.20.0.1'
}
});
// Run containers with names
await $.docker.run('mysql', {
name: 'database',
network: 'app-net'
});
await $.docker.run('app', {
name: 'application',
network: 'app-net',
env: {
DB_HOST: 'database' // Resolves to database container
}
});
// Test connectivity
await $.docker.exec('application')`ping -c 1 database`;
Network Aliases​
Multiple DNS names for containers:
// Create container with aliases
await $.docker.run('nginx', {
name: 'web-server',
network: 'app-net',
networkAlias: ['web', 'nginx', 'frontend']
});
// Connect to any alias
await $.docker.exec('app')`curl http://web`;
await $.docker.exec('app')`curl http://nginx`;
await $.docker.exec('app')`curl http://frontend`;
Advanced Networking​
Multi-Network Containers​
Connect containers to multiple networks:
// Create container
const container = await $.docker.run('app', {
name: 'multi-net-app',
network: 'frontend' // Initial network
});
// Add to additional networks
await $.docker.network.connect('backend', 'multi-net-app');
await $.docker.network.connect('monitoring', 'multi-net-app');
// Verify connections
const info = await $.docker.inspect('multi-net-app');
const networks = Object.keys(info.NetworkSettings.Networks);
// ['frontend', 'backend', 'monitoring']
Network Isolation​
Isolate container groups:
// Create isolated networks
await $.docker.network.create('team-a', { internal: true });
await $.docker.network.create('team-b', { internal: true });
await $.docker.network.create('shared');
// Team A containers
await $.docker.run('app-a', {
network: 'team-a'
});
// Team B containers
await $.docker.run('app-b', {
network: 'team-b'
});
// Gateway container with access to both
await $.docker.run('gateway', {
networks: ['team-a', 'team-b', 'shared']
});
Custom Network Drivers​
Use third-party network drivers:
// Weave network
await $.docker.network.create('weave-net', {
driver: 'weave',
options: {
'weave.works/network': 'default'
}
});
// Calico network
await $.docker.network.create('calico-net', {
driver: 'calico',
ipam: {
driver: 'calico-ipam'
}
});
Load Balancing​
Round-Robin DNS​
Built-in load balancing with network aliases:
// Create network
await $.docker.network.create('lb-net');
// Run multiple instances with same alias
for (let i = 1; i <= 3; i++) {
await $.docker.run(`app:v${i}`, {
name: `app-${i}`,
network: 'lb-net',
networkAlias: ['app'] // Same alias for all
});
}
// DNS resolves to all containers
await $.docker.run('client', {
network: 'lb-net',
command: ['nslookup', 'app']
});
// Returns all three container IPs
Network Security​
Firewall Rules​
Configure network policies:
// Create secure network
await $.docker.network.create('secure-net', {
options: {
'com.docker.network.bridge.enable_icc': 'false', // Disable inter-container communication
'com.docker.network.bridge.enable_ip_masquerade': 'true'
}
});
// Explicit communication allowed via links
await $.docker.run('db', {
name: 'database',
network: 'secure-net'
});
await $.docker.run('app', {
network: 'secure-net',
links: ['database:db'] // Explicit link allows communication
});
Configuration in Xec​
Network Configuration​
Define networks in .xec/config.yaml:
networks:
frontend:
driver: bridge
ipam:
subnet: 172.30.0.0/16
backend:
driver: bridge
internal: true
monitoring:
driver: bridge
attachable: true
targets:
containers:
web:
type: docker
container: nginx
networks:
- frontend
ports:
- "80:80"
api:
type: docker
container: api-server
networks:
- frontend
- backend
networkAliases:
frontend: [api, rest-api]
backend: [api-backend]
Network Tasks​
Define networking tasks:
tasks:
setup-network:
description: Setup application networks
steps:
- command: docker network create frontend || true
- command: docker network create backend --internal || true
connect-all:
description: Connect all containers to network
params:
- name: network
steps:
- command: |
for container in $(docker ps -q); do
docker network connect ${params.network} $container || true
done
network-debug:
description: Debug network connectivity
params:
- name: container
steps:
- command: docker exec ${params.container} ip addr
- command: docker exec ${params.container} netstat -tuln
- command: docker exec ${params.container} nslookup database
Performance Characteristics​
Based on Implementation:
Network Operations​
- Network Create: 20-50ms
- Network Connect: 50-100ms
- Network Disconnect: 30-50ms
- DNS Resolution: 1-5ms (cached)
- Port Forward Setup: 100-200ms
Throughput​
- Bridge Network: Near native performance
- Host Network: Native performance
- Overlay Network: 10-20% overhead
- None Network: N/A
Troubleshooting​
Common Issues​
| Issue | Cause | Solution |
|---|---|---|
| Cannot connect to container | Wrong network | Ensure containers on same network |
| Port already in use | Host port conflict | Use different port mapping |
| DNS not resolving | Network isolation | Check network configuration |
| No route to host | Firewall rules | Check iptables/network policies |
| Connection refused | Service not listening | Verify service is running |
Debugging Tools​
// Network inspection
async function debugNetwork(network: string) {
const info = await $.docker.network.inspect(network);
console.log('Network:', info);
// List connected containers
const containers = info.Containers || {};
for (const [id, container] of Object.entries(containers)) {
console.log(`Container: ${container.Name} - IP: ${container.IPv4Address}`);
}
}
// Connectivity test
async function testConnectivity(from: string, to: string) {
try {
await $.docker.exec(from)`ping -c 1 ${to}`;
console.log(`✓ ${from} can reach ${to}`);
} catch {
console.log(`✗ ${from} cannot reach ${to}`);
}
}
// Port check
async function checkPort(container: string, port: number) {
const result = await $.docker.exec(container)`netstat -tuln | grep :${port}`;
return result.stdout.includes(`:${port}`);
}
Best Practices​
Network Design​
- Use custom networks instead of default bridge
- Isolate sensitive services with internal networks
- Use network aliases for service discovery
- Limit exposed ports to minimize attack surface
- Document network topology in configuration
Security​
// Good: Isolated networks
const publicNet = await $.docker.network.create('public');
const privateNet = await $.docker.network.create('private', {
internal: true
});
// API gateway with access to both
await $.docker.run('gateway', {
networks: ['public', 'private']
});
// Database only on private network
await $.docker.run('database', {
network: 'private'
});
Performance​
// Good: Minimize network hops
await $.docker.run('app', {
network: 'app-net',
// Use host network for performance-critical apps
// network: 'host'
});
// Good: Use network aliases for load balancing
for (let i = 0; i < 3; i++) {
await $.docker.run('worker', {
network: 'app-net',
networkAlias: ['workers']
});
}
Related Topics​
- Docker Overview - Docker basics
- Container Lifecycle - Container management
- Compose Integration - Multi-container networking
- Volume Management - Data persistence
- forward Command - Port forwarding