7.1.1.1 Container Net Namespace
A focused guide to the container network namespace, connecting the core concept with practical Docker and container operations.
A container's network namespace is the specific Linux kernel feature underlying its network isolation, providing a private set of network interfaces, IP addresses, routing tables, and firewall rules, distinct from the host's own and from every other container's network namespace.
What a Network Namespace Contains
Each network namespace has its own loopback interface, its own set of network devices, and its own routing table, completely independent of any other namespace on the same host.
docker run -d --name myapp alpine sleep 1000
docker exec myapp ip addr
docker exec myapp ip route
These commands reveal interfaces and routes that exist solely within this container's own namespace, invisible to and independent of the host's or any other container's namespace.
How Docker Creates and Manages These Namespaces
When a container starts, Docker (through the underlying container runtime) creates a new network namespace for it, then connects that namespace to whatever network the container was configured to join.
docker inspect myapp --format '{{.NetworkSettings.SandboxKey}}'
This prints the filesystem path that identifies the container's network namespace, the handle Docker uses internally to manage the container's networking.
Sharing a Network Namespace Between Containers
Multiple containers can be configured to share the same network namespace, useful for certain patterns (such as a sidecar pattern) where tight network coupling between specific containers is genuinely desired.
docker run -d --name main-container myapp:1.0
docker run -d --network container:main-container --name sidecar sidecar-image:1.0
The sidecar container here shares main-container's network namespace entirely, seeing the exact same network interfaces and IP address. Because the loopback interface is shared too, a service in main-container that listens only on 127.0.0.1 is reachable from the sidecar, so this mode should be used only between containers that are meant to trust each other at that level.
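An added example (not from the original guide) that ties the SandboxKey lookup above to the namespace-sharing pattern: it parses the JSON that docker inspect emits for several containers and reports every network namespace used by more than one container, plus any container running in the host's namespace, so unintended sharing can be spotted during a review. The input is a constructed sample in the shape of docker inspect output, not real output from a host.

```python
"""Audit which Docker containers share a network namespace."""
import json
from collections import defaultdict

# Constructed sample shaped like `docker inspect main-container sidecar db monitor`.
# Only the fields this audit reads are included; ids and paths are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/main-container",
     "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"SandboxKey": "/var/run/docker/netns/aaaa1111"}},
    {"Name": "/sidecar",
     "HostConfig": {"NetworkMode": "container:main-container"},
     "NetworkSettings": {"SandboxKey": "/var/run/docker/netns/aaaa1111"}},
    {"Name": "/db",
     "HostConfig": {"NetworkMode": "bridge"},
     "NetworkSettings": {"SandboxKey": "/var/run/docker/netns/bbbb2222"}},
    {"Name": "/monitor",
     "HostConfig": {"NetworkMode": "host"},
     "NetworkSettings": {"SandboxKey": "/var/run/docker/netns/default"}},
])


def group_by_netns(inspect_json: str) -> dict:
    """Map each SandboxKey to the sorted names of the containers using it."""
    groups = defaultdict(list)
    for c in json.loads(inspect_json):
        key = c["NetworkSettings"].get("SandboxKey") or "<none>"
        groups[key].append(c["Name"].lstrip("/"))
    return {k: sorted(v) for k, v in groups.items()}


def shared_namespaces(inspect_json: str) -> list:
    """Return (namespace, [names]) for every namespace used by more than one
    container, and ("host", [name]) for containers in the host's namespace."""
    findings = []
    for key, names in group_by_netns(inspect_json).items():
        if len(names) > 1:
            findings.append((key, names))
    for c in json.loads(inspect_json):
        if c["HostConfig"].get("NetworkMode") == "host":
            findings.append(("host", [c["Name"].lstrip("/")]))
    return sorted(findings)


if __name__ == "__main__":
    for key, names in shared_namespaces(SAMPLE_INSPECT):
        print(f"shared netns {key}: {', '.join(names)}")
```

On a real host, feed it the output of docker inspect over all running containers and confirm that each reported group is a deliberate pairing such as the sidecar above.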
Why Understanding Network Namespaces Matters
Understanding network namespaces as the actual mechanism behind container network isolation explains both the isolated behavior most containers exhibit by default and the less common, deliberate namespace-sharing patterns available when a specific use case requires tighter network coupling.