7.2.2.1 Host Namespace Sharing

A focused guide to Host Namespace Sharing, connecting core concepts with practical Docker and container operations.

Host namespace sharing, in the context of --network host, means a container uses the host's actual network namespace directly rather than receiving its own isolated one, seeing exactly the same network interfaces, IP addresses, and listening ports as the host itself.

What Sharing the Host's Namespace Actually Means

A container using host networking has no separate eth0 of its own — instead, it sees the host's actual network interfaces directly, exactly as the host's own processes would.

docker run -d --network host alpine sleep 1000
docker exec $(docker ps -lq) ip addr
ip addr

These two ip addr outputs are identical, since the container is observing the host's actual network configuration directly rather than its own isolated copy.

Why a Bound Port Is Visible to Both the Container and the Host

Because there's no separate network namespace, a port the container's application binds to is the same port as far as the host itself is concerned — no translation or mapping layer separates the two.

docker run -d --network host nginx:alpine
curl http://localhost:80

This succeeds directly, without needing any explicit port publishing, since the container's bound port is simply the host's own port 80.

Why This Sharing Eliminates Certain Networking Conveniences

Features that rely on a container having its own separate network namespace — multiple containers using the same internal port without conflict, for instance — don't apply when that namespace is shared directly with the host.

docker run -d --network host -p 8080:80 app-a:1.0
docker run -d --network host -p 8080:80 app-b:1.0

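Docker discards the -p mappings in host networking mode (it prints a warning that published ports are discarded), so both applications try to bind host port 80 directly. The second container's application fails to bind, since both containers are now directly competing for the same host-level port, with no isolated namespace separating them.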
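One way to audit for containers that share the host's network namespace, as an added example that is not part of the original page: it reads docker inspect JSON and lists any -p mappings that were requested but have no effect in host mode. The sample input is constructed, and its container names and IDs are made up.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields used here. Container names and IDs are made up for illustration.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/app-a",
     "HostConfig": {"NetworkMode": "host",
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]}}},
    {"Id": "bbb222", "Name": "/metrics",
     "HostConfig": {"NetworkMode": "host", "PortBindings": {}}},
    {"Id": "ccc333", "Name": "/web",
     "HostConfig": {"NetworkMode": "bridge",
                    "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8081"}]}}},
    {"Id": "ddd444", "Name": "/incomplete", "HostConfig": None},
])


def audit_host_network(inspect_json):
    """Return one finding per container that shares the host network namespace.

    Each finding lists the -p mappings that were requested but do nothing,
    because published ports are discarded in host networking mode.
    """
    findings = []
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig") or {}
        if host_config.get("NetworkMode") != "host":
            continue  # container does not use the host's network namespace
        discarded = []
        for container_port, bindings in (host_config.get("PortBindings") or {}).items():
            for binding in bindings or []:
                discarded.append(f"{binding.get('HostPort', '')}->{container_port}")
        findings.append({
            "name": container.get("Name", "").lstrip("/"),
            "id": container.get("Id", ""),
            "discarded_publish": sorted(discarded),
        })
    return findings


if __name__ == "__main__":
    # Pipe real data in (docker inspect $(docker ps -q)), or run bare for the sample.
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_host_network(data):
        ignored = ", ".join(finding["discarded_publish"]) or "none"
        print(f"{finding['name']} ({finding['id']}): host network, ignored -p: {ignored}")
```

Every container it reports can bind any free port on the host directly, so each one deserves the same review as a service installed on the host itself.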

Why Host Namespace Sharing Matters

Understanding precisely what it means for a container to share the host's network namespace — rather than receiving its own — clarifies both the reduced overhead this driver offers and the corresponding loss of the isolation benefits a typical, separately namespaced container would otherwise provide.