2.3.1.2 Kernel Network Namespace
A focused guide to Kernel Network Namespace, connecting core concepts with practical Docker and container operations.
The kernel network namespace gives a container its own isolated set of network interfaces, IP addresses, routing tables, and firewall rules, separate from the host and from other containers, which is what allows multiple containers to each have their own private network stack on the same host.
A Separate Network Stack Per Namespace
Each network namespace has its own loopback interface, its own set of network devices, and its own routing table, independent of what exists in any other namespace, including the host's own default namespace.
docker run --rm alpine ip addr
This shows network interfaces visible only within this container's network namespace, typically just a loopback interface and a virtual ethernet interface connecting it to its assigned Docker network.
Connecting Namespaces With Virtual Interfaces
Docker connects a container's isolated network namespace to the outside world using a virtual ethernet pair: one end inside the container's namespace, the other attached to a bridge in the host's namespace, allowing traffic to flow between them despite the namespace boundary.
ip link show
Run on the host, this reveals the host-side ends of virtual ethernet pairs corresponding to running containers' isolated network namespaces.
Port Mapping Across the Namespace Boundary
Because a container's network namespace is isolated, reaching a service inside it from outside requires an explicit mapping — Docker configures network address translation rules that forward a port on the host into the container's namespace.
docker run -d -p 8080:80 nginx
Requests to port 8080 on the host are forwarded across the namespace boundary into the container's namespace, where the actual web server is listening on port 80.
Sharing a Network Namespace Between Containers
Two containers can be configured to share the same network namespace, so that both see the same network interfaces and IP addresses — the basis for how a "pod" in Kubernetes groups containers that need to communicate as if they were on the same host.
docker run -d --name app1 myapp:1.0
docker run -d --name app2 --network container:app1 myapp:2.0
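An added example, not code from the original page: given `ip link show` output from the host and from each container (constructed samples here, not captured from a real system), it matches each host-side veth end to the container interface it is paired with by checking that the `@ifN` peer indexes point at each other, and the same check shows which containers share one network namespace, as app1 and app2 do above. Container and interface names are assumed.

```python
import re

# Constructed sample `ip link show` output from the host (not captured from a real system).
HOST_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
7: veth1a2b3c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
9: veth4d5e6f@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default
"""

# Constructed sample output of `docker exec <name> ip link show` for three containers;
# "app1" and "app2" were started sharing one namespace (--network container:app1).
CONTAINER_IP_LINK = {
    "web":  "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
            "6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n",
    "app1": "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
            "8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n",
    "app2": "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
            "8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n",
}

# "<ifindex>: <name>[@if<peer ifindex>]:" is how iproute2 prints the header line of one link.
LINK_RE = re.compile(r"^(\d+): ([^:@\s]+)(?:@if(\d+))?:")

def parse_links(text):
    """Return {ifindex: (name, peer_ifindex or None)} for one namespace's `ip link` output."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[int(m.group(1))] = (m.group(2), int(m.group(3)) if m.group(3) else None)
    return links

def match_veth_pairs(host_text, containers):
    """Map each host veth name to the (container, interface) ends that are its peer.

    The @ifN suffix is the peer's ifindex *in the peer's namespace*, and ifindexes are
    only unique within one namespace, so require the two ends to point at each other:
    host index H -> C and container index C -> H. Containers that share a namespace
    print identical link tables, so they all match the same host veth.
    """
    host = parse_links(host_text)
    pairs = {}
    for h_idx, (h_name, h_peer) in host.items():
        if h_peer is None:        # not a veth end (lo, eth0, docker0 ...)
            continue
        for cname, ctext in containers.items():
            c_name, c_peer = parse_links(ctext).get(h_peer, (None, None))
            if c_peer == h_idx:
                pairs.setdefault(h_name, []).append((cname, c_name))
    return pairs
```

Feed it real output from `ip link show` on the host and `docker exec <name> ip link show` per container to correlate the host-side veth ends the guide mentions with the containers behind them; the image must ship the `ip` tool (Alpine does).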
Why Network Namespace Isolation Matters
Network namespace isolation is what allows many containers on a single host to each bind to the same port internally (such as port 80) without conflicting: each namespace has its own port space, entirely separate from the others, and is connected to the outside world only through explicit, deliberate port mappings.