Customize the docker0 bridge
The information in this section explains how to customize the Docker default bridge. This is a bridge network named bridge created automatically when you install Docker.
Note: The Docker networks feature allows you to create user-defined networks in addition to the default bridge network.
By default, the Docker server creates and configures the host system’s docker0 interface as an Ethernet bridge inside the Linux kernel that can pass packets back and forth between other physical or virtual network interfaces so that they behave as a single Ethernet network.
Docker configures docker0 with an IP address, netmask and IP allocation range, and gives it an MTU (the maximum transmission unit, or largest packet length that the interface will allow) of 1,500 bytes. The host machine can both receive and send packets to containers connected to the bridge. These options are configurable at server startup:
--bip=CIDR: supply a specific IP address and netmask for the docker0 bridge, using standard CIDR notation. For example:
--fixed-cidr=CIDR: restrict the IP range from the docker0 subnet, using standard CIDR notation. For example: 172.16.1.0/28. This range must be an IPv4 range for fixed IPs, such as 10.20.0.0/16, and must be a subset of the bridge IP range (docker0 or set using --bridge). For example, with --fixed-cidr=192.168.1.0/25, IPs for your containers will be chosen from the first half of addresses included in the
--mtu=BYTES: override the maximum packet length on
--default-gateway=Container default Gateway IPV4 address: designates the default gateway for containers connected to the docker0 bridge, which controls where they route traffic by default. Applicable for addresses set with --fixed-cidr flags. For instance, you can configure
--dns=: The DNS servers to use. For example: --dns=172.17.2.10. You can also specify DNS servers when starting the Docker daemon, by adding the values to /etc/docker/daemon.json (recommended) or using the --dns flag when starting
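A pre-flight check for these options as they would appear in /etc/docker/daemon.json, added here as an example (it is not part of the Docker documentation or Docker's own code). It enforces the rule above that fixed-cidr must be an IPv4 range inside the bridge range; the sample values and the requirement that the default gateway lie inside the bridge subnet are assumptions of the example.

```python
import ipaddress
import json

def check_bridge_config(cfg):
    """Return a list of problems in the docker0-related keys of a daemon.json dict."""
    problems = []
    bridge_net = None
    if "bip" in cfg:
        try:
            # bip is the bridge's own address plus netmask, so parse it as an interface.
            bridge_net = ipaddress.ip_interface(cfg["bip"]).network
        except ValueError as exc:
            problems.append(f"bip: {exc}")
    if "fixed-cidr" in cfg:
        try:
            fixed = ipaddress.ip_network(cfg["fixed-cidr"], strict=False)
        except ValueError as exc:
            problems.append(f"fixed-cidr: {exc}")
        else:
            v4_bridge = bridge_net is not None and bridge_net.version == 4
            if fixed.version != 4:
                problems.append("fixed-cidr: must be an IPv4 range")
            elif v4_bridge and not fixed.subnet_of(bridge_net):
                problems.append(f"fixed-cidr: {fixed} is not a subset of {bridge_net}")
    if "default-gateway" in cfg:
        try:
            gateway = ipaddress.ip_address(cfg["default-gateway"])
        except ValueError as exc:
            problems.append(f"default-gateway: {exc}")
        else:
            # Assumption of this example: the gateway must be on-link (inside the bridge subnet).
            if bridge_net is not None and gateway not in bridge_net:
                problems.append(f"default-gateway: {gateway} is outside {bridge_net}")
    for server in cfg.get("dns", []):
        try:
            ipaddress.ip_address(server)
        except ValueError as exc:
            problems.append(f"dns: {exc}")
    return problems

# Constructed sample configurations (not taken from a real host).
GOOD = json.loads('{"bip": "192.168.1.5/24", "fixed-cidr": "192.168.1.0/25", '
                  '"default-gateway": "192.168.1.254", "dns": ["172.17.2.10"]}')
BAD = json.loads('{"bip": "192.168.1.5/24", "fixed-cidr": "10.20.0.0/16", '
                 '"default-gateway": "192.168.2.1", "dns": ["172.17.2"]}')

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_bridge_config(cfg) or "ok")
```

Running such a check before restarting the daemon catches a range that falls outside the bridge subnet while the existing configuration is still in place.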
Once you have one or more containers up and running, you can confirm that Docker has properly connected them to the docker0 bridge by running the brctl command on the host machine and looking at the interfaces column of the output. This example shows a docker0 bridge with two containers:

    $ sudo brctl show
    bridge name     bridge id               STP enabled     interfaces
    docker0         8000.3a1d7362b4ee       no              veth65f9
                                                            vethdda6

If the brctl command is not installed on your Docker host, then on Ubuntu you should be able to run sudo apt-get install bridge-utils to install it.
The docker0 Ethernet bridge settings are used every time you create a new container. Docker selects a free IP address from the range available on the bridge each time you docker run a new container, and configures the container’s eth0 interface with that IP address and the bridge’s netmask. The Docker host’s own IP address on the bridge is used as the default gateway by which each container reaches the rest of the Internet.

    # The network, as seen from a container

    $ docker run --rm -it alpine /bin/ash

    root@f38c87f2a42d:/# ip addr show eth0
    24: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 32:6f:e0:35:57:91 brd ff:ff:ff:ff:ff:ff
        inet 172.17.0.3/16 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::306f:e0ff:fe35:5791/64 scope link
           valid_lft forever preferred_lft forever

    root@f38c87f2a42d:/# ip route
    default via 172.17.42.1 dev eth0
    172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3

    root@f38c87f2a42d:/# exit

Remember that the Docker host will not be willing to forward container packets out on to the Internet unless its ip_forward system setting is 1 – see the section on Communicating to the outside world for details.