Reputation: 12680
I understand that if I use the host network driver for a container, that container's network stack is not isolated from the Docker host. I also believe I understand conceptually that a good reason to still do it might be when "Security is not an Issue or concern" and network throughput performance is important, but I am struggling to think of a real-world example of when I can or should do this. A naive example I can think of is a public-facing load balancer or static file web server.
I realize it may be possible to mitigate the security concerns outside of Docker by using host services like AWS or Google Cloud if hosted there, but what if that wasn't an option?
When would or should you use it in a production environment? How can you mitigate the security concerns regardless of hosting environment? How should you interact with other services in other Docker networks?
Upvotes: 1
Views: 167
Reputation: 263509
I am struggling to think of a real world example of when I can or should do this. ... When would or should you use it in a production environment?
Your application does not run on TCP or UDP, but another protocol
Your application requires a large range of incoming ports to be published (by default a docker-proxy process is spawned per published port; this can be excessive for a large range)
Your application works with multi-cast or broadcast network traffic
Your application needs to modify the networking layer of the host itself, e.g. a VPN
How can you mitigate the security concerns regardless of hosting environment?
You need to trust this application. You've removed a layer of docker namespacing and at that point, the container is a packaging format and likely fits in with the rest of your tooling, but doesn't require the same security approach you may have for other containers.
How should you interact with other services in other docker networks?
You would interact via the published ports of the other containers, the same as you would for an application running outside of a container that needs to connect to an application inside of a container.
Upvotes: 2
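To make the two mitigation points above concrete (keep the remaining controls once network namespacing is gone; reach other containers only through their published ports), here is an added Compose example that is not part of the answer. It assumes a Linux host; the image names, user id, ports and secret path are placeholders.

```yaml
# Added example (not from the answers above): a host-networked container
# hardened with the controls that still apply once network namespacing is gone,
# beside a conventional bridge-networked service it talks to through a
# published port. Image names, ports and the secret path are placeholders.
services:
  vpn-gateway:
    image: example.invalid/vpn-gateway:1.0   # placeholder image
    network_mode: host            # shares the host's interfaces, routes and ports
    # 'ports:' is ignored in host mode: whatever the process binds is already
    # reachable on the host, so bind addresses must be set in the app config.
    cap_drop:
      - ALL                       # start from zero capabilities ...
    cap_add:
      - NET_ADMIN                 # ... and add back only what a VPN needs
    devices:
      - /dev/net/tun:/dev/net/tun # the one device a tunnel requires
    security_opt:
      - no-new-privileges:true    # setuid binaries cannot regain privileges
    read_only: true               # immutable root filesystem
    tmpfs:
      - /run                      # writable scratch space kept in memory
    pids_limit: 128               # bounds fork storms from a compromised process
    restart: unless-stopped
    # Runs as root because NET_ADMIN is needed; the controls above limit
    # what that root can do. This is the "you need to trust this application" case.

  metrics-db:
    image: postgres:16            # unmodified public image, normal isolation
    networks:
      - backend                   # bridge network with its own namespace
    ports:
      - "127.0.0.1:5432:5432"     # published only on the host loopback; the
                                  # host-mode service reaches it at 127.0.0.1:5432
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password

networks:
  backend:
    driver: bridge

secrets:
  db_password:
    file: ./db_password.txt       # placeholder path, created outside this file
```

Because the host-mode service is not a member of `backend`, it cannot resolve `metrics-db` by name; the loopback-only publish is the one deliberate path between the two, which is also what you would watch in host firewall and connection logs.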
Reputation: 6643
but I am struggling to think of a real world example of when I can or should do this.
Here is a real-world example: we use host network to speed up the build stage of our GitLab CI/CD pipeline.
The container in question is up and running only during the build phase, doesn't have any port exposed, and needs a faster network to download all the necessary pieces to build and push a Docker image. We experienced (on some intermittent occasions) issues with throughput and inconsistent behavior during the build stage that we resolved with host network. Although with host network we "expose" the IP of such a container, we still don't expose any ports, and after the build phase is finished the container is discarded.
I know this doesn't answer all of your questions, but it is the requested real-world example.
Upvotes: 1