Why would anyone use the same network namespace for two docker containers?

Question

Why would you connect two docker containers via network namespace, and not just through one network?

As far as I know the only difference is that you can call the other container using localhost. I don't see any use case where this would be necessary.

Does anyone have experience with this?

Answer 1

One reason I can think of is for using a tool or command that is not available in your container. This example below comes directly from the docker run docs:

NETWORK: CONTAINER

Example running a Redis container with Redis binding to localhost then running the redis-cli command and connecting to the Redis server over the localhost interface.

$ docker run -d --name redis example/redis --bind 127.0.0.1
$ # use the redis container's network stack to access localhost
$ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1

In a similar way, one can use this technique to debug a container. For example, if your container doesn't have tcpdump, you can create an image which has it:

docker build -t tcpdump - <<EOF 
FROM ubuntu 
RUN apt-get update && apt-get install -y tcpdump 
CMD tcpdump -i eth0 
EOF

and run a container to debug your app:

docker run --rm --net=container:my-app tcpdump

---

If your question was more about Kubernetes, a few interesting links are:

• The Kubernetes Network Model
• What is the role of a pause container?
• Understanding kubernetes networking: pods