Docker Network Cli Lab

By /

Lab 1: The “Two Worlds” (Isolation Test)

Goal: Prove that networks are truly isolated.

  1. Create Networks: docker network create blue-net docker network create red-net
  2. Start Containers: docker run -d --name blue-box --network blue-net alpine sleep 1000 docker run -d --name red-box --network red-net alpine sleep 1000
  3. Test Ping (Fail):docker exec -it blue-box ping red-box
    • Result: bad address 'red-box'. They cannot see each other. Security works!
  4. Connect (Bridge the gap): docker network connect blue-net red-box (Now Red Box has a leg in the Blue world).
  5. Test Ping (Success):docker exec -it blue-box ping red-box
    • Result: It works!

Lab 2: The “DNS Discovery” (Service Name)

Goal: Connect a Web App to Redis using names.

  1. Create Network: docker network create shop-net
  2. Start Redis: docker run -d --name my-cache --network shop-net redis
  3. Start App (Simulated): docker run -it --rm --network shop-net alpine sh
  4. Verify DNS: Inside the alpine shell, type: ping my-cache
    • Result: You see 64 bytes from 172.x.x.x. Docker automatically found the Redis container IP.

Lab 1: The “Forbidden Path” (Three-Tier Segmentation)

Goal: Build a secure architecture where the Frontend cannot reach the Database directly.

  1. Create Networks: docker network create frontend-net docker network create backend-net
  2. Start Database (Backend Only): docker run -d --name secret-db --network backend-net alpine sleep 1000
  3. Start API (The Middleman):
    • First, connect to backend: docker run -d --name api-server --network backend-net alpine sleep 1000
    • Second, connect to frontend: docker network connect frontend-net api-server
    • Note: The API server now has two network cards. It bridges the gap.
  4. Start Web Server (Frontend Only): docker run -d --name public-web --network frontend-net alpine sleep 1000
  5. The Hacker Test:
    • Valid Path: docker exec public-web ping api-server -> Success.
    • Invalid Path: docker exec public-web ping secret-db -> Fail (Bad Address).
    • Result: Even if a hacker compromises your Web Server, they cannot touch the Database.

Lab 2: The “Host Escape” (Connecting to Localhost)

Goal: Your container needs to access a database running on your laptop (not in Docker).

  1. Simulate a Host Service:
    • Open a terminal on your laptop (not Docker).
    • Run a simple python server: python3 -m http.server 9000
    • Now your laptop is listening on port 9000.
  2. The Failure (Standard Localhost):
    • docker run --rm alpine apk add curl && curl http://localhost:9000
    • Result: Connection Refused. (Because localhost inside the container means the container itself!).
  3. The Success (Magic Address):
    • docker run --rm alpine apk add curl && curl http://host.docker.internal:9000
    • (Note: On Linux, add --add-host=host.docker.internal:host-gateway if it fails).
    • Result: You see the directory listing of your laptop!

Lab 3: The “Network Detective” (Netshoot Troubleshooting)

Goal: Use professional tools to debug DNS and Port issues.

  1. Setup a Broken Scenario:
    • docker network create broken-net
    • docker run -d --name nginx-server --network broken-net nginx
  2. Launch the Troubleshooter:
    • We use nicolaka/netshoot. It’s the “Swiss Army Knife” of Docker networking.
    • docker run -it --rm --network broken-net nicolaka/netshoot
  3. Task 1: DNS Check (Dig):
    • Type: dig nginx-server
    • Output: Look for the “ANSWER SECTION”. It shows the IP (e.g., 172.19.0.2). This proves Docker DNS is working.
  4. Task 2: Port Scan (Nmap):
    • Type: nmap -p 80 nginx-server
    • Output: 80/tcp open http. This proves the application is actually listening.
  5. Task 3: Simulation:
    • Type: curl http://nginx-server:80
    • Output: The HTML code of Nginx.
    • Lesson: If dig works but curl fails, the network is fine, but the app crashed. If dig fails, the network is broken.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top