Disable networking for a container

If you want to completely disable the networking stack on a container, you can use the --network none flag when starting the container. Within the container, only the loopback device is created. The following example illustrates this.

1. Create the container.

   $ docker run --rm -dit \
     --network none \
     --name no-net-alpine \
     alpine:latest \
     ash
   

2. Check the container’s network stack, by executing some common networking commands within the container. Notice that no eth0 was created.

   $ docker exec no-net-alpine ip link show
   
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
       link/ipip 0.0.0.0 brd 0.0.0.0
   3: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN qlen 1
       link/tunnel6 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 brd 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
   

   $ docker exec no-net-alpine ip route
   

   The second command returns empty because there is no routing table.

3. Stop the container. It is removed automatically because it was created with the --rm flag.

   $ docker container rm no-net-alpine
   

Next steps

• Go through the host networking tutorial
• Learn about networking from the container’s point of view
• Learn about bridge networks
• Learn about overlay networks
• Learn about Macvlan networks