
Why is Docker container able to access the internet?

I have a basic question about Docker that is probably due to lack of knowledge on my part about networking. The Docker container networking documentation states:

By default, when you create a container, it does not publish any of its ports to the outside world. To make a port available to services outside of Docker, or to Docker containers which are not connected to the container’s network, use the --publish or -p flag. This creates a firewall rule which maps a container port to a port on the Docker host.

It sounds like, when you install a container on your computer without mapping any ports from the container to the host machine, the container should not be able to access the internet. However, for example, I install the Ubuntu container with:

docker pull ubuntu

Then I enter the container's command line with:

docker run -ti ubuntu bash

At that point, I can run apt-get update and the container starts pulling information from the internet without mapping any ports (e.g. -p 80:80). How is this possible?

Mark Nagelberg asked Oct 14 '25 09:10



2 Answers

Publishing a port allows machines external to the docker host to access the container, inbound connectivity. By default, containers can access the network with outbound connectivity.

To restrict a container from accessing the network, you can either run the container with no network (note: this still creates a loopback interface, and you can later connect it to another network):

docker run --net none ...

Or you can create a network with the --internal option and run containers on that network:

docker network create --internal internal
docker run --net internal ...

The internal network is created without a gateway interface on the bridge network.

BMitch answered Oct 17 '25 00:10

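An added example, not part of the answer above: a small audit that reports which containers still have an outbound path, using the answer's distinction between `--net none`, an `--internal` network, and everything else. The function name, the two-table input layout, and the sample container names are assumptions made for this illustration; the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example: classify containers by whether they have an outbound path.
# Collect the two input tables on the Docker host with:
#   docker network inspect -f '{{.Name}} {{.Driver}} {{.Internal}}' $(docker network ls -q)
#   docker inspect -f '{{.Name}}{{range $n, $v := .NetworkSettings.Networks}} {{$n}}{{end}}' $(docker ps -q)

egress_audit() {   # $1 = network table, $2 = container table
  awk '
    NR == FNR {                          # first file: name driver internal
      if ($2 == "null")      class[$1] = "none"      # --net none
      else if ($3 == "true") class[$1] = "internal"  # created with --internal
      else                   class[$1] = "egress"    # gateway/NAT or host stack
      next
    }
    {                                    # second file: /name net1 net2 ...
      verdict = "isolated"
      for (i = 2; i <= NF; i++) {
        c = ($i in class) ? class[$i] : "unknown"
        if (c == "egress") verdict = "EGRESS"
        else if (c == "unknown" && verdict != "EGRESS") verdict = "unknown"
      }
      print $1, verdict
    }' "$1" "$2"
}

demo() {   # constructed sample data, not captured from a real host
  tmp=$(mktemp -d)
  cat > "$tmp/nets" <<'EOF'
bridge bridge false
host host false
none null false
internal bridge true
EOF
  cat > "$tmp/ctrs" <<'EOF'
/web bridge
/db internal
/batch none
/proxy internal bridge
EOF
  egress_audit "$tmp/nets" "$tmp/ctrs"
  rm -rf "$tmp"
}

demo
```

A container attached to several networks is reported as EGRESS if any one of them has an outbound path, which is why the constructed `/proxy` entry is flagged even though it also sits on the internal network.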


When they talk about publishing ports, they mean inbound ports.

Outbound ports work - depending on your network type - see here for more:

https://docs.docker.com/network/

mikeb answered Oct 17 '25 02:10
