What is the "Docker Subnet" used for?

Question

There is an option in docker-desktop that allow to change the "Docker subnet". And I don't see this default subnet 192.168.65.0/28 being used anywhere.

I tried to docker network inspect on every Docker internal network, checked the docker-desktop WSL2 distro and my Windows host for routes or IPs but I don't see that default subnet being used anywhere (even when setting up a custom one).

This does not change the subnet used in docker network inspect bridge or any other one.

I'm struggling to find any documentation on what it is and/or what it used for.

Answer 1

For the most part it is an internal implementation detail that you don't need to worry about.

The only time you actually need to change this value is if your host network has the same address. In that case you can change this to anything that doesn't conflict. If your host network happens to be, for example, 192.168.65.0/24 then you could change the Docker network to 192.168.66.0/24 (or /28) and it'd work fine.

Internally containers have individual IP addresses, and this is the default subnet they get assigned from. If you docker network create a network or you're using Docker Compose, a new subnet will be allocated. This is almost entirely an implementation detail and you never need to know these addresses: from outside Docker you can't reach these addresses (*), and inside Docker it provides a DNS system so you can use container names as host names.

More specifically, if you

docker run --rm busybox ifconfig

you will see an address from this subnet.

(*) ...except in the one very specific case of connecting from the console of the native-Linux host that's actually running the containers; but never from other hosts, or if you're using Docker Toolbox or Docker Desktop.

Answer 2

In Docker Desktop (for either Windows or macOS), containers do not run directly on the system kernel, they run inside a Linux VM (in the case of macOS) or inside a container within Hyper-V (in the case of WSL 2 on Windows).

This subnet is the network used for the Docker daemon environment running in the VM or Hyper-V container.

On macOS, you can enter the Docker VM and look around, using the below command.

docker run -it --rm --privileged --pid=host justincormack/nsenter1

(I'm not sure whether this command works on Windows, and I don't have a system to test it on, but you could try it and see.)

Inside the Docker VM, you can look at the network config and you will find this subnet there.

/ # ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:50:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.65.3/24 brd 192.168.65.255 scope global dynamic noprefixroute eth0
       valid_lft 7019sec preferred_lft 5579sec
    inet6 fe80::50:ff:fe00:1/64 scope link
       valid_lft forever preferred_lft forever

/ # ip route show | grep 192.168.65
default via 192.168.65.1 dev eth0 proto dhcp src 192.168.65.3 metric 202
192.168.65.0/24 dev eth0 proto dhcp scope link src 192.168.65.3 metric 202
192.168.65.5 dev services1 proto kernel scope link src 192.168.65.4

/ # cat /etc/resolv.conf
# DNS requests are forwarded to the host. DHCP DNS options are ignored.
nameserver 192.168.65.5

The containers that you lauch from this environment don't use this network, though. They are addressed from an RFC 1918 network, as seen below:

15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

/ # ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 scope link  src 172.17.0.2

Here you can see that 172.17.0.0/16 is in use. That's part of the larger 172.16.0.0/12 allocation found in RFC 1918.

If the subnet you're asking about were used for containers, you would run out of addresses fairly quickly, because a /28 network only has 14 usable addresses (13, if you realize the Docker VM uses one for itself). Whereas the /16 network for containers has 65,534 usable addresses in it.