acc-docker-networking-knowledge
1
总安装量
1
周安装量
#48346
全站排名
安装命令
npx skills add https://github.com/dykyi-roman/awesome-claude-code --skill acc-docker-networking-knowledge
Agent 安装分布
opencode
1
claude-code
1
Skill 文档
Docker Networking Knowledge Base
Network configuration patterns and communication strategies for PHP Docker stacks.
Network Types
| Type | Driver | Use Case | Isolation | Performance |
|---|---|---|---|---|
| Bridge | bridge |
Default single-host | Container-level | Good |
| Host | host |
Maximum performance | None (shares host) | Best |
| Overlay | overlay |
Multi-host (Swarm/K8s) | Container-level | Moderate |
| None | none |
Complete isolation | Full | N/A |
| Macvlan | macvlan |
Direct LAN access | Network-level | Good |
PHP-FPM + Nginx Communication
TCP Socket (Default in Docker)
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â TCP SOCKET COMMUNICATION â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â â
â Client ââⶠ:80 ââⶠâââââââââââ TCP :9000 ââââââââââââ â
â â Nginx â ââââââââââⶠâ PHP-FPM â â
â âââââââââââ ââââââââââââ â
â â
â Nginx config: fastcgi_pass php:9000; â
â PHP-FPM config: listen = 0.0.0.0:9000 â
â â
â Pros: Works across containers, simple setup, scalable â
â Cons: Slight overhead vs Unix socket â
â â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
Unix Socket (Shared Volume)
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â UNIX SOCKET COMMUNICATION â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â â
â Client ââⶠ:80 ââⶠâââââââââââ /sock/fpm ââââââââââââ â
â â Nginx â ââââââââââⶠâ PHP-FPM â â
â ââââââ¬âââââ ââââââ¬ââââââ â
â â shared volume â â
â ââââââââââ ââââââââââââââ â
â â¼ â¼ â
â ââââââââââââââââ â
â â /var/run/php/ â â
â â php-fpm.sock â â
â ââââââââââââââââ â
â â
â Nginx config: fastcgi_pass unix:/var/run/php/php-fpm.sock; â
â PHP-FPM config: listen = /var/run/php/php-fpm.sock â
â â
â Pros: ~5-10% faster, no TCP overhead â
â Cons: Requires shared volume, harder to scale â
â â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
Compose configuration for Unix socket:
services:
php:
volumes:
- php-socket:/var/run/php
nginx:
volumes:
- php-socket:/var/run/php:ro
volumes:
php-socket:
DNS Resolution in Compose
Docker Compose provides automatic DNS resolution using service names.
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â DNS RESOLUTION â
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ¤
â â
â Service Name ââⶠContainer IP â
â ââââââââââââââââââââââââââââââââââââ â
â postgres ââⶠ172.20.0.2 â
â redis ââⶠ172.20.0.3 â
â rabbitmq ââⶠ172.20.0.4 â
â php ââⶠ172.20.0.5 â
â nginx ââⶠ172.20.0.6 â
â â
â Resolution scope: within same network only â
â Resolver: Docker embedded DNS (127.0.0.11) â
â â
ââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
PHP connection strings using service names:
// PostgreSQL
'postgresql://app:secret@postgres:5432/app'
// Redis
'redis://redis:6379'
// RabbitMQ
'amqp://guest:guest@rabbitmq:5672/%2f'
// Elasticsearch
'http://elasticsearch:9200'
DNS Aliases
services:
postgres:
networks:
backend:
aliases:
- db
- database
- pg
Port Mapping Strategies
| Pattern | Syntax | Visibility | Use Case |
|---|---|---|---|
| Published | ports: ["8080:80"] |
Host + containers | Dev access, public services |
| Exposed | expose: ["9000"] |
Containers only | Internal services (FPM) |
| Host binding | ports: ["127.0.0.1:5432:5432"] |
Localhost only | Databases in dev |
| Random host | ports: ["5432"] |
Random host port | CI, parallel testing |
Recommended Port Mapping
services:
# Public-facing â bind to all interfaces
nginx:
ports:
- "80:80"
- "443:443"
# Internal service â expose only (no host port)
php:
expose:
- "9000"
# Database â localhost only (dev security)
postgres:
ports:
- "127.0.0.1:${POSTGRES_PORT:-5432}:5432"
# Management UI â localhost only
rabbitmq:
ports:
- "127.0.0.1:${RABBITMQ_MGMT_PORT:-15672}:15672"
Network Segmentation
networks:
frontend:
driver: bridge
# Public-facing services (Nginx, Mailhog UI)
backend:
driver: bridge
internal: true
# Database, cache, queue â no external access
monitoring:
driver: bridge
# Prometheus, Grafana, Jaeger
Segmentation Matrix
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
â Service â frontend â backend â monitoring â internet â
â âââââââââââââââââ¼âââââââââââ¼ââââââââââ¼âââââââââââââ¼ââââââââââ â
â Nginx â â â â â â â
â PHP-FPM â â â â â â â
â Worker â â â â â â
â Cron â â â â â â
â PostgreSQL â â â â â â
â Redis â â â â â â
â RabbitMQ â â â â â â
â Elasticsearch â â â â â â
â Prometheus â â â â â â â
â Grafana â â â â â â â
â Jaeger â â â â â â â
âââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââââ
The internal: true flag on the backend network prevents containers from reaching the internet, ensuring databases and caches are not exposed.
Inter-Container Communication
Same Network (Direct)
// Containers on the same network communicate directly via service name
$redis = new \Redis();
$redis->connect('redis', 6379);
Cross-Network (Shared Service)
services:
php:
networks:
- frontend
- backend # PHP needs both to talk to Nginx AND database
postgres:
networks:
- backend # Only backend â no direct external access
Service Discovery Pattern
// Use environment variables for service endpoints
$dbHost = getenv('DATABASE_HOST') ?: 'postgres';
$redisHost = getenv('REDIS_HOST') ?: 'redis';
$amqpHost = getenv('AMQP_HOST') ?: 'rabbitmq';
host.docker.internal for Local Development
Access host machine services from within containers:
services:
php:
extra_hosts:
- "host.docker.internal:host-gateway"
environment:
# Connect to services running on host machine
XDEBUG_CONFIG: "client_host=host.docker.internal"
| Platform | host.docker.internal | Notes |
|---|---|---|
| Docker Desktop (Mac) | Built-in | Works automatically |
| Docker Desktop (Windows) | Built-in | Works automatically |
| Linux | Requires extra_hosts |
Use host-gateway mapping |
Troubleshooting
| Issue | Diagnosis | Solution |
|---|---|---|
| Container cannot resolve service name | Wrong network | Ensure both services share a network |
| Connection refused between containers | Port not exposed | Add expose or check service is listening |
| Intermittent DNS failures (Alpine) | musl resolver | Add options ndots:0 to resolv.conf |
| Cannot reach host machine | Missing extra_hosts | Add host.docker.internal:host-gateway |
| External access to internal service | Missing internal: true |
Mark backend network as internal |
| Port conflict on host | Port already in use | Use variable port mapping ${PORT:-5432}:5432 |
References
For service configuration examples, see acc-docker-compose-knowledge.
For base image networking considerations, see acc-docker-base-images-knowledge.