In Docker, do I need to publish ports if I set network to host?

I was running into an issue today where I have a Dockerfile that EXPOSEs several ports and I wanted to run it with the --net=host flag.

However, all connections to the ports that the container was supposed to be listening on were refused.

  • Kubernetes restarting pods
  • Is it safe to extract the root filesystem of a image and use it in a chroot?
  • Why env variables are not created automatically?
  • Images are being cached even if there are changes
  • Websocket (ws4py in Python 3.5) not working in Docker container
  • Kamon, Statsd, Grafana Disk Space
  • Running docker inspect on the container I noticed this:

            "Ports": {
                "8000/tcp": {},

    Growing exasperated I deleted the --net flag all together and went to the default bridge network. Surprise it works!

        "Ports": {
            "8000/tcp": null,

    Except now it has this strange null setting. What is the difference here? Also, plot I’m running inside of a VM trying to communicate with another VM. Probably a million reasons this won’t work.

  • Docker + Nginx: Getting proxy_pass to work
  • Not able to access docker daemon api from docker container
  • Is it wrong to run a single process in docker without providing basic system services?
  • Using bower inside a docker container with a private repo dependency
  • How to create a docker base image?
  • Docker CD workflow - making docker hosts pull new images and deploy them
  • One Solution collect form web for “In Docker, do I need to publish ports if I set network to host?”


    Is the publish option needed when the network mode is host?


    No, the host network stack is directly used by the container:

    'host': use the Docker host network stack. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.


    Start a container with netcat:

    user@host:~$ docker run -it --rm --net host nc:1.10-41
    root@container:/# nc -l -p 9999

    Back into the host:

    user@host:~$ nc 9999
    Sending a message for test <enter>

    The message will be displayed from the netcat command executed within the container.


    A  netstat from the host will show the established connection:

    user@host:~$ netstat latuep |grep 9999
    tcp        0      0 localhost:38600         localhost:9999          ESTABLISHED
    tcp        0      0 localhost:9999          localhost:38600         ESTABLISHED

    As for your issue

    The error may stem from another configuration/network environment. Can VMs ping each other? Do they share the same LAN? Is a firewall set?

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.