You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This page explains how Docker Desktop routes network traffic and file I/O between containers, the VM, and the host, and how this behavior is visible to firewalls and endpoint protection tools.
10
10
@@ -17,25 +17,24 @@ Docker Desktop runs the Docker Engine inside a lightweight Linux virtual machine
17
17
The backend acts as:
18
18
19
19
- Network proxy: Translates traffic between the host and Linux VM.
20
-
- On Windows and Mac, this is handled by the `com.docker.backend` process.
21
-
- On Linux, the `qemu` process performs this function.
20
+
- On Windows and Mac, this is handled by the `com.docker.backend` process.
21
+
- On Linux, the `qemu` process performs this function.
22
22
- File server: Handles file access from containers to the host filesystem.
23
-
- When using gRPC FUSE, the backend performs the file sharing.
24
-
- When using `virtiofs`, `osxfs`, or `krun`, file access is handled by those respective daemons rather than the backend process.
23
+
- When using gRPC FUSE, the backend performs the file sharing.
24
+
- When using `virtiofs`, `osxfs`, or `krun`, file access is handled by those respective daemons rather than the backend process.
25
25
- Control plane: Manages Docker API calls, port forwarding, and proxy configuration.
26
26
27
27
The following table summarizes typical setups in more detail:
28
28
29
-
| Platform | Setup | Networking handled by | File sharing handled by | Notes |
| Windows | Hyper-V |`com.docker.backend.exe`|`com.docker.backend.exe`| Simplest setup with full visibility to EDR/firewall tools |
32
+
| Windows (WSL 2) | WSL 2 |`com.docker.backend.exe`| WSL 2 kernel (no visibility from host) | Recommended only when WSL 2 integration is needed |
33
+
| Mac | Virtualization framework + gRPC FUSE |`com.docker.backend`|`com.docker.backend`| Recommended for performance and visibility |
34
+
| Mac | Virtualization framework + `virtiofs`|`com.docker.backend`| Apple's Virtualization framework | Higher performance but no file access visibility from host |
35
+
| Mac | Virtualization framework + `osxfs`|`com.docker.backend`|`osxfs`| Legacy setup, not recommended |
36
+
| Mac | DockerVMM + `virtiofs`|`com.docker.backend`|`krun`| Currently in Beta |
37
+
| Linux | Native Linux VM |`qemu`|`virtiofsd`| No `com.docker.backend` process on Linux |
39
38
40
39
## How containers connect to the internet
41
40
@@ -48,7 +47,7 @@ When a container initiates a network request, for example with `apt-get update`
48
47
- The traffic is transferred to the host system over a shared-memory channel rather than through a traditional virtual network interface. This approach ensures reliable communication and avoids conflicts with host-level network adapters or firewall configurations.
49
48
- On the host, Docker Desktop’s backend process receives the traffic and creates standard TCP/IP connections using the same networking APIs as other applications.
50
49
51
-
All outbound container network traffic originates from the `com.docker.backend` process. Firewalls, VPNs, and security tools, like Crowdstrike, see traffic coming from this process — not from a VM or unknown source so firewall and endpoint security software can apply rules directly to `com.docker.backend`.
50
+
All outbound container network traffic originates from the `com.docker.backend` process. Firewalls, VPNs, and security tools, like CrowdStrike, see traffic coming from this process — not from a VM or unknown source so firewall and endpoint security software can apply rules directly to `com.docker.backend`.
52
51
53
52
## How exposed ports work
54
53
@@ -71,26 +70,27 @@ Docker Desktop can use your system’s default proxy settings or custom settings
71
70
72
71
When a proxy is enabled:
73
72
74
-
- The backend process forwards the network requests, for example `docker pull`, through an internal proxy at `http.docker.internal:3128`.
75
-
- The internal proxy then connects either directly to the internet or through your upstream proxy, depending on your configuration and adding authentication if necessary.
73
+
- The backend process forwards the network requests, for example `docker pull`, through an internal proxy at `http.docker.internal:3128`.
74
+
- The internal proxy then connects either directly to the internet or through your upstream proxy, depending on your configuration and adding authentication if necessary.
76
75
- Docker Desktop then downloads the requested images or data through the proxy as usual.
77
76
78
-
Note that:
77
+
Note that:
78
+
79
79
- The proxy honors system or manual proxy configuration.
80
80
- On Windows, Basic, NTLM, and Kerberos authentication is supported.
81
81
- For Mac, NTLM/Kerberos is not supported natively. Run a local proxy on `localhost` as a workaround.
82
82
- CLI plugins and other tools that use the Docker API directly must be configured separately with the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
83
-
84
-
## Firewalls and endpoint visibility
85
83
86
-
To restrict VM or container networking apply rules to `com.docker.backend.exe` (Windows) `com.docker.backend` (Mac) or `qemu` (Linux) as all VM networking is funneled through these processes.
84
+
## Firewalls and endpoint visibility
85
+
86
+
To restrict VM or container networking apply rules to `com.docker.backend.exe` (Windows) `com.docker.backend` (Mac) or `qemu` (Linux) as all VM networking is funneled through these processes.
87
87
88
-
Use Windows Defender Firewall or enterprise endpoint firewalls for control. This enables traffic inspection and restriction at the host level without modifying the Docker Engine.
88
+
Use Windows Defender Firewall or enterprise endpoint firewalls for control. This enables traffic inspection and restriction at the host level without modifying the Docker Engine.
89
89
90
-
Crowdstrike and similar tools can observe all traffic and file access that passes through the backend process.
90
+
CrowdStrike and similar tools can observe all traffic and file access that passes through the backend process.
0 commit comments