You spent three days on a Firecracker CI runner. Containers are starting, Docker is running, but nothing can reach the network. You've restarted dockerd four times. You've googled the error messages. You've found Stack Overflow posts that describe your exact situation and then go silent.

The problem is that every networking tutorial treats the stack as a single flat thing. In a microVM running containers, there are actually four discrete networking layers stacked on top of each other, each with its own configuration surface and its own failure modes. The moment you confuse one for another, debugging turns into guessing.

This post maps those layers. It uses a real failure sequence (Firecracker CI runner with Docker service containers) as an anchor throughout. By the end, you should be able to audit your own setup layer by layer and know exactly where something went wrong and why.…