I'm creating a rather complex infrastructure of docker containers using docker compose. Those containers run in 4 different networks (similar to the production environment that I'm mimicking). Docker Compose creates those four networks for me, and everything works as long as containers don't try to communicate with containers inside different networks. When they do, the connection is dropped. I was able to find out why it is dropped, and it is because Docker adds iptables rules into the DOCKER-ISOLATION chain. Example:
-A DOCKER-ISOLATION -i br-be010eaddd0e -o br-f788f16ed0dd -j DROP
-A DOCKER-ISOLATION -i br-f788f16ed0dd -o br-be010eaddd0e -j DROP
I wrote a little script that removes the rules I want removed (and allows communication between chosen bridges) and everything works like a charm, but somehow they are recreated by Docker at some point, even without recreating those networks, so it requires me to run that script again, which is very annoying. Is there any way to specifically tell Docker to allow communication between two bridges? Or maybe there's some trick to run a specific shell script after starting containers with Docker Compose?
Docker Compose understands the idea behind running services for one application on one network. When you deploy an app using Docker Compose file, even when there's no mention of specific networking parameters, Docker Compose will create a new bridge network and deploy the container over that network.
You can create multiple networks with Docker and add containers to one or more networks. Containers can communicate within networks but not across networks. A container with attachments to multiple networks can connect with all of the containers on all of those networks.
By default Compose sets up a single network for your app. Each container for a service joins the default network and is both reachable by other containers on that network, and discoverable by them at a hostname identical to the container name.
To allow two Docker containers on the same host to communicate with each other by name: Create a user-defined bridge network: Create your own custom bridge network first using docker network create. Under the hood, Docker sets up the relevant networking tables on your operating system.
Docker Compose Bridge Networking. Docker Compose is an easy way of deploying multi-container applications. It automates a lot of the bookkeeping, networking and resource management of applications in a single neat docker-compose.yml file. You can get the app up by running docker-compose up and turn it back down using docker-compose down.
To connect a running container to an existing user-defined bridge, use the docker network connect command. The following command connects an already-running my-nginx container to an already-existing my-net network: To disconnect a running container from a user-defined bridge, use the docker network disconnect command.
If anyone's interested, I've managed to handle this with iptables. The solution is to explicitly allow communication between the bridge subnets (assuming that they have fixed IP addresses). The way to do this is to issue the following commands (assuming that the bridge subnets are 172.24.131.0/24 and 172.24.132.0/24):
iptables -I FORWARD -s 172.24.131.0/24 -d 172.24.132.0/24 -j ACCEPT
iptables -I FORWARD -d 172.24.131.0/24 -s 172.24.132.0/24 -j ACCEPT
That way we add new rules to the FORWARD chain just before DOCKER-ISOLATION; this forces iptables to ignore the whole DOCKER-ISOLATION chain for any communication between these subnets.
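The two iptables commands in the answer above work, but running them again after Docker has re-added its own rules leaves duplicate ACCEPT entries, and they hard-code the subnets. The script below is an added example (not code from the question or the answer) that makes the same change idempotently: it resolves the two Compose network names to their subnets with `docker network inspect`, checks each rule with `iptables -C` before inserting it at position 1 of the chain, and then shows the head of the chain so you can confirm the ACCEPT rules sit above Docker's jump to the isolation chain. The chain defaults to FORWARD as in the answer; newer Docker releases name the isolation chains DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2 and also provide a DOCKER-USER chain that Docker jumps to first and never rewrites, which you can select with `CHAIN=DOCKER-USER`. The subnets in the usage example are the ones from the answer; the `IPTABLES` and `CHAIN` variables and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not the original answer's code. Allow forwarding between two
# Docker bridge networks by inserting ACCEPT rules at the head of a chain so
# they are evaluated before Docker's jump to DOCKER-ISOLATION. Safe to re-run:
# every rule is checked with `iptables -C` before it is inserted.
#
# Usage: allow-bridges.sh <compose-network-a> <compose-network-b>
# e.g.   allow-bridges.sh myapp_frontend myapp_backend

IPTABLES="${IPTABLES:-iptables}"   # override, e.g. IPTABLES="echo iptables" for a dry run
CHAIN="${CHAIN:-FORWARD}"          # FORWARD as in the answer; DOCKER-USER is Docker's user chain

# Rule specification (everything after the chain name) for traffic src -> dst.
forward_rule_spec() {
    printf '%s' "-s $1 -d $2 -j ACCEPT"
}

# Insert the src -> dst ACCEPT rule at position 1 of $CHAIN unless an identical
# rule is already present. Prints "exists:" or "added:" plus the rule.
ensure_rule() {
    spec=$(forward_rule_spec "$1" "$2")
    # $spec and $IPTABLES are intentionally unquoted so they split into arguments.
    if $IPTABLES -C "$CHAIN" $spec 2>/dev/null; then
        echo "exists: $CHAIN $spec"
    else
        $IPTABLES -I "$CHAIN" 1 $spec
        echo "added: $CHAIN $spec"
    fi
}

# Allow traffic in both directions between two subnets (two rules, like the answer).
allow_between() {
    ensure_rule "$1" "$2"
    ensure_rule "$2" "$1"
}

# Resolve a Docker network name to its IPv4 subnet (first IPAM config entry),
# so the subnets do not have to be fixed by hand.
subnet_of() {
    docker network inspect -f '{{(index .IPAM.Config 0).Subnet}}' "$1"
}

if [ "$#" -eq 2 ]; then
    allow_between "$(subnet_of "$1")" "$(subnet_of "$2")"
    # Verify ordering: our ACCEPT rules must appear before the DOCKER-ISOLATION jump.
    $IPTABLES -S "$CHAIN" | head -n 5
fi
```

Run it as root (or with sudo) after `docker-compose up`; because it only adds rules that are missing, it can be put in a cron job or a systemd unit ordered after docker.service without accumulating duplicates. The rules still live only in the running kernel, so they do not survive a reboot unless you persist them (iptables-save or your distribution's equivalent), and `-s`/`-d` rules are only as stable as the subnets Compose assigns, which is why the script resolves them each time instead of trusting fixed addresses.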
Isolation is the core reason to use multiple bridge networks. In Docker world you should put the containers you would like to communicate with each other in the same network.
I assume you would like to replicate the production network with 4 separate subnets/layer 2 domains that use a router to communicate with each other for testing and other purposes? Try using the experimental ipvlan driver to form the ipvlan L3 network with 4 different subnets and the ipvlan driver serving as a router between them. Here is how you set it up (scroll down to ipvlan L3).