When I add this line to my /etc/default/docker:

```sh
DOCKER_OPTS="--iptables=false"
```

then DNS no longer works. A group of containers started by docker compose is no longer able to find each other:
```yaml
version: '2'
services:
  elasticsearch:
    image: elasticsearch:latest
    volumes:
      - ./esdata:/usr/share/elasticsearch/data
  kibana:
    image: kibana:latest
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200
```
The above stops working when iptables=false is set. The kibana container is not able to 'find' the elasticsearch container. But when the line is removed (and the docker engine restarted), this works fine.
Why is this?
(And more to the point, why is iptables=false not the default setting when ufw is used?)
thanks
Setting iptables to false will more than likely break container networking for the Docker engine. For system integrators who wish to build the Docker runtime into other applications, explore the moby project. By default, the Docker daemon will expose ports on the 0.0.0.0 address, i.e. any address on the host.
You need docker to do the DNS resolution to give you container-to-container networking with DNS for discovery. You should still see the docker engine call out to your DNS server even with the 127.0.0.11 entry inside the container, so it's not a bug or a lack of configurability; you just don't see this configuration from inside the container.
This means that if you expose a port through Docker, this port gets exposed no matter what rules your firewall has configured. If you want those rules to apply even when a port gets exposed through Docker, you must add these rules to the DOCKER-USER chain. By default, all external source IPs are allowed to connect to the Docker host.
By default, all external source IPs are allowed to connect to the Docker daemon. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain.
From https://docs.docker.com/v1.5/articles/networking/#between-containers

Whether a container can talk to the world is governed by two factors.

1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.

Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.
From https://docs.docker.com/engine/installation/linux/ubuntulinux/#enable-ufw-forwarding
If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.
I think the entire recipe for your case would be:

```sh
# /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

# /etc/default/docker
DOCKER_OPTS="--iptables=false"
```
For more details you could see Running Docker behind the ufw firewall
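As an added example (not from the question or either answer), a small checker that takes captured `iptables-save` output and the `ip_forward` value and reports the two factors the quoted docs name, plus whether the DOCKER-USER chain restricts external sources as the first answer describes. The rule text, the eth0 interface name and the 203.0.113.0/24 network are constructed sample data.

```python
# Constructed sample of `iptables-save` output (filter table only), modelled on a
# host where Docker manages iptables and a DOCKER-USER restriction is in place.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -i eth0 ! -s 203.0.113.0/24 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""

def parse_filter_table(text):
    """Return (chain policies, rules per chain) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":FORWARD DROP [0:0]"
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def audit(text, ip_forward):
    """Evaluate ip_forward, whether Docker manages iptables (DOCKER chain
    present), whether a DROP forward policy (UFW's default) will block
    containers once Docker stops adding rules, and whether DOCKER-USER
    contains any DROP/REJECT rule restricting external access."""
    policies, rules = parse_filter_table(text)
    docker_managed = "DOCKER" in policies
    user_rules = rules.get("DOCKER-USER", [])
    return {
        "ip_forward_enabled": ip_forward == 1,
        "docker_manages_iptables": docker_managed,
        "forward_policy_blocks_containers":
            policies.get("FORWARD") == "DROP" and not docker_managed,
        "external_sources_restricted":
            any(r.endswith(("-j DROP", "-j REJECT")) for r in user_rules),
    }
```

Feed it `iptables-save` output and `cat /proc/sys/net/ipv4/ip_forward` from the host; a `forward_policy_blocks_containers` of True is the UFW-plus-`--iptables=false` combination the recipe above fixes.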