I’m reading up a little on communication between Docker containers. The --icc flag lets all containers communicate with each other. The flag is set to true by default. As far as I understand this ignores any EXPOSE / --expose declarations. They are only enforced when --icc is set to false.
You're right. The EXPOSE command is really just metadata. It documents an intent by the developer that the container can be contacted on the given ports. By itself, all the build instruction is doing is adding this metadata to the image.
As yourself and larsks have noted, this information is used by Docker when the -P flag and links are invoked.
I assume Docker largely took the stance that as containers run on their own private network, in most cases they will trust each other and it's simplest to just allow all communication.
If you disable ICC, you have to set the --iptables flag (which allows Docker to edit iptables) and use links to allow containers to communicate. I suspect dynamic editing of iptables was something the Docker engineers wanted to stay away from as long as possible. Also, certain set-ups become impossible due to the limitations of links; for example, you can't have bidirectional links.
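The following audit sketch is an added example, not part of the answer above and not Docker's own code. It merges the `icc` and `iptables` keys of a daemon.json with any `dockerd` command-line flags and reports whether the restriction discussed here is actually in force; the function names and sample inputs are constructed, and the default of true for `iptables` is an assumption based on Docker's documented behaviour.

```python
import json

# Defaults: icc is true per the page; iptables=true is assumed from Docker's docs.
DEFAULTS = {"icc": True, "iptables": True}


def _flag_value(arg):
    """Return (name, bool) for a dockerd flag such as --icc=false, else None."""
    if not arg.startswith("--"):
        return None
    name, sep, raw = arg[2:].partition("=")
    if name not in DEFAULTS:
        return None
    # A bare boolean flag (no "=value") means true.
    return name, (raw.strip().lower() in ("1", "t", "true")) if sep else True


def effective_settings(daemon_json_text="", dockerd_args=()):
    """Merge defaults, daemon.json keys and command-line flags into one view."""
    settings = dict(DEFAULTS)
    if daemon_json_text.strip():
        config = json.loads(daemon_json_text)
        for key in DEFAULTS:
            if key in config:
                settings[key] = bool(config[key])
    for arg in dockerd_args:
        parsed = _flag_value(arg)
        if parsed:
            settings[parsed[0]] = parsed[1]
    return settings


def audit(daemon_json_text="", dockerd_args=()):
    """Return a list of findings about container-to-container reachability."""
    s = effective_settings(daemon_json_text, dockerd_args)
    findings = []
    if s["icc"]:
        findings.append("icc=true: containers can reach each other on any "
                        "port; EXPOSE is metadata and does not restrict this")
    elif not s["iptables"]:
        findings.append("icc=false but iptables=false: Docker cannot edit "
                        "iptables, so the restriction cannot be enforced")
    return findings


# Constructed sample configurations, not taken from a real host.
SAMPLE_DEFAULT = "{}"
SAMPLE_HARDENED = '{"icc": false, "iptables": true}'
SAMPLE_BROKEN = '{"icc": false, "iptables": false}'
```

An empty findings list means ICC is disabled with iptables management on, which is the configuration where containers need explicit links to talk to each other.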