
I am using Docker version 1.9.1 and docker-compose 1.5.2 with --x-networking (experimental networking).

I start a trivial node application with docker-compose up; this application maps port 8000 to port 9999 on the host.

From the host I can curl http://localhost:9999; or http://[host-ip]:9999; or any of the 172.x.0.1 addresses that the host has and they all work.

I start another application with docker-compose up. If I attempt to curl http://[host-ip]:9999, or any of the http://172.x.0.1 addresses the packet is dropped due to iptables entries -- in particular the entry that specifies DROP from the subnet of this container to the first container.

I understand that container-to-container communication may not be allowed but how can my second container talk to the first via the port mapped on the host?

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  172.17.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.17.0.0/16
DROP       all  --  172.18.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.18.0.0/16
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  172.17.0.0/16        172.18.0.0/16
DROP       all  --  172.18.0.0/16        172.17.0.0/16
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8000
  • In a nutshell I am trying to run two docker-compose applications on the same host and communicate from one to the other via the mapped host port. But iptables rules are not permitting it. – Sean McDowell Mar 08 '16 at 21:25
  • That's weird, I don't have the same iptables rules, and I can't remember when two containers could not access each other. – Auzias Mar 09 '16 at 06:40
  • Could be related to the experimental networking state of affairs in the Docker version I am using -- or the fact that when it starts the network mode seems to be "none"? I have given up on firing up two applications with separate docker-compose commands and instead merge them into a single compose file via -f command line parameters. – Sean McDowell Mar 10 '16 at 15:14

2 Answers


Container-to-container communication is allowed, of course. You could forbid it with firewall rules etc... What you actually need is to have these two containers in the same subnet. So you need to create a subnet with

docker network create --subnet=172.18.0.0/16 mySubNet

then run the containers with

docker run --net mySubNet <image>

And that is it. Additionally, when running you can assign a static IP to the container with --ip, assign a hostname with --hostname, or add another host entry with --add-host.

EDIT: I see your docker version now, so I have to say that what I wrote here works with docker 1.10.x
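To see exactly which rule in the question's listing decides each case, and why the same-network fix from this answer gets past it, here is an added example (not code from the question or from either answer). It parses the FORWARD, OUTPUT and DOCKER chains exactly as posted and replays iptables' first-match-wins walk. Two things it assumes: Docker's nat table rewrites a connection to host:9999 to the container's 172.18.0.2:8000 before the filter chains run (the backend address and port are taken from the DOCKER chain in the listing), so the filter table sees the container address as destination; and the host's own address on the 172.18.0.0/16 bridge is 172.18.0.1 (an assumption). Because the question's plain `iptables -L` output hides interface matches (`-i`/`-o`, visible with `iptables -L -v`), the three blanket ACCEPT rows are taken at face value; the DROP rows come first, so that simplification does not change the verdicts shown.

```python
"""Replay the filter-table walk for the iptables listing in the question.

Added example, not code from the original post.  Plain `iptables -L` hides
interface matches, so this models only what is printed: target, protocol,
source, destination, ctstate and destination port.
"""
import ipaddress
import re

# The FORWARD, OUTPUT and DOCKER chains as posted in the question (constructed
# from the listing there; INPUT is omitted because nothing below traverses it).
LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  172.17.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.17.0.0/16
DROP       all  --  172.18.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.18.0.0/16
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  172.17.0.0/16        172.18.0.0/16
DROP       all  --  172.18.0.0/16        172.17.0.0/16
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8000
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_listing(text):
    """Return {chain: (policy, rules)}; policy is None for user-defined chains."""
    chains, current = {}, None
    for line in text.splitlines():
        head = CHAIN_RE.match(line)
        if head:
            current = head.group(1)
            chains[current] = (head.group(2), [])
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        f = line.split()                      # target prot opt source destination [extra]
        extra = " ".join(f[5:])
        dport = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"ctstate (\S+)", extra)
        chains[current][1].append({
            "text": " ".join(f),
            "target": f[0],
            "proto": None if f[1] == "all" else f[1],
            "src": ipaddress.ip_network("0.0.0.0/0" if f[3] == "anywhere" else f[3]),
            "dst": ipaddress.ip_network("0.0.0.0/0" if f[4] == "anywhere" else f[4]),
            "dport": int(dport.group(1)) if dport else None,
            "ctstate": set(state.group(1).split(",")) if state else None,
        })
    return chains


def packet(src, dst, dport, proto="tcp", ctstate="NEW"):
    """The packet fields the matcher looks at (a fresh connection by default)."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "proto": proto, "ctstate": ctstate}


def matches(rule, pkt):
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and pkt["src"] in rule["src"] and pkt["dst"] in rule["dst"]
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["ctstate"] is None or pkt["ctstate"] in rule["ctstate"]))


def evaluate(chains, chain, pkt):
    """First match wins; a jump into a user chain falls through if nothing matched there."""
    policy, rules = chains[chain]
    for rule in rules:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in chains and chains[target][0] is None:   # jump to a user-defined chain
            verdict, text = evaluate(chains, target, pkt)
            if verdict != "RETURN":
                return verdict, text
            continue
        return target, rule["text"]
    return ("RETURN", None) if policy is None else (policy, "chain policy")


def published_port_verdict(chains, client, backend="172.18.0.2", backend_port=8000,
                           from_host=False):
    """Verdict for `client` connecting to the host's published port 9999.

    Assumption: Docker's nat table has already DNATed host:9999 to 172.18.0.2:8000
    (the address/port in the DOCKER chain), so the filter table sees the backend as
    destination.  Traffic from the host itself traverses OUTPUT, everything else FORWARD.
    """
    chain = "OUTPUT" if from_host else "FORWARD"
    return evaluate(chains, chain, packet(client, backend, backend_port))


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    cases = [  # 172.18.0.1 as the host's bridge address is an assumption
        ("host -> localhost:9999", dict(client="172.18.0.1", from_host=True)),
        ("172.19.0.2 (second app) -> host:9999", dict(client="172.19.0.2")),
        ("172.18.0.3 (same network) -> 172.18.0.2:8000", dict(client="172.18.0.3")),
    ]
    for label, kw in cases:
        verdict, text = published_port_verdict(chains, **kw)
        print(f"{label:46} {verdict:6} via: {text}")
```

Running it shows the three situations side by side: the host's own curl never enters FORWARD and is accepted by OUTPUT's policy; the second application's container (172.19.0.2) is stopped by `DROP all -- 172.19.0.0/16 172.18.0.0/16` before any ACCEPT is reached, because after DNAT the destination is the first container's 172.18.0.2; and a client placed on the same 172.18.0.0/16 network, as this answer suggests, skips every inter-network DROP and is accepted inside the DOCKER chain by the published-port rule for 172.18.0.2:8000.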


Subnet solution

You can create a subnet for your containers, but to keep things clean you will need a subnet for each distributed application in order to isolate them. Not the easiest nor the simplest way of doing so, though it works.

--link solution

Another solution is to link your containers. I suggest you read this comment, so I don't just copy/paste its content ;)
