Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?

When I add this line to my /etc/default/docker

DOCKER_OPTS="--iptables=false"

then the DNS no longer works. A group of containers started by docker compose are no longer able to find each other:

    version: '2'
    services:
        elasticsearch:
           image: elasticsearch:latest
           volumes:
              - ./esdata:/usr/share/elasticsearch/data
        kibana:
           image: kibana:latest
           environment:
              - ELASTICSEARCH_URL=http://elasticsearch:9200

The above stops working when iptables=false is set. The kibana container is not able to ‘find’ the elasticsearch container. But when it is removed (and the docker engine restarted) this works fine.

Why is this?

(and more to the point, why is iptables=false not the default setting when ufw is used??)

thanks

One solution collected from the web for “Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?”

    From https://docs.docker.com/v1.5/articles/networking/#between-containers

    Whether a container can talk to the world is governed by two factors.

    1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

    2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.

    Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.

    From https://docs.docker.com/engine/installation/linux/ubuntulinux/#enable-ufw-forwarding

    If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.

    I think the entire recipe for your case would be:

    1. DEFAULT_FORWARD_POLICY="ACCEPT"
    2. DOCKER_OPTS="--iptables=false"
    3. Configure NAT in iptables

    For more details you could see “Running Docker behind the ufw firewall”.
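Step 3 of the recipe above ("Configure NAT in iptables") is the part people usually get wrong, because with --iptables=false the daemon installs none of the rules it would otherwise add for a bridge network, and ufw's DROP forward policy then applies to bridged container-to-container frames as well (the daemon enables bridge-nf-call-iptables, so those frames traverse the FORWARD chain). The script below is an added example by the editor, not code from the original post or from Docker: it prints the rules Docker would normally install for one bridge, and can check an iptables-save dump for them. The bridge name docker0 and subnet 172.17.0.0/16 are Docker's defaults and are assumptions here; a compose-created network uses its own br-<id> bridge and subnet. The two sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (editor's own, not from the original post or from Docker).
# Emits the iptables rules the daemon would install for one bridge network
# when --iptables=false is NOT set, and checks an iptables-save dump for them.
# Assumed bridge/subnet: docker0 / 172.17.0.0/16 (Docker's defaults).
set -eu

# Print the iptables commands Docker would otherwise install for one bridge.
# $1 = bridge interface, $2 = container subnet in CIDR form.
# The "-i $br -o $br" rule is the one container-to-container traffic needs
# once the FORWARD policy is DROP; the nat rule gives containers outbound access.
docker_bridge_rules() {
  br="$1"; subnet="$2"
  cat <<EOF
iptables -t nat -A POSTROUTING -s ${subnet} ! -o ${br} -j MASQUERADE
iptables -A FORWARD -i ${br} -o ${br} -j ACCEPT
iptables -A FORWARD -i ${br} ! -o ${br} -j ACCEPT
iptables -A FORWARD -o ${br} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Check an iptables-save dump (read from stdin) for the rules above.
# Prints each missing rule to stderr; returns 0 only if all are present.
check_bridge_rules() {
  br="$1"; subnet="$2"
  saved="$(cat)"
  missing=0
  old_ifs="$IFS"
  IFS='
'
  for cmd in $(docker_bridge_rules "$br" "$subnet"); do
    rule="${cmd#iptables }"   # iptables-save omits the command name ...
    rule="${rule#-t nat }"    # ... and the table flag (the table is a *nat header)
    if ! printf '%s\n' "$saved" | grep -qF -- "$rule"; then
      echo "missing: $rule" >&2
      missing=$((missing + 1))
    fi
  done
  IFS="$old_ifs"
  [ "$missing" -eq 0 ]
}

# Constructed iptables-save excerpt (not captured from a real host): ufw active
# with its default DROP forward policy, daemon started with --iptables=false,
# and only the NAT rule added by hand. Container-to-container traffic is dropped.
sample_ufw_host_save() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-user-forward
-A FORWARD -j ufw-reject-forward
COMMIT
EOF
}

# Constructed dump of the same host after the three FORWARD rules were applied.
sample_fixed_host_save() {
  cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-user-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# CLI:  sh docker-bridge-rules.sh <bridge> <subnet>                 -> print rules
#       iptables-save | sh docker-bridge-rules.sh --check <bridge> <subnet>
if [ "${1:-}" = "--check" ]; then
  check_bridge_rules "$2" "$3"
elif [ $# -eq 2 ]; then
  docker_bridge_rules "$1" "$2"
fi
```

Apply with `docker_bridge_rules docker0 172.17.0.0/16 | sudo sh`, once per bridge: for a compose network the subnet comes from `docker network inspect` and the bridge is `br-` followed by the first 12 characters of the network ID. These rules are not persistent, so they belong in a boot-time hook (for example ufw's /etc/ufw/after.rules) rather than a one-off shell session. With DEFAULT_FORWARD_POLICY="ACCEPT" from step 1 the FORWARD rules are already covered by the policy, but the MASQUERADE rule is still required for outbound access from containers.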
