Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?

When I add this line to my /etc/default/docker

DOCKER_OPTS="--iptables=false"

then the DNS no longer works. A group of containers started by docker compose are no longer able to find each other:

    version: '2'
    services:
        elasticsearch:
           image: elasticsearch:latest
           volumes:
              - ./esdata:/usr/share/elasticsearch/data
        kibana:
           image: kibana:latest
           environment:
              - ELASTICSEARCH_URL=http://elasticsearch:9200

The above stops working when iptables=false is set. The kibana container is not able to ‘find’ the elasticsearch container. But when it is removed (and the docker engine restarted) then this works fine.

Why is this?

(and more to the point, why is iptables=false not the default setting when ufw is used??)

thanks

Answer:

From https://docs.docker.com/v1.5/articles/networking/#between-containers

Whether a container can talk to the world is governed by two factors.

1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.

Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.

From https://docs.docker.com/engine/installation/linux/ubuntulinux/#enable-ufw-forwarding

If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.

I think the entire recipe for your case would be:

1. DEFAULT_FORWARD_POLICY="ACCEPT"
2. DOCKER_OPTS="--iptables=false"
3. Configure NAT in iptables

For more details you could see Running Docker behind the ufw firewall.
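The three-step recipe above, written out as an added example (not code from the original question or answer) that you can review before applying anything. Nothing in it touches the live host: the ufw edit works on whichever file path you pass it, the iptables rules are printed rather than executed, and the read-only check reports the two factors the quoted docs name (ip_forward and the FORWARD chain policy). It assumes the default docker0 bridge and its 172.17.0.0/16 subnet; override BRIDGE and SUBNET for a different setup.

```shell
#!/bin/sh
# Added example, not part of the original answer: the ufw forward policy,
# the DOCKER_OPTS line and the NAT/forwarding rules, generated for review.
# Assumptions: default docker0 bridge and 172.17.0.0/16 subnet.

BRIDGE="${BRIDGE:-docker0}"
SUBNET="${SUBNET:-172.17.0.0/16}"

# Step 1: set DEFAULT_FORWARD_POLICY in an /etc/default/ufw style file.
# $1 = path to the file, $2 = ACCEPT or DROP. Prints the resulting line.
set_ufw_forward_policy() {
    sed "s/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY=\"$2\"/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    grep '^DEFAULT_FORWARD_POLICY=' "$1"
}

# Step 2: the daemon option from the question, for /etc/default/docker.
docker_opts_line() {
    printf 'DOCKER_OPTS="--iptables=false"\n'
}

# Step 3: the masquerade and forwarding rules Docker installs itself when
# --iptables is left on. With --iptables=false they have to be added by hand;
# without them ufw's FORWARD policy (DROP by default) decides bridge traffic.
# Printed, not applied: review, then run as root.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $SUBNET ! -o $BRIDGE -j MASQUERADE
iptables -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
iptables -A FORWARD -i $BRIDGE ! -o $BRIDGE -j ACCEPT
iptables -A FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read-only check of the two factors the quoted docs name: ip_forward and the
# FORWARD chain policy (reading the chain needs root; it degrades to "unknown").
check_forwarding() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)
    pol=$(iptables -S FORWARD 2>/dev/null | sed -n 's/^-P FORWARD //p')
    echo "ip_forward=$fwd forward_policy=${pol:-unknown}"
}

# Demo on a constructed copy of /etc/default/ufw (sample content, not the real file).
sample=$(mktemp)
printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="DROP"\n' > "$sample"
set_ufw_forward_policy "$sample" ACCEPT
rm -f "$sample"
docker_opts_line
nat_rules
check_forwarding
```

To apply for real, point set_ufw_forward_policy at /etc/default/ufw (then `ufw reload`), put the docker_opts_line output in /etc/default/docker and restart the engine, and feed nat_rules into a root shell once the bridge name and subnet match what `ip addr show docker0` reports.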
