Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?

When I add this line to my /etc/default/docker

DOCKER_OPTS="--iptables=false"

then DNS no longer works. A group of containers started by docker-compose is no longer able to find each other:

    version: '2'
    services:
        elasticsearch:
           image: elasticsearch:latest
           volumes:
              - ./esdata:/usr/share/elasticsearch/data
        kibana:
           image: kibana:latest
           environment:
              - ELASTICSEARCH_URL=http://elasticsearch:9200

The above stops working when iptables=false is set. The kibana container is not able to ‘find’ the elasticsearch container. But when it is removed (and the Docker engine restarted), this works fine.

Why is this?

(and more to the point, why is iptables=false not the default setting when ufw is used?)

thanks

One solution collected from the web for “Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?”

From https://docs.docker.com/v1.5/articles/networking/#between-containers

Whether a container can talk to the world is governed by two factors.

1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.

Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.

From https://docs.docker.com/engine/installation/linux/ubuntulinux/#enable-ufw-forwarding

If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.

I think the entire recipe for your case would be:

1. DEFAULT_FORWARD_POLICY="ACCEPT"
2. DOCKER_OPTS="--iptables=false"
3. Configure NAT in iptables

For more details, see Running Docker behind the ufw firewall.
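As an added example (not part of the answer above and not a script shipped by Docker or UFW), the recipe as a small POSIX shell script: it rewrites UFW's forwarding policy in a given file (step 1) and emits, applies or verifies the outbound NAT and bridge forwarding rules that Docker would otherwise install for its bridge (step 3); step 2 is the one-line DOCKER_OPTS change already shown in the question. The script assumes the default bridge name docker0 with its default 172.17.0.0/16 subnet, and the script name docker-ufw-nat.sh in the usage note is hypothetical. The rules are the ones Docker adds for its default bridge; the script does not cover port publishing (-p / ports:), whose DNAT rules Docker also stops adding under --iptables=false.

```shell
#!/bin/sh
# Added example (not from the original post): the iptables rules Docker would
# normally install for its bridge, emitted as commands so they can be reviewed
# before being applied on a host that runs the daemon with --iptables=false.
# Assumptions: the default bridge is docker0 with the default 172.17.0.0/16
# subnet; override BRIDGE/SUBNET if `ip addr show docker0` says otherwise.
set -u

BRIDGE="${BRIDGE:-docker0}"
SUBNET="${SUBNET:-172.17.0.0/16}"

# Step 1 of the recipe: set UFW's forwarding policy in the given file
# (normally /etc/default/ufw). Takes the path as an argument so the edit can
# be tried on a copy first. Prints the number of matching lines afterwards.
set_ufw_forward_policy() {
    file="$1"
    sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    grep -c '^DEFAULT_FORWARD_POLICY="ACCEPT"$' "$file"
}

# Step 3 of the recipe: the NAT and forwarding rules Docker adds itself when
# --iptables is left at its default. The FORWARD rules are inserted at the head
# of the chain so they are evaluated before UFW's own chains, as Docker's are.
docker_nat_rules() {
    bridge="$1"
    subnet="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $subnet ! -o $bridge -j MASQUERADE
iptables -I FORWARD -i $bridge -o $bridge -j ACCEPT
iptables -I FORWARD -i $bridge ! -o $bridge -j ACCEPT
iptables -I FORWARD -o $bridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Check both factors from the quoted docs: ip_forward, and whether the
# MASQUERADE and FORWARD rules for the bridge are actually present.
verify() {
    printf 'net.ipv4.ip_forward = %s\n' "$(sysctl -n net.ipv4.ip_forward)"
    iptables -t nat -S POSTROUTING | grep -- "-s $SUBNET" \
        || echo "no MASQUERADE rule for $SUBNET"
    iptables -S FORWARD | grep -- "$BRIDGE" \
        || echo "no FORWARD rules for $BRIDGE"
}

case "${1:-print}" in
    print)  docker_nat_rules "$BRIDGE" "$SUBNET" ;;          # review only
    apply)  docker_nat_rules "$BRIDGE" "$SUBNET" | sh -e ;;  # needs root
    verify) verify ;;
    ufw)    set_ufw_forward_policy "${2:-/etc/default/ufw}" ;;
esac
```

Run `sh docker-ufw-nat.sh` to print the rules, `sudo sh docker-ufw-nat.sh ufw && sudo ufw reload` for step 1, then `sudo sh docker-ufw-nat.sh apply` and `sudo sh docker-ufw-nat.sh verify` after restarting the daemon with --iptables=false. The rules are not persisted across reboots; store them with your distribution's mechanism (for example iptables-persistent or a UFW before.rules entry). Note that with --iptables=false the daemon adds nothing at all, so any restriction of container access beyond these rules is also yours to write.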
