Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?
When I add this line to my /etc/default/docker, the DNS no longer works. A group of containers started by docker-compose is no longer able to find each other:

version: '2'
services:
  elasticsearch:
    image: elasticsearch:latest
    volumes:
      - ./esdata:/usr/share/elasticsearch/data
  kibana:
    image: kibana:latest
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200

The above stops working when iptables=false is set. The kibana container is not able to 'find' the elasticsearch container. But when it is removed (and the docker engine restarted), this works fine.
Why is this?
(and more to the point, why is iptables=false not the default setting when ufw is used??)
One solution collected from the web:
Whether a container can talk to the world is governed by two factors.

1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.
Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.
If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.
I think the entire recipe for your case would be:
- Configure NAT in iptables
For more details, see Running Docker behind the ufw firewall.
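The answer above boils down to three conditions on the host: ip_forward must be 1, UFW must not drop forwarded traffic, and the NAT rule that Docker would normally install for the bridge subnet must exist (with --iptables=false Docker will not add it). The script below is an added example, not code from the original question, the answer, or Docker; it checks each condition from a file so it can be run offline against saved copies of /proc/sys/net/ipv4/ip_forward, /etc/default/ufw and the output of `iptables-save -t nat`, and prints, without executing, the usual fix for each failure. The bridge subnet 172.17.0.0/16 and the bridge name docker0 are Docker's defaults and are assumed here; the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original question or answer: offline pre-flight
# checks for the three conditions the answer lists (ip_forward, UFW's
# forwarding policy, a NAT rule for the bridge subnet). Each check reads a
# file so it can be run against saved copies of
#   /proc/sys/net/ipv4/ip_forward, /etc/default/ufw and `iptables-save -t nat`.
# Assumptions not stated on the page: Docker's default bridge subnet
# 172.17.0.0/16 and bridge name docker0; change them for a custom bridge.

# 0 when the sysctl file holds exactly "1".
check_ip_forward() {
  [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# 0 when UFW's (uncommented) default forwarding policy is ACCEPT.
check_ufw_forward_policy() {
  grep -q '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# 0 when an iptables-save nat dump carries the masquerade rule Docker installs
# for SUBNET ($2) leaving through any interface other than BRIDGE ($3).
# With --iptables=false Docker never adds it, so it has to be added by hand.
check_nat_masquerade() {
  grep -Fq -- "-A POSTROUTING -s $2 ! -o $3 -j MASQUERADE" "$1"
}

# Runs all three checks, prints a verdict plus the fix for each failure,
# and returns the number of failed checks (0 = host is ready). Nothing is
# changed on the host; the printed commands are for the operator to review.
run_checks() {
  ipf="$1"; ufw="$2"; nat="$3"; subnet="$4"; bridge="$5"
  failed=0
  if check_ip_forward "$ipf"; then
    echo "ok   ip_forward is 1"
  else
    echo "FAIL ip_forward is not 1"
    echo "     fix: sysctl -w net.ipv4.ip_forward=1"
    failed=$((failed + 1))
  fi
  if check_ufw_forward_policy "$ufw"; then
    echo "ok   UFW DEFAULT_FORWARD_POLICY is ACCEPT"
  else
    echo "FAIL UFW drops forwarded traffic"
    echo "     fix: sed -i 's/^DEFAULT_FORWARD_POLICY=\"DROP\"/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/' /etc/default/ufw && ufw reload"
    failed=$((failed + 1))
  fi
  if check_nat_masquerade "$nat" "$subnet" "$bridge"; then
    echo "ok   NAT masquerade rule present for $subnet"
  else
    echo "FAIL no NAT masquerade rule for $subnet"
    echo "     fix: iptables -t nat -A POSTROUTING -s $subnet ! -o $bridge -j MASQUERADE"
    failed=$((failed + 1))
  fi
  return "$failed"
}

# Demo on constructed input standing in for a host that set --iptables=false
# and left UFW at its default: forwarding is on, but UFW drops forwarded
# packets and the masquerade rule Docker would have added is missing.
demo() {
  d=$(mktemp -d)
  printf '1\n' > "$d/ip_forward"
  printf 'DEFAULT_FORWARD_POLICY="DROP"\n' > "$d/ufw"
  printf '*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n' > "$d/nat"
  run_checks "$d/ip_forward" "$d/ufw" "$d/nat" 172.17.0.0/16 docker0
  echo "failed checks: $?"
  rm -rf "$d"
}

# Real run instead of the demo:
#   iptables-save -t nat > /tmp/nat.dump
#   run_checks /proc/sys/net/ipv4/ip_forward /etc/default/ufw /tmp/nat.dump 172.17.0.0/16 docker0
demo
```

The checks are deliberately split from the fixes: the script only reads files and reports, so it can be run as an unprivileged user against dumps copied off the host, and the operator applies the printed commands once they agree with the verdict.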