Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?

When I add this line to my /etc/default/docker

DOCKER_OPTS="--iptables=false"

then the DNS no longer works. A group of containers started by docker-compose is no longer able to find each other:

    version: '2'
    services:
        elasticsearch:
           image: elasticsearch:latest
           volumes:
              - ./esdata:/usr/share/elasticsearch/data
        kibana:
           image: kibana:latest
           environment:
              - ELASTICSEARCH_URL=http://elasticsearch:9200

The above stops working when iptables=false is set. The kibana container is not able to ‘find’ the elasticsearch container. But when it is removed (and the docker engine restarted), this works fine.

Why is this?

(and more to the point, why is iptables=false not the default setting when ufw is used?)

thanks

One solution collected from the web for “Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?”

From https://docs.docker.com/v1.5/articles/networking/#between-containers

Whether a container can talk to the world is governed by two factors.

1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.

Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.

From https://docs.docker.com/engine/installation/linux/ubuntulinux/#enable-ufw-forwarding

If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.

I think the entire recipe for your case would be:

1. DEFAULT_FORWARD_POLICY="ACCEPT"
2. DOCKER_OPTS="--iptables=false"
3. Configure NAT in iptables

For more details you could see Running Docker behind the ufw firewall.
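An added example, not part of the question or the answer above: it turns the three-step recipe (plus the ip_forward point from the quoted docs) into checks an administrator can run, with the NAT step printed rather than applied. The file paths /etc/default/ufw and /etc/default/docker, the docker0 bridge on 172.17.0.0/16, the uplink name eth0 and the exact iptables rules are assumptions, not something the answer states.

```shell
#!/bin/sh
# Added example, not from the original question or answer: checks for the
# three-step recipe above (ufw forward policy, --iptables=false, NAT).
# Assumptions (not stated on the page): ufw's policy is in /etc/default/ufw, the
# Docker defaults in /etc/default/docker, the default bridge is docker0 on 172.17.0.0/16.

# Step 1: the ufw defaults file must set DEFAULT_FORWARD_POLICY="ACCEPT",
# otherwise ufw drops every packet forwarded across the docker bridge.
ufw_forward_policy_ok() {
    grep -Eq '^DEFAULT_FORWARD_POLICY="ACCEPT"' "$1"
}

# Step 2: DOCKER_OPTS in the Docker defaults file carries --iptables=false.
docker_iptables_disabled() {
    grep -Eq '^DOCKER_OPTS=.*--iptables=false' "$1"
}

# ip_forward (point 1 of the quoted docs) must read 1; $1 is the sysctl file.
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# Step 3: with --iptables=false Docker adds no NAT, so the host needs its own
# MASQUERADE rule for the bridge subnet. $1 = subnet, stdin = `iptables-save -t nat`.
nat_masquerade_present() {
    grep -F -e "-A POSTROUTING -s $1 " | grep -Fq -e "-j MASQUERADE"
}

# The rules the host must carry itself; $1 = bridge subnet, $2 = bridge, $3 = uplink.
# Printed rather than applied so the script is safe to run unprivileged.
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE\n' "$1" "$2"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$2" "$3"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$3" "$2"
}

# Check the live host (iptables-save needs root); runs only when asked for.
check_host() {
    ufw_forward_policy_ok /etc/default/ufw || echo "ufw: DEFAULT_FORWARD_POLICY is not ACCEPT"
    docker_iptables_disabled /etc/default/docker || echo "docker: --iptables=false not set"
    ip_forward_enabled /proc/sys/net/ipv4/ip_forward || echo "kernel: ip_forward is 0"
    iptables-save -t nat | nat_masquerade_present 172.17.0.0/16 || {
        echo "nat: no MASQUERADE for 172.17.0.0/16; rules to apply:"; nat_rules 172.17.0.0/16 docker0 eth0; }
}

if [ "${1:-}" = "--check-host" ]; then check_host; fi
```

Run it as `sh check.sh --check-host` on the Docker host; each line it prints is one recipe step that is still missing.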
