Why does using DOCKER_OPTS="--iptables=false" break the DNS discovery for docker-compose?
When I add this line to my /etc/default/docker
DOCKER_OPTS="--iptables=false"
then DNS no longer works. A set of containers started by docker-compose can no longer find each other:
version: '2'
services:
  elasticsearch:
    image: elasticsearch:latest
    volumes:
      - ./esdata:/usr/share/elasticsearch/data
  kibana:
    image: kibana:latest
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200
The above stops working when iptables=false is set: the kibana container cannot 'find' the elasticsearch container. But once the option is removed (and the docker engine restarted), it works fine.
Why is that?
(And more importantly, why isn't iptables=false the default when ufw is in use??)
Thanks
From https://docs.docker.com/v1.5/articles/networking/#between-containers
Whether a container can talk to the world is governed by two factors.

1. Is the host machine willing to forward IP packets? This is governed by the ip_forward system parameter. Packets can only pass between containers if this parameter is 1. Usually you will simply leave the Docker server at its default setting --ip-forward=true and Docker will go set ip_forward to 1 for you when the server starts up.

2. Do your iptables allow this particular connection? Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain.

Docker will not delete or modify any pre-existing rules from the DOCKER filter chain. This allows the user to create in advance any rules required to further restrict access to the containers.
From https://docs.docker.com/engine/installation/linux/ubuntulinux/#enable-ufw-forwarding
If you use UFW (Uncomplicated Firewall) on the same host as you run Docker, you’ll need to do additional configuration. Docker uses a bridge to manage container networking. By default, UFW drops all forwarding traffic. As a result, for Docker to run when UFW is enabled, you must set UFW’s forwarding policy appropriately.
I think the whole recipe for your case is:
- DEFAULT_FORWARD_POLICY="ACCEPT"
- DOCKER_OPTS="--iptables=false"
- Configure NAT in iptables
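The answer's recipe spelled out as a script, added here as an example and not code from the question, the answer or Docker itself. It rewrites DEFAULT_FORWARD_POLICY in a UFW defaults file and prints (or, with DRY_RUN=0 and root, installs) the NAT and FORWARD rules that dockerd would have added for a bridge network when --iptables=true. The bridge name and subnet used below (docker0, 172.17.0.0/16) are assumptions; take the real ones from `ip -4 addr show docker0` or `docker network inspect <network>`. Note that a compose v2 project gets its own bridge (br-<id>) with its own subnet, so the rules must be installed once per bridge that needs connectivity, not just for docker0.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the answer's
# recipe for running dockerd with --iptables=false behind UFW: set UFW's
# forward policy to ACCEPT and install by hand the NAT and FORWARD rules the
# daemon would otherwise add for a bridge network. Bridge name and subnet are
# assumptions passed in as arguments; a compose v2 project has its own bridge.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# The rules dockerd installs for a bridge when --iptables=true, in the order
# it installs them. $1 = bridge interface, $2 = bridge subnet (CIDR).
docker_manual_rules() {
  bridge="$1"
  subnet="$2"
  # NAT: masquerade traffic leaving the bridge subnet through another interface
  run iptables -t nat -A POSTROUTING -s "$subnet" ! -o "$bridge" -j MASQUERADE
  # Replies to connections the containers opened may come back in
  run iptables -A FORWARD -o "$bridge" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # Containers may reach the outside world
  run iptables -A FORWARD -i "$bridge" ! -o "$bridge" -j ACCEPT
  # Containers on the same bridge may talk to each other (kibana -> elasticsearch)
  run iptables -A FORWARD -i "$bridge" -o "$bridge" -j ACCEPT
}

# Rewrite DEFAULT_FORWARD_POLICY in a UFW defaults file ($1, default
# /etc/default/ufw). Only that key is touched; other policies stay as they are.
# Run `ufw reload` afterwards on a real host.
set_ufw_forward_policy() {
  ufw_file="${1:-/etc/default/ufw}"
  ufw_tmp="$ufw_file.tmp.$$"
  sed 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$ufw_file" > "$ufw_tmp" \
    && mv "$ufw_tmp" "$ufw_file"
}

# Is the kernel forwarding IPv4 at all? The quoted docs say Docker sets this
# to 1 for you at startup (--ip-forward=true); worth checking anyway.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage (dry run, prints the rules): sh rules.sh docker0 172.17.0.0/16
# Apply for real:             DRY_RUN=0 sudo sh rules.sh docker0 172.17.0.0/16
if [ "$#" -eq 2 ]; then
  docker_manual_rules "$1" "$2"
  ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
fi
```

Run it in dry-run mode first and compare the printed rules with `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` on a host where dockerd still manages iptables; the lists should match apart from the DOCKER chain jumps, which only matter when you publish ports.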