|
|
@@ -170,12 +170,41 @@ above, will make `/etc/resolv.conf` inside of each container look like
|
|
|
the `/etc/resolv.conf` of the host machine where the `docker` daemon is
|
|
|
running. The options then modify this default configuration.
|
|
|
|
|
|
+## Communication between containers and the wider world
|
|
|
+
|
|
|
+<a name="the-world"></a>
|
|
|
+
|
|
|
+Whether a container can talk to the world is governed by one main factor.
|
|
|
+
|
|
|
+Is the host machine willing to forward IP packets? This is governed
|
|
|
+by the `ip_forward` system parameter. Packets can only pass between
|
|
|
+containers if this parameter is `1`. Usually you will simply leave
|
|
|
+the Docker server at its default setting `--ip-forward=true` and
|
|
|
+Docker will go set `ip_forward` to `1` for you when the server
|
|
|
+starts up. To check the setting or turn it on manually:
|
|
|
+
|
|
|
+ # Usually not necessary: turning on forwarding,
|
|
|
+ # on the host where your Docker server is running
|
|
|
+
|
|
|
+ $ cat /proc/sys/net/ipv4/ip_forward
|
|
|
+ 0
|
|
|
+ $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
+ $ cat /proc/sys/net/ipv4/ip_forward
|
|
|
+ 1
|
|
|
+
|
|
|
+Many using Docker will want `ip_forward` to be on, to at
|
|
|
+least make communication *possible* between containers and
|
|
|
+the wider world.
|
|
|
+
|
|
|
+May also be needed for inter-container communication if you are
|
|
|
+in a multiple bridge setup.
|
|
|
+
|
|
|
## Communication between containers
|
|
|
|
|
|
<a name="between-containers"></a>
|
|
|
|
|
|
Whether two containers can communicate is governed, at the operating
|
|
|
-system level, by three factors.
|
|
|
+system level, by two factors.
|
|
|
|
|
|
1. Does the network topology even connect the containers' network
|
|
|
interfaces? By default Docker will attach all containers to a
|
|
|
@@ -183,32 +212,14 @@ system level, by three factors.
|
|
|
between them. See the later sections of this document for other
|
|
|
possible topologies.
|
|
|
|
|
|
-2. Is the host machine willing to forward IP packets? This is governed
|
|
|
- by the `ip_forward` system parameter. Packets can only pass between
|
|
|
- containers if this parameter is `1`. Usually you will simply leave
|
|
|
- the Docker server at its default setting `--ip-forward=true` and
|
|
|
- Docker will go set `ip_forward` to `1` for you when the server
|
|
|
- starts up. To check the setting or turn it on manually:
|
|
|
-
|
|
|
- # Usually not necessary: turning on forwarding,
|
|
|
- # on the host where your Docker server is running
|
|
|
-
|
|
|
- $ cat /proc/sys/net/ipv4/ip_forward
|
|
|
- 0
|
|
|
- $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
- $ cat /proc/sys/net/ipv4/ip_forward
|
|
|
- 1
|
|
|
-
|
|
|
-3. Do your `iptables` allow this particular connection to be made?
|
|
|
+2. Do your `iptables` allow this particular connection to be made?
|
|
|
Docker will never make changes to your system `iptables` rules if
|
|
|
you set `--iptables=false` when the daemon starts. Otherwise the
|
|
|
Docker server will add a default rule to the `FORWARD` chain with a
|
|
|
blanket `ACCEPT` policy if you retain the default `--icc=true`, or
|
|
|
else will set the policy to `DROP` if `--icc=false`.
|
|
|
|
|
|
-Nearly everyone using Docker will want `ip_forward` to be on, to at
|
|
|
-least make communication *possible* between containers. But it is a
|
|
|
-strategic question whether to leave `--icc=true` or change it to
|
|
|
+It is a strategic question whether to leave `--icc=true` or change it to
|
|
|
`--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in
|
|
|
`/etc/default/docker` and restarting the Docker server) so that
|
|
|
`iptables` will protect other containers — and the main host — from
|
Erik Inge Bolsø