From e6a084f4f8af3f7a5bc7c2c5ed375eaed61e8b8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Inge=20Bols=C3=B8?=
Date: Thu, 31 Jul 2014 16:11:51 +0200
Subject: [PATCH] networking.md: Networking between containers works without ip_forward
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Docker-DCO-1.1-Signed-off-by: Erik Inge Bolsø (github: knan-linpro)
---
 docs/sources/articles/networking.md | 53 +++++++++++++++++------------
 1 file changed, 32 insertions(+), 21 deletions(-)

diff --git a/docs/sources/articles/networking.md b/docs/sources/articles/networking.md
index ff1a8ae75d..e465429cdb 100644
--- a/docs/sources/articles/networking.md
+++ b/docs/sources/articles/networking.md
@@ -170,12 +170,41 @@ above, will make `/etc/resolv.conf` inside of each container look like the `/etc/resolv.conf` of the host machine where the `docker` daemon is running. The options then modify this default configuration. +## Communication between containers and the wider world + + + +Whether a container can talk to the world is governed by one main factor. + +Is the host machine willing to forward IP packets? This is governed +by the `ip_forward` system parameter. Packets can only pass between +containers if this parameter is `1`. Usually you will simply leave +the Docker server at its default setting `--ip-forward=true` and +Docker will go set `ip_forward` to `1` for you when the server +starts up. To check the setting or turn it on manually: + + # Usually not necessary: turning on forwarding, + # on the host where your Docker server is running + + $ cat /proc/sys/net/ipv4/ip_forward + 0 + $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward + $ cat /proc/sys/net/ipv4/ip_forward + 1 + +Many using Docker will want `ip_forward` to be on, to at +least make communication *possible* between containers and +the wider world. + +May also be needed for inter-container communication if you are +in a multiple bridge setup. + ## Communication between containers Whether two containers can communicate is governed, at the operating -system level, by three factors. +system level, by two factors. 1. Does the network topology even connect the containers' network interfaces? By default Docker will attach all containers to a 
@@ -183,32 +212,14 @@ system level, by three factors. between them. See the later sections of this document for other possible topologies. -2. Is the host machine willing to forward IP packets? This is governed - by the `ip_forward` system parameter. Packets can only pass between - containers if this parameter is `1`. Usually you will simply leave - the Docker server at its default setting `--ip-forward=true` and - Docker will go set `ip_forward` to `1` for you when the server - starts up. To check the setting or turn it on manually: - - # Usually not necessary: turning on forwarding, - # on the host where your Docker server is running - - $ cat /proc/sys/net/ipv4/ip_forward - 0 - $ sudo echo 1 > /proc/sys/net/ipv4/ip_forward - $ cat /proc/sys/net/ipv4/ip_forward - 1 - -3. Do your `iptables` allow this particular connection to be made? +2. Do your `iptables` allow this particular connection to be made? Docker will never make changes to your system `iptables` rules if you set `--iptables=false` when the daemon starts. Otherwise the Docker server will add a default rule to the `FORWARD` chain with a blanket `ACCEPT` policy if you retain the default `--icc=true`, or else will set the policy to `DROP` if `--icc=false`. -Nearly everyone using Docker will want `ip_forward` to be on, to at -least make communication *possible* between containers. But it is a -strategic question whether to leave `--icc=true` or change it to +It is a strategic question whether to leave `--icc=true` or change it to `--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in `/etc/default/docker` and restarting the Docker server) so that `iptables` will protect other containers — and the main host — from
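Review bot: in the first hunk (the new "Communication between containers and the wider world" section), the sentence `Packets can only pass between containers if this parameter is \`1\`.` was carried over verbatim from the old item 2 and now contradicts both the section's own framing ("Whether a container can talk to the world...") and the commit subject, which says inter-container networking works without `ip_forward`; reword it to say packets can only pass between a container and the outside world if the parameter is `1`. Two smaller points in the same hunk: `$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward` does not work as written, because the `>` redirection is performed by the caller's unprivileged shell before `sudo` runs, so use `echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward` or `sudo sysctl -w net.ipv4.ip_forward=1` instead. The closing line `May also be needed for inter-container communication if you are in a multiple bridge setup.` has no subject; spell out that it is forwarding that is needed when containers sit on different bridges, since that traffic is routed between bridges rather than switched within one. Finally, the three blank lines after the new heading should be collapsed to one, matching the rest of the file.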
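Review bot: in the second hunk, renumbering the `iptables` item from 3 to 2 is consistent with the "two factors" change above, but the moved `ip_forward` section now has no link back to this item, even though the `FORWARD`-chain `ACCEPT`/`DROP` rule described here (`--iptables` / `--icc`) is what ultimately decides whether the forwarded container-to-world packets the new section talks about are let through. Suggest adding a one-line pointer in item 2 (or in the new section) so a reader who lands on the `ip_forward` text is told that enabling forwarding is necessary but that the `iptables` policy still has to allow the connection. Also note that the paragraph beginning `It is a strategic question whether to leave \`--icc=true\`` is cut off in this patch after `from`; please make sure the rest of the sentence survives in the committed file.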