mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

networking.md: Networking between containers works without ip_forward

Docker-DCO-1.1-Signed-off-by: Erik Inge Bolsø <knan@redpill-linpro.com> (github: knan-linpro)
This commit is contained in:
Erik Inge Bolsø 2014-07-31 16:11:51 +02:00
parent 503d124677
commit e6a084f4f8


@ -170,20 +170,13 @@ above, will make `/etc/resolv.conf` inside of each container look like
the `/etc/resolv.conf` of the host machine where the `docker` daemon is
running. The options then modify this default configuration.
## Communication between containers
## Communication between containers and the wider world
<a name="between-containers"></a>
<a name="the-world"></a>
Whether two containers can communicate is governed, at the operating
system level, by three factors.
Whether a container can talk to the world is governed by one main factor.
1. Does the network topology even connect the containers' network
interfaces? By default Docker will attach all containers to a
single `docker0` bridge, providing a path for packets to travel
between them. See the later sections of this document for other
possible topologies.
2. Is the host machine willing to forward IP packets? This is governed
Is the host machine willing to forward IP packets? This is governed
by the `ip_forward` system parameter. Packets can only pass between
containers if this parameter is `1`. Usually you will simply leave
the Docker server at its default setting `--ip-forward=true` and
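Review bot: the unchanged context lines `by the `ip_forward` system parameter. Packets can only pass between` / `containers if this parameter is `1`.` now sit under the new `## Communication between containers and the wider world` heading and still assert that packets can only pass between containers when `ip_forward` is `1`, which is the very claim this commit's title says is wrong; suggest rewording them to say that packets can only leave the host for other networks if this parameter is `1`. Also note that `<a name="between-containers"></a>` is removed here, so existing links to that anchor only keep working because the next hunk re-adds it under the moved section.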
@ -199,16 +192,34 @@ system level, by three factors.
$ cat /proc/sys/net/ipv4/ip_forward
1
3. Do your `iptables` allow this particular connection to be made?
Many using Docker will want `ip_forward` to be on, to at
least make communication *possible* between containers and
the wider world.
May also be needed for inter-container communication if you are
in a multiple bridge setup.
## Communication between containers
<a name="between-containers"></a>
Whether two containers can communicate is governed, at the operating
system level, by two factors.
1. Does the network topology even connect the containers' network
interfaces? By default Docker will attach all containers to a
single `docker0` bridge, providing a path for packets to travel
between them. See the later sections of this document for other
possible topologies.
2. Do your `iptables` allow this particular connection to be made?
Docker will never make changes to your system `iptables` rules if
you set `--iptables=false` when the daemon starts. Otherwise the
Docker server will add a default rule to the `FORWARD` chain with a
blanket `ACCEPT` policy if you retain the default `--icc=true`, or
else will set the policy to `DROP` if `--icc=false`.
Nearly everyone using Docker will want `ip_forward` to be on, to at
least make communication *possible* between containers. But it is a
strategic question whether to leave `--icc=true` or change it to
It is a strategic question whether to leave `--icc=true` or change it to
`--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in
`/etc/default/docker` and restarting the Docker server) so that
`iptables` will protect other containers — and the main host — from
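Review bot: the added line `May also be needed for inter-container communication if you are` / `in a multiple bridge setup.` is a sentence fragment with no subject and gives no reason; suggest `It may also be needed for inter-container communication in a multiple-bridge setup, because traffic between containers on different bridges is routed by the host rather than switched within one bridge.` Since the new `## Communication between containers` section now names `iptables` as the only host-side control, it would also help to add that the `FORWARD` chain rule described under `--icc` only sees traffic between containers on the same bridge when the kernel's bridge netfilter hook is enabled; without it, frames between two containers on `docker0` are switched without ever reaching `iptables`, and `--icc=false` would not isolate them.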