
I am trying to make two containers communicate on a server, like it works on my machine.

The thing is that they are not able to communicate (trying to ping container B from container A).

I first created a Dockerfile which uses a Python image. Note that I am using the --network=host option to build this container (without it, I am not able to get packages from the internet).

Next, I have a docker-compose file which is creating two containers using the previously created image.

NETWORK ID     NAME               DRIVER    SCOPE
939d3e6af24e   bridge             bridge    local
2d455afde6fc   dcoflask_default   bridge    local
97f17b13840c   host               host      local
0f40cabe1c02   none               null      local

By inspecting the network where my 2 containers are attached:

        "Containers": {
            "2fe15640751ac7f6dd7bfa20e2e646e44cc2c53fbfa25e8f4df25dfbc08adb9f": {
                "Name": "mssql",
                "EndpointID": "39d1a5429f676d990c52932eed8a66376f76b9cbbff9bcd53b256e1720798bfd",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "50fc9a1f4a4743f2a4e9f80cd2d73515bad4fed748360fc4a26f289c06f8b245": {
                "Name": "web-dco",
                "EndpointID": "7d389570b1c80fa7a1fbb4a633dabbb4f7afd0063acb6cd41f12fc56a290650c",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },

We can confirm that they are on the same network interface.

By issuing a ping (from container web-dco), I am not able to get a response from the other container (mssql).

PING mssql (172.18.0.2) 56(84) bytes of data.
^C
--- mssql ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 125ms

By doing a bit of sniffing on the network interface created for container network, I can see the requests but no responses:

legrand.g@my-server:~$ sudo tshark -i br-2d455afde6fc
Enter password for interactive MFA. Otherwise, enter password followed by 6 digit PingID code:
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-2d455afde6fc'
    1 0.000000000   172.18.0.2 → 143.26.128.29 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
    2 4.001179175   172.18.0.2 → 192.44.120.10 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
    3 4.088081213 02:42:ac:12:00:02 → 02:42:40:e2:2c:15 ARP 42 Who has 172.18.0.1? Tell 172.18.0.2
    4 4.088130713 02:42:40:e2:2c:15 → 02:42:ac:12:00:02 ARP 42 172.18.0.1 is at 02:42:40:e2:2c:15
    5 5.003686924   172.18.0.2 → 143.26.128.29 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
    6 9.004492793   172.18.0.2 → 192.44.120.10 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
^C6 packets captured

Finally, from previous posts about container communication, I do not see anything wrong in the iptables rules:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-2d455afde6fc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-2d455afde6fc -j DOCKER
-A FORWARD -i br-2d455afde6fc ! -o br-2d455afde6fc -j ACCEPT
-A FORWARD -i br-2d455afde6fc -o br-2d455afde6fc -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-2d455afde6fc -o br-2d455afde6fc -p tcp -m tcp --dport 1433 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-2d455afde6fc -o br-2d455afde6fc -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-2d455afde6fc ! -o br-2d455afde6fc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-2d455afde6fc -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

The only difference that I can see between running these containers on my machine and on the server is that on my machine, I do not need to build the Dockerfile with the --network=host option.

The internet is not accessible either, but that is the other part of the problem; I would first like to understand why two simple containers are not able to communicate even though they are using the same network.

N.B. IP forwarding is enabled:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
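Added here as an illustration, not part of the question: a small Python walker that evaluates a packet against a subset of the FORWARD rules quoted above (the policy, the br-2d455afde6fc rules and the isolation chains), the way iptables traverses them. It returns ACCEPT for traffic between the two containers on the same bridge and DROP for a packet crossing from that bridge to docker0; the packet dicts and the name eth0 in the usage are constructed inputs.

```python
import shlex
# Subset of the FORWARD chain and Docker helper chains quoted in the question.
RULES = """
-P FORWARD ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-2d455afde6fc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-2d455afde6fc ! -o br-2d455afde6fc -j ACCEPT
-A FORWARD -i br-2d455afde6fc -o br-2d455afde6fc -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-2d455afde6fc ! -o br-2d455afde6fc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
"""
FIELD = {"-i": "in", "-o": "out", "-p": "proto"}  # rule option -> packet field
def parse(dump):  # -> ({chain: policy}, {chain: [rule]}); rule = {option: (value, negated)}
    policy, chains = {}, {}
    for tok in map(shlex.split, dump.splitlines()):
        if tok and tok[0] == "-P":
            policy[tok[1]] = tok[2]
        elif tok and tok[0] == "-A":
            rule, i = {}, 2
            while i < len(tok):  # option/value pairs, optionally prefixed by '!'
                neg = tok[i] == "!"
                if tok[i + neg] != "-m":  # '-m conntrack' only loads a match module
                    rule[tok[i + neg]] = (tok[i + neg + 1], neg)
                i += neg + 2
            chains.setdefault(tok[1], []).append(rule)
    return policy, chains

def matches(rule, pkt):  # every match option holds, honouring a leading '!'
    for opt, (want, neg) in rule.items():
        if opt != "-j":
            hit = pkt["state"] in want.split(",") if opt == "--ctstate" else pkt[FIELD[opt]] == want
            if hit == neg:
                return False
    return True

def walk(chain, chains, pkt):  # terminating verdict, or None on RETURN / fall-through
    for rule in chains.get(chain, []):  # an absent chain (e.g. empty DOCKER-USER) just falls through
        if matches(rule, pkt):
            target = rule["-j"][0]
            if target in ("ACCEPT", "DROP", "RETURN"):
                return None if target == "RETURN" else target
            if verdict := walk(target, chains, pkt):  # descend into a user-defined chain
                return verdict
    return None

def forward_verdict(pkt, dump=RULES):  # verdict of the FORWARD chain, falling back to its policy
    policy, chains = parse(dump)
    return walk("FORWARD", chains, pkt) or policy["FORWARD"]
```

With the ACCEPT policy shown in the question, anything no rule matches is still forwarded; a DROP policy is where the explicit bridge rules become the only path.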
