Docker configuration:
root@ubuntu> ps -ef | grep docker
root xxxxx /usr/bin/dockerd -H fd:// -b=br0 --icc=false --iptables=true
Start a web host:
docker run -d --name web -p 8080:80 php-fpm:5.4
Start another host, test, to test the connection:
docker run -dit --name test --link web:web blackhole/ubuntu:0.1 bash
View the iptables filter table:
root@ubuntu> sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (0 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 192.168.100.3 192.168.100.2 tcp dpt:80
ACCEPT tcp -- 192.168.100.2 192.168.100.3 tcp spt:80
ACCEPT tcp -- 192.168.100.3 192.168.100.2 tcp dpt:443
ACCEPT tcp -- 192.168.100.2 192.168.100.3 tcp spt:443
ACCEPT tcp -- 192.168.100.3 192.168.100.2 tcp dpt:22
ACCEPT tcp -- 192.168.100.2 192.168.100.3 tcp spt:22
Enter the test container:
sudo docker exec -it test bash
root@00585b9efea8:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.100.2 web 2cec3235f5fa
192.168.100.3 00585b9efea8
root@00585b9efea8:/# ping web
PING web (192.168.100.2): 56 data bytes
^C--- web ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
root@00585b9efea8:/# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
^C--- 192.168.100.2 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
root@00585b9efea8:/# curl web
^C
root@00585b9efea8:/# curl http://192.168.100.2:80
^C
This shows that the three conditions for container connection have been met: --icc=false, --iptables=true and --link. To prevent accidents, the following was run beforehand to remove the existing rules:
iptables -F
What is the problem? Or where might it be?
Resolved:
The nature of docker's link parameter is to add rules to iptables and entries to the containers' hosts files. From the above, we can see that the rules have been added, so why does it not work? Because I forgot to add the EXPOSE parameter when writing the Dockerfile (I always thought this command was useless). In fact, EXPOSE opens the port; it is not simply a convenience for the -P command and for developers to see. The iptables ACCEPT rules are port-based, but I did not write the ports in EXPOSE, which makes link useless. The ports commonly opened by a web container or db container are 3306, 80 and 443, but none of them were open, which leads to the inability to ping and curl after the link is made. Also, the port that ping uses is not 80, 3306 or 443, so even if the link succeeds, ping will not work.
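
The port-based matching described above can be checked against an iptables listing. The script below is an added example, not part of the original post: flow_allowed and report are hypothetical helpers, and the rule listing is a constructed sample modelled on the DOCKER chain shown earlier, containing only the rules that --link adds.

```shell
#!/bin/sh
# Constructed sample: DOCKER chain as printed by `iptables -L DOCKER -n`
# when the linked image EXPOSEs 80 and 443 (link rules only, no -p rule).
RULES='Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.100.3        192.168.100.2        tcp dpt:80
ACCEPT     tcp  --  192.168.100.2        192.168.100.3        tcp spt:80
ACCEPT     tcp  --  192.168.100.3        192.168.100.2        tcp dpt:443
ACCEPT     tcp  --  192.168.100.2        192.168.100.3        tcp spt:443'

# flow_allowed PROTO SRC DST DPORT  (hypothetical helper)
# Exit 0 if an ACCEPT rule in $RULES matches a new flow SRC -> DST.
# Simplifications: addresses match exactly or via 0.0.0.0/0 (no CIDR maths);
# rules carrying spt: are skipped because they only cover reply packets.
flow_allowed() {
    printf '%s\n' "$RULES" | awk -v proto="$1" -v src="$2" -v dst="$3" -v dport="$4" '
        $1 != "ACCEPT"                    { next }
        $2 != proto && $2 != "all"        { next }
        $4 != src && $4 != "0.0.0.0/0"    { next }
        $5 != dst && $5 != "0.0.0.0/0"    { next }
        {
            rule_port = ""; reply_only = 0
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) rule_port = substr($i, 5)
                if ($i ~ /^spt:/) reply_only = 1
            }
            if (!reply_only && (rule_port == "" || rule_port == dport)) found = 1
        }
        END { exit !found }'
}

# Print one line per flow with the verdict from flow_allowed.
report() {
    if flow_allowed "$@"; then verdict=ACCEPT; else verdict="no matching ACCEPT"; fi
    printf '%-5s %s -> %s port %-5s %s\n' "$1" "$2" "$3" "$4" "$verdict"
}

report tcp  192.168.100.3 192.168.100.2 80     # exposed port, rule exists
report tcp  192.168.100.3 192.168.100.2 3306   # not exposed, no rule
report icmp 192.168.100.3 192.168.100.2 -      # ping: ICMP has no port, no rule
```

To run it against a live host, replace the constructed RULES value with the output of iptables -L DOCKER -n.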