允许使用 docker-compose 在两个 docker 桥接网络之间进行通信 [英] Allow communication between two docker bridge networks using docker-compose

问题描述

我正在使用 docker compose 创建相当复杂的 docker 容器基础设施.这些容器在 4 个不同的网络中运行(类似于我正在模仿的生产环境).Docker Compose 为我创建了这四个网络，只要容器不尝试与不同网络内的其他容器通信，一切都可以正常工作.当他们这样做时，连接被丢弃.我能够找出它被删除的原因，这是因为 Docker 将 iptables 规则添加到 DOCKER-ISOLATION 链中.示例:

I'm creating rather complex infrastructure of docker containers using docker compose. Those containers run in 4 different networks (similar to production environment that I'm mimicking). Docker Compose creates those four networks for me, and everything works as long, as containers don't try to communicate with other containers inside different networks. When they do, connection is dropped. I was able to find out why it is dropped, and it is because Docker adds iptables rules into DOCKER-ISOLATION chain. Example:

-A DOCKER-ISOLATION -i br-be010eaddd0e -o br-f788f16ed0dd -j DROP
-A DOCKER-ISOLATION -i br-f788f16ed0dd -o br-be010eaddd0e -j DROP

我写了一个小脚本来删除我想要删除的规则(并允许所选网桥之间的通信)，一切都像魅力一样，但不知何故它们在某个时候被 Docker 重新创建，即使没有重新创建这些网络，所以它需要我再次运行该脚本，这很烦人.有什么办法可以专门告诉Docker允许两个网桥之间的通信吗?或者也许有一些技巧可以在使用 Docker-Compose 启动容器后运行特定的 shell 脚本?

I wrote a little script that removes rules I want to be removed (and allow communication between chosen bridges) and everything works like a charm, but somehow they are recreated by Docker at some point, even without recreating those networks, so it requires me to run that script again, which is very annoying. Is there any way to specifically tell Docker to allow communication between two bridges? Or maybe there's some trick to run specific shell script after starting containers with Docker-Compose?

推荐答案

如果有人感兴趣，我已经设法用 iptables 解决了这个问题.解决方案是明确允许桥接子网之间的通信(假设它们具有固定的 ip 地址).这样做的方法是发出以下命令(假设网桥子网是 172.24.131.0/24 和 172.24.132.0/24):

If anyone's interested, I've managed to handle this with iptables. Solution is to explicitly allow communication between bridge subnets (assuming that they have fixed ip addresses). The way to do this is to issue following commands (assuming that bridge subnets are 172.24.131.0/24 and 172.24.132.0/24):

iptables -I FORWARD -s 172.24.131.0/24 -d 172.24.132.0/24 -j ACCEPT
iptables -I FORWARD -d 172.24.131.0/24 -s 172.24.132.0/24 -j ACCEPT

这样我们就在 DOCKER-ISOLATION 之前在 FORWARD 链中添加新规则，它会强制 iptables 在这些子网之间进行任何通信时忽略整个 DOCKER-ISOLATION 链.

That way we add new rules in FORWARD chain just before DOCKER-ISOLATION, it forces iptables to ignore whole DOCKER-ISOLATION chain for any communication between these subnets.

这篇关于允许使用 docker-compose 在两个 docker 桥接网络之间进行通信的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！