iptables - docker无法指定容器相连

Question

docker配置：

root@ubuntu> ps -ef | grep docker
root xxxxx /usr/bin/dockerd -H fd:// -b=br0 --icc=false --iptables=true

先起一个web主机：
docker run -d --name web -p 8080:80 php-fpm:5.4

再起一个test主机测试连接：
docker run -dit --name test --link web:web blackhole/ubuntu:0.1 bash

查看iptables filter的表：

root@ubuntu> sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.2        tcp dpt:80
ACCEPT     tcp  --  192.168.100.3        192.168.100.2        tcp dpt:80
ACCEPT     tcp  --  192.168.100.2        192.168.100.3        tcp spt:80
ACCEPT     tcp  --  192.168.100.3        192.168.100.2        tcp dpt:443
ACCEPT     tcp  --  192.168.100.2        192.168.100.3        tcp spt:443
ACCEPT     tcp  --  192.168.100.3        192.168.100.2        tcp dpt:22
ACCEPT     tcp  --  192.168.100.2        192.168.100.3        tcp spt:22

进入test容器内部：

sudo docker exec -it test bash
root@00585b9efea8:/# cat /etc/hosts
127.0.0.1    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
192.168.100.2    web 2cec3235f5fa
192.168.100.3    00585b9efea8
root@00585b9efea8:/# ping web
PING web (192.168.100.2): 56 data bytes
^C--- web ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
root@00585b9efea8:/# ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
^C--- 192.168.100.2 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
root@00585b9efea8:/# curl web
^C
root@00585b9efea8:/# curl http://192.168.100.2:80
^C

指定容器相连的三个条件：--icc=fasle --iptables=true --link上面都已经满足了。为了防止意外，再第一步之前还执行了iptables -F清除

问题出在哪里呢？或者说可能出现在哪里呢

Answer 1

Solved:
The essence of docker’s link parameter is to add rules to iptables and the hosts of the container. From the above, you can see that the rules have been added, but why not? Because before, I forgot to add the EXPOSE parameter when writing the Dockerfile (because I always thought this command was useless). In fact, EXPOSE will open the port. It is not simply convenient for using the -P command and showing it to developers. of. The ACCEPT rules of iptables are based on ports, but I did not write them in EXPOSE, which will make the link useless. The ports opened by general web containers or db containers are 3306, 80, and 443, but none of them are open. As a result, ping and curl cannot be passed after the link is connected, and the ping is not through ports 80, 3306, and 443. So even if it succeeds, it won't ping.

Answer 2

Let these containers be under the same bridge network

Answer 3

When docker starts a container, it creates an independent network for it by default. If you can pass docker network ls 查看当前的网络。当使用link, you need to put the two on the same network.
Suppose container A is started first

docker run A;

Restart container B

docker run --link A:a --net A_default B