
Container-to-container communication via a host mapped port

I am using Docker version 1.9.1 and docker-compose 1.5.2 with --x-networking (experimental networking).

I start a trivial node application with docker-compose up; this application maps port 8000 to port 9999 on the host.

From the host I can curl http://localhost:9999 or http://[host-ip]:9999 or any of the 172.x.0.1 addresses that the host has and they all work.

I start another application with docker-compose up. If I attempt to curl http://[host-ip]:9999, or any of the http://172.x.0.1 addresses the packet is dropped due to iptables entries -- in particular the entry that specifies DROP from the subnet of this container to the first container.

I understand that container-to-container communication may not be allowed but how can my second container talk to the first via the port mapped on the host?

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  172.17.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.17.0.0/16
DROP       all  --  172.18.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.18.0.0/16
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  172.17.0.0/16        172.18.0.0/16
DROP       all  --  172.18.0.0/16        172.17.0.0/16
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8000

Container to container communication is allowed of course. You could forbid it with firewall rules etc... What you actually need is to have these two containers in the same subnet. So you need to create a subnet with

docker network create --subnet=172.18.0.0/16 mySubNet

then run the containers with

docker run --net mySubNet <image>

And that is it. Additionally when running you could assign a static ip to container with --ip, assign a hostname with --hostname or add another host entry with --add-host.

EDIT: I see now your docker version so I have to say that what I wrote here works with docker 1.10.x
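The drop described in the question follows from first-match evaluation of the FORWARD chain: the inter-subnet DROP rules sit ahead of the DOCKER jump that would accept port 8000. The script below is an added example, not part of the original posts; it assumes the second container is on 172.19.0.0/16 and that the published port has already been rewritten to 172.18.0.2:8000 (the nat table is not shown on the page), and its sample addresses are constructed.

```python
import ipaddress

# Copied from the question's `iptables -L` output: FORWARD up to its first DOCKER jump,
# and the DOCKER chain. No -v, so interface matches are hidden; addresses/ports only.
FORWARD = """\
DROP       all  --  172.17.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.17.0.0/16
DROP       all  --  172.18.0.0/16        172.19.0.0/16
DROP       all  --  172.19.0.0/16        172.18.0.0/16
DOCKER     all  --  anywhere             anywhere
"""
DOCKER = "ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8000"

def net(field):
    return ipaddress.ip_network("0.0.0.0/0" if field == "anywhere" else field)

def parse(listing):
    rules = []
    for line in listing.strip().splitlines():
        f = line.split()
        dport = next((int(x[4:]) for x in f[5:] if x.startswith("dpt:")), None)
        rules.append((f[0], f[1], net(f[3]), net(f[4]), dport))
    return rules

CHAINS = {"FORWARD": parse(FORWARD), "DOCKER": parse(DOCKER)}

def verdict(src, dst, dport, chain="FORWARD", prot="tcp"):
    """First-match walk: (rule, target), or None if no rule listed here matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (target, p, snet, dnet, dp) in enumerate(CHAINS[chain], 1):
        addr_ok = s in snet and d in dnet
        if p not in ("all", prot) or not addr_ok or dp not in (None, dport):
            continue
        if target not in CHAINS:
            return (f"{chain}:{i}", target)
        hit = verdict(src, dst, dport, target, prot)  # jump; fall back here if no match
        if hit:
            return hit
    return None

def isolated(src, dst, dport=8000):
    hit = verdict(src, dst, dport)
    return hit is not None and hit[1] == "DROP"

if __name__ == "__main__":
    # Constructed addresses: 172.19.0.2 second container, 192.0.2.10 outside client.
    print(verdict("172.19.0.2", "172.18.0.2", 8000))  # flow after DNAT of host:9999
    print(verdict("192.0.2.10", "172.18.0.2", 8000))
    print(isolated("172.18.0.3", "172.18.0.2"))  # constructed peer on 172.18.0.0/16
```

A source on the first container's own subnet matches none of the DROP rules, which is why putting both containers on one network sidesteps the isolation rules.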

Subnet solution

You can either create a subnet for your containers, but to keep things clean you will need a subnet for each distributed application in order to isolate them. Not the easiest nor the simplest way of doing so while it works.

--link solution

Another solution is to link your containers. I suggest you read this comment, just so I don't copy/paste its content ;)
