Unable to make two docker containers communicate

I am trying to make two containers communicate on a server the way they do on my machine.

The thing is that they are not able to communicate (trying to ping container B from container A).

I first created a Dockerfile which uses a python image. Note that I am using the --network=host option to build this container (without it I am not able to get packages from the internet).

Next, I have a docker-compose file which is creating two containers using the previously created image.

NETWORK ID     NAME               DRIVER    SCOPE
939d3e6af24e   bridge             bridge    local
2d455afde6fc   dcoflask_default   bridge    local
97f17b13840c   host               host      local
0f40cabe1c02   none               null      local

By inspecting the network where my 2 containers are attached:

        "Containers": {
            "2fe15640751ac7f6dd7bfa20e2e646e44cc2c53fbfa25e8f4df25dfbc08adb9f": {
                "Name": "mssql",
                "EndpointID": "39d1a5429f676d990c52932eed8a66376f76b9cbbff9bcd53b256e1720798bfd",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "50fc9a1f4a4743f2a4e9f80cd2d73515bad4fed748360fc4a26f289c06f8b245": {
                "Name": "web-dco",
                "EndpointID": "7d389570b1c80fa7a1fbb4a633dabbb4f7afd0063acb6cd41f12fc56a290650c",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },

We can confirm that they are on the same network interface.

By issuing a ping (from container web-dco), I am not able to get a response from the other container (mssql):

PING mssql (172.18.0.2) 56(84) bytes of data.
^C
--- mssql ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 125ms

By doing a bit of sniffing on the network interface created for container network, I can see the requests but no responses:

legrand.g@my-server:~$ sudo tshark -i br-2d455afde6fc
Enter password for interactive MFA. Otherwise, enter password followed by 6 digit PingID code:
Running as user "root" and group "root". This could be dangerous.
Capturing on 'br-2d455afde6fc'
    1 0.000000000   172.18.0.2 → 143.26.128.29 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
    2 4.001179175   172.18.0.2 → 192.44.120.10 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
    3 4.088081213 02:42:ac:12:00:02 → 02:42:40:e2:2c:15 ARP 42 Who has 172.18.0.1? Tell 172.18.0.2
    4 4.088130713 02:42:40:e2:2c:15 → 02:42:ac:12:00:02 ARP 42 172.18.0.1 is at 02:42:40:e2:2c:15
    5 5.003686924   172.18.0.2 → 143.26.128.29 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
    6 9.004492793   172.18.0.2 → 192.44.120.10 DNS 85 Standard query 0x54a6 A vortex.data.microsoft.com
^C6 packets captured

Finally, from previous posts about container communication, I do not see anything wrong in the iptables:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-2d455afde6fc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-2d455afde6fc -j DOCKER
-A FORWARD -i br-2d455afde6fc ! -o br-2d455afde6fc -j ACCEPT
-A FORWARD -i br-2d455afde6fc -o br-2d455afde6fc -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-2d455afde6fc -o br-2d455afde6fc -p tcp -m tcp --dport 1433 -j ACCEPT
-A DOCKER -d 172.18.0.3/32 ! -i br-2d455afde6fc -o br-2d455afde6fc -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-2d455afde6fc ! -o br-2d455afde6fc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-2d455afde6fc -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

The only difference that I can see between running these containers on my machine and on the server is that on my machine, I do not need to build the Dockerfile with the --network=host option.

The Internet is not accessible either, but that is the other part of the problem; I would first like to understand why two simple containers are not able to communicate even though they are using the same network.

N.B. IP forwarding is enabled:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
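
Added example (not part of the original post): a small Python walker that replays the filter-table FORWARD rules listed in the question against a packet description and reports which rule decides its fate. The packet dictionaries, the `eth0` interface name and the addresses outside 172.18.0.0/16 are constructed for illustration; only the rules touching `br-2d455afde6fc` and the isolation chains are included.

```python
import ipaddress

RULES = """\
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-2d455afde6fc -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-2d455afde6fc -j DOCKER
-A FORWARD -i br-2d455afde6fc ! -o br-2d455afde6fc -j ACCEPT
-A FORWARD -i br-2d455afde6fc -o br-2d455afde6fc -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-2d455afde6fc -o br-2d455afde6fc -p tcp -m tcp --dport 1433 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-2d455afde6fc ! -o br-2d455afde6fc -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-2d455afde6fc -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
"""  # rules from the question's listing; docker0 forwarding and port-5000 rules left out

def rule_matches(conds, pkt):
    """True if every match option of one rule accepts the packet (a dict keyed by option)."""
    it = iter(conds)
    for opt in it:
        neg = opt == "!"
        opt = next(it) if neg else opt
        val = next(it)
        if opt in ("-s", "-d"):
            hit = ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(val)
        else:  # -m only names a module; other options match a string or comma list
            hit = opt == "-m" or pkt.get(opt) in val.split(",")
        if hit == neg:
            return False
    return True

def walk(chains, name, pkt, trace):
    """Traverse one chain; return ACCEPT/DROP, or None when control returns to the caller."""
    for tok in chains[name]:
        *conds, _, target = tok
        if rule_matches(conds, pkt):
            trace.append(f"{name}: {' '.join(tok)}")
            if target == "RETURN":
                return None
            if target in ("ACCEPT", "DROP") or (target := walk(chains, target, pkt, trace)):
                return target

def forward_verdict(pkt, policy="ACCEPT"):  # the question shows -P FORWARD ACCEPT
    """Return (verdict, matched-rule trace) for a packet routed through FORWARD."""
    chains, trace = {}, []
    for _, chain, *rest in map(str.split, RULES.splitlines()):
        chains.setdefault(chain, []).append(rest)
    return walk(chains, "FORWARD", pkt, trace) or policy, trace
```

For a new ICMP packet entering and leaving on `br-2d455afde6fc` the walk ends at `-A FORWARD -i br-2d455afde6fc -o br-2d455afde6fc -j ACCEPT`, while the same packet leaving on `docker0` is dropped in `DOCKER-ISOLATION-STAGE-2`. The walk covers the filter-table FORWARD chain only and says nothing about the nat table, other firewall layers on the host, or the containers themselves.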