jpetazzo / pipework

Software-Defined Networking tools for LXC (LinuX Containers)
Apache License 2.0

container to container connectivity #220

Closed chrisjonez closed 6 years ago

chrisjonez commented 6 years ago

Hi @jpetazzo... I know you're not active on this project at the moment, but I may have stumbled across a pipework/Docker interaction problem where container to container connectivity fails; some users may need to be made aware of this... or perhaps you can point out where I'm going wrong :-).

The basic use case is to bring up two containers with no network configured (--net='none') and then to use pipework to plumb them together with a Linux bridge, letting pipework create the bridge. It appears that after doing this the containers cannot ping each other. This seems quite a basic pipework use case. Perhaps it worked back in the day... but perhaps not now since Docker got its networking act together?

My fork contains the test (run test.sh) https://github.com/chrisjonez/pipework, and documents the reasons why I still need to use pipework.

jpetazzo commented 6 years ago

Hi! Sorry for the delay. But I found the solution! Yay!

TL;DR:

iptables -I FORWARD -i brcj_novlan -s 1.2.3.0/24 -j ACCEPT

Longer explanation: for security reasons, Docker changed the default policy of the FORWARD chain in iptables to DROP at some point. So the packets going from one bridge port to another (i.e. from a container to another) have to be explicitly allowed. The iptables rule that I suggested above is the simplest one to make your test case work correctly. I don't know if pipework should try to mess with that. At the very least, the documentation should be updated I guess!
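The check a host operator would want before applying the rule above, as an added example that is not part of pipework or of this thread: read the FORWARD chain, confirm the policy is really DROP (what Docker sets) and that no ACCEPT for the bridge already exists, and only then insert the rule, so rerunning the script does not pile up duplicates. The bridge name brcj_novlan and subnet 1.2.3.0/24 are the ones from the thread; the sample `iptables -S FORWARD` output is constructed for illustration, and `ensure_forward_rule` is the only part that touches the live firewall.

```shell
#!/bin/sh
# Added example, not part of pipework or this issue thread: decide whether the
# FORWARD chain would drop traffic between containers on a pipework-created
# bridge, and add the ACCEPT rule from the thread only when it is missing.
# Bridge name and subnet are the ones used in the issue; the sample iptables
# output below is constructed for illustration.

# Does $3 (output of `iptables -S FORWARD`) already carry an ACCEPT for traffic
# arriving on bridge $1 from subnet $2? Each option is matched separately, so
# the order in which iptables prints -i and -s does not matter.
forward_rule_present() {
    bridge=$1; subnet=$2; rules=$3
    printf '%s\n' "$rules" \
        | grep -F -- '-A FORWARD ' \
        | grep -F -- " -i $bridge " \
        | grep -F -- " -s $subnet " \
        | grep -qF -- ' -j ACCEPT'
}

# Returns 0 when bridge-to-bridge forwarding would be dropped: the chain policy
# is DROP and there is no explicit ACCEPT for the bridge and subnet.
forward_needs_rule() {
    bridge=$1; subnet=$2; rules=$3
    policy=$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "FORWARD" {print $3}')
    [ "$policy" = "DROP" ] || return 1
    if forward_rule_present "$bridge" "$subnet" "$rules"; then
        return 1
    fi
    return 0
}

# Live variant for a host (needs root): read the real chain, insert once.
ensure_forward_rule() {
    bridge=$1; subnet=$2
    current=$(iptables -S FORWARD)
    if forward_needs_rule "$bridge" "$subnet" "$current"; then
        iptables -I FORWARD -i "$bridge" -s "$subnet" -j ACCEPT
        echo "inserted FORWARD ACCEPT for $subnet on $bridge"
    else
        echo "no change: policy is not DROP or the rule is already present"
    fi
}

# Constructed sample: a Docker host before the fix (policy DROP, Docker's own
# chains present, nothing for the pipework bridge).
SAMPLE_BEFORE='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# Constructed sample: the same chain after the rule from the thread was
# inserted at the top (iptables -S prints -s before -i).
SAMPLE_AFTER='-P FORWARD DROP
-A FORWARD -s 1.2.3.0/24 -i brcj_novlan -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# Constructed sample: a host without Docker's policy change; nothing to do.
SAMPLE_POLICY_ACCEPT='-P FORWARD ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

# Dry run against the constructed samples (no iptables call).
for name in SAMPLE_BEFORE SAMPLE_AFTER SAMPLE_POLICY_ACCEPT; do
    eval "rules=\$$name"
    if forward_needs_rule brcj_novlan 1.2.3.0/24 "$rules"; then
        echo "$name: ACCEPT rule needed"
    else
        echo "$name: nothing to do"
    fi
done
```

On a real host, run `ensure_forward_rule brcj_novlan 1.2.3.0/24` as root after pipework has created the bridge; the rule is inserted at position 1 exactly as in the thread, and a second run is a no-op. Keep the subnet as narrow as the containers actually use, since the rule accepts every source in it that arrives on the bridge.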