1

In my production environment I have some apps in Docker that need to connect to backing services, e.g. the database on the same host. I found I needed to make an exception in iptables to accept these connections.

However, the IP range of the Docker network varies between restarts. At first it was 172.18.0.0/24, later 172.17.0.0/24 and 172.20.0.0/24, and now the IPs are 192.168.172.2 and 192.168.192.3.

How can you accept Docker traffic from within a container to, say, MariaDB reliably and safely?

EDIT: One answer seems to be specifying the IPAM configuration, but attaching to an interface seems more elegant.

TacoV
  • 83
  • 8

1 Answer

2

Two options:

First

Allow access from the docker0 interface rather than for a specific IP range.

iptables -A INPUT -i docker0 -p tcp --dport 3306 -j ACCEPT

Second

Move the database into a container.

Create a named Docker network.

Make sure all containers are attached to the named network. You should then be able to access the database container by name from any other container (on the same network).

If you need to access the database externally you can map the port and set up whatever iptables rules you want to secure it.

hardillb
  • 1,275
  • 1
  • 9
  • 19
  • Thanks, it's indeed much better to select by interface - had not thought of that. I see my current interface isn't `docker0` but `br-55ecf2befb3b` but that's a new point to start searching. I'd rather not have my database (and other backing services) in a container in production, but that would work. – TacoV Jan 01 '21 at 22:13
  • Personally, I run the whole stack from containers; it makes migration/rebuild so much easier. – hardillb Jan 01 '21 at 22:24
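The interface-scoped rule from the answer's first option, worked through as a reviewable script that also covers the second option's named network. This is an added example, not code from the answer, from Docker or from the iptables project. It assumes Docker's default bridge naming for user-defined networks: the host interface is `br-` followed by the first 12 hex characters of the network ID (the form of the `br-55ecf2befb3b` interface mentioned in the comments), unless the network was created with the `com.docker.network.bridge.name` option. The function names `bridge_iface`, `mariadb_rules` and `docker_bridge_for`, the network name `apps` and the `55ecf2befb3b…` network ID in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example: generate iptables rules that accept MariaDB (3306) only on the
# host interface of a Docker bridge network, instead of on a subnet that IPAM
# may hand out differently after each restart.

# Derive the host bridge interface name from a Docker network ID.
# Assumes Docker's default "br-<first 12 hex chars of the ID>" naming.
bridge_iface() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Print (do not execute) the rules for the given bridge interface and port.
# Printing keeps the rules reviewable; pipe into `sudo sh` to apply them.
mariadb_rules() {
    iface="$1"
    port="${2:-3306}"
    # Accept connections to the DB port only when they arrive via the bridge.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$iface" "$port"
    # Explicitly reject the same port from every other interface, so the
    # database is not reachable host-wide even if the chain policy is ACCEPT.
    printf 'iptables -A INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$port"
}

# Resolve the bridge interface of a named Docker network on the Docker host.
# Honours a bridge name pinned at creation time with
#   docker network create -o com.docker.network.bridge.name=<name> <network>
# and otherwise falls back to the default br-<id12> form.
docker_bridge_for() {
    net="$1"
    pinned="$(docker network inspect -f '{{index .Options "com.docker.network.bridge.name"}}' "$net" 2>/dev/null)" || return 1
    if [ -n "$pinned" ]; then
        printf '%s\n' "$pinned"
    else
        bridge_iface "$(docker network inspect -f '{{.Id}}' "$net")"
    fi
}

# Usage on the Docker host:  sh docker-db-rules.sh apps [port]
# Constructed example: for a network whose ID starts 55ecf2befb3b this prints
# rules for interface br-55ecf2befb3b. Nothing runs when no argument is given,
# so the functions above can be sourced from other scripts.
if [ "$#" -ge 1 ]; then
    iface="$(docker_bridge_for "$1")" || { echo "no such docker network: $1" >&2; exit 1; }
    mariadb_rules "$iface" "${2:-3306}"
fi
```

A named network that is removed and recreated (for example by `docker-compose down` followed by `up`) gets a new ID and therefore a new `br-` name, so the interface can drift just as the subnet did in the question. Pinning the bridge name when creating the network (`docker network create -o com.docker.network.bridge.name=br-apps apps`) gives a name that survives recreation; `docker_bridge_for` above then returns that pinned name, and the accept rule no longer depends on which subnet IPAM assigns.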