I just tried out Docker. It is awesome but seems not to work nicely with ufw. By default, Docker manipulates iptables a little bit. The outcome is not a bug, but it is not what I expected. For more details you can read The dangers of UFW + Docker.
My goal is to set up a system like
Host (running ufw) -> docker container 1 - nginx (as a reverse proxy) -> docker container 2 - node web 1 -> docker container 3 - node web 2 -> .......
I want to manage the incoming traffic (e.g. restrict access) through ufw, therefore I don't want Docker to touch my iptables. Here is my test.
Environment:
- a newly installed Ubuntu 14.04 (kernel: 3.13.0-53 )
- Docker 1.6.2
- ufw forwarding is enabled (Enable UFW forwarding).
- --iptables=false was added to the Docker daemon options.
First Attempt
docker run --name ghost -v /home/xxxx/ghost_content:/var/lib/ghost -d ghost
docker run --name nginx -p 80:80 -v /home/xxxx/nginx_site_enable:/etc/nginx/conf.d:ro --link ghost:ghost -d nginx
No luck. The first command is fine, but the second command will throw an error:
Error response from daemon: Cannot start container
Second Attempt
Then I found this: unable to link containers with --iptables=false #12701
After running the following command, everything looks OK.
sudo iptables -N DOCKER
However, I noticed that I cannot establish any outbound connections from inside the containers. For example:
xxxxg@ubuntu:~$ sudo docker exec -t -i nginx /bin/bash
root@b0d33f22d3f4:/# ping 74.125.21.147
PING 74.125.21.147 (74.125.21.147): 56 data bytes
^C
--- 74.125.21.147 ping statistics ---
35 packets transmitted, 0 packets received, 100% packet loss
root@b0d33f22d3f4:/#
If I remove --iptables=false from the Docker daemon, then the internet connection of the containers is back to normal, but ufw will not work 'properly' (well... by my definition).
So, what is the best practice for Docker + ufw? Can anyone provide some help?
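Added example (not part of the question above): a read-only POSIX shell audit of an iptables-save dump for the two things that --iptables=false leaves Docker unable to create, the DOCKER filter chain (whose absence causes the --link error) and the POSTROUTING MASQUERADE rule for the bridge subnet (whose absence causes the outbound packet loss). The two dumps are constructed, and the 172.17.0.0/16 subnet is the assumed default docker0 range.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the rules Docker normally
# installs itself. With dockerd started with --iptables=false neither the
# DOCKER chain nor the MASQUERADE rule for the bridge subnet is created.
# Assumption: docker0 uses Docker's default 172.17.0.0/16 range.
DOCKER_SUBNET="${DOCKER_SUBNET:-172.17.0.0/16}"

# Constructed dump: host where only 'sudo iptables -N DOCKER' was run by hand.
DUMP_ONLY_CHAIN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -i docker0 -o eth0 -j ACCEPT
COMMIT'

# Constructed dump: host where dockerd manages iptables itself.
DUMP_DOCKER_MANAGED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT'

# has_docker_chain DUMP: succeeds if the DOCKER chain is declared.
has_docker_chain() {
    printf '%s\n' "$1" | grep -q '^:DOCKER '
}

# has_masquerade DUMP: succeeds if traffic from the bridge subnet leaving via
# another interface is source-NATed; without it container replies never return.
has_masquerade() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $DOCKER_SUBNET ! -o docker0 -j MASQUERADE"
}

# audit DUMP: reports what is missing; returns 0 only if both are present.
audit() {
    rc=0
    has_docker_chain "$1" || { echo "missing: DOCKER chain"; rc=1; }
    has_masquerade "$1"   || { echo "missing: nat MASQUERADE for $DOCKER_SUBNET"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: DOCKER chain and MASQUERADE rule present"
    return "$rc"
}

# On a live host (as root) run: audit "$(iptables-save)"
for d in "$DUMP_ONLY_CHAIN" "$DUMP_DOCKER_MANAGED"; do
    audit "$d" && echo "result: pass" || echo "result: fail"
done
```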