Ping, NAT, Subnet and Firewall on TP5

  • Question

  • Hi all,

    I have three containers running in the same default NAT (nat) network; running "docker network inspect nat" will show:

    "Containers": {
                "050ef7e48f753c28f90574c0660a060c69dc592acaf96c7d6961d03590931c4d": {
                    "Name": "jenkins",
                    "EndpointID": "c615835961ef02522247f013612081b6afdbf842b3d62203e2d80fac65f0c139",
                    "MacAddress": "00:15:5d:00:07:47",
                    "IPv4Address": "172.30.76.130/16",
                    "IPv6Address": ""
                },
                "72cfa1f45226715fe660183e66b12544d1b6d0f4f644fa4d2fdd3848bad31543": {
                    "Name": "build",
                    "EndpointID": "4dfe03afeeac59b3b5476e104c3ffedf08404b0fe896b1b20f5558f88795a2c6",
                    "MacAddress": "00:15:5d:00:07:70",
                    "IPv4Address": "172.17.55.183/16",
                    "IPv6Address": ""
                },
                "fac79cba145007617741d9866ec884240e907db34f0a554c8167703667fbe17d": {
                    "Name": "nginx",
                    "EndpointID": "f1f94473c56e121ee1dc5a988381e2443663b5163b88ee49ef8ab1d92c1127ae",
                    "MacAddress": "00:15:5d:00:0d:a1",
                    "IPv4Address": "172.17.48.1/16",
                    "IPv6Address": ""
                }
            }

    So on paper it looks like the first container is on a different subnet from the other two. One would assume the last two containers can ping each other. But that's not the case.

    Once you get into the last container, ipconfig will show this:

    IPv4 Address. . . . . . . . . . . : 172.17.48.1
    Subnet Mask . . . . . . . . . . . : 255.240.0.0
    Default Gateway . . . . . . . . . : 172.16.0.1

    Now this is interesting because it shows a different subnet mask, and with this mask the network range is in fact:

    172.16.0.1 - 172.31.255.254

    Which explains that all three containers are in the SAME network, which is correct, the default "nat". So is "docker network inspect" telling a lie?

    And you can't ping the containers from the host, or ping one container from another.

    Looking at the firewall inbound rules, although I only have 3 containers, there are 8 ICMPv4 rules with names like this: "Container: ICMPv4 echo request allow inbound - a0b13767-c911-4222-be4c-1dd586391967". I tried to relate this GUID to something and found it's not the container ID or endpoint ID or anything I can recognize. So what is the GUID? Why is the count higher than my number of containers? Is that a partial clean-up?

    The rule only specifies "Type 8, Code 0" for ICMP. Once I enabled "Echo Request", ping started to work; later, even when I disable "Echo Request", ping continues to work.

    Can anyone explain all this magic a bit? When can we set firewall rules for containers?

    Thanks a lot!

    Tuesday, June 21, 2016 11:05 AM
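As an added example (not part of the original post or of Docker's code), the subnet arithmetic the question walks through, in Python: the /16 prefix that "docker network inspect" reports versus the 255.240.0.0 mask that ipconfig shows inside the container, and which containers share a network under each. The container names and addresses are the ones quoted in the post above.

```python
import ipaddress

# Container addresses exactly as reported by "docker network inspect nat" in the
# post, including the /16 prefix that the inspect output attaches to them.
INSPECT_ADDRESSES = {
    "jenkins": "172.30.76.130/16",
    "build": "172.17.55.183/16",
    "nginx": "172.17.48.1/16",
}

# Subnet mask that ipconfig shows inside the nginx container.
IPCONFIG_MASK = "255.240.0.0"


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal mask (255.240.0.0) to a prefix length (12)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def network_of(address: str, prefix: int) -> ipaddress.IPv4Network:
    """Network a host address belongs to when the given prefix length applies.

    strict=False lets host bits be set, so "172.17.48.1" with /12 yields
    172.16.0.0/12 instead of raising.
    """
    host = ipaddress.IPv4Interface(address).ip
    return ipaddress.IPv4Network((host, prefix), strict=False)


def group_by_network(addresses: dict, prefix: int) -> dict:
    """Map each network (as a string) to the container names inside it."""
    groups = {}
    for name, addr in addresses.items():
        groups.setdefault(str(network_of(addr, prefix)), []).append(name)
    return groups


def usable_range(address: str, mask: str):
    """First and last host address of the network implied by address + mask."""
    net = network_of(address, mask_to_prefix(mask))
    return str(net.network_address + 1), str(net.broadcast_address - 1)


if __name__ == "__main__":
    # With the /16 that inspect reports, jenkins appears to sit alone;
    # with the /12 that ipconfig reports, all three share 172.16.0.0/12.
    print("inspect view (/16):", group_by_network(INSPECT_ADDRESSES, 16))
    real_prefix = mask_to_prefix(IPCONFIG_MASK)
    print(f"ipconfig view (/{real_prefix}):", group_by_network(INSPECT_ADDRESSES, real_prefix))
    print("host range:", usable_range("172.17.48.1", IPCONFIG_MASK))
```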