Linux – Port inside linked docker container is not accessible to the other container

Tags: containers, docker, linux, networking

Following Docker's documentation on linking containers, I am trying to make two containers: salt-master and salt-minion, with salt-minion having a link to salt-master.
Also, I am using the Dockerfile EXPOSE instruction to expose ports on the salt master.
As far as I understand, I should reach the exposed ports of salt-master from the salt-minion container.

My Dockerfile for salt-master is:

FROM fedora
EXPOSE 4505 4506
ADD master /etc/salt/master
CMD /usr/bin/salt-master -l debug

I run the salt-master container with:

docker run -it --name salt-master myuser/fedora-salt-master /bin/bash

I run the salt-minion container with:

docker run -it --name salt-minion --link salt-master:salt-master myuser/fedora-salt-minion /bin/bash

Then from inside the salt-minion container I run this and get:

telnet salt-master 4506
Trying 172.17.0.105...
telnet: connect to address 172.17.0.105: No route to host

If I look inside the salt-master, the ports seem open. However, they are not accessible to salt-minion.

If I look with tcpdump I get:

11:26:12.188884 IP 172.17.42.1 > 172.17.0.112: ICMP host 172.17.0.111
   unreachable - admin prohibited, length 68

where:

172.17.0.111 is salt-minion, the host I am trying the ports from

172.17.0.112 is the salt-master, the host that exposes the ports

172.17.42.1 is the docker0 virtual interface

Does anyone have a clue?

Best Answer

The host is a Fedora 22 and it seems the firewall on the host was preventing the containers from reaching each other. I had Fedora's firewalld running, and that let containers ping each other but not reach their ports. I disabled firewalld, used only iptables instead, and with iptables containers could not even ping each other. Whether this is the fault of Docker-added rules or the existing firewall rules, I haven't investigated yet. But stopping both firewalld and iptables on the host made it work.
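The "admin prohibited" ICMP in the question is what an iptables REJECT with --reject-with icmp-host-prohibited produces, and firewalld ends its FORWARD chain with exactly such a rule. Docker appends its own "-i docker0 -o docker0 -j ACCEPT" rule, so on a host where firewalld's REJECT was installed first, Docker's ACCEPT sits behind it and is never reached: the first terminating match in the chain wins. The script below is an added example, not code from the question, the answer or the Docker/Salt projects. It walks an `iptables -S FORWARD` listing in order and reports the verdict a new container-to-container connection on docker0 would get. The function names (`forward_verdict`, `broken_rules`, `fixed_rules`) are mine, the two rule dumps are constructed to resemble such a host rather than copied from one, and the evaluator deliberately treats jumps into user-defined chains (FORWARD_IN_ZONES, DOCKER, ...) as non-terminating, which is a simplification.

```shell
#!/bin/sh
# Added example (not from the original post). Reads an `iptables -S FORWARD`
# dump on stdin and prints the verdict (ACCEPT / REJECT / DROP) the host
# gives a NEW connection bridged from docker0 to docker0.
forward_verdict() {
    awk '
    # Chain policy applies when no terminating rule matches.
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    # Only rules appended to the FORWARD chain are evaluated.
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        in_if = ""; out_if = ""; target = ""; state = ""; neg_out = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "!" && $(i + 1) == "-o") { neg_out = 1; out_if = $(i + 2) }
            if ($i == "-j") target = $(i + 1)
            if ($i == "--ctstate") state = $(i + 1)
        }
        # Interface constraints: both ends of our traffic are docker0.
        if (in_if != "" && in_if != "docker0") next
        if (neg_out && out_if == "docker0") next
        if (!neg_out && out_if != "" && out_if != "docker0") next
        # A fresh SYN does not match conntrack rules that leave out NEW.
        if (state != "" && state !~ /NEW/) next
        # Simplification: only built-in terminating targets decide; jumps
        # into user chains such as FORWARD_IN_ZONES or DOCKER are skipped.
        if (target == "ACCEPT" || target == "REJECT" || target == "DROP") {
            print target; done = 1; exit
        }
    }
    END { if (!done) print (policy == "" ? "ACCEPT" : policy) }
    '
}

# Constructed dump: firewalld installed its chain first, Docker appended
# its rules afterwards, so Docker's ACCEPT sits behind firewalld's REJECT.
broken_rules() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
EOF
}

# Constructed dump after `iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT`:
# the same rules, but the bridge ACCEPT now precedes firewalld's REJECT.
fixed_rules() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
EOF
}

echo "before: $(broken_rules | forward_verdict)"   # REJECT
echo "after:  $(fixed_rules | forward_verdict)"    # ACCEPT
```

On a real host, `sudo iptables -S FORWARD | forward_verdict` gives the same kind of answer, and `sudo iptables -S FORWARD` by itself shows whether a REJECT precedes Docker's docker0 rules. If it does, stopping the firewall (as the answer did) is the heavy-handed fix; the narrower options, which are my suggestions rather than anything the answer tested, are to insert the docker0 ACCEPT ahead of the REJECT with `iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT`, or to move the bridge into firewalld's trusted zone with `firewall-cmd --permanent --zone=trusted --add-interface=docker0` followed by `firewall-cmd --reload`, so that the host keeps filtering everything else.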