4

I have two servers in AWS, both in a security group that allows all traffic on all ports between members of the security group. On one server I have a MySQL server (without docker, let's call this server the "MySQL server") and on the other server I have docker (let's call it the "Docker server"). I want to access MySQL from within a container on the docker server without having to route the traffic over the internet (I'd like to use the internal IP address of the MySQL server instead).

Is this possible? What are my options?

What I've tried so far

I've configured the MySQL server to listen on all interfaces, just for testing. This allows me to connect to the MySQL server successfully from the Docker server (using the mysql client to connect to the private IP address of the MySQL server). However, when I start a container, a new network namespace is created, so I can't access the private IP address of the MySQL server anymore.

I've tried using an ambassador container as described here, but I run into the same problem: the private IP address of the MySQL server is not available from inside the ambassador container.

Example

Here's an example to illustrate the problem and what I'm trying to do.

From the Docker server (not in any container yet):

    $ ping -c 1 10.0.0.155
    PING 10.0.0.155 (10.0.0.155) 56(84) bytes of data.
    64 bytes from 10.0.0.155: icmp_seq=1 ttl=64 time=0.777 ms

    --- 10.0.0.155 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.777/0.777/0.777/0.000 ms

However, trying from within a container:

    $ sudo docker run --rm -it apcera/nats-ping-client ping -c 1 10.0.0.115
    PING 10.0.0.115 (10.0.0.115) 56(84) bytes of data.
    From 10.0.0.200 icmp_seq=1 Destination Host Unreachable

    --- 10.0.0.115 ping statistics ---
    1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

I expect this because I know that Docker creates a new private network just for the containers, but I don't know enough to be able to get around what I'm trying to do.

How can I wire things to be able to access the mysql server from within a container?

2
  • Looks like you aren't exposing any ports from your container? Did you resolve this? BTW, ping uses port 7 so even if that worked for you, I doubt it would address your actual problem as mysql is going to use different ports. Commented Aug 23, 2016 at 12:19
  • No, the original question is still not resolved. In the end I decided to use the public IP address of the MySQL server from within the Docker containers. I updated the AWS security group to restrict access to the MySQL port only from the Docker server; this is working. It's not what I originally wanted though; I wanted to route the MySQL traffic over the private network instead of having to go over the internet. Commented Aug 29, 2016 at 8:55

1 Answer

4

Yes, that's possible.

Whether a container can talk to the world is governed by two factors. The first factor is whether the host machine is forwarding its IP packets. The second is whether the host’s iptables allow this particular connection.

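  1. To check the setting on your kernel or to turn it on manually (be sure to set it to 1):

    # Show the current value (0 = the host does not forward packets)
    $ sysctl net.ipv4.conf.all.forwarding
    net.ipv4.conf.all.forwarding = 0

    # Turn forwarding on (changing the value requires root)
    $ sudo sysctl net.ipv4.conf.all.forwarding=1

    # Confirm the new value
    $ sysctl net.ipv4.conf.all.forwarding
    net.ipv4.conf.all.forwarding = 1
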
  2. Docker will never make changes to your system iptables rules if you set --iptables=false when the daemon starts. Otherwise the Docker server will append forwarding rules to the DOCKER filter chain. So, be sure not to use --iptables=false.
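
The two factors named in this answer can be checked mechanically. The script below is an added example, not part of the original answer; it assumes the containers sit on Docker's default bridge `docker0`, and the rule listing in `SAMPLE_RULES` is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Each check parses command
# output passed in as text, so the logic can be exercised offline.
# Assumption: containers sit on Docker's default bridge, docker0.

# True if a line of `sysctl net.ipv4.conf.all.forwarding` output reports 1.
forwarding_enabled() {
    case "$1" in
        *"= 1") return 0 ;;
        *)      return 1 ;;
    esac
}

# True if `iptables -S FORWARD` output ($1) lets traffic leave bridge $2.
# Simplified: looks for a default ACCEPT policy or the explicit egress rule,
# and ignores any DROP/REJECT rule that might sit in front of it.
bridge_egress_allowed() {
    bridge="${2:-docker0}"
    printf '%s\n' "$1" | grep -q -e '^-P FORWARD ACCEPT$' && return 0
    printf '%s\n' "$1" | grep -Eq -e "^-A FORWARD -i $bridge ! -o $bridge -j ACCEPT\$"
}

# Report the first of the two factors that fails. $1 = sysctl line, $2 = rules.
diagnose() {
    forwarding_enabled "$1" || { echo "kernel is not forwarding IPv4"; return 1; }
    bridge_egress_allowed "$2" || { echo "FORWARD chain blocks docker0 egress"; return 2; }
    echo "forwarding on, docker0 egress accepted"
}

# Constructed sample of what a host with Docker-managed rules may print.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

diagnose "net.ipv4.conf.all.forwarding = 1" "$SAMPLE_RULES"

# On a real host (needs root for iptables):
#   diagnose "$(sysctl net.ipv4.conf.all.forwarding)" "$(iptables -S FORWARD)"
```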


2 Comments

The sysctl net.ipv4.conf.all.forwarding is already set to 1 and I am not using --iptables=false in the docker options. Could you explain how I should configure my containers to get this working? Also note that I don't necessarily need the containers to talk to the world, just to another server on the Docker server's private network.
@Camilo Silva, is there any way to achieve the same in Docker for Windows?
