Overview
I need a Docker Compose Zabbix host to ping a host on a containerlab Docker network.
These two Docker networks run under a Linux Docker host machine, as below. This information comes from docker network inspect <statics|zabbix6_statics>:
Name | Driver | Subnet | GW | Internal |
---|---|---|---|---|
statics | bridge | 192.0.2.0/24 | None | false |
zabbix6_statics | bridge | 172.25.0.0/16 | 172.25.0.1 | false |
My Docker host can ping a statics Docker container at 192.0.2.2; however, one of my Docker Compose containers on zabbix6_statics cannot ping that same statics container at 192.0.2.2.
My problem is that I am not sure how to control the GW setup for the statics Docker network; it is built automatically by containerlab.
Docker host external interface, routing table and routing configuration:
$ ip addr show ens160
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:a7:82:54 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 10.100.50.5/28 brd 10.100.50.15 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fea7:8254/64 scope link
valid_lft forever preferred_lft forever
$
$ ip route show
default via 10.100.50.1 dev ens160 proto static
10.100.50.0/28 dev ens160 proto kernel scope link src 10.100.50.5
172.25.0.0/16 dev br-2f0c8e39d468 proto kernel scope link src 172.25.0.1
192.0.2.0/24 dev br-3b7a04204493 proto kernel scope link src 192.0.2.1
$
$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
$
Docker host iptables -L:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (6 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.25.0.3 tcp dpt:zabbix-trapper
ACCEPT tcp -- anywhere 172.25.0.4 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* set by containerlab */
RETURN all -- anywhere anywhere
$
iptables drops: the line with 573K drops (below) sure looks like it could be a problem, but I don't know how to remove this line. br-2f0c8e39d468 is the Docker Compose Zabbix bridge network.
$ sudo iptables -L -v -n | grep DROP
Chain FORWARD (policy DROP 1 packets, 48 bytes)
5887 573K DROP all -- * br-2f0c8e39d468 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-3b7a04204493 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9c380974ca10 0.0.0.0/0 0.0.0.0/0
128 19232 DROP all -- * br-8852215d128f 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-9eb46ec5c23e 0.0.0.0/0 0.0.0.0/0
$
I think the iptables rule applied automatically by the Docker Compose YAML is part of the problem (see below).
Problem
From a Docker Compose Zabbix container on 172.25.0.0/16, I can ping 192.0.2.1 (the Linux bridge IP address for Docker network 192.0.2.0/24), but I cannot ping the containerlab Docker container at 192.0.2.2.
The Zabbix web GUI can be accessed from the Docker host via http://10.100.50.5:9000. The Docker host IP address is 10.100.50.5.
Question
The most important task is just getting the Docker Compose zabbix6_statics network to successfully ping into the Docker statics network (i.e. Docker containers on 172.25.0.0/16 ping 192.0.2.2).
I really don't care what kind of Linux kludge fixes or iptables work needs to be done to make pings between the container bridges work right.
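Added example, not from the original post and not containerlab's or Docker's own tooling: a POSIX shell script that opens a narrow path between two Docker bridges through the DOCKER-USER chain, which Docker evaluates first in FORWARD (ahead of DOCKER-ISOLATION-STAGE-1, the chain whose STAGE-2 DROP rules carry the 573K counter above) and leaves untouched when it rewrites its own chains. It allows new flows only from the Zabbix bridge into the lab bridge and only conntrack-established replies back, rather than a blanket ACCEPT. Assumed: the network names zabbix6_statics and statics from the post, Docker's default bridge naming (br- followed by the first 12 hex characters of the network ID) for both networks, and a constructed sample of `iptables -L DOCKER-ISOLATION-STAGE-2 -v -n -x` output, built from the counters in the post with a made-up exact byte count, so the parser can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original post). Allows forwarding between two
# Docker bridge networks via DOCKER-USER, the chain Docker consults first in
# FORWARD and does not flush. Assumptions: network names zabbix6_statics and
# statics as in the post; Docker's default "br-" + 12-char-ID bridge naming.
set -eu

# Docker names the Linux bridge of a user-defined network after its ID.
bridge_name_from_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Resolve a Docker network name to its bridge device (needs the docker CLI).
bridge_for_network() {
    bridge_name_from_id "$(docker network inspect -f '{{.Id}}' "$1")"
}

# Minimal rule set, one rule per line in iptables argument form:
# new flows only from bridge $1 into bridge $2, and only reply traffic back.
allow_rules() {
    printf '%s\n' \
        "-i $1 -o $2 -j ACCEPT" \
        "-i $2 -o $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Insert each rule at position 1 of DOCKER-USER unless already present
# (iptables -C exits non-zero when the rule is absent). Run as root.
apply_rules() {
    allow_rules "$1" "$2" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        if ! iptables -C DOCKER-USER $rule 2>/dev/null; then
            iptables -I DOCKER-USER 1 $rule
        fi
    done
}

# Read `iptables -L DOCKER-ISOLATION-STAGE-2 -v -n -x` on stdin and print the
# packet counter of the DROP rule whose out-interface is $1. Columns are:
# pkts bytes target prot opt in out source destination.
drops_for_bridge() {
    awk -v br="$1" '$3 == "DROP" && $7 == br { print $1 }'
}

# Live counter; sample it before and after a ping to see whether it still grows.
isolation_drops() {
    iptables -L DOCKER-ISOLATION-STAGE-2 -v -n -x | drops_for_bridge "$1"
}

# Constructed sample of the STAGE-2 listing, using the packet counters from the
# post (the exact byte count is made up), for exercising drops_for_bridge.
SAMPLE_STAGE2='Chain DOCKER-ISOLATION-STAGE-2 (6 references)
    pkts      bytes target     prot opt in     out     source               destination
    5887     586752 DROP       all  --  *      br-2f0c8e39d468  0.0.0.0/0            0.0.0.0/0
       0          0 DROP       all  --  *      br-3b7a04204493  0.0.0.0/0            0.0.0.0/0
       0          0 DROP       all  --  *      docker0          0.0.0.0/0            0.0.0.0/0
  110304   12345678 RETURN     all  --  *      *                0.0.0.0/0            0.0.0.0/0'

# Usage: sh allow-bridges.sh <initiator-network> [target-network]
#   Prints the two iptables commands; with APPLY=1 in the environment it
#   inserts them and reports the current STAGE-2 drop counter instead.
if [ "$#" -gt 0 ]; then
    from_br=$(bridge_for_network "$1")
    to_br=$(bridge_for_network "${2:-statics}")
    if [ "${APPLY:-0}" = 1 ]; then
        apply_rules "$from_br" "$to_br"
        printf 'STAGE-2 drops toward %s: %s\n' "$from_br" "$(isolation_drops "$from_br")"
    else
        allow_rules "$from_br" "$to_br" | sed 's/^/iptables -I DOCKER-USER 1 /'
    fi
fi
```

Run `sh allow-bridges.sh zabbix6_statics statics` to review the two commands, then `sudo APPLY=1 sh allow-bridges.sh zabbix6_statics statics` to insert them; the second rule admits only established replies, so nothing on 192.0.2.0/24 can open a connection back into the Zabbix network. Two checks worth doing first: `iptables -L` without `-v` hides in/out interface matches, so `sudo iptables -S DOCKER-USER` shows what the containerlab ACCEPT actually covers; and in the `-v -n` listing the column before the source address is the out-interface, so the 573K counter in the post is on packets headed toward br-2f0c8e39d468. The inserted rules do not survive a reboot, and the bridge name changes whenever docker compose recreates the network, which is why the script resolves it from the network name each time.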