0
votes

I am running a tomcat based application inside a container, and a Postgres database container on my ubuntu host using docker compose. They are in same docker bridge network defined by me. I have my firewall enabled. My firewall doesn't have any deny rule for 5432 port. When my firewall is disabled, my tomcat application can connect to a database container by using either its IP or service name. But when the firewall is enabled, it does not connect to the database container. I have set DOCKER_OPTS="--iptables=false" in docker.conf and restarted docker. Why it is not connecting when firewall is enabled?

1) These are my active rules:

To Action From
-- ------ ----
2377/tcp ALLOW Anywhere
7946/tcp ALLOW Anywhere
7946/udp ALLOW Anywhere
4789/udp ALLOW Anywhere
22 ALLOW Anywhere
8443 ALLOW 10.20.220.185
8443 ALLOW 10.20.220.78
8081 ALLOW 10.5.0.7
5432 ALLOW Anywhere
8081 ALLOW 10.5.0.5
2377/tcp (v6) ALLOW Anywhere (v6)
7946/tcp (v6) ALLOW Anywhere (v6)
7946/udp (v6) ALLOW Anywhere (v6)
4789/udp (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
5432 (v6) ALLOW Anywhere (v6)

=========================================================================

2) This is my application configuration to connect to the database using the service name:

    driverClass=org.postgresql.Driver
    jdbcUrl=jdbc:postgresql://PostgresDatabase:5432/dockerdb
    user=dockeruser

1
Have you tried to restart docker? And updating with docker-compose.yml might be helpful. – Light.G
Yes, I tried restarting but same output. – Amit Dighe

1 Answer

0
votes

Setting --iptables=false means that docker daemon could not configure iptables rule(s) on host. However it's kind of essential while you have ufw enabled.
I am sure this issue would disappear after you delete DOCKER_OPTS="--iptables=false" in configuration and restart docker daemon.

During the start process, the Docker daemon configures some extra iptables rules to keep communication working among containers and between containers and the outside world, since the firewall/ufw would otherwise DROP packets because of DEFAULT_FORWARD_POLICY.

Below is a rough outline of how docker creates its iptables rules:

  1. Enable NAT on docker0 with the iptables tool.
    iptables -I POSTROUTING -t nat -s 172.17.0.1 ! -o docker0 -j MASQUERADE

  2. Enable communication within containers.
    iptables -I FORWARD -i docker0 -o docker0 -j ACCEPT

  3. Enable communication between containers and the outside world.
    iptables -I FORWARD -i docker0 ! -o docker0 -j ACCEPT

  4. Accept any packets belonging to outside connections which are already established.
    iptables -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Above all, you have iptables set to false and the firewall enabled without any extra steps. It is just like throwing the key away with the door locked, but still wanting to go outside. So I strongly suggest you do not change any docker network settings before you totally understand the architecture of docker networking and how those components work together.

This is another question asked in a different way. May the answers help you more.
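To make the answer's explanation concrete, here is an added example (not code from the question, the answer, or Docker itself) that simulates how the kernel walks the filter table's FORWARD chain for a container-to-container packet. It parses two constructed iptables-save style dumps: one where ufw is enabled and Docker was started with --iptables=false (only ufw's DROP policy and its conntrack rule are present), and one where Docker was allowed to insert the rules listed in steps 2-4 above. The dumps, the chain name ufw-before-forward and the packet descriptions are constructed for illustration; the simulator only models -i, -o, conntrack --ctstate and -j, and refuses anything else rather than silently ignoring it. Docker creates the same kind of rules for a compose-defined bridge under its own br-* interface name, so the docker0 case generalises to the asker's user-defined network.

```python
"""Simulate FORWARD-chain evaluation to show why container traffic is dropped
when ufw is enabled and Docker is started with --iptables=false.
Added example with constructed rule dumps; not part of the original answer."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed dump: ufw enabled, Docker started with --iptables=false.
# Only ufw's policy and its conntrack rule exist; nothing accepts NEW bridge traffic.
UFW_ONLY = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-forward - [0:0]
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed dump: same host after removing --iptables=false, so Docker has
# inserted its rules (steps 2-4 of the answer) ahead of the ufw jump.
WITH_DOCKER_RULES = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-forward - [0:0]
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ufw-before-forward
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed packets: the app container's first SYN to Postgres on the same
# bridge, and a reply packet on an already-established connection.
NEW_APP_TO_DB = {"in": "docker0", "out": "docker0", "ctstate": "NEW"}
ESTABLISHED_APP_TO_DB = {"in": "docker0", "out": "docker0", "ctstate": "ESTABLISHED"}
NEW_CONTAINER_TO_INTERNET = {"in": "docker0", "out": "eth0", "ctstate": "NEW"}


@dataclass
class Rule:
    in_iface: Optional[str] = None
    in_negated: bool = False
    out_iface: Optional[str] = None
    out_negated: bool = False
    ctstates: set = field(default_factory=set)
    target: str = ""


def parse_rule(tokens):
    """Build a Rule from the tokens after '-A CHAIN'; unsupported options raise."""
    rule, negate, i = Rule(), False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok == "-i":
            rule.in_iface, rule.in_negated = tokens[i + 1], negate
        elif tok == "-o":
            rule.out_iface, rule.out_negated = tokens[i + 1], negate
        elif tok == "-m":
            if tokens[i + 1] != "conntrack":
                raise ValueError(f"unsupported match module {tokens[i + 1]!r}")
        elif tok == "--ctstate":
            rule.ctstates = set(tokens[i + 1].split(","))
        elif tok == "-j":
            rule.target = tokens[i + 1]
        else:
            raise ValueError(f"unsupported option {tok!r}")
        negate = False
        i += 2
    return rule


def parse_filter_table(dump):
    """Return ({chain: policy or None}, {chain: [Rule, ...]}) from an iptables-save dump."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        line = line.strip()
        header = re.match(r"^:(\S+)\s+(\S+)", line)
        if header:
            chain, policy = header.groups()
            policies[chain] = None if policy == "-" else policy  # '-' = user chain
            chains.setdefault(chain, [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains


def rule_matches(rule, pkt):
    """First-match semantics: every present criterion must hold (honouring '!')."""
    if rule.in_iface is not None and (pkt["in"] == rule.in_iface) == rule.in_negated:
        return False
    if rule.out_iface is not None and (pkt["out"] == rule.out_iface) == rule.out_negated:
        return False
    if rule.ctstates and pkt["ctstate"] not in rule.ctstates:
        return False
    return True


def walk_chain(chain, pkt, policies, chains):
    """Walk a chain; terminal targets end evaluation, user chains recurse,
    falling off the end applies the policy (None for user chains = RETURN)."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk_chain(rule.target, pkt, policies, chains)
        if verdict is not None:
            return verdict
    return policies.get(chain)


def forward_verdict(dump, pkt):
    """Verdict the FORWARD chain gives this packet under the supplied rule set."""
    policies, chains = parse_filter_table(dump)
    return walk_chain("FORWARD", pkt, policies, chains)


if __name__ == "__main__":
    for name, dump in (("ufw + --iptables=false", UFW_ONLY), ("ufw + docker rules", WITH_DOCKER_RULES)):
        for label, pkt in (("new app->db", NEW_APP_TO_DB), ("established app->db", ESTABLISHED_APP_TO_DB),
                           ("new container->internet", NEW_CONTAINER_TO_INTERNET)):
            print(f"{name:24} {label:26} {forward_verdict(dump, pkt)}")
```

Running it shows the asymmetry the question describes: with only ufw's rules in place every NEW connection across the bridge falls through to the FORWARD chain's DROP policy, while ESTABLISHED traffic is still accepted by ufw's conntrack rule, so a connection that existed before the firewall was enabled keeps working and only fresh JDBC connections fail. Once Docker's own rules are in front of the ufw jump, the same NEW packet is accepted at the first rule. On a real host the equivalent check is to compare `sudo iptables -S FORWARD` before and after removing --iptables=false, rather than opening port 5432 in ufw, which only affects the INPUT path and never the bridged FORWARD path.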