On my production environment I have some apps in Docker that need to connect to backing services, e.g. the database on the same host. I found I needed to make an exception in iptables to accept these connections.
However, the IP range of the Docker network varies between restarts. At first it was 172.18.0.0/24, later 172.17.0.0/24 and 172.20.0.0/24, and now the IPs are 192.168.172.2 and 192.168.192.3.
How can you accept Docker traffic from within a container to, say, MariaDB reliably and safely?
EDIT: An answer seems to be specifying the IPAM configuration, but attaching to an interface seems more elegant
Two options:

First

Allow access from the docker0 interface rather than for a specific IP range.

Second

Move the database into a container.

1. Create a Docker named network.
2. Make sure all containers are attached to the named network. You should then be able to access the database container by name from any other container (on the same network).
3. If you need to access the database externally you can map the port and set up whatever iptables rules you want to secure it.
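The following is an added example, not code from the question or the answer above. It shows both options in a form that survives daemon restarts: the first function creates a named network with a fixed subnet and a fixed bridge interface name (user-defined networks otherwise get a random `br-<id>` interface, so an `-i docker0` rule would not match them), and the second emits iptables rules that accept the database port only on that bridge and drop it from every other interface, so the host-side rule no longer depends on whichever subnet Docker's IPAM picked. The network name `dbnet`, bridge name `br-db`, subnet `172.30.0.0/24` and `DRY_RUN` variable are assumptions of this example; `--subnet` and `--opt com.docker.network.bridge.name` are real `docker network create` options.

```shell
#!/bin/sh
# Added example (not from the original post): pin the Docker network's bridge
# name and subnet, then allow MariaDB only from that bridge interface.
# dbnet, br-db and 172.30.0.0/24 are hypothetical; choose an unused range.

DB_PORT=${DB_PORT:-3306}

# run: execute a command, or only print it when DRY_RUN is set
# (lets you review the docker/iptables invocations before applying them)
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# create_db_network NAME SUBNET BRIDGE
# Fixing the subnet and the bridge interface name makes the host firewall
# rule predictable; without these, Docker picks both on each restart.
create_db_network() {
    name=$1; subnet=$2; bridge=$3
    run docker network create \
        --driver bridge \
        --subnet "$subnet" \
        --opt com.docker.network.bridge.name="$bridge" \
        "$name"
}

# run_db_container NETWORK NAME IMAGE
# Option two from the answer: the database lives on the named network and is
# reachable by NAME from other containers on it; no port is published, so it
# is not exposed on the host's external interfaces at all.
run_db_container() {
    network=$1; name=$2; image=$3
    run docker run -d --network "$network" --name "$name" "$image"
}

# db_firewall_rules BRIDGE PORT
# Emit an iptables-restore fragment for the host-side database (option one):
# packets from containers reach the host through the bridge, so matching on
# the in-interface accepts any container subnet and rejects everything else.
db_firewall_rules() {
    bridge=$1; port=$2
    cat <<EOF
*filter
:DOCKER-DB - [0:0]
-A INPUT -p tcp --dport $port -j DOCKER-DB
-A DOCKER-DB -i $bridge -j ACCEPT
-A DOCKER-DB -i lo -j ACCEPT
-A DOCKER-DB -j DROP
COMMIT
EOF
}
```

Usage: `DRY_RUN=1 create_db_network dbnet 172.30.0.0/24 br-db` prints the command to review; without `DRY_RUN` it runs it. Apply the rules once with `db_firewall_rules br-db 3306 | iptables-restore --noflush` (or merge them into your persistent rule set), and keep MariaDB bound to the bridge gateway address or `0.0.0.0` so it accepts the connection once the packet is allowed in. Because the rule keys on the interface rather than on an address, a changed container IP or subnet no longer opens or closes the port unexpectedly.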