Add flag for inter-container communication

krivenok · Oct 25, 2013 · ce965b8 · ce965b8
1 parent f7a2f0b
commit ce965b8
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 21 deletions.
diff --git a/config.go b/config.go
@@ -5,13 +5,14 @@ import (
 )
 
 type DaemonConfig struct {
-	Pidfile        string
-	GraphPath      string
-	ProtoAddresses []string
-	AutoRestart    bool
-	EnableCors     bool
-	Dns            []string
-	EnableIptables bool
-	BridgeIface    string
-	DefaultIp      net.IP
+	Pidfile                     string
+	GraphPath                   string
+	ProtoAddresses              []string
+	AutoRestart                 bool
+	EnableCors                  bool
+	Dns                         []string
+	EnableIptables              bool
+	BridgeIface                 string
+	DefaultIp                   net.IP
+	InterContainerCommunication bool
 }
diff --git a/docker/docker.go b/docker/docker.go
@@ -40,6 +40,7 @@ func main() {
 	flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use")
 	flEnableIptables := flag.Bool("iptables", true, "Disable iptables within docker")
 	flDefaultIp := flag.String("ip", "0.0.0.0", "Default ip address to use when binding a containers ports")
+	flInterContainerComm := flag.Bool("enable-container-comm", false, "Enable inter-container communication")
 
 	flag.Parse()
 
@@ -81,15 +82,16 @@ func main() {
 		ip := net.ParseIP(*flDefaultIp)
 
 		config := &docker.DaemonConfig{
-			Pidfile:        *pidfile,
-			GraphPath:      *flGraphPath,
-			AutoRestart:    *flAutoRestart,
-			EnableCors:     *flEnableCors,
-			Dns:            dns,
-			EnableIptables: *flEnableIptables,
-			BridgeIface:    bridge,
-			ProtoAddresses: flHosts,
-			DefaultIp:      ip,
+			Pidfile:                     *pidfile,
+			GraphPath:                   *flGraphPath,
+			AutoRestart:                 *flAutoRestart,
+			EnableCors:                  *flEnableCors,
+			Dns:                         dns,
+			EnableIptables:              *flEnableIptables,
+			BridgeIface:                 bridge,
+			ProtoAddresses:              flHosts,
+			DefaultIp:                   ip,
+			InterContainerCommunication: *flInterContainerComm,
 		}
 		if err := daemon(config); err != nil {
 			log.Fatal(err)

diff --git a/network.go b/network.go
@@ -165,14 +165,21 @@ func CreateBridgeIface(config *DaemonConfig) error {
 	if output, err := ip("link", "set", config.BridgeIface, "up"); err != nil {
 		return fmt.Errorf("Unable to start network bridge: %s (%s)", err, output)
 	}
+
 	if config.EnableIptables {
 		if err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr,
 			"!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
 			return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
 		}
-		// Prevent inter-container communication by default
-		if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil {
-			return fmt.Errorf("Unable to prevent intercontainer communication: %s", err)
+
+		if !config.InterContainerCommunication {
+			utils.Debugf("Disable inter-container communication")
+			if err := iptables.Raw("-A", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP"); err != nil {
+				return fmt.Errorf("Unable to prevent intercontainer communication: %s", err)
+			}
+		} else {
+			utils.Debugf("Enable inter-container communication")
+			iptables.Raw("-D", "FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j", "DROP")
 		}
 	}
 	return nil