On startup, Docker creates the docker0 virtual interface and selects an unused IP address and subnet (typically, 172.17.0.1/16) to assign to the interface. The virtual interface is used as a virtual Ethernet bridge, and automatically forwards packets among real and virtual interfaces attached to it. The host and all of its containers communicate through this virtual bridge.
Docker can only check directly connected routes, so the subnet it chooses for the virtual bridge might be inappropriate for your environment. To customize the virtual bridge subnet, refer to Docker's advanced network configuration article.
- If you use a firewall utility, ensure that it does not conflict with Docker. The default configurations of firewall utilities such as FirewallD include rules that can conflict with Docker, and therefore Control Center. The following interactions illustrate the conflicts:
  - The firewalld daemon removes the DOCKER chain from iptables when it starts or restarts.
  - Under systemd, firewalld is started before Docker. However, if you start or restart firewalld while Docker is running, you must restart Docker.
- Even if you do not use a firewall utility, your firewall settings might still prevent communications over the Docker virtual bridge. This issue occurs when iptables INPUT rules restrict most traffic. To ensure that the bridge works properly, append an INPUT rule to your iptables configuration that allows traffic on the bridge subnet. For example, if docker0 is bound to 172.17.42.1/16, then a command like the following example would ensure that the bridge works.

    iptables -A INPUT -d 172.17.0.0/16 -j ACCEPT
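
A check for the two firewall conditions described above, added here as an example and not taken from the Control Center or Docker documentation: it reads iptables -S output and reports a missing DOCKER chain, a missing bridge ACCEPT rule, or an ACCEPT rule that sits after an unconditional DROP/REJECT (iptables evaluates rules in order, so a rule appended there is never reached). The function name, status strings and sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# Reads "iptables -S" (filter table) output on stdin; real-host usage would be:
#   iptables -S | check_bridge_rules 172.17.0.0/16
check_bridge_rules() (
  subnet="$1"; chain=no; restricted=no; catchall=no; accept=no; shadowed=no
  while IFS= read -r line; do
    case "$line" in
      "-N DOCKER") chain=yes ;;            # chain that firewalld removes on (re)start
      "-P INPUT DROP") restricted=yes ;;   # default-deny policy
      "-A INPUT -j DROP"|"-A INPUT -j REJECT"*)
        restricted=yes; catchall=yes ;;    # unconditional deny rule
      "-A INPUT "*"-d $subnet "*"-j ACCEPT"*)
        # Rules are evaluated in order: an ACCEPT that follows an
        # unconditional DROP/REJECT never matches any packet.
        if [ "$catchall" = yes ]; then shadowed=yes; else accept=yes; fi ;;
    esac
  done
  problems=0
  if [ "$chain" = no ]; then
    echo "docker-chain-missing"; problems=1     # remedy per the text: restart Docker
  fi
  if [ "$restricted" = yes ] && [ "$accept" = no ]; then
    if [ "$shadowed" = yes ]; then echo "bridge-accept-shadowed"
    else echo "bridge-accept-missing"; fi
    problems=1
  fi
  [ "$problems" -eq 0 ] && echo "ok"
  exit "$problems"
)

# Constructed sample: restrictive INPUT policy, DOCKER chain and bridge rule present.
RULES_OK='-P INPUT DROP
-N DOCKER
-A INPUT -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER'

# Constructed sample: DOCKER chain absent, bridge rule appended after a catch-all REJECT.
RULES_BAD='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -d 172.17.0.0/16 -j ACCEPT'

printf '%s\n' "$RULES_OK"  | check_bridge_rules 172.17.0.0/16 || true
printf '%s\n' "$RULES_BAD" | check_bridge_rules 172.17.0.0/16 || true
```

The function exits non-zero when it reports a problem, so it can gate a service start or a monitoring check.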
Additional requirements and considerations
Control Center requires a 16-bit, private IPv4 network for virtual IP addresses. The default network is 10.3/16, but during installation you can select any valid IPv4 16-bit address space.
- Resolve the hostnames of all other delegate hosts to IPv4 addresses. For example, if the public IP address of your host is 192.0.2.1, then the hostname -i command should return 192.0.2.1.
- Respond with an IPv4 address other than 127.x.x.x when ping Hostname is invoked.
- Return a unique result from the hostid command.
Control Center relies on Network File System (NFS) for its distributed file system implementation. Therefore, hosts in a Control Center cluster cannot run a general-purpose NFS server, and all hosts require NFS.