Networking

On startup, Docker creates the docker0 virtual interface and selects an unused IP address and subnet (typically, 172.17.0.1/16) to assign to the interface. The virtual interface is used as a virtual Ethernet bridge, and automatically forwards packets among real and virtual interfaces attached to it. The host and all of its containers communicate through this virtual bridge.

Docker can only check directly connected routes, so the subnet it chooses for the virtual bridge might be inappropriate for your environment. To customize the virtual bridge subnet, refer to Docker's advanced network configuration article.

The following list highlights potential communication conflicts:
  • If you use a firewall utility, ensure that it does not conflict with Docker. The default configurations of firewall utilities such as FirewallD include rules that can conflict with Docker, and therefore with Control Center. The following interactions illustrate the conflicts:
    • The firewalld daemon removes the DOCKER chain from iptables when it starts or restarts.
    • Under systemd, firewalld is started before Docker. However, if you start or restart firewalld while Docker is running, you must restart Docker.
  • Even if you do not use a firewall utility, your firewall settings might still prevent communications over the Docker virtual bridge. This issue occurs when iptables INPUT rules restrict most traffic. To ensure that the bridge works properly, append an INPUT rule to your iptables configuration that allows traffic on the bridge subnet. For example, if docker0 is bound to 172.17.42.1/16, then a command like the following would ensure that the bridge works:
    iptables -A INPUT -d 172.17.0.0/16 -j ACCEPT
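
The following audit is an added example, not part of the original documentation. It reads iptables -S output on stdin and reports the two conditions listed above (missing DOCKER chain, no ACCEPT rule for the bridge subnet); it goes one step further and flags a bridge ACCEPT rule that sits after an unconditional DROP or REJECT in INPUT, where it is never evaluated. The function name, result strings, and sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output (filter table) read from stdin.
# Usage on a host: iptables -S | audit_bridge_rules 172.17.0.0/16
audit_bridge_rules() {
    awk -v subnet="$1" '
        $1 == "-N" && $2 == "DOCKER" { chain = 1 }
        $1 == "-P" && $2 == "INPUT"  { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            n++
            # First unconditional terminal rule, e.g. "-A INPUT -j REJECT ..."
            if (!block && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) block = n
            # First ACCEPT whose destination is the bridge subnet
            if (!allow && index($0, " -d " subnet " ") &&
                index($0 " ", " -j ACCEPT ")) allow = n
        }
        END {
            # firewalld removes the DOCKER chain when it starts or restarts
            if (!chain) { print "MISSING_DOCKER_CHAIN"; bad++ }
            restrictive = (policy != "ACCEPT" || block)
            # Rules are evaluated in order: ACCEPT after a catch-all never matches
            if (restrictive && !allow)       { print "NO_BRIDGE_ACCEPT"; bad++ }
            else if (block && allow > block) { print "BRIDGE_ACCEPT_SHADOWED"; bad++ }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: restrictive policy, DOCKER chain present, bridge allowed.
SAMPLE_OK='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 172.17.0.0/16 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER'

# Constructed sample: firewalld restarted while Docker was running (chain gone)
# and the bridge rule appended after a catch-all REJECT.
SAMPLE_BROKEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -d 172.17.0.0/16 -j ACCEPT'

printf '%s\n' "$SAMPLE_OK"     | audit_bridge_rules 172.17.0.0/16 || true
printf '%s\n' "$SAMPLE_BROKEN" | audit_bridge_rules 172.17.0.0/16 || true
```

If the audit reports BRIDGE_ACCEPT_SHADOWED, the ACCEPT rule has to be placed ahead of the catch-all rule (for example with iptables -I INPUT) for it to take effect.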

Additional requirements and considerations

Control Center requires a 16-bit, private IPv4 network for virtual IP addresses. The default network is 10.3/16, but during installation you can select any valid IPv4 16-bit address space.

Before installation, add DNS entries for the Control Center master host and all delegate hosts. Verify that all hosts in Control Center resource pools can:
  • Resolve the hostnames of all other delegate hosts to IPv4 addresses. For example, if the public IP address of your host is 192.0.2.1, then the hostname -i command should return 192.0.2.1.
  • Respond with an IPv4 address other than 127.x.x.x when ping Hostname is invoked.
  • Return a unique result from the hostid command.

Control Center relies on Network File System (NFS) for its distributed file system implementation. Therefore, hosts in a Control Center cluster cannot run a general-purpose NFS server, and all hosts require NFS.