
Can I disable inter-container communication (icc) in Docker EE?

Article ID: KB000770

Issue

Can I disable inter-container communication (icc) in Docker EE?

Resolution

The Docker daemon provides a flag --icc that can be set to enable or disable inter-container communication (icc). Setting the --icc flag to true (the default value) allows containers connected to the default docker0 bridge interface to communicate with each other. Setting the flag to false prevents this communication between containers across the docker0 bridge interface.

The UCP containers on both manager and worker nodes are connected to the docker0 bridge and need to be able to communicate with each other over this interface for UCP to function. Therefore icc must not be set to false at a Docker daemon level.

What's Next

Some third-party sources may suggest that disabling icc at a Docker daemon level is required to secure the Docker environment; however, in Docker EE isolation and security are maintained via other methods, whilst leaving icc enabled.

  • The UCP components are connected to the docker0 bridge, on which icc is enabled. However, services deployed within your Docker EE cluster will be attached to the docker_gwbridge bridge interface for their egress networking. The docker_gwbridge interface has icc disabled by default to prevent inter-container communication and only permit egress from containers to external network addresses, and ingress for published ports.
  • UCP's Role-Based Access Control (RBAC) is used to control a user's ability to schedule containers attached to the docker0 bridge. By default a user granted the Restricted Control role on an object will not be able to attach containers to the docker0 bridge; only users granted the Full Control role are able to do so. Additional, more granular roles can also be created to determine permissions.
  • The ability for containers within Docker services to communicate is controlled by attaching services to overlay networks. In this way you can isolate services, so only those that require the ability to communicate can do so. UCP's RBAC can be used to control who can access and schedule services on these overlay networks.
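To make the two settings discussed above auditable on a node, the following is an added example (not Docker's own tooling and not part of this article) that reads the daemon-level icc setting from daemon.json and the per-network com.docker.network.bridge.enable_icc option from docker network inspect output. The daemon.json text and the inspect JSON in the block are constructed samples; on a real node you would read /etc/docker/daemon.json and pipe in `docker network inspect bridge docker_gwbridge`. The findings it emits encode the expectations stated in this article: icc stays enabled on docker0 (UCP requires it) and docker_gwbridge has icc disabled by default.

```python
"""Audit Docker EE inter-container communication (icc) settings.

Added example, not Docker's own code. All inputs below are constructed
samples, not captured from a real host.
"""
import json

# Docker's per-bridge-network option controlling icc.
ICC_OPTION = "com.docker.network.bridge.enable_icc"

# Constructed daemon.json showing the setting this article warns against.
MISCONFIGURED_DAEMON_JSON = '{"icc": false, "log-driver": "json-file"}'

# Constructed `docker network inspect bridge docker_gwbridge` output,
# trimmed to the fields the audit needs, showing the expected defaults:
# icc enabled on docker0, disabled on docker_gwbridge.
SAMPLE_NETWORK_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge",
     "Options": {"com.docker.network.bridge.default_bridge": "true",
                 ICC_OPTION: "true",
                 "com.docker.network.bridge.name": "docker0"}},
    {"Name": "docker_gwbridge", "Driver": "bridge",
     "Options": {ICC_OPTION: "false",
                 "com.docker.network.bridge.enable_ip_masquerade": "true",
                 "com.docker.network.bridge.name": "docker_gwbridge"}},
])


def daemon_icc_enabled(daemon_json_text):
    """Effective daemon-level icc value; the daemon default is True."""
    if not daemon_json_text.strip():
        return True
    return bool(json.loads(daemon_json_text).get("icc", True))


def network_icc(inspect_json_text):
    """Map bridge-driver network name -> icc enabled (bool)."""
    result = {}
    for net in json.loads(inspect_json_text):
        if net.get("Driver") != "bridge":
            continue
        # A missing option means the driver default, which is icc enabled.
        opt = net.get("Options", {}).get(ICC_OPTION, "true")
        result[net["Name"]] = opt.lower() == "true"
    return result


def audit(daemon_json_text, inspect_json_text):
    """Return findings that contradict the expectations in this article."""
    findings = []
    if not daemon_icc_enabled(daemon_json_text):
        findings.append("daemon.json sets icc=false; UCP components on "
                        "docker0 need icc enabled at the daemon level")
    icc = network_icc(inspect_json_text)
    if icc.get("bridge") is False:
        findings.append("network 'bridge' (docker0) has icc disabled; "
                        "UCP requires icc on this bridge")
    if icc.get("docker_gwbridge") is True:
        findings.append("docker_gwbridge has icc enabled; the default is "
                        "disabled so service containers only get egress")
    return findings


if __name__ == "__main__":
    for name, daemon_cfg in (("default daemon.json", "{}"),
                             ("misconfigured daemon.json",
                              MISCONFIGURED_DAEMON_JSON)):
        result = audit(daemon_cfg, SAMPLE_NETWORK_INSPECT)
        print(f"{name}: {result or 'no findings'}")
```

Run against a live node by replacing the constructed strings with the contents of /etc/docker/daemon.json and the output of `docker network inspect bridge docker_gwbridge`; an empty findings list means the node matches the configuration this article describes.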

For further reading on Docker EE security please see Docker Reference Architecture: Securing Docker EE and Security Best Practices (Docker EE 17.06).