I have two Red Hat 8 virtual machines. I'm running Docker on both, in this case as a host for the application called Graphite.
The VMs started out identical to each other, and I pulled the same Docker image to both of them. However, somehow the two VMs have ended up with very different iptables configurations, especially where it pertains to Docker.
One machine's iptables --list output contains a block called DOCKER-INTERNAL. This machine gives me errors like the following, which prevent the image from working properly:
    <twisted.internet.tcp.Connector instance at 0x7f145c18eb50 disconnected IPv4Address(type='TCP', host='127.0.0.1', port=2204)> will retry in 5 seconds
    CarbonClientFactory(127.0.0.1:2204:prod_c::clientConnectionFailed (127.0.0.1:2204) Connection was refused by other side:111: Connection refused.

As you can see, the iptables/firewall setup is somehow preventing localhost from connecting to itself. All this application needs is the ability to listen on certain predefined ports on the host machine, but that isn't working.
On the other VM, the iptables --list output contains DOCKER-ISOLATION-STAGE-1 and DOCKER-ISOLATION-STAGE-2, but there is no DOCKER-INTERNAL at all. On this machine, the port listening works perfectly fine, as do the processes that depend on it.
Questions include:
- How can I configure the VM with DOCKER-INTERNAL in its iptables to instead use the DOCKER-ISOLATION-STAGE clauses, which seem to work better? Where in Docker is this behavior configured?
- If that doesn't work: how can I get the DOCKER-INTERNAL machine to allow the Graphite image to listen on the localhost port? The other machine, which has DOCKER-ISOLATION-STAGE, has no problem with this.
- How did the two machines end up with different configurations in the first place? (Once again, these were identical RHEL8 VMs, and I pulled the same Docker image to both.)
I will add the full iptables outputs in the comments if necessary.