No internet connection inside Docker containers
```
docker run ubuntu /bin/echo 'Hello world'
```

```
docker run ubuntu apt-get update
Err:1 http://archive.ubuntu.com/ubuntu xenial InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:2 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Err:3 http://archive.ubuntu.com/ubuntu xenial-security InRelease
  Temporary failure resolving 'archive.ubuntu.com'
Reading package lists.
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-updates/InRelease  Temporary failure resolving 'archive.ubuntu.com'
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial-security/InRelease  Temporary failure resolving 'archive.ubuntu.com'
```
Similar with pip and ping. I am on Ubuntu 16.04 and not using a firewall or corporate proxy server, and I have tried to restart Docker. Upd: Update in interactive mode fails in the same fashion.

```
docker exec -ti angry_goodall /bin/bash
apt-get update   # fails
ping google.com  # fails with "unknown host" message
ping 8.8.8.8     # shows PING 8.8.8.8 (8.8.8.8): 56 data bytes
                 # and then hangs indefinitely
```

sudo apt-get update runs successfully on the host, i.e. on my computer outside Docker.

Upd: Docker version 1.12.1, build 23cf638
No Internet access from a Docker container?
Problem:
No container brought up on the system has access to the outside.
ping 8.8.8.8: silence, 100% loss.
The container has its own external bridge network.
The eth0 interface is pinged SUCCESSFULLY from the container.
net.ipv4.conf.all.forwarding=1 is set.
I have restarted the Docker daemon.
I no longer have any idea where to dig.
```
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain DOCKER (3 references)
target prot opt source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
```
Docker compose: no internet
I have a question regarding networking in a docker-compose. Here is my docker-compose.yml:
```yaml
version: '3.5'
services:
  jenkins:
    container_name: jenkins
    build:
      context: ./jenkins/master
      dockerfile: dockerfile
    networks:
      vpn:
        ipv4_address: 10.5.0.6
    ports:
      - '8000:8080'
      - '9000:9080'
    restart: always
    volumes:
      - 'jenkins:/var/jenkins_home'
      - "/var/run/docker.sock:/var/run/docker.sock"
  openvpn:
    container_name: openvpn
    cap_add:
      - NET_ADMIN
    image: kylemanna/openvpn
    networks:
      vpn:
        ipv4_address: 10.5.0.8
    ports:
      - "3000:1194/udp"
    restart: always
    volumes:
      - ./openvpn/volume-data/openvpn-data/conf:/etc/openvpn
  jira:
    container_name: jira
    build:
      context: ./jira
      dockerfile: dockerfile
    networks:
      vpn:
        ipv4_address: 10.5.0.10
    ports:
      - '5050:8080'
    restart: always
    volumes:
      - 'jira:/var/atlassian/application-data/jira'
networks:
  vpn:
    name: vpn
    ipam:
      config:
        - subnet: 10.5.0.0/16
volumes:
  jenkins:
  jira:
```
I know that using static IPs is not considered best practice, but I am pretty much just doing what I am told at this point. Anyway, to my question. The docker-compose builds and runs fine, but when I deploy it on an Ubuntu node, I am noticing that they are unable to connect to the internet. This same docker-compose works well on my local machine that is using Docker for Windows, and my containers can access the internet just fine. The reason why I believe they cannot access the internet is that I cannot run apt update when I exec into one of the containers. I get a timeout error. However, when I run a container that is not inside of a custom network, I can access the internet just fine. Has anyone run into this type of situation before? I am unsure if this is an error that I have in my docker-compose, or if there is something wrong with the node itself.
Edit: Thanks for the replies! I wrote my solution in the comments, but I’ll pin this here so it has better views in case someone else runs into this! I first checked my firewall, but I had opened those ports already and nothing looked unusual. I found my error when I ran an ifconfig and saw I had multiple aliases with the same subnet. For some odd reason, my docker-compose created multiple aliases at some point. I removed them and reran my docker-compose, and now I am able to reach my VPN at its port!
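The check described in the edit above (more than one host interface or alias sitting in the same subnet as the Compose network), as an added example that is not part of the original post. It parses `ip -o -4 addr show` output; the sample text, the interface and bridge names, and the function names are constructed for illustration, and only the 10.5.0.0/16 subnet comes from the post's docker-compose.yml.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip -o -4 addr show` output (not taken from the post).
SAMPLE_IP_ADDR = r"""
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 10.5.0.1/16 scope global eth0:1\       valid_lft forever preferred_lft forever
2: eth0    inet 10.5.0.2/16 scope global secondary eth0:2\       valid_lft forever preferred_lft forever
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever
7: br-0a1b2c3d4e5f    inet 10.5.0.1/16 brd 10.5.255.255 scope global br-0a1b2c3d4e5f\       valid_lft forever preferred_lft forever
"""

def parse_ip_addr(text):
    """Return [(label, IPv4Interface)] from `ip -o -4 addr show` output."""
    entries = []
    for line in text.splitlines():
        # Everything before the first backslash is the address record;
        # its last token is the label (interface name or alias such as eth0:1).
        tokens = line.split("\\")[0].split()
        if len(tokens) < 4 or tokens[2] != "inet":
            continue
        entries.append((tokens[-1], ipaddress.ip_interface(tokens[3])))
    return entries

def conflicts_with(subnet, entries):
    """Host addresses whose network overlaps the given Compose subnet."""
    net = ipaddress.ip_network(subnet)
    return [(label, str(iface)) for label, iface in entries
            if iface.network.overlaps(net)]

def duplicate_addresses(entries):
    """IP addresses that are assigned to more than one interface or alias."""
    seen = defaultdict(list)
    for label, iface in entries:
        seen[str(iface.ip)].append(label)
    return {ip: labels for ip, labels in seen.items() if len(labels) > 1}

if __name__ == "__main__":
    entries = parse_ip_addr(SAMPLE_IP_ADDR)
    hits = conflicts_with("10.5.0.0/16", entries)
    # Only the Docker bridge for the Compose network is expected in this subnet.
    if len(hits) > 1:
        print("More than one interface in 10.5.0.0/16:")
        for label, addr in hits:
            print(f"  {label:18} {addr}")
    for ip, labels in duplicate_addresses(entries).items():
        print(f"Address {ip} is configured on: {', '.join(labels)}")
```

On a real host, feed it the live output with `subprocess.run(["ip", "-o", "-4", "addr", "show"], capture_output=True, text=True).stdout` in place of the sample.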
docker-compose macvlan can’t access internet
I’m running Ubuntu desktop in VirtualBox (my host is a Mac), and inside this virtual machine I’m experimenting with the macvlan Docker network driver with docker-compose. Here’s my docker-compose.yml file:

```yaml
version: '3.7'
services:
  trader:
    build: ./
    image: giuliotrader
    container_name: giuliotrader
    networks:
      trading:
        ipv4_address: 172.16.86.33
    depends_on:
      - tws
  tws:
    build: ./ib-docker
    image: ibconnect
    container_name: ibconnect
    ports:
      - "4001:4001"
      - "4003:4003"
      - "5901:5901"
    volumes:
      - ./ib-docker/config.ini:/root/ibc/config.ini
      - ./ib-docker/gatewaystart.sh:/opt/ibc/gatewaystart.sh
    networks:
      trading:
        ipv4_address: 172.16.86.22
networks:
  trading:
    driver: macvlan
    driver_opts:
      parent: enp0s3.10
    ipam:
      config:
        - subnet: 172.16.86.0/24
          #gateway: 172.16.86.1
```

I’m having trouble getting these two containers to access the internet. I can access the machines via docker exec -it ibconnect /bin/bash, but there’s no way they can access the network. If I apt-get install iputils-ping I get:
Temporary failure resolving 'archive.ubuntu.com'
and if I nc -l 5047 on one container and nc 172.16.86.22 5047 on the other I get Connection refused. If I uncomment the last line (gateway) docker-compose reports an error:
ERROR: The Compose file './docker-compose.yml' is invalid because: networks.trading.ipam.config value Additional properties are not allowed ('gateway' was unexpected),
I’m not sure what I’m missing in the configuration for configuring the gateway. How can I properly configure the network in this setup? I couldn’t find any decent documentation. Thanks,