Tuesday, May 14, 2024
Asked Thu, May 12, 2022, 4:04:27 (1 answer, 4243 hits)

I can't access the Internet or even the local network (a network printer) from within a container.
For example, pinging google.com's IP:


docker run --rm busybox ping -c 2 142.250.186.142

outputs:


PING 142.250.186.142 (142.250.186.142): 56 data bytes

--- 142.250.186.142 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

With --network=host, it works:


docker run --rm --network=host busybox ping -c 2 142.250.186.142

Host is Ubuntu 22.10.
And it used to work until last week. My colleagues using Windows as a host can ping fine.


I tried:



More details:


$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.10
Release: 22.10
Codename: kinetic

$ docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
compose: Docker Compose (Docker Inc., v2.12.2)
scan: Docker Scan (Docker Inc., v0.21.0)

Server:
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 1
Server Version: 20.10.21
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: a05d175400b1145e5e6a735a6710579d181e7fb0
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
cgroupns
Kernel Version: 5.19.0-26-generic
Operating System: Ubuntu 22.10
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.4GiB
Name: boris-ThinkPad-T480
ID: ZN24:57QW:KT4M:J5H6:BIHZ:BF6I:KDV2:EAM6:CESL:UWNE:43AL:LUAJ
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 24
Goroutines: 34
System Time: 2022-12-12T20:08:42.528459605+01:00
EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

$ docker version
Client: Docker Engine - Community
Version: 20.10.21
API version: 1.41
Go version: go1.18.7
Git commit: baeda1f
Built: Tue Oct 25 18:01:58 2022
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.21
API version: 1.41 (minimum version 1.12)
Go version: go1.18.7
Git commit: 3056208
Built: Tue Oct 25 17:59:49 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.12
GitCommit: a05d175400b1145e5e6a735a6710579d181e7fb0
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0

$ cat /proc/sys/net/ipv4/ip_forward
1

$ iptables -Z && iptables -nvL > before.txt && docker run --rm busybox ping -c 3 142.250.186.142 > ping.txt && iptables -nvL > after.txt && cat before.txt && cat ping.txt && diff before.txt after.txt
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0

Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
PING 142.250.186.142 (142.250.186.142): 56 data bytes

--- 142.250.186.142 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
1c1
< Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
---
> Chain INPUT (policy ACCEPT 220 packets, 56220 bytes)
3c3
< 0 0 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 220 56220 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
5c5
< Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
---
> Chain FORWARD (policy ACCEPT 3 packets, 252 bytes)
7,8c7,8
< 0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
< 0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 6 504 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
> 6 504 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
11c11
< 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
---
> 3 252 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
13,15c13,15
< 0 0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
< 0 0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
< 0 0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 3 252 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
> 3 252 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
> 3 252 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
17c17
< Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
---
> Chain OUTPUT (policy ACCEPT 267 packets, 34045 bytes)
19c19
< 0 0 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 267 34045 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
26,27c26,27
< 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
< 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 3 252 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
> 6 504 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
32c32
< 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 3 252 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
36c36
< 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 6 504 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0

$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
129 46233 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 504 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
18336 2849K LIBVIRT_PRT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0

Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
29 2852 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
2 120 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
6 3810 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
2 64 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24

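As an added example (not code from the question or the answer), a small Python parser that automates the asker's `iptables -Z ... diff before.txt after.txt` comparison: it reads two `iptables -nvL` snapshots, computes per-rule packet deltas, and reports how many FORWARD packets left docker0 versus how many were accepted back into it. The sample snapshots are constructed from the counters in the question's diff; with them, 3 requests leave and 0 replies return, which is the asymmetry to look for before suspecting the bridge itself.

```python
# Constructed FORWARD-chain excerpt in `iptables -nvL` layout, snapshotted before and
# after `docker run --rm busybox ping -c 3 142.250.186.142`; counters are from the question's diff.
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target      prot opt in      out      source     destination
    0     0 DOCKER-USER all  --  *       *        0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT      all  --  *       docker0  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT      all  --  docker0 !docker0 0.0.0.0/0  0.0.0.0/0
"""
AFTER = """\
Chain FORWARD (policy ACCEPT 3 packets, 252 bytes)
 pkts bytes target      prot opt in      out      source     destination
    6   504 DOCKER-USER all  --  *       *        0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT      all  --  *       docker0  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
    3   252 ACCEPT      all  --  docker0 !docker0 0.0.0.0/0  0.0.0.0/0
"""
_SCALE = {"K": 10**3, "M": 10**6, "G": 10**9}

def _count(tok):  # '504' -> 504, '2849K' -> 2849000 (iptables abbreviates large counters)
    return int(tok[:-1]) * _SCALE[tok[-1]] if tok[-1] in _SCALE else int(tok)

def parse_chains(text):
    """Map chain name -> list of (rule text without counters, packet count)."""
    chains, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif line and cur and not line.startswith("pkts"):
            pkts, _bytes, rule = line.split(None, 2)
            chains[cur].append((" ".join(rule.split()), _count(pkts)))
    return chains

def counter_deltas(before, after):  # packets matched per (chain, rule) between snapshots
    old = parse_chains(before)
    return {(chain, rule): pkts - dict(old.get(chain, [])).get(rule, 0)
            for chain, rules in parse_chains(after).items() for rule, pkts in rules}

def forward_summary(deltas):
    """Split FORWARD accepts into packets leaving docker0 and packets sent back into it."""
    left = back = 0
    for (chain, rule), n in deltas.items():
        parts = rule.split()  # target prot opt in out source destination [match text]
        if chain != "FORWARD" or len(parts) < 5 or parts[0] != "ACCEPT":
            continue
        left += n if parts[3] == "docker0" and parts[4] == "!docker0" else 0
        back += n if parts[4] == "docker0" else 0  # replies to the container go here
    return {"left_docker0": left, "returned_to_docker0": back}
```

Feed it the full `iptables -nvL` output of both snapshots and every chain is parsed; only FORWARD is summarised.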

 Answers
4

After some debug commands, it turned out the container does send out the ICMP request packet, and the response packet arrives at the host.


Right now it is unclear why the response ICMP packet is not forwarded to the container. Iptables (filter and nat) looked ok. Something inside docker failed.
The system was up to date and docker was installed in the latest (current) version.


Solution:


Set up your own bridged network, e.g. docker network create --subnet=172.20.0.0/24 --gateway=172.20.0.1 docker20; read the documentation for details.


See the answer for details.


Disclaimer: I’m not able to reproduce this issue. The root cause is still unclear but will not be investigated any more.


Recommendation: instead of starting containers directly with docker run, use docker compose files.
A docker compose file would look like:


version: "3.1"
services:
  alpine-sshd:
    image: busybox
    container_name: busybox
    command: ["ping", "-c2", "142.250.186.142"]
# optional own network
networks:
  default:
    external: true
    name: <NETWORKNAME>

[#112] Saturday, May 14, 2022
nerta
