My docker container has no internet

Question

I had it working allright but now it stopped. I tried the following commands with no avail:

docker run -dns 8.8.8.8 base ping google.com

docker run base ping google.com

sysctl -w net.ipv4.ip_forward=1 - both on the host and on the container

All I get is unknown host google.com. Docker version 0.7.0

Any ideas?

P.S. ufw disabled as well

Your question fixed my problem: had to run `sysctl -w net.ipv4.ip_forward=1` (on Centos 6) — qwertzguy, Oct 05 '15 at 14:01
Since you may have the problem with docker dns routing, check this similar solution https://stackoverflow.com/questions/35515203/docker-npm-install-error-getaddrinfo-enotfound-registry-npmjs-org-registry-npmj/49936357#49936357 — Aditya Kresna Permana, Aug 10 '18 at 08:41
Same here, after I fixed the /etc/resolv.conf on the host box it didn't won't to work without `sysctl -w net.ipv4.ip_forward=1` — Reeebuuk, Feb 09 '19 at 13:13
Also check that you have the correct values for `/etc/resolv.conf` on the **host** machine — Hanxue, Aug 27 '19 at 10:09
for me after `sysctl -w net.ipv4.ip_forward=1` I had to run `sudo service docker restart`. — Asif Ali, Feb 24 '20 at 09:43
The issue is not necessarily caused by DNS and forwarding settings. [I had to delete the `docker0` interface and restart the daemon](https://stackoverflow.com/a/68800014/4806820). — code_onkel, Aug 16 '21 at 09:08
I have this issue always soon after I load my VM and a simple restart solved the problem: sudo systemctl restart docker Or see: https://stackoverflow.com/a/28086505/450148 — Felipe, Jul 19 '22 at 08:12
While only vaguely related, I thought it could help someone else to mention it. I ran into a situation where it looked like a Docker container couldn't access internet today after setting up internet access through a VPN on the server. I started debugging DNS and didn't find any problems. Turns out that the resource the container was trying to access was hosted on Github, and that Github blocks requests coming from the VPN. Using an alternate CDN for the resource "fixed" the issue. — antonagestam, Sep 16 '22 at 17:20
I had a similar issue, but I could ping IP address. So it was a DNS issue. Rebooting my computer fixed it. — mbomb007, Apr 17 '23 at 15:31

wisbucky · Answer 1 · 2018-06-27T22:37:15.217

216

First thing to check is run cat /etc/resolv.conf in the docker container. If it has an invalid DNS server, such as nameserver 127.0.x.x, then the container will not be able to resolve the domain names into ip addresses, so ping google.com will fail.

Second thing to check is run cat /etc/resolv.conf on the host machine. Docker basically copies the host's /etc/resolv.conf to the container everytime a container is started. So if the host's /etc/resolv.conf is wrong, then so will the docker container.

If you have found that the host's /etc/resolv.conf is wrong, then you have 2 options:

Hardcode the DNS server in daemon.json. This is easy, but not ideal if you expect the DNS server to change.
Fix the hosts's /etc/resolv.conf. This is a little trickier, but it is generated dynamically, and you are not hardcoding the DNS server.

1. Hardcode DNS server in docker daemon.json

Edit /etc/docker/daemon.json
```
{
    "dns": ["10.1.2.3", "8.8.8.8"]
}
```
Restart the docker daemon for those changes to take effect:
sudo systemctl restart docker
Now when you run/start a container, docker will populate /etc/resolv.conf with the values from daemon.json.

2. Fix the hosts's /etc/resolv.conf

A. Ubuntu 16.04 and earlier

For Ubuntu 16.04 and earlier, /etc/resolv.conf was dynamically generated by NetworkManager.
Comment out the line dns=dnsmasq (with a #) in /etc/NetworkManager/NetworkManager.conf
Restart the NetworkManager to regenerate /etc/resolv.conf :
sudo systemctl restart network-manager
Verify on the host: cat /etc/resolv.conf

B. Ubuntu 18.04 and later

Ubuntu 18.04 changed to use systemd-resolved to generate /etc/resolv.conf. Now by default it uses a local DNS cache 127.0.0.53. That will not work inside a container, so Docker will default to Google's 8.8.8.8 DNS server, which may break for people behind a firewall.
/etc/resolv.conf is actually a symlink (ls -l /etc/resolv.conf) which points to /run/systemd/resolve/stub-resolv.conf (127.0.0.53) by default in Ubuntu 18.04.
Just change the symlink to point to /run/systemd/resolve/resolv.conf, which lists the real DNS servers:
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Verify on the host: cat /etc/resolv.conf

Now you should have a valid /etc/resolv.conf on the host for docker to copy into the containers.

edited Jun 27 '18 at 22:37

answered Aug 11 '17 at 23:06

wisbucky

33,218
10
150
101

2

This solved the issue on Ubuntu 16.04 with Docker 17.09. – Luís de Sousa Dec 04 '17 at 16:12
2

This resolved my issue (same as OP, Ubuntu 14.04 / Docker 18.01.0-ce). This link can be usefull [test internet connection without ping](https://stackoverflow.com/a/26820300/1456391) if you don't have ping command on your docker image. If your host don't have `systemctl` (Ubuntu 14.04) try [How to restart the networking service?](https://askubuntu.com/a/544686/466140) and/or restart you computer. – Benjamin Jan 31 '18 at 11:15
Worked like a charm! – Homewrecker Jul 03 '18 at 14:26
5

This works on Ubuntu 18.04 (option B). However docker didn't transfer the now correct ```/etc/resolv.conf``` to the container on construction, I had to manually copy the file into the container. – glaux Aug 22 '18 at 11:00
2

On my machine (RedHat 7.4) the host's config file is correct, but the containers file is still pointing towards 172.0.0.11. So what to do now? – Martin Majewski Sep 04 '18 at 11:22
Worked for me, Kubernetes 1.10.6 on Ubuntu 18.04. Thanks. – Kareem Nov 15 '18 at 14:13
The 18.04 fix worked for me, however I wonder if there aren't some potentially unwanted side-effects of following this DNS reconfiguration? – Quolonel Questions Dec 11 '18 at 16:43
Thank you for hint with systemd-behaviour :-/ I solved it with my deamon.json - since I have to use my own nameserver. – cljk Jan 07 '19 at 14:39
adding DNS to /etc/docker/daemon.json worked fine. Thanks. – MUNGAI NJOROGE Feb 20 '19 at 12:53
Hardcoded DNS does not work on Ubuntu 18.04 unfortunately. Running a local cluster is hard work. – onknows Apr 14 '19 at 15:14
1

Option B just broke my host internet connection. Is there any way to fix containers and not break the host? – Gino Pane Jul 25 '19 at 11:58
Hardcode DNS servers option worked for me while running `Ubuntu 18.04 container` on `Ubuntu 16.04 host`... Also Thanks for all details... – akhileshmoghe Aug 31 '19 at 08:19
This resolves the problem on ubuntu 18.04 with netplan, thank you very much! – martinkenneth Jul 09 '20 at 03:38
Thank you for this solution. I solved in first step: cat /etc/resolv.conf That realize my container still maintain my old info (I change the location and internet service in day) Then what I do -> exit container ; stop container ; start container .... voila ... problem solved. – ati ince Feb 01 '21 at 07:11
4

Are there any changes in Ubuntu 20? could you update, please? – mahyard Apr 05 '21 at 18:50
Love this answer because it teaches you how to **debug** the issue. On the long term it's better to learn how to think than to just get a solution that simply _works_ but you don't know how and why. – Cristian Rusanu Feb 07 '22 at 19:14
1

I added both the `daemon.json` and updated the symlink on the host but my containers still have an invalid `/etc/resolve.conf`. I've restarted my machine and run `docker-compose down && docker-compose up` to no avail. Any ideas what might be going on? – Paymahn Moghadasian Mar 09 '22 at 16:48
THANK YOU!! - #1 solved the issue for me. Using Manjaro on RPI4 and docker 20.10.17 – Martins Aug 29 '22 at 19:20

score 164 · Accepted Answer · edited Nov 03 '20 at 02:54

164

Fixed by following this advice:

[...] can you try to reset everything?

pkill docker
iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0
docker -d

It will force docker to recreate the bridge and reinit all the network rules

https://github.com/dotcloud/docker/issues/866#issuecomment-19218300

Seems the interface was 'hung' somehow.

Update for more recent versions of docker:

The above answer might still get the job done for you but it has been quite a long time since this answer was posted and docker is more polished now so make sure you try these first before going into mangling with iptables and all.

sudo service docker restart or (if you are in a linux distro that does not use upstart) sudo systemctl restart docker

edited Nov 03 '20 at 02:54

caxcaxcoatl

8,472
1
13
21

answered Dec 06 '13 at 18:27

Romeo Mihalcea

9,714
12
50
102

51

`docker -d` fails. There is no `-d` flag. – Luís de Sousa Dec 04 '17 at 16:09
1

For those still having the issue, there's an open issue on Moby's github that has been opened for over a year now: https://github.com/moby/moby/issues/26567 – Nepoxx Jan 30 '18 at 18:42
This bug/problem still exists, even on CentOS 7 X86_64 with `docker 18.03.1-ce` installed from official docker repository on `CentOS Linux release 7.5.1804 (Core)` with `3.10.0-862.3.2.el7.x86_64` kernel. Your answer helped me to solve this stupid bug! `docker -d` does not work anymore. I ran `systemctl start docker` instead. – IAmAliYousefi Jun 23 '18 at 08:28
4

@Pawan: `ip link del docker0` – drewrockshard Aug 01 '18 at 06:15
1

or install bridge-utils – cjdcordeiro Nov 06 '18 at 10:53
18

`docker -d` doesn't exist in newer versions. Instead: `service docker stop`, then `dockerd`, then `service docker start` – Telmo Marques Apr 05 '19 at 16:07
This works but I have to run it every boot - any way around that? – GuySoft Jun 16 '19 at 11:17
`docker -d` is not a valid command. For some, you'll need to run `sudo systemctl restart docker`. – charj Jul 03 '19 at 11:01
1

service docker restart – Roel Van de Paar May 06 '20 at 05:02
1

Ubuntu 16. - sudo systemctl restart docker. This's enough for my case – Mr Special Oct 09 '20 at 08:05
I just enabled the host firewall, which was disabled, which caused docker to not connect to the internet, as expected. So I disabled it again to make it work, for the meantime till I figure out the right firewall rules for docker. At this point 'sudo service docker restart' was required, without which containers were not having internet. – merlachandra Jul 14 '21 at 07:00

bitmask · Answer 3 · 2021-11-20T08:27:57.293

88

The intended way to restart docker is not to do it manually but use the service or systemctl command:

service docker restart

or

systemctl restart docker

edited Nov 20 '21 at 08:27

answered Jan 22 '15 at 10:30

bitmask

32,434
14
99
159

8

if you are in a linux distro that does not use upstart, sudo systemctl restart docker worked for me – jeffrey Mar 16 '16 at 17:31
1

restarting worked fine. I don't know if it has to do with the fact that I enabled it to "auto start" (`systemctl enable docker`) – Lucas Pottersky Apr 06 '16 at 17:53
2

It kinda does, because in the situation OP is describing, resetting docker reinitialises the network interfaces, hence reenabling internet access. It is true that this does not address WHY it sometimes breaks, but it provides a solution to the problem. – bitmask Oct 02 '18 at 19:59
But in production environment, restart docker is impossible. How to solve the problem on this case? – Suyanhanx Dec 23 '18 at 07:20
simple restart fixed problem – jmp Mar 31 '19 at 12:22
A restart worked for me. @Suyanhanx good question. – Felipe Jul 19 '22 at 08:14
1

Thank god I tried this before messing w/ DNS and mangling IP tables. Works in Aug 2023 – GavinBelson Aug 15 '23 at 14:50

score 26 · Answer 4 · edited May 24 '23 at 04:55

26

Tried all answers, none worked for me.

After trying everything else I could find, this did the trick:

reboot

edited May 24 '23 at 04:55

LinFelix

1,026
1
13
23

answered Jul 21 '21 at 18:15

Mauro

3,946
2
27
41

9

This is a ridiculous answer to upvote but I just did ... I spent hours trying to figure out why bizarre things were happening only to discover that my containers using a "bridge" network couldn't access any internet (not just DNS). After many answers above this one I rebooted and the problem is gone. Sigh. – Neil C. Obremski Apr 05 '22 at 20:35
7

I know, it felt even more ridiculous to post it. It's called the Windows technique. – Mauro Apr 06 '22 at 12:26
1

I spent >4 hours tonight trying this and that, having doubts that the changes I did to some docker compose scripts were wrong and this morning I thought what the hell, and rebooted. Now it works again. Tnx – Dietrich Sep 18 '22 at 10:08
I had no internet in my container created by docker-compose. Reboot of server solved it. I still don't know the root cause, but it was something that affected the networking rules in between, because I had older containers started with similar image/compose configuration and they still worked. – CRK Dec 17 '22 at 11:13
1

I tried everything else first because I didn't want to resort to the Windows Technique... I just wasted time. don't make my mistake, reboot first, then think :D – caesarsol May 26 '23 at 21:55

score 22 · Answer 5 · answered Feb 18 '16 at 12:58

22

Updating this question with an answer for OSX (using Docker Machine)

If you are running Docker on OSX using Docker Machine, then the following worked for me:

docker-machine restart

<...wait for it to restart, which takes up to a minute...>

docker-machine env
eval $(docker-machine env)

Then (at least in my experience), if you ping google.com from a container all will be well.

answered Feb 18 '16 at 12:58

lefthandme

373
2
5

Also worked in windows to get network access working again. – Mikael Lepistö May 28 '18 at 10:33
1

That worked for me. I have a docker-icon in the top menu bar, in the menu I had a "restart" option. After that, networking was fine again – olidem Oct 18 '18 at 10:44

score 16 · Answer 6 · 2019-03-26T00:04:28.433

16

I do not know what I am doing but that worked for me :

OTHER_BRIDGE=br-xxxxx # this is the other random docker bridge (`ip addr` to find)    
service docker stop

ip link set dev $OTHER_BRIDGE down
ip link set dev docker0 down
ip link delete $OTHER_BRIDGE type bridge
ip link delete docker0 type bridge
service docker start && service docker stop

iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
iptables -t nat -A POSTROUTING ! -o docker0 -s 172.18.0.0/16 -j MASQUERADE

service docker start

edited Mar 26 '19 at 00:04

answered Mar 25 '19 at 23:54

2

nice duct tape ! – Mar 25 '19 at 23:56
2

You answer helped to solve similar issue. I spent hours on that! After incomplete Kubespray installation, Docker containers lost internet with the message "Temporary failure resolving" when trying to ping any public host or IP. So I didn't have this rule which is mandatory - `iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE` . You can check if you have this rule with `iptables -t nat -L POSTROUTING` – laimison Dec 16 '19 at 14:15
whatever this problem is I hate it. I hate it so much lol. Docker never connects to the internet on startup but if I run these things it magically works. Until the next reboot... – Brian Leishman Jun 24 '21 at 14:21
Auto grab the first bridge id with `OTHER_BRIDGE=$(ip addr | grep -E -m 1 -o 'br-[0-9a-f]+')` – Brian Leishman Sep 28 '21 at 15:13

score 8 · Answer 7 · answered Jun 15 '16 at 09:18

I was using DOCKER_OPTS="--dns 8.8.8.8" and later discovered and that my container didn't have direct access to internet but could access my corporate intranet. I changed DOCKER_OPTS to the following:

DOCKER_OPTS="--dns <internal_corporate_dns_address"

replacing internal_corporate_dns_address with the IP address or FQDN of our DNS and restarted docker using

sudo service docker restart

and then spawned my container and checked that it had access to internet.

Simon A. Eugster · Answer 8 · 2017-11-03T08:15:52.143

8

No internet access can also be caused by missing proxy settings. In that case, --network host may not work either. The proxy can be configured by setting the environment variables http_proxy and https_proxy:

docker run -e "http_proxy=YOUR-PROXY" \
           -e "https_proxy=YOUR-PROXY"\
           -e "no_proxy=localhost,127.0.0.1" ...

Do not forget to set no_proxy as well, or all requests (including those to localhost) will go through the proxy.

More information: Proxy Settings in the Archlinux Wiki.

edited Nov 03 '17 at 08:15

answered Nov 03 '17 at 07:52

Simon A. Eugster

4,114
4
36
31

1

This was the solution for me. Beware though: I was using alpine, which has a busybox implementation of wget that appears to ignore the proxy settings, so I wasn't seeing the benefit of having the environment variables set. – pelson Dec 04 '17 at 17:01
Thanks for the hint about busybox; I did not know about it yet! – Simon A. Eugster Dec 06 '17 at 09:54
1

be aware that some os need upper case like in the documentation [link](https://docs.docker.com/network/proxy/#use-environment-variables). – Flo Feb 14 '20 at 14:33
This syntax gave me `docker: invalid reference format.` I think the correct one was in the link mentioned by @Flo : `-e HTTP_PROXY="proxy.."... ` Also, the `\\` to distribute into multiple lines gives a similar error – Bersan May 13 '21 at 14:27
@Bersan This is probably a shell specific issue, the above command works in Bash, which shell are you in? – Simon A. Eugster Jan 07 '23 at 07:03

score 6 · Answer 9 · answered Feb 24 '19 at 04:37

I was stumped when this happened randomly for me for one of my containers, while the other containers were fine. The container was attached to at least one non-internal network, so there was nothing wrong with the Compose definition. Restarting the VM / docker daemon did not help. It was also not a DNS issue because the container could not even ping an external IP. What solved it for me was to recreate the docker network(s). In my case, docker-compose down && docker-compose up worked.

Compose

This forces the recreation of all networks of all the containers:

docker-compose down && docker-compose up

Swarm mode

I suppose you just remove and recreate the service, which recreates the service's network(s):

docker service rm some-service

docker service create ...

If the container's network(s) are external

Simply remove and recreate the external networks of that service:

docker network rm some-external-network

docker network create some-external-network

score 6 · Answer 10 · answered Aug 16 '21 at 09:01

6

Other answers have stated that the docker0 interface (bridge) can be the source of the problem. On Ubuntu 20.04 I observed that the interface was missing its IP address (to be checked with ip addr show dev docker0). Restarting Docker alone did not help. I had to delete the bridge interface manually.

sudo ip link delete docker0
sudo systemctl restart docker

answered Aug 16 '21 at 09:01

code_onkel

2,759
1
16
31

In my case (Synology NAS DS220+), not even this helped. I had to restart the NAS to fix it. – meridius Dec 13 '22 at 16:02

score 5 · Answer 11 · answered May 01 '15 at 21:44

5

For me it was the host's firewall. I had to allow DNS on the host's firewall. And also had to restart docker after changing the host firewall setting.

answered May 01 '15 at 21:44

Adrian Gunawan

13,979
11
40
41

Or you could disable the iptables by `sudo service iptables stop` and `sudo chkconfig iptables off` (on CentOS/RHEL). – MichaelZ Aug 17 '15 at 02:19

score 5 · Answer 12 · answered Feb 05 '20 at 11:00

5

for me, my problem was because of iptables-services was not installed, this worked for me (CentOS):

sudo yum install iptables-services
sudo service docker restart

answered Feb 05 '20 at 11:00

Viet Hoang

124
1
4

remember start and enable iptable services too – Jay Jul 12 '20 at 18:51
also works on red hat 7.3 – Jasti Sri Radhe Shyam Sep 20 '21 at 15:05

score 5 · Answer 13 · answered Feb 03 '21 at 05:59

5

Sharing a simple and working solution for posterity. When we run a docker container without explicitly mentioning the --network flag, it connects to its default bridge network which prohibits connecting to the outside world. To resolve this issue, we have to create our own bridge network(user-defined bridge) and have to explicitly mention it with the docker run command.

docker network create --driver bridge mynetwork
docker run -it --network mynetwork image:version

answered Feb 03 '21 at 05:59

Prasanth Rajendran

4,570
2
42
59

We had something like this - we reconfigured a machine to have NAT but the bridge was stuck. – Tim Baverstock May 24 '23 at 10:04
see also: https://superuser.com/questions/1130898/no-internet-connection-inside-docker-containers/1582710#1582710 – n0099 Jul 18 '23 at 13:23

score 5 · Answer 14 · answered Feb 01 '22 at 11:07

it help me:

sudo ip link delete docker0
sudo systemctl stop docker.socket
sudo systemctl stop docker.service

sudo systemctl start docker.socket
sudo systemctl start docker.service

NOTE: after this, interface docker0 must have ip adress smth like that:

inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0

score 4 · Answer 15 · edited Aug 29 '17 at 13:28

4

You may have started your docker with dns options --dns 172.x.x.x

I had the same error and removed the options from /etc/default/docker

The lines:

# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="--dns 172.x.x.x"

edited Aug 29 '17 at 13:28

knb

9,138
4
58
85

answered May 03 '16 at 14:47

Thami Bouchnafa

1,987
1
15
21

score 4 · Answer 16 · answered Jul 12 '20 at 06:09

4

On centos 8, My problem was that I did not install & start iptables before starting docker service. Make sure iptables service is up and running before you start docker service.

answered Jul 12 '20 at 06:09

Rajesh Guptan

237
2
3

I had the same issue on centos8 – Martin Barth Sep 07 '20 at 17:04

score 3 · Answer 17 · answered Mar 29 '16 at 00:30

3

If you're on OSX, you might need to restart your machine after installing Docker. This has been an issue at times.

answered Mar 29 '16 at 00:30

Will Stern

17,181
5
36
22

score 3 · Answer 18 · answered Sep 30 '16 at 23:43

3

For me it was an iptables forwarding rule. For some reason the following rule, when coupled with docker's iptables rules, caused all outbound traffic from containers to hit localhost:8080:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

answered Sep 30 '16 at 23:43

brandones

1,847
2
18
36

3

So...what's the solution? :) I have the first rule and need it to redirect inbound traffic on 80 to 8080. How do I change this to not affect outbound traffic? – mrooney Mar 26 '17 at 22:14
Sorry, my memory of iptables is faded, but in my setup script I see `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080` as the very last line, after the defaults (`iptables -P INPUT DROP` etc). No OUTPUT...REDIRECT line. – brandones Aug 05 '20 at 00:57

score 3 · Answer 19 · answered May 10 '18 at 11:39

I had the problem on Ubuntu 18.04. However the problem was with the DNS. I was in a corporate network that has its own DNS server and block other DNS servers. This is to block some websites (porn, torrents, ... so on )

To resolve your problem

find your DNS on host machine
use --dns your_dns as suggested by @jobin

docker run --dns your_dns -it --name cowsay --hostname cowsay debian bash

score 3 · Answer 20 · answered Jun 10 '19 at 16:04

3

For Ubuntu 19.04 using openconnect 8.3 for VPN, I had to symlink /etc/resolve.conf to the one in systemd (opposite of answerby wisbucky )

sudo ln -sf /etc/resolv.conf /run/systemd/resolve/resolv.conf

Steps to debug

Connect to Company VPN
Look for correct VPN settings in either /etc/resolv.conf or /run/systemd/resolve/resolv.conf
Whichever has the correct DNS settings, we'll symlink that to the other file ( Hint: Place one with correct settings on the left of assignment )

Docker version: Docker version 19.03.0-rc2, build f97efcc

answered Jun 10 '19 at 16:04

Jeff Beagley

945
9
19

2

Thank you. With Ubuntu 18.04, upon connecting to company VPN only the /etc/resolve.conf was getting updated by the DHCP and the /run/systemd/resolve/resolve/conf remained constant/static. This solution helped. Now, containers in local machine connect to servers in VPN (which was not happening earler for me) – nashter Mar 25 '20 at 20:33

score 3 · Answer 21 · answered Jun 01 '20 at 09:00

3

for me, using centos 7.4, it was not issue of /etc/resolve.conf, iptables, iptables nat rules nor docker itself. The issue is the host missing the package bridge-utils which docker require to build the bridge using command brctl. yum install -y bridge-utils and restart docker, solve the problem.

answered Jun 01 '20 at 09:00

Jasonw

5,054
7
43
48

1

which is why I upvoted it. But my remark was meant as a gentle reminder that cause and defect are sometimes a bit apart and that filing a ticket could help solve it for others, even though the first instinct would be to work around the underlying issue. – 0xC0000022L Dec 15 '20 at 15:22

score 2 · Answer 22 · answered Oct 27 '16 at 15:57

2

On windows (8.1) I killed the virtualbox interface (via taskmgr) and it solved the issue.

answered Oct 27 '16 at 15:57

Eli

707
8
16

Achintya Ashok · Answer 23 · 2018-04-03T03:10:35.327

Originally my docker container was able to reach the external internet (This is a docker service/container running on an Amazon EC2).

Since my app is an API, I followed up the creation of my container (it succeeded in pulling all the packages it needed) with updating my IP Tables to route all traffic from port 80 to the port that my API (running on docker) was listening on.

Then, later when I tried rebuilding the container it failed. After much struggle, I discovered that my previous step (setting the IPTable port forwarding rule) messed up the docker's external networking capability.

Solution: Stop your IPTable service:

sudo service iptables stop

Restart The Docker Daemon:

sudo service docker restart

Then, try rebuilding your container. Hope this helps.

Follow Up

I completely overlooked that I did not need to mess with the IP Tables to forward incoming traffic to 80 to the port that the API running on docker was running on. Instead, I just aliased port 80 to the port the API in docker was running on:

docker run -d -p 80:<api_port> <image>:<tag> <command to start api>

In my case, I just have to restart docker Daemon, and it works — okante, Aug 18 '20 at 00:38

score 2 · Answer 24 · answered Nov 04 '21 at 15:32

2

I've tried most answers in here, but the only thing that worked was re-creating the network:

$ docker network rm the-network
$ docker network create --driver=bridge the-network

I also needed to re-create the docker container that used it:

$ sudo docker create --name the-name --network the-network

Then it started with internet access.

answered Nov 04 '21 at 15:32

mythz

141,670
29
246
390

see also: https://superuser.com/questions/1130898/no-internet-connection-inside-docker-containers/1582710#1582710 – n0099 Jul 18 '23 at 13:23

score 2 · Answer 25 · answered Dec 22 '21 at 16:37

I am on Arch Linux and after trying all the above answers I realized that I had a firewall enabled in my machine, nftables, and disabling it did the trick. I did :

sudo systemctl disable nftables
sudo systemctl stop nftables
sudo reboot

My network cards:

➜  ~ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 68:f7:28:84:e7:fe brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether d0:7e:35:d2:42:6d brd ff:ff:ff:ff:ff:ff
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:43:3f:ff:94 brd ff:ff:ff:ff:ff:ff
5: br-c51881f83e32: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:ae:34:49:c3 brd ff:ff:ff:ff:ff:ff
6: br-c5b2a1d25a86: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:72:d3:6f:4d brd ff:ff:ff:ff:ff:ff
8: veth56f42a2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether 8e:70:36:10:4e:83 brd ff:ff:ff:ff:ff:ff link-netnsid 0

and my firewal configuration, /etc/nftables.conf, which I now disabled and will futurely try to improve so I can have the docker0 network card rules setup correctly:

#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

table inet filter
delete table inet filter
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    #tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy drop
  }

Thanks for posting this. I'm also on arch and using nftables, and this was all I needed to do. I _had_ already stopped and disabled nftables, but the changes didn't affect docker until I rebooted in full. — covert, Jun 29 '23 at 23:12

score 1 · Answer 26 · answered Oct 16 '18 at 11:16

1

Just adding this here in case someone runs into this issue within a virtualbox container running docker. I reconfigured the virtualbox network to bridged instead of nat, and the problem went away.

answered Oct 16 '18 at 11:16

thorie

160
1
7

score 1 · Answer 27 · answered Jun 23 '21 at 02:44

There are lot of good answer already. I faced similar problem in my orange pi pc running armbian recently. Docker container was blocked to internet. This command solve the problem in my case. So I like to share it

docker run --security-opt seccomp=unconfined imageName

score 1 · Answer 28 · answered Jun 29 '22 at 21:01

The only thing that works on my computer (which 8.8.8.8 didn't work)

find out the dns used in your local machine:

$ netstat -ntpl | grep :53
tcp        0      0 10.194.128.1:53         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.2.1:53            0.0.0.0:*               LISTEN      -

modify your docker config sudo vim /etc/docker/daemon.json based on the information above on your own computer

{
  "dns": ["192.168.122.1","10.194.128.1"]
}

restart docker

sudo ip link delete docker0
sudo systemctl restart docker

XD this one the only answer works for me, apparently I was the one that answer it in the past XD — Kokizzu, Apr 14 '23 at 18:40

score 1 · Answer 29 · answered Jul 27 '22 at 12:21

If you're running Docker rootless and facing this issue, during its installation, iptables may not be configured properly, mainly because of using --skip-iptables option when Docker complained about iptables:

[ERROR] Missing system requirements. Run the following commands to
[ERROR] install the requirements and run this tool again.
[ERROR] Alternatively iptables checks can be disabled with --skip-iptables .

########## BEGIN ##########
sudo sh -eux <<EOF
# Load ip_tables module
modprobe ip_tables
EOF
########## END ##########

Let's check if this is the issue: is ip_tables kernel module loaded?

sudo modprobe ip_tables

If there is no output, this answer may not help you (you could try anyway). Otherwise, the output's something like this:

modprobe: FATAL: Module ip_tables not found in directory /lib/modules/5.18.9-200.fc36.x86_64

Let's fix it!

First, uninstall Docker rootless (no need to stop the service via systemctl, the script handles that):

dockerd-rootless-setuptool.sh uninstall --skip-iptables

Ensure iptables package is installed, although it's shipped by default by major distributions.

Now, make ip_tables module visible to modprobe and install it (thanks to this):

sudo depmod
sudo modprobe ip_tables

Now, re-install Docker rootless:

dockerd-rootless-setuptool.sh install

If it doesn't bother about iptables, you're done and problem should be fixed. Don't forget to enable the service (i.e. systemctl enable --user --now docker)!

score 1 · Answer 30 · answered Nov 29 '22 at 17:46

For me iwas facing the same issue as user of redhat/centos/fedora using podman

firewall-cmd --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-masquerade

for more firewalld and podman (or docker) – no internet in the container and could not resolve host

MKM · Answer 31 · 2023-06-07T05:46:45.057

1

As we know, the default bridge is built on a different docker0 interface and its IP is different from the main IP of the system.

To access the Internet, after reaching the gateway related to docker0, the packet must follow the path from the main gateway of the system, but this packet transfer is not possible because in the Arch operating system has a package that installed along with Docker that controls the connections, the name of this package is nftables.

To solve the problem I did this (You can have better settings for nftables):

1- First, I ran sudo vim /etc/nftables.conf and opened the configuration file

2- In the section below, I changed the chain forward and allow access for docker0 interface (thanks to @Lenar Hoyt).

chain forward {
    type filter hook forward priority filter
    policy drop
    
    ct state { established, related } accept
    ct state invalid drop
    iif docker0 accept
  }

3- In the last step, we execute these two commands

sudo systemctl restart nftables
sudo systemctl restart docker

edited Jun 07 '23 at 05:46

answered May 28 '23 at 22:19

MKM

503
1
7
16

1

Wouldn't that allow any ingress to be routed to the container? – Lenar Hoyt Jun 03 '23 at 09:53
You are right, the problem is due to nftables and more precise settings can be made to fix the problem! – MKM Jun 04 '23 at 10:20
1

These rules in the forward chain with `policy drop` should do the trick: `ct state established,related accept; ct state invalid; iif docker0 accept`. This then only allows routed packages originating from `docker0` and any subsequent ("established") ingress. – Lenar Hoyt Jun 04 '23 at 21:30
1

Oops, it should be `ct state invalid drop`. Not sure why this is required (because invalid/untracked packets should be dropped by not matching any rule), but this line is pretty much ubiquitous, see e.g. the bottommost script here: https://openwrt.org/docs/guide-user/firewall/misc/nftables – Lenar Hoyt Jun 06 '23 at 09:30

score 1 · Answer 32 · answered Jun 16 '23 at 09:33

I encountered this issue, it turned out to be the Docker + iptables conflict when the networking was set to host. The host could be using the newer nftables whereas Docker could still be using the iptables-legacy. This GitHub issue issues to explain the problem. Additionally, our setup was Docker-in-Docker where the container inside the container had no internet.

Verify if you have this issue

Run the following commands in your container to verify if this is the case:

ping google.com  # Should fail since your container will have no internet
iptables -L
iptables-legacy -L

If the Docker rules are not present in iptables -L command output, then the conflict exists and we need to solve it.

Solutions

Using update-alternatives to switch to iptables-legacy which would also be available in your distribution: https://wiki.debian.org/iptables#Current_status

Be sure to restart Docker after changing to iptables-legacy for this work,

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Alternative tips

If you are having this problem while building a Docker-in-Docker container then an easy workaround is to build using --network=host.
Bash solution to solve the conflict: https://github.com/garutilorenzo/iptables-docker if nothing works. Haven't tried, let me know if this worked for you.

score 0 · Answer 33 · answered Jun 27 '19 at 10:34

I also encountered such an issue while trying to set up a project using Docker-Compose on Ubuntu.

The Docker had no access to internet at all, when I tried to ping any IP address or nslookup some URL - it failed all the time.

I tried all the possible solutions with DNS resolution described above to no avail.

I spent the whole day trying to find out what the heck is going on, and finally found out that the cause of all the trouble was the antivirus, in particular it's firewall which for some reason blocked Docker from getting the IP address and port.

When I disabled it - everything worked fine.

So, if you have an antivirus installed and nothing helps fix the issue - the problem could be the firewall of the antivirus.

score 0 · Answer 34 · answered Sep 21 '19 at 11:55

I've had a similar problem for the last few days. For me the cause was a combination of systemd, docker and my hosting provider. I'm running up-to-date CentOS (7.7.1908).

My hosting provider automatically generates a config file for systemd-networkd. Starting with systemd 219 which is the current version for CentOS 7, systemd-networkd took control of network-related sysctl parameters. Docker seems to be incompatible with this version and will reset the IP-Forwarding flags everytime a container is launched.

My solution was to add IPForward=true in the [Network]-section of my provider-generated config file. This file might be in several places, most likely in /etc/systemd/network.

The process is also described in the official docker docs: https://docs.docker.com/v17.09/engine/installation/linux/linux-postinstall/#ip-forwarding-problems

Could you please specify the exact location that you have set this parameter? I'm having the exact same location as you, running a VM on Google Cloud Platform and couldn't find any *.network files on the server. Only on `/usr/lib/sysctl.d/50-default.conf` but the syntax is different. — el.severo, Sep 22 '19 at 01:07
My cluster is self-managed and my provider only does basic bootstrapping on setup. The network configuration was at `/etc/systemd/network/10-mainif.network` for me. Other places you might check are `/usr/local/lib/systemd/` and `/usr/lib/systemd/` as per systemd manpage. — BlackCetha, Sep 22 '19 at 09:51

Arihant Jain · Answer 35 · 2021-12-20T11:42:23.693

After struggling for hours I finally solved my problem

The issue was of linux using old version of libseccomp2

Get signing keys to verify the new packages, otherwise they will not install

rpi ~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 04EE7237B7D453EC 648ACFD622F3D138

Add the Buster backport repository to apt sources.list

rpi ~$ echo 'deb http://httpredir.debian.org/debian buster-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list.d/debian-backports.list

rpi ~$ sudo apt update
rpi ~$ sudo apt install libseccomp2 -t buster-backports

After this try

rpi ~$ docker run -it --rm alpine:3.15.0
(alpine shell)# apk update

apk update will fetch and hence your are connected to internet

I was using

Linux raspberrypi 5.10.63-v7l+ #1496 SMP Wed Dec 1 15:58:56 GMT 2021 armv7l GNU/Linux

you may check using uname -a

score 0 · Answer 36 · answered May 12 '22 at 12:48

In my case, for some unknown reason, docker was configured (by someone else) to not generate the iptables rules containers need for networking. The docker container could only ping the host, nothing else. Most answers here did not help; recreating the bridge nor restarting the service changed anything.

But then, by pure chance, I found the following:

$ cat /etc/docker/daemon.json
{"iptables": false}

I deleted the file /etc/docker/daemon.json and restarted the daemon (default is to create the iptables rules). This solved the networking problem.

Below, the iptables rules before the fix:

$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now, the iptables rules after the fix:

$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

score 0 · Answer 37 · answered Aug 12 '23 at 21:17

I just solve that problem, my container $container didn't have internet connection but it wasn't nothing to do with DNS because not even ping 8.8.8.8 was working. For a unknown reason the traffic of the container wasn't forwarding to my physical gateway so it wasn't out of my host/PC. So, I just add a masquerade rule for NAT:

Get virtual container bridge name:

network_name=$(docker inspect --format '{{ range $key, $value := .NetworkSettings.Networks }}{{ $key }}{{ end }}' $container)
etwork_id=$(docker network inspect -f {{.Id}} $network_name)
bridge_name="br-${network_id:0:12}"

Obtain IP network address of the virtual bridge:

IP=$(ip addr show $bridge_name | grep 'inet ' | awk '{print $2}')

Masquerade all outgoing traffic from the $IP subnet:

sudo iptables -t nat -A POSTROUTING ! -o $bridge_name -s $IP -j MASQUERADE

Check it:

user@host:~$ docker exec -u 0 -it $container /bin/bash 
root@772bc683889a:/var/www/html# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=12.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=9.50 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=4.98 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 4.979/8.850/12.070/2.931 m