no internet inside docker-compose service

Question

I cannot reach external network from docker-compose containers.

Consider the following docker-compose file:

version: '2'
services:
    nginx:
      image: nginx

Using the simple docker run -it nginx bash I manage to reach external IPs or Internet IPs (ping www.google.com).

On the other hand if I use docker-compose and attach to the container, I cannot reach external IP addresses / DNS.

docker info:

Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.12.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 7
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-38-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.859 GiB
Name: ***
ID: ****
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8

docker-compose 1.8.1, build 878cff1

daemon.json file:

{
  "iptables" : false,
  "dns" : ["8.8.8.8","8.8.4.4"]
}

Do you use `docker exec -it ping google.com` ? That should work. — Bernard, Oct 05 '16 at 11:17
Did you looked into networks? What is _docker network inspect bridge_ showing? Assuming 'bridge' is default network. — aholbreich, Mar 03 '17 at 13:56

peedee · Answer 1 · 2018-12-21T14:46:08.017

9

The last time I had a problem like that, I solved it like this:

https://github.com/docker/docker/issues/866#issuecomment-19218300

pkill docker
iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0
docker -d

It will force docker to recreate the bridge and reinit all the network rules.

As for reasons why this happens, I don't have good answers. But I did recently trace the problem back to journald. When I restart journald (for example because I changed its config), DNS resolution inside docker-compose containers consistently/reproducibly breaks. I don't know why exactly, I can only say that this is a reliable way for me to reproduce it on RHEL.

EDIT The docker -d command might not work for you based on the version of docker you are using but don't worry about it, you can omit that command.

edited Dec 21 '18 at 14:46

answered May 04 '17 at 01:34

peedee

3,257
3
24
42

3

`ip link del docker0` if you're not using ifconfig, which you probably aren't in 2020. – Chaim Eliyah Sep 08 '20 at 05:05
Thanks @ChaimEliyah that helped me, but now I get this for `brctl delbr docker0 ` -> ` Command "brctl" not found, but can be installed with:` – Zaffer Dec 31 '21 at 14:32
@Zaffer My guess is you're using a system that doesn't include brctl by default. Linux is assumed here. – Chaim Eliyah Jan 05 '22 at 17:29
If Linux is assumed, it needs to also be assumed bridge-utils is not installed by default. Run yum install bridge-utils, or if you're using that Debain stuff, run apt-get install bridge-utils – Midiman Mar 15 '22 at 22:01
Please DON'T run 'ip link del docker0' in 2020 or any other year...it doesn't bring your configuration down, it deletes it! – Midiman Mar 15 '22 at 22:06
Try this instead: 'ip link set docker0 down'. Note that if you run brctl delbr it will delete it as well, so you then have to recreate it..something like: ip link add docker0 type bridge ip addr add "$IFADDR" dev docker0 ip link set docker0 up – Midiman Mar 15 '22 at 22:12

score 9 · Answer 2 · answered Apr 25 '18 at 02:20

9

Check /etc/default/docker to ensure it doesn't have the following line:

DOCKER_OPTS="--iptables=false"

Also check /etc/docker/daemon.json to ensure it doesn't have the following key:

{
"iptables":false
}

We added this on one server to get UFW working with docker. We then changed to an external firewall. Spent ages looking for the reason external networking wasn't working because it was removed from our deploy guide. Hope this helps someone else.

answered Apr 25 '18 at 02:20

cornernote

1,055
1
12
20

Thanks this helped me. A while ago I'd noticed docker was leaving ports open on the host, and overriding ufw. I had disabled iptables as per this: [link](https://fralef.me/docker-and-iptables.html) Reversing this enabled container networking again. – Giablo Mar 05 '19 at 03:36

score 3 · Answer 3 · answered Jun 22 '21 at 16:53

I just ran into this. Running any container with docker run -it <image> bash, I was able to do anything network related that I needed, but attaching to a container started through docker-compose with docker exec -it <conatiner> bash could run nothing. Even apt-get would fail with a "temporary failure in name resolution error."

I found that adding network_mode: "bridge" to each service would enable external networking in each container, at the expense of attaching everything to the default docker network. I wanted to keep the stack isolated though, so set about an alternative solution.

I ran docker inspect network bridge to view the default network, and the same with my stack network. The only significant differences I found were a difference in subnet/gateway (which I believe is to be expected, however the IPs listed differed significantly, 192.* vs 172.*), and that the default network had several options that were not present in the stack network:

"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"

I was able to isolate it to "com.docker.network.bridge.default_bridge": "true", however this broke networking for containers outside the stack, to the point where I eventually had to completely remove and reinstall docker. I'm assuming the docker daemon gets confused with two networks marked as default and is unable to resolve it, even after removing the stack network.

One thing I noticed after doing that though was that the subnet and getway were just off by one from the default adapter. I verified that removing the above option reverted the subnet and gateway to what I saw originally, which it did. I then used this network config in my compose file:

networks:
  default:
    driver: "bridge"
    ipam:
      driver: default
      config:
        - subnet: X.X.0.0/16

Where the first value of the subnet was the same as the default bridge adapater, and the second value was plus one. And that at least got everything working fine, sans the default adapter still being broken.

Interestingly enough, when I went to reinstall docker to try and repair the default network, I basically ran the following after looking at the docker compose network documentation for external networking.

sudo snap remove docker
sudo sysctl net.ipv4.conf.all.forwarding=1
sudo iptables -P FORWARD ACCEPT
sudo snap install docker

And a subsequent docker-compose up -d with the network settings removed resulted in the same subnet IP that I had defined earlier without having the config present for it. I believe the underlying issue is simply that something was preventing the docker daemon from properly finding an available, valid subnet, and once that is resolved everything should again work out of the box.

Thanks for the detailed investigation here! We ran into the exact same symptoms today (Ubuntu 22.04.1, Docker installed through `snap`) and in our case the solution was... to reboot. — DomQ, Nov 04 '22 at 09:31
@DomQ same thing here, after spending hours on this, I read your comment and decided to reboot and it worked. — Imad, Dec 14 '22 at 15:31

score 0 · Answer 4 · edited May 23 '17 at 11:54

0

Docker containers has the ability to access internet by default. Here is how I solved the problem last week: docker container can only access internet with net host

Or you just let the container in host mode:

version: '2'
service:
  nginx:
    image: nginx
    network_mode: host

But as @peedee pointed out on comment, this solution will lost network separation between host and containers.

edited May 23 '17 at 11:54

Community

1
1

answered May 03 '17 at 22:50

Gao Shenghan

359
5
11

1

By doing this you lose all separation between the host and the container. – peedee May 04 '17 at 01:31
@peedee Yes, I have to admit this. I checked the compose file for [faas](get-faas.com) project, it just use overlay network and seems should be able to access internet. But I couldn't do this in my computer. – Gao Shenghan May 05 '17 at 18:40
4

From the Docker documentation: "Note: --network="host" gives the container full access to local system services such as D-bus and is therefore considered insecure." – kewne Jul 12 '17 at 12:37

score 0 · Answer 5 · edited Jul 18 '17 at 15:25

The image nginx you are pulling doesn't have ping installed by default. So if you are really using ping to test your connection, you must first install it.

I created a custom Dockerfile to have it installed:

FROM nginx:latest
RUN apt update && apt -y install iputils-ping

Then I built it locally and tagged as mynginx.

Then I changed docker-compose.yml to use the custom image mynginx:

version: '2'
services:
  nginx:
    image: mynginx

Finally, I fired docker-compose up, and did a docker exec into it, and tested ping. All worked just fine. I also did docker run -ti ... and it worked.

What bugs me on your question is how docker run can give you a container with different behaviour than if created by docker-compose up.

More clarity on how you check internet access would be helpful though.

score -1 · Answer 6 · answered Jul 19 '21 at 05:06

-1

In my case I had docker installed via snap, after removing it and installing by following instructions from the official website it started to work normally.

answered Jul 19 '21 at 05:06

Dmitrij Kultasev

5,447
5
44
88

no internet inside docker-compose service

6 Answers6

Linked