Docker containers with bridge network cannot ping anything (even default gateway)

Question

I cannot ping anything from containers using bridge networking (example: docker run --network bridge --rm -it bash ping 8.8.8.8). Not even the default gateway of the container.

ip route from inside container:

bash-5.1# ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 scope link  src 172.17.0.2

ip link from my machine:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 6c:02:e0:77:5a:c1 brd ff:ff:ff:ff:ff:ff
    altname enp16s0
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether a4:97:b1:86:f9:6b brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
    link/ether 02:42:bd:d0:fb:cc brd ff:ff:ff:ff:ff:ff
6: veth40b832a@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether ba:e5:3a:88:e4:67 brd ff:ff:ff:ff:ff:ff link-netnsid 0

The docker0 interface stays down even if containers are running.

brctl shows that the container interfaces don't get bridged to docker0:

bridge name bridge id       STP enabled interfaces
docker0     8000.0242bdd0fbcc   no

Here's the output of iptables -S -t nat:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN

So far I've tried reinstalling docker and switching between iptables and nftables with iptables-nft. The whole issue started when I tried running a k3d example cluster. I'm running everything on Arch using the official packages.

GENERAL IPTABLES SUPPORT IS OFF-TOPIC. Support questions may be asked on https://superuser.com. — Rob, Jun 09 '21 at 21:18

score 4 · Accepted Answer · answered Jun 09 '21 at 10:27

I finally figured it out

Both NetworkManager and systemd-networkd were running on my system, which messed with the interface IPs via multiple DHCP services. That caused bridge networking not to work as well, which in turn messed with the containers traffic.

Pro tip: don't run multiple daemons trying to do the same thing

score 0 · Answer 2 · answered Jun 07 '21 at 20:14

0

Check
cat /etc/sysctl.conf
if you have
net.ipv4.ip_forward=1

answered Jun 07 '21 at 20:14

ukro

19
4

I don't have that file. Checked with `sysctl net.ipv4.ip_forward` and its set to 1: `net.ipv4.ip_forward = 1` – Hristo Kamenov Jun 07 '21 at 20:35
Check https://stackoverflow.com/questions/31324981/how-to-access-host-port-from-docker-container – ukro Jun 07 '21 at 20:45
Tried a couple of things from the link. The IP assigned to `docker0` is `172.17.0.1`. I can ping it from my maching, but not from within containers, even though it's their default gateway. I also tried adding the `iptables` rule `iptables -A INPUT -i docker0 -j ACCEPT`. Still same situation – Hristo Kamenov Jun 07 '21 at 21:09
? https://forums.docker.com/t/accessing-host-machine-from-within-docker-container/14248/5 – ukro Jun 07 '21 at 21:23

Docker containers with bridge network cannot ping anything (even default gateway)

2 Answers2