Network unreachable inside docker container without --net=host parameter

networking docker iptables

18,780

This is the not full answer you are looking for. But I would like to give some explanation on why the internet is working

If container was started with --net=host internet would work perfectly.

Docker by default supports three networks. In this mode(HOST) container will share the host’s network stack and all interfaces from the host will be available to the container. The container’s host name will match the hostname on the host system

# docker run -it --net=host ubuntu:14.04 /bin/bash
root@labadmin-VirtualBox:/# hostname
labadmin-VirtualBox
Even the IP configuration is same as the host system's IP configuration
root@labadmin-VirtualBox:/# ip addr | grep -A 2 eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b5:82:2f brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
root@labadmin-VirtualBox:/# exit
exit

HOST SYSTEM IP CONFIGURATION

# ip addr | grep -A 2 eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b5:82:2f brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default

Refer this for more information about docker networking.

18,780

Author by

beyondfloatingpoint

Love shipping great products

Updated on June 13, 2022

Comments

beyondfloatingpoint almost 2 years

Problem: there is no internet connection in the docker container.

Symptoms: ping 8.8.8.8 doesn't work. Wireshark from host system gives back:

 19 10.866212113   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=0/0, ttl=64
 20 11.867231972   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=1/256, ttl=64
 21 12.868331353   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=2/512, ttl=64
 22 13.869400083   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=3/768, ttl=64

But! If container was started with --net=host internet would work perfectly.

What I've tried so far:

altering DNS
adding --ip-masq=true to /etc/default/docker (with restart off)
enabling everything related to masquerade / ip_forward
altering default route
everything suggested here

Host config:

$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.4.2.1      0.0.0.0         UG    0      0        0 eno1.3001
default         10.3.2.1      0.0.0.0         UG    100    0        0 eno2
10.3.2.0      *               255.255.254.0   U     100    0        0 eno2
10.4.2.0      *               255.255.254.0   U     0      0        0 eno1.3001
nerv8.i         10.3.2.1      255.255.255.255 UGH   100    0        0 eno2
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0

sudo iptables -L, cat /etc/network/interfaces, ifconfig, iptables -t nat -L -nv

Everything is fine, forwarding is also enabled:

$ sudo sysctl net.ipv4.ip_forward 
net.ipv4.ip_forward = 1

Marcell over 2 years

This didn't work for me. Plus I had to start the container with the "--privileged" option or I would get a "Read-only file system" message.