Hi,
Sorry, noob question: When I run "docker run -it alpine" I cannot ping google.com and I cannot ping 8.8.8.8 - so I probably don't have any internet at all, from inside the container (but outside I do). I don't know if it's some isolated "docker default network" stuff, if I need to start up some network stuff first - or if it's just my router configuration (could also be, there are some custom iptables-stuff, maybe this causes problems). My normal network gateway is 192.168.1.1, but docker sets the gateway to 172.17.0.1. I don't know really what I'm supposed to (or should) do. Please see output below:
$ docker run -it alpine
/ # ping google.com
ping: bad address 'google.com'
/ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 * 255.255.0.0 U 0 0 0 eth0
/ # ip -4 a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
64: eth0@if65: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
167 packets transmitted, 0 packets received, 100% packet loss
Could anyone please help me in the right direction? I would be grateful, if so, thanks!
Last edited by newsboost (2021-12-01 15:31:24)
Did you see https://wiki.archlinux.org/title/Docker … d-networkd ?
Did you see https://wiki.archlinux.org/title/Docker … d-networkd ?
I did - briefly - but it's a bit confusing and unfortunately didn't help me. Some testing output:
# This should be ok:
# sysctl -a 2>/dev/null | grep -i 'ip_forward '
net.ipv4.ip_forward = 1
# While something timed out, I got this via "dmesg":
[163303.715529] vethfb3a413: renamed from eth0
[163303.898696] device vethe5c27f2 left promiscuous mode
[163303.898721] docker0: port 1(vethe5c27f2) entered disabled state
# I don't know if it's okay that this is "not running"? But I think this is okay:
# networkctl list
WARNING: systemd-networkd is not running, output will be incomplete.
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback n/a unmanaged
2 eno1 ether n/a unmanaged
3 wlo1 wlan n/a unmanaged
4 docker0 bridge n/a unmanaged
5 br-a8bfb745edb1 bridge n/a unmanaged
37 vethc4abe04 ether n/a unmanaged
# This, I'm a bit afraid of messing with - at least I'll make a backup - do any of you change that from the default?
# cat /etc/nftables.conf
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
table inet filter
delete table inet filter
table inet filter {
chain input {
type filter hook input priority filter
policy drop
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
ip protocol icmp accept comment "allow icmp"
meta l4proto ipv6-icmp accept comment "allow icmp v6"
tcp dport ssh accept comment "allow sshd"
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
chain forward {
type filter hook forward priority filter
policy drop
}
}
But I've also messed a lot with my router, which is running some iptables rules that I think prevent traffic to/from other than 192.168.1.0/24 and 192.168.10.0/24. It's my understanding that Docker will manage the network such that my router will only see the computer that docker is running on and not "the docker machine" itself? If that is the case, I can rule out the network-stuff on the router and it must then be my local pc/docker configuration (which I thought/think should be relatively "default" as I don't remember having changed settings)... Any ideas?
Is it correct to assume that on normal installations, when people run "docker run -it alpine", then they can ping e.g. google.com on the internet without any special network setup, just by using the default settings (wherever they're stored)? If so, I must've screwed something up, somewhere :-)
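A check for the /etc/nftables.conf question in the post above, as an added example that is not part of the thread: nftables evaluates every base chain on the forward hook and a drop in any of them is final, so a forward chain with `policy drop` and no accept rules discards routed container traffic whenever that ruleset is loaded, whatever rules Docker adds in its own tables. The thread does not show whether this file was loaded on the poster's machine; `check_forward` and the sample variables are hypothetical names.

```shell
# Added example, not from the thread. check_forward (hypothetical name) reads
# nftables ruleset text on stdin and classifies the base chains hooked at
# "forward". Rules reached only through jump/goto are not followed.
check_forward() {
  awk '
    /^[ \t]*#/ { next }                        # comment lines, incl. the shebang
    {
      line = $0
      gsub(/"[^"]*"/, "", line)                # ignore text inside "..." strings
      opens  = gsub(/[{]/, "{", line)
      closes = gsub(/[}]/, "}", line)
      if (!in_chain && line ~ /chain[ \t]+[^ \t]+[ \t]*[{]/) {
        in_chain = 1; chain_depth = depth + 1  # brace depth of this chain body
        hooked = 0; drop = 0; accepts = 0
      }
      depth += opens - closes                  # set literals {a, b} net to zero
      if (!in_chain) next
      if (line ~ /hook[ \t]+forward/) hooked = 1
      if (line ~ /policy[ \t]+drop/) drop = 1
      else if (line ~ /policy[ \t]+accept/) drop = 0
      else if (line ~ /(^|[ \t;])accept([ \t;]|$)/) accepts++
      if (depth < chain_depth) {               # closing brace of this chain
        if (hooked) { found = 1; if (drop && !accepts) all = 1; else if (drop) some = 1 }
        in_chain = 0
      }
    }
    END {                                      # worst chain wins: a drop is final
      if (!found)    print "no-forward-chain"
      else if (all)  print "drops-all-forwarded"
      else if (some) print "drop-with-exceptions"
      else           print "policy-accept"
    }'
}

# The forward chain as posted above.
POSTED='table inet filter {
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}'
# Constructed variant: same policy, with accept rules for the docker0 bridge.
WITH_BRIDGE='table inet filter {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state {established, related} accept
    iifname "docker0" oifname != "docker0" accept
  }
}'
for r in "$POSTED" "$WITH_BRIDGE"; do printf '%s\n' "$r" | check_forward; done
```

Piping the output of `nft list ruleset` into `check_forward` shows what is actually loaded, which can differ from the file on disk.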
Oooohhhh.... STOP.... I decided to upgrade everything - and reboot - and now it works? Damn... What went wrong? I know I sometimes have to reboot, if I've upgraded the linux kernel... I'll mark the post as [SOLVED] soon, would just like to know if anyone has any idea about why it didn't work? Is this typical for docker?
At least, for the record: If it doesn't work, upgrade all and reboot and see if it works...