#1 2022-06-30 19:50:24

t0w3rh0u53
Member
Registered: 2018-04-11
Posts: 11

Docker cannot access internet, only works with --net=host

I'm not sure what happened, but suddenly my docker is no longer able to access the internet. I'm not sure what caused this issue, whether it was an update or something else...
Fact is that a week ago it still worked.

I'm not able to run a simple Docker image with contents like:

FROM debian:buster
RUN apt-get update

I keep getting these error messages:

#0 20.18 Err:1 http://security.debian.org/debian-security bullseye-security InRelease
#0 20.18   Temporary failure resolving 'security.debian.org'
#0 20.18 Err:2 http://deb.debian.org/debian bullseye InRelease
#0 20.18   Temporary failure resolving 'deb.debian.org'
#0 40.20 Err:3 http://deb.debian.org/debian bullseye-updates InRelease
#0 40.20   Temporary failure resolving 'deb.debian.org'

Ping doesn't work either, at least not anything on the internet:

$ docker run alpine ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

<it doesn't respond from here>

and

$ docker run -it --dns=8.8.8.8 --rm busybox ping -w1 www.google.com
ping: bad address 'www.google.com'

But the IP address of my host does work:

$ docker run alpine ping 192.168.1.197
PING 192.168.1.197 (192.168.1.197): 56 data bytes
64 bytes from 192.168.1.197: seq=0 ttl=64 time=0.096 ms
64 bytes from 192.168.1.197: seq=1 ttl=64 time=0.051 ms
64 bytes from 192.168.1.197: seq=2 ttl=64 time=0.065 ms

--- 192.168.1.197 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 0.051/0.065/0.096 ms

And with --net=host as well:

$ docker run -it --net=host --rm busybox ping -w1 google.com
PING google.com (142.251.36.46): 56 data bytes
64 bytes from 142.251.36.46: seq=0 ttl=60 time=3.462 ms

--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.462/3.462/3.462 ms

This is what my /etc/docker/daemon.json looks like:

$ cat /etc/docker/daemon.json 
{
    "dns": ["8.8.8.8","8.8.4.4"],
    "debug": true
}

I'm actually not sure where to start. I checked this webpage: https://wiki.archlinux.org/title/docker … d-networkd
and I've checked my iptables and stuff, so far I haven't found anything odd. Pinging 8.8.8.8 from my host works without any issue, but docker isn't able to reach the internet.

I even tried removing Docker completely from the system and installing it again, but without luck.

Last edited by t0w3rh0u53 (2022-06-30 20:01:02)

Offline

#2 2022-07-01 07:31:52

t0w3rh0u53
Member
Registered: 2018-04-11
Posts: 11

Re: Docker cannot access internet, only works with --net=host

And this is the tcpdump of my docker0 interface,

$ sudo tcpdump -v -i docker0 
tcpdump: listening on docker0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:25:33.917462 IP6 (hlim 1, next-header Options (0) payload length: 56) fe80::42:26ff:fe04:1537 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff04:1537 to_ex, 0 source(s)] [gaddr ff02::6a to_ex, 0 source(s)]
09:25:33.924481 IP6 (hlim 1, next-header Options (0) payload length: 36) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 1 group record(s) [gaddr ff02::1:ff07:cf30 to_ex, 0 source(s)]
09:25:34.095034 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has arch-erik tell ewa-ancr-tc1-r1.attalascom.net, length 28
09:25:34.095042 ARP, Ethernet (len 6), IPv4 (len 4), Reply arch-erik is-at 02:42:26:04:15:37 (oui Unknown), length 28
09:25:34.095057 IP (tos 0x0, ttl 64, id 38739, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 0, length 64
09:25:34.662469 IP6 (hlim 1, next-header Options (0) payload length: 56) fe80::42:26ff:fe04:1537 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff04:1537 to_ex, 0 source(s)] [gaddr ff02::6a to_ex, 0 source(s)]
09:25:34.921465 IP6 (hlim 1, next-header Options (0) payload length: 56) fe80::42:26ff:fe04:1537 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff04:1537 to_ex, 0 source(s)] [gaddr ff02::6a to_ex, 0 source(s)]
09:25:35.095114 IP (tos 0x0, ttl 64, id 39277, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 1, length 64
09:25:35.334460 IP6 (hlim 1, next-header Options (0) payload length: 56) fe80::42:26ff:fe04:1537 > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff04:1537 to_ex, 0 source(s)] [gaddr ff02::6a to_ex, 0 source(s)]
09:25:36.095176 IP (tos 0x0, ttl 64, id 39396, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 2, length 64
09:25:37.095243 IP (tos 0x0, ttl 64, id 39682, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 3, length 64
09:25:38.095313 IP (tos 0x0, ttl 64, id 40414, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 4, length 64
09:25:39.095384 IP (tos 0x0, ttl 64, id 41251, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 5, length 64
09:25:40.095458 IP (tos 0x0, ttl 64, id 41834, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 6, length 64
09:25:41.095527 IP (tos 0x0, ttl 64, id 42099, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 7, length 64
09:25:42.095596 IP (tos 0x0, ttl 64, id 42728, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 8, length 64
09:25:43.095661 IP (tos 0x0, ttl 64, id 43293, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 9, length 64
09:25:44.095727 IP (tos 0x0, ttl 64, id 44050, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 10, length 64
09:25:45.095792 IP (tos 0x0, ttl 64, id 44556, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 11, length 64
09:25:46.095857 IP (tos 0x0, ttl 64, id 44578, offset 0, flags [DF], proto ICMP (1), length 84)
    ewa-ancr-tc1-r1.attalascom.net > dns.google: ICMP echo request, id 1, seq 12, length 64

while running

docker run alpine ping 8.8.8.8

Maybe that gives some new insight.

Last edited by t0w3rh0u53 (2022-07-01 07:32:44)

Offline

#3 2022-07-01 10:34:10

lorebett
Member
Registered: 2021-12-22
Posts: 15

Re: Docker cannot access internet, only works with --net=host

This looks similar to the one I posted yesterday https://bbs.archlinux.org/viewtopic.php?id=277638

Offline

#4 2022-07-01 11:18:26

t0w3rh0u53
Member
Registered: 2018-04-11
Posts: 11

Re: Docker cannot access internet, only works with --net=host

lorebett wrote:

This looks similar to the one I posted yesterday https://bbs.archlinux.org/viewtopic.php?id=277638

Did you make any progress on this one? Someone mentioned he had NetworkManager and systemd-networkd running at the same time, which caused the issue, but that's not the case for me.
I've been trying a bunch of stuff for almost two days now, but no progress at all. A fresh installation of Arch might fix the issue, but that shouldn't be the only way to fix this haha.

I'm currently looking for any conflicting packages and removing them.....

$ pacman -Q | grep net            
glib-networking 1:2.72.1-1
haskell-network 3.1.2.7-28
haskell-network-uri 2.6.4.1-85
inetutils 2.2-1
libmanette 0.2.6-3
libnet 1:1.1.6-1
libnetfilter_conntrack 1.0.9-1
libnfnetlink 1.0.2-1
netpbm 10.73.37-1
nettle 3.8-1
networkmanager 1.38.2-1
networkmanager-qt 5.95.0-1
perl-net-http 6.22-2
python-netifaces 0.11.0-3
sonnet 5.95.0-1

Last edited by t0w3rh0u53 (2022-07-01 12:06:48)

Offline

#5 2022-07-01 13:58:13

t0w3rh0u53
Member
Registered: 2018-04-11
Posts: 11

Re: Docker cannot access internet, only works with --net=host

Solved! It seems I had some nft rules set which were conflicting with iptables. Just a simple command, flushing the nft ruleset, fixed the issue:

 sudo nft flush ruleset

Offline
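
Added example (not part of any post in this thread): in nftables every base chain attached to a hook sees the packet and a drop in any one of them is final, so a separate table that drops at the forward hook blocks bridged container traffic even though Docker's own rules accept it, while --net=host traffic is never forwarded. The script below reads `nft list ruleset` text and names forward-hook chains with a drop policy that do not jump into Docker's chains. The ruleset shown is constructed, and it is an assumption that the conflicting rules in this thread had this shape, since the actual ruleset was not posted.

```shell
#!/bin/sh
# Added example: find nftables base chains that drop forwarded traffic
# and are not the chain Docker manages (recognised by a jump to DOCKER*).

# Reads `nft list ruleset` text on stdin, prints "family table chain".
forward_drop_chains() {
    awk '
        function report() {
            if (chain != "" && hooked && drops && !docker)
                print family, table, chain
            chain = ""; hooked = drops = docker = 0
        }
        $1 == "table"  { report(); family = $2; table = $3 }
        $1 == "chain"  { report(); chain = $2 }
        /hook forward/ { hooked = 1 }   # base chain on the forward hook
        /policy drop/  { drops = 1 }    # default verdict is drop
        /jump DOCKER/  { docker = 1 }   # Docker-managed FORWARD chain
        END { report() }
    '
}

# Constructed sample: a host firewall table next to Docker's iptables-nft table.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter jump DOCKER-USER
        iifname "docker0" oifname != "docker0" counter accept
    }
}
EOF
}

# On a live host: sudo nft list ruleset | forward_drop_chains
sample_ruleset | forward_drop_chains
```

`nft flush ruleset` deletes every table, which includes any host firewall rules and, when iptables is the nft-backed variant, the rules Docker installed; the chain named by this check is the narrower place to add an accept rule for the Docker bridge.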