
#1 2023-04-12 11:49:28

huansan

Docker containers unable to connect to the network

Hi. I've just installed docker and I'm experiencing some issues trying to connect to the network. For example:

$ docker run -it alpine sh
/ # ping google.com
ping: bad address 'google.com'

I've found here two ways to get around this:

  1. Adding the flag --network=host to the docker command

  2. Running sudo nft flush ruleset. Running nft flush chain inet filter forward as advised in the troubleshooting did not work

These solutions seem temporary, I'd like to find a better way to do it if there is.
I've installed both arch and docker following the ArchWiki. I use NetworkManager. I've chosen nftables as firewall, installing iptables-nft to prevent conflicts with iptables. I don't think I've ever changed any dns or ip config manually, I don't use a vpn or proxy server.

I don't think I use systemd-networkd but tried adding IPForward=yes to /usr/lib/systemd/network/80-container-host0.network following docker troubleshooting and the wiki troubleshooting.

I also tried with the nftables troubleshooting. Not sure if my interpretation was correct. I added the drop-in file /etc/systemd/system/docker.service.d/netns.conf:

[Service]
# Drop-in for docker.service: run dockerd in its own network namespace and
# wire it to the host with a veth pair. Host-side commands are executed in
# PID 1's namespace via `nsenter -t 1 -n`.
PrivateNetwork=yes

# cleanup
# The leading "-" makes this step non-fatal when no stale docker0 exists.
ExecStartPre=-nsenter -t 1 -n -- ip link delete docker0

# add veth
# docker0 stays on the host; its peer docker0_ns is moved into this service's
# namespace (the shell's own PID identifies it) and renamed eth0 below.
ExecStartPre=nsenter -t 1 -n -- ip link add docker0 type veth peer name docker0_ns
ExecStartPre=sh -c 'nsenter -t 1 -n -- ip link set docker0_ns netns "$$BASHPID" && true'
ExecStartPre=ip link set docker0_ns name eth0

# bring host online
# 10.0.0.1 is the host end of the pair and the gateway used by the default
# route added at the end of this file.
ExecStartPre=nsenter -t 1 -n -- ip addr add 10.0.0.1/24 dev docker0
ExecStartPre=nsenter -t 1 -n -- ip link set docker0 up

# bring ns online
ExecStartPre=ip addr add 10.0.0.100/24 dev eth0
ExecStartPre=ip link set eth0 up
# NOTE(review): this route only works end-to-end if the host forwards traffic
# from docker0 and a masquerade rule matches the real uplink interface;
# otherwise packets leave the namespace and are dropped on the host.
ExecStartPre=ip route add default via 10.0.0.1 dev eth0

Then added this to /etc/nftables.conf:

# NOTE(review): without an explicit family this is `table ip nat`, the same
# table iptables-nft manages for Docker (see the "do not touch" warning in
# `nft list ruleset`); loading it from nftables.conf is merged into that
# Docker-managed table. A distinct table name (or the inet family) avoids
# interfering with Docker's own MASQUERADE rule.
table nat {
        chain postrouting {
                # priority 100 equals srcnat, so this chain runs alongside
                # Docker's POSTROUTING chain on the same hook.
                type nat hook postrouting priority 100;
                # NOTE(review): this host has no "eth0" (networkctl lists
                # enp1s0 and wlp2s0), so this rule can never match; the
                # oifname must be the real uplink interface.
                iifname "docker0" oifname "eth0" masquerade;
        }
}

I've removed all these changes. My config is below.

Docker version 23.0.3, build 3e7cbfdee1

/etc/resolv.conf file looks the same in both the container and the host.

# Generated by NetworkManager
nameserver 192.168.152.155

networkctl list

WARNING: systemd-networkd is not running, output will be incomplete.

IDX LINK    TYPE     OPERATIONAL SETUP
  1 lo      loopback -           unmanaged
  2 enp1s0  ether    -           unmanaged
  3 wlp2s0  wlan     -           unmanaged
  4 docker0 bridge   -           unmanaged

4 links listed.

sysctl -a | grep forwarding

net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.docker0.bc_forwarding = 0
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.docker0.mc_forwarding = 0
net.ipv4.conf.enp1s0.bc_forwarding = 0
net.ipv4.conf.enp1s0.forwarding = 1
net.ipv4.conf.enp1s0.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wlp2s0.bc_forwarding = 0
net.ipv4.conf.wlp2s0.forwarding = 1
net.ipv4.conf.wlp2s0.mc_forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.docker0.forwarding = 0
net.ipv6.conf.docker0.mc_forwarding = 0
net.ipv6.conf.enp1s0.forwarding = 0
net.ipv6.conf.enp1s0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wlp2s0.forwarding = 0
net.ipv6.conf.wlp2s0.mc_forwarding = 0

/etc/nftables.conf

#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

# Declare-then-delete makes the file idempotent on reload: the bare
# declaration guarantees the table exists so the delete cannot fail, and the
# table is then rebuilt from scratch below.
table inet filter
delete table inet filter
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    tcp dport ssh accept comment "allow sshd"
    # Rate-limited explicit reject for everything else addressed to this host;
    # the trailing bare counter only counts what falls through to the policy.
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  # NOTE(review): this base chain hooks "forward" at the same priority as the
  # iptables-nft "table ip filter" FORWARD chain that Docker manages. Every
  # base chain registered on a hook sees the packet, and a drop in any one of
  # them is final, so bridged-container traffic that Docker's FORWARD chain
  # accepts is still dropped here (policy drop, no rules). To allow containers
  # out without flushing the whole ruleset, accept that traffic explicitly in
  # this chain, e.g. `iifname "docker0" accept` for outbound packets and
  # `ct state {established, related} accept` for the replies.
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}

nft list ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iifname "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		tcp dport 22 accept comment "allow sshd"
		meta pkttype host limit rate 5/second counter packets 0 bytes 0 reject with icmpx admin-prohibited
		counter packets 64 bytes 9957
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
	}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 xt target "MASQUERADE"
	}

	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 xt match "addrtype" counter packets 0 bytes 0 jump DOCKER
	}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 4 bytes 224 jump DOCKER-ISOLATION-STAGE-2
		counter packets 4 bytes 224 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 4 bytes 224 return
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		counter packets 4 bytes 224 jump DOCKER-USER
		counter packets 4 bytes 224 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" xt match "conntrack" counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 4 bytes 224 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain DOCKER-USER {
		counter packets 4 bytes 224 return
	}
}

Not sure what else to try. I saw somebody solved the issue by removing nftables but as it was highly recommended to have a firewall, I prefer not to follow that path.

Last edited by huansan (2023-04-24 08:03:35)


