Arch Linux

lorebett

Member

Registered: 2021-12-22

Posts: 15

Can't connect to network from within a Docker container

Hi

I've always been using Docker in other distributions, but that's the first time in Arch.

I run a container like this:

docker run --rm -it archlinux /bin/bash

And from within the container, I can see that

# cat /etc/resolv.conf 
# Generated by NetworkManager
search ...
nameserver 192.168.5.1

which looks good. However, I cannot ping 192.168.5.1 so I cannot access the Internet from within the container.

I seem to understand that this is related to https://wiki.archlinux.org/title/Docker … d-networkd
where I read

Docker attempts to enable IP forwarding globally, but by default systemd-networkd overrides the global sysctl setting for each defined network profile. Set IPForward=yes in the network profile.

This is the contents of

> ll /etc/systemd/network/
-rw-r--r-- 1 root root 178 30 giu 12.03 20-ethernet.network
-rw-r--r-- 1 root root 179 30 giu 12.12 20-wlan.network
-rw-r--r-- 1 root root 179 30 giu 12.14 20-wwan.network

So I seem to understand that I have to add "IPForward=yes" in all of them.
I did and then I restarted systemd-networkd.service and then docker.service but the problem is still there.

I also get

> networkctl list
IDX LINK        TYPE     OPERATIONAL SETUP      
  1 lo          loopback carrier     unmanaged
  2 wlp0s20f3   wlan     routable    configured 
  3 docker0     bridge   no-carrier  unmanaged
 32 veth79eb8cb ether    carrier     configuring

which I seem to understand is NOT OK, is it?

The wiki also mentions nft, but that's not installed.

Any help, please?
Thanks in advance

t0w3rh0u53

Member

Registered: 2018-04-11

Posts: 11

Re: Can't connect to network from within a Docker container

I seemed to have some nft rules enabled together with iptables, which were conflicting, so it seemed. After flushing the nft ruleset, everything worked just fine. You can check if any rules are enabled by:

sudo nft list ruleset

If so, try flushing them:

sudo nft flush ruleset

lorebett

Member

Registered: 2021-12-22

Posts: 15

Re: Can't connect to network from within a Docker container

I seemed to have some nft rules enabled together with iptables, which were conflicting, so it seemed. After flushing the nft ruleset, everything worked just fine. You can check if any rules are enabled by:

sudo nft list ruleset

If so, try flushing them:

sudo nft flush ruleset

As I said in my post, nft is not installed at all.

lfitzgerald

Member

Registered: 2021-07-16

Posts: 162

Re: Can't connect to network from within a Docker container

I don't remember doing any extra steps besides just "sudo pacman -S docker" and your example command works for me. When I spin up the Arch container, I can ping 8.8.8.8. I don't have a 192.168.5.1, but I have a printer at 192.168.1.20 for instance and the container can ping it also.

The networkctl gives me:

$ networkctl list
WARNING: systemd-networkd is not running, output will be incomplete.

IDX LINK        TYPE      OPERATIONAL SETUP
  1 lo          loopback  n/a         unmanaged
  2 enp31s0     ether     n/a         unmanaged
  3 wlp30s0     wlan      n/a         unmanaged
  5 vpn   wireguard n/a         unmanaged
  6 docker0     bridge    n/a         unmanaged
  8 vethcc4e255 ether     n/a         unmanaged

6 links listed.

You mention resolv.conf, but I believe this is for DNS, no? When you're pinging an IP it should be irrelevant.

Apologies if this is obvious but have you read through https://docs.docker.com/network/ ? Perhaps the issue is related to Docker networking? For example, Docker normally comes with a default bridge-type network which is called "bridge", but this is a stripped down, legacy version of the bridge-type networks created by "docker network ...". The point of the bridge is that you can connect to the host's LAN as well as other containers on the same Docker network, but maybe in your case "bridge" is misconfigured or you're using another one. In any case, try creating a new bridge-type network as described in the Docker docs, and then make sure your container is attached to it (I think there's a "--network" argument for docker run).

Also, make sure you can ping the same IP from your host

lorebett

Member

Registered: 2021-12-22

Posts: 15

Re: Can't connect to network from within a Docker container

Hi

As you said in https://bbs.archlinux.org/viewtopic.php … 0#p2043730

Someone mentioned he had NetworkManager and systemd-networkd running at the same time

and, indeed, disabling systemd-networkd and rebooting solved my issue (I'm using NetworkManager).
I haven't enabled systemd-networkd myself... maybe it's the default in Arch?
The wiki doesn't say anything about that.

seanmceligot

Member

Registered: 2014-02-27

Posts: 5

Re: Can't connect to network from within a Docker container

I seemed to have some nft rules enabled together with iptables, which were conflicting, so it seemed. After flushing the nft ruleset, everything worked just fine. You can check if any rules are enabled by:

sudo nft list ruleset

If so, try flushing them:

sudo nft flush ruleset

As I said in my post, nft is not installed at all.

I did have nftables installed. So this fixed the same issue for me. Just in case someone else has the same problem.

sudo pacman -R nftables