HTTPS request fails in Docker >= 1.10 with virtualized network

Question

I experience a problem that a HTTPS connections cannot be established from inside a Docker container with version 1.10.3 or 1.11.2.

I tried with apt-get, curl and wget and all fail as soon as a HTTPS connection should be established.

E.g., the following command fails:

$ docker run -it ubuntu-curl curl -v https://www.google.com
[...]
* gnutls_handshake() failed: Error in the pull function.
* Closing connection 0

The Docker image ubuntu-curl is based on ubuntu:latest, the only change was apt-get update ; apt-get install curl.

If I use HTTP instead of HTTPs, it works. If I issue the same command from the host, it works. If I start the container without network virtualization (docker run --net="host"), it works. If I downgrade Docker (I tried 1.6.2 and 1.9.1), it works as well.

Any hints what could be wrong? I tried with two hosts, Ubuntu 14 LTS and CoreOS stable without relevant customization - both run inside a OpenStack cluster.

Iptables of the host (although I would not understand why iptables should only block HTTPs traffic):

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:12345

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

FYI it appears to be a bug in OpenStack, I filed a bug here: https://bugs.launchpad.net/neutron/+bug/1595762 - also seems to be a duplicate of http://stackoverflow.com/questions/35300497/docker-container-not-connecting-to-https-endpoints — Tarnschaf, Jun 24 '16 at 01:01

score 5 · Accepted Answer · answered Jun 25 '16 at 12:20

I was given a solution by the Docker community

OpenStack network seems to use lower MTU values and Docker does not infer the MTU settings from the host's network card since 1.10.

To run docker daemon with custom MTU settings, you can follow this blog post, that says:

$ cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service

Edit a line in the new file to look like this:

ExecStart=/usr/bin/docker daemon -H fd:// –mtu=1454

MTU of 1454 is the value that seems to be common with OpenStack. You can look it up in your host using ifconfig.

Finally restart Docker:

$ sudo systemctl daemon-reload
$ sudo service docker restart

HTTPS request fails in Docker >= 1.10 with virtualized network

1 Answers1

Linked