I'm totally at a loss here. After upgrading to Ubuntu 16.04 from 14.04 on a Leaseweb virtual server, Docker no longer accepts connections to localhost. Using the original Couchbase server image, running the following command on my laptop works perfectly (Docker version 1.12.1, build 23cf638):

$ docker run --rm -ti --name couchbase-server -p 127.0.0.1:8091:8091 couchbase/server:community-4.5.0
Starting Couchbase Server -- Web UI available at http://<ip>:8091 and logs available in /opt/couchbase/var/lib/couchbase/logs

$ curl localhost:8091
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://localhost:8091/ui/index.html>here</a>.</p></body></html>

Yet, when I run the very same command on my Ubuntu 16.04 VM hosted on Leaseweb (the very same Docker version 1.12.1, build 23cf638), it fails:

# curl localhost:8091
curl: (7) Failed to connect to localhost port 8091: Connection refused
# netstat -tnlp|grep 8091
tcp        0      0 127.0.0.1:8091          0.0.0.0:*               LISTEN      7387/docker-proxy
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8091

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             localhost            tcp dpt:8091 to:172.17.0.2:8091

However, when I open the port to the public, it starts to work:

# docker run --rm -ti --name couchbase-server -p 8091:8091 couchbase/server:community-4.5.0
# netstat -tnlp|grep 8091
tcp6       0      0 :::8091                 :::*                    LISTEN      15434/docker-proxy
# curl localhost:8091
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://localhost:8091/ui/index.html>here</a>.</p></body></html>
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  172.17.0.0/16        anywhere            
MASQUERADE  all  --  172.18.0.0/16        anywhere            
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8091

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8091 to:172.17.0.2:8091

The only difference is in the last line: destination anywhere vs. localhost. However, on my home machine the relevant iptables rule says localhost as well, and it works. In fact, on my home machine the iptables rules are exactly the same, but they work. The home machine uses a newer kernel (4.8.0-34-generic vs 4.4.0-59-generic on the VM) and runs on bare metal vs paravirtualization on the VM. Maybe that is the case? Support says that the above works flawlessly on an Ubuntu 14.04 VM; maybe I shouldn't have upgraded...

Martin Vysny
  • Possible duplicate of [What causes the 'Connection Refused' message?](http://serverfault.com/questions/725262/what-causes-the-connection-refused-message) – user9517 Jan 17 '17 at 07:50
  • I'm sorry - linking this issue to a generic one and downvoting because of that? The "no process is listening" is ruled out by netstat above. The tcpdump both on docker0 and br-b0a2fa74174f captures nothing. tcpdump -n icmp works. I am able to access+ping non-dockerized services on that server, I'm just not able to access dockerized services from localhost unless they are published. – Martin Vysny Jan 18 '17 at 09:11

0 Answers