Network unreachable inside docker container without --net=host parameter

Question

Problem: there is no internet connection in the docker container.

Symptoms: ping 8.8.8.8 doesn't work. Wireshark from host system gives back:

 19 10.866212113   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=0/0, ttl=64
 20 11.867231972   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=1/256, ttl=64
 21 12.868331353   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=2/512, ttl=64
 22 13.869400083   172.17.0.2 -> 8.8.8.8      ICMP 98 Echo (ping) request  id=0x0009, seq=3/768, ttl=64

But! If container was started with --net=host internet would work perfectly.

What I've tried so far:

• altering DNS
• adding --ip-masq=true to /etc/default/docker (with restart off)
• enabling everything related to masquerade / ip_forward
• altering default route
• everything suggested here

Host config:

$ sudo route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.4.2.1      0.0.0.0         UG    0      0        0 eno1.3001
default         10.3.2.1      0.0.0.0         UG    100    0        0 eno2
10.3.2.0      *               255.255.254.0   U     100    0        0 eno2
10.4.2.0      *               255.255.254.0   U     0      0        0 eno1.3001
nerv8.i         10.3.2.1      255.255.255.255 UGH   100    0        0 eno2
172.17.0.0      *               255.255.0.0     U     0      0        0 docker0

sudo iptables -L, cat /etc/network/interfaces, ifconfig, iptables -t nat -L -nv

Everything is fine, forwarding is also enabled:

$ sudo sysctl net.ipv4.ip_forward 
net.ipv4.ip_forward = 1

Answer 1

This is the not full answer you are looking for. But I would like to give some explanation on why the internet is working

If container was started with --net=host internet would work perfectly.

Docker by default supports three networks. In this mode(HOST) container will share the host’s network stack and all interfaces from the host will be available to the container. The container’s host name will match the hostname on the host system

# docker run -it --net=host ubuntu:14.04 /bin/bash
root@labadmin-VirtualBox:/# hostname
labadmin-VirtualBox
Even the IP configuration is same as the host system's IP configuration
root@labadmin-VirtualBox:/# ip addr | grep -A 2 eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b5:82:2f brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 
root@labadmin-VirtualBox:/# exit
exit

HOST SYSTEM IP CONFIGURATION

# ip addr | grep -A 2 eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:b5:82:2f brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
3: lxcbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default 

Refer this for more information about docker networking.

Answer 2

Can you run "sudo ifconfig" and see if the range of IPs for your internet connection (typically wlan0) is colliding with the range for docker0 interface 172.17.0.0 ?

I had this issue with my office network (while it was working fine at home) that it ran on 172.17.0.X and Docker tried to pick exactly that range.

This might be of help: http://jpetazzo.github.io/2013/10/16/configure-docker-bridge-network/

I ended up creating my own bridge network for Docker.

Answer 3

Check that net.ipv4.conf.all.forwarding (not net.ipv4.ip_forward) is set to 1, if not, turn it on:

$ sysctl net.ipv4.conf.all.forwarding

net.ipv4.conf.all.forwarding = 0

$ sysctl net.ipv4.conf.all.forwarding=1

$ sysctl net.ipv4.conf.all.forwarding

net.ipv4.conf.all.forwarding = 1