17

Exploring Docker 17.06.

I've installed Docker on CentOS 7 and created a container. Started the container with the default bridge. I can ping both host adapters, but not the outside world, e.g. www.google.com.

All advice out there is based on older versions of Docker and its iptables settings.

I would like to understand how to ping to the outside world, what is required please?

TIA!

user1945022

5 Answers

16

If you are able to ping www.google.com from the host machine, try following these steps. Run on the host machine:

sudo ip addr show docker0 

You will get output which includes:

inet 172.17.2.1/16 scope global docker0

The docker host has the IP address 172.17.2.1 on the docker0 network interface.

Then start the container:

docker run --rm -it ubuntu:trusty bash 

and run

ip addr show eth0

Output will include:

inet 172.17.1.29/16 scope global eth0

Your container has the IP address 172.17.1.29. Now look at the routing table. Run:

route

Output will include:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.17.2.1     0.0.0.0         UG    0      0        0 eth0

It means the IP address of the Docker host, 172.17.2.1, is set as the default route and is accessible from your container.

Now try pinging your host machine IP:

root@e21b5c211a0c:/# ping 172.17.2.1
PING 172.17.2.1 (172.17.2.1) 56(84) bytes of data.
64 bytes from 172.17.2.1: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 172.17.2.1: icmp_seq=2 ttl=64 time=0.211 ms
64 bytes from 172.17.2.1: icmp_seq=3 ttl=64 time=0.166 ms 

If this works, most probably you'll be able to ping www.google.com.

Hope it will help!

Shashi Bhushan
  • Thank you so much! – user1945022 Aug 08 '17 at 08:43
  • 3
    Oh, I have run into a problem: I used the operation above, but in the container I cannot ping the docker0 gateway (ping 172.17.0.1). The `route -n` command in the container outputs:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         172.17.0.1      0.0.0.0         UG    0      0        0 eth0
    172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0

    – Julian89757 Oct 04 '19 at 17:01
  • `ip addr show` is what I really needed, WSL(Windows) Docker kills me :D – 7urkm3n Jun 06 '23 at 21:44
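The comparison the answer above makes by eye (is the container's default gateway the host's docker0 address?) can be scripted. This is an added example, not part of the answer; the sample text is constructed from the values the answer quotes, and the function names are hypothetical. A passing check with no outside connectivity, as in the comment above, means the cause lies on the host side, for instance in the iptables rules the other answers discuss.

```bash
#!/usr/bin/env bash
# Added example: compare `ip addr show docker0` (host) with `route -n` (container).
# HOST_ADDR and CONTAINER_ROUTE are constructed sample text, not live output.

HOST_ADDR='inet 172.17.2.1/16 scope global docker0'
CONTAINER_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.17.2.1      0.0.0.0         UG    0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0'

# Print the IPv4 address (without prefix length) from `ip addr show` output.
bridge_ip() {
  awk '$1 == "inet" { split($2, a, "/"); print a[1]; exit }'
}

# Print the gateway of the default route from `route` or `route -n` output.
default_gateway() {
  awk '($1 == "0.0.0.0" || $1 == "default") && $4 ~ /G/ { print $2; exit }'
}

# Return 0 when the container's default gateway is the host's docker0 address,
# 1 on a mismatch, 2 when the container has no default route at all.
check_route() {
  _bridge=$(printf '%s\n' "$1" | bridge_ip)
  _gw=$(printf '%s\n' "$2" | default_gateway)
  if [ -z "$_gw" ]; then echo "no default route in container"; return 2; fi
  if [ "$_gw" = "$_bridge" ]; then echo "ok: default via $_gw"; return 0; fi
  echo "mismatch: default via $_gw, docker0 is $_bridge"; return 1
}

check_route "$HOST_ADDR" "$CONTAINER_ROUTE"
```

On a real system, pass the output of `ip addr show docker0` from the host and of `route -n` from inside the container as the two arguments.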
14

In my case restarting docker daemon helped

sudo systemctl restart docker

Quak
2

If iptables is not the reason and you have no limitation on changing the container's network mode, set it to "host" mode. This should solve this issue.

  • 2
    Iptables is most probably always the problem. Setting the container to host mode is bypassing the real problem and could lead to more serious misconfigurations. – secavfr May 20 '22 at 21:39
0

Please verify your existing iptables:

 iptables --list

It should show you the iptables list with source and destination details.

target        prot   opt    source             destination
DOCKER-USER   all    --    anywhere            anywhere

If it is anywhere for both source and destination, it should ping outside IPs. (By default it's anywhere.)

If not, use this command to set your iptables (DOCKER-USER):

iptables -I DOCKER-USER -i eth0 -s 0.0.0.0/0 -j ACCEPT

Hope this will help!

Shashi Bhushan
  • 1
    Thank you for your swift response! I will test and try within 24 hours (away from setup atm). But from memory all is 'anywhere'. – user1945022 Aug 04 '17 at 16:28
  • 2
    Are you pinging outside IPs from inside the container or from the host machine? IP tables look fine for you. Can you once try running iptables -nvL and check there too for any restrictions? And where is the server hosted? AWS? Google? Azure? – Shashi Bhushan Aug 04 '17 at 17:04
  • 1
    Here's the iptables -nvL https://pastebin.com/W95ZTqDN I am pinging from within the container to www.google.com. The server is hosted in a private cloud to which I have full access. No firewall restrictions there. Thanks. – user1945022 Aug 05 '17 at 08:50
  • 1
    Are you able to ping www.google.com from the host machine, where your Docker is running? Not from within the container, from the host? – Shashi Bhushan Aug 05 '17 at 21:08
  • 1
    If yes, you are able to ping from the host, then refer to/try my other answer to this question. – Shashi Bhushan Aug 05 '17 at 21:26
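A read-only way to see what DOCKER-USER already contains before inserting a rule like the one in the answer above (an added example, not part of the answer; the sample rules are constructed and the function names are hypothetical). An ACCEPT in this chain is a final verdict for the forwarded packets it matches, so Docker's own rules that follow are not consulted for them, which is why the script singles out ACCEPT rules limited only by interface.

```bash
#!/usr/bin/env bash
# Added example: classify the rules of DOCKER-USER from `iptables -S DOCKER-USER`
# output. SAMPLE_RULES is constructed; its second line is the answer's rule as
# `iptables -S` prints it (the any-source `-s 0.0.0.0/0` is omitted in the listing).

SAMPLE_RULES='-N DOCKER-USER
-A DOCKER-USER -i eth0 -j ACCEPT
-A DOCKER-USER -s 10.0.0.0/8 -j DROP
-A DOCKER-USER -j RETURN'

# Read rules on stdin; print "<position> <verdict> <target>" for each one.
audit_docker_user() {
  awk '
    $1 == "-A" && $2 == "DOCKER-USER" {
      n++; target = ""; narrowed = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        # Any source, destination, protocol or match module narrows the rule.
        if ($i == "-s" || $i == "-d" || $i == "-p" || $i == "-m") narrowed = 1
      }
      if (target == "ACCEPT" && !narrowed) verdict = "broad-accept"
      else if (target == "ACCEPT") verdict = "scoped-accept"
      else if (target == "DROP" || target == "REJECT") verdict = "blocks"
      else if (target == "RETURN") verdict = "passthrough"
      else verdict = "other"
      print n, verdict, target
    }'
}

# Return 0 when the chain holds an ACCEPT limited only by interface (or by nothing).
has_broad_accept() {
  audit_docker_user | grep -q ' broad-accept '
}

printf '%s\n' "$SAMPLE_RULES" | audit_docker_user
```

On a host, feed it the live chain with `iptables -S DOCKER-USER | audit_docker_user`.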
0

I had a similar problem: an API Docker container needed a connection to the outside, but the other containers did not. So my option was to add the flag --dns 8.8.8.8 to the docker run command, and with that the container can ping the outside. I consider this a solution for one container; if you need it for more containers, maybe other responses are better. Here is the documentation. And a full-line example:

docker run -d --rm -p 8080:8080 --dns 8.8.8.8 <docker-image-name>

where:

  • -d, detached mode, to run containers in the background
  • --rm, removes the container when it stops (careful: if you are testing and may need to inspect logs with docker logs, don't use it)
  • -p, specifies the port ( <host-port> : <container-port> )
  • --dns, the container can resolve internet domains

Felipe Illanes