Docker-compose created container cannot access Internet
https://forums.docker.com/t/docker-compose-created-container-cannot-access-internet/98199
Host OS is CentOS 8. I'm not behind a proxy, at least as far as I know. firewalld is not installed due to a conflict with docker. But my hosting company uses its own DNS servers. Here is the problem: when I run the following from the container that has been created by docker-compose, I get a connection timeout every time:
apt-get update
Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
Err:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Unable to connect to archive.ubuntu.com:http:
Err:3 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Unable to connect to archive.ubuntu.com:http:
Err:4 http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu bionic InRelease
Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.68.208), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.67.208), connection timed out
Err:5 http://security.ubuntu.com/ubuntu bionic-security InRelease
Could not connect to security.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.142), connection timed out
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease Could not connect to security.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.142), connection timed out
W: Failed to fetch http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu/dists/bionic/InRelease Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.68.208), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.67.208), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.
iptables rules outside the container (on the host machine):
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
/etc/docker/daemon.json
{
"dns": [
"10.255.250.40",
"10.255.251.40"
],
"debug": true
}
ping works fine on the host machine without any loss. Same with docker run using busybox ping:
PING google.com (172.217.14.110): 56 data bytes
64 bytes from 172.217.14.110: seq=0 ttl=113 time=76.651 ms
64 bytes from 172.217.14.110: seq=1 ttl=113 time=64.544 ms
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 64.544/70.597/76.651 ms
I know that with docker run it uses the docker0 network and it works fine. With docker-compose it creates new networks for the services and, instead of using /etc/resolv.conf, it uses the built-in DNS. But as we can see, everything works fine with DNS, since I can see IP addresses when I run apt-get update inside the container. Plus the debug logs show that dns 10.255.250.40 resolves them fine too. It's just a connection timeout. So something doesn't let the traffic pass after DNS has resolved everything fine.
Can anyone help me with this problem? Thanks.
I think I see this as well, but without anything in /etc/docker/docker.json. Package versions: moby-engine-19.03.11-1.ce.git42e35e6.fc32.x86_64 docker-compose-1.25.4-1.fc32.noarch
Two 'equivalent' containers were created:
$ docker run -d --name nginx nginx:alpine
$ docker-compose up -d
$ cat docker-compose.yml
version: '2'
services:
  nginx:
    image: nginx:alpine
Different results:
$ docker exec -it nginx cat /etc/resolv.conf | grep nameserver
nameserver 172.16.42.1
$ docker exec -it dnstest_nginx_1 cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.11
And the real problem:
$ docker exec -it nginx ping -c2 google.com
PING google.com (64.233.177.113): 56 data bytes
64 bytes from 64.233.177.113: seq=0 ttl=103 time=25.080 ms
64 bytes from 64.233.177.113: seq=1 ttl=103 time=22.554 ms

--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 22.554/23.817/25.080 ms

$ docker exec -it dnstest_nginx_1 ping -c2 google.com
ping: bad address 'google.com'
I can't seem to figure out whether the embedded DNS server is broken or if it's not set up correctly with docker-compose.
UPDATE: Never mind. I verified on FC31 that everything works as expected but it's broken on FC32 with the same package versions.
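The two posts above show the two distinct failure modes a compose-created container can hit: in the first, names resolve (apt prints the IPs it tried) but every TCP connect times out, which points at forwarding on the host (the FORWARD chain with policy DROP and the DOCKER-USER rules); in the second, the embedded resolver at 127.0.0.11 never returns an address ("bad address"), which points at DNS. The helper below is an added example, not code from any post in the thread: it parses the kind of apt-get and busybox ping output quoted above and reports which layer failed. The sample outputs are constructed from the messages quoted in the thread; "Temporary failure resolving" is apt's own wording for a failed lookup.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the apt-get output quoted in the first post:
# names resolve, but every TCP connect to the resolved IPs times out.
SAMPLE_CONNECT_TIMEOUT = """\
Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
  Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
Err:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
  Unable to connect to archive.ubuntu.com:http:
Err:4 http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu bionic InRelease
  Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out
Reading package lists... Done
"""

# Constructed sample for the opposite failure mode (embedded DNS at 127.0.0.11
# not answering): busybox ping and apt both fail before any IP is known.
SAMPLE_DNS_FAILURE = """\
ping: bad address 'google.com'
Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
  Temporary failure resolving 'archive.ubuntu.com'
"""

# apt: DNS answered, TCP connect to the resolved address timed out
CONNECT_TIMEOUT = re.compile(
    r"Could not connect to (?P<host>[\w.-]+):(?P<port>\d+) \((?P<ip>[\d.]+)\), connection timed out")
# apt: connect failed without an address being printed
UNABLE_TO_CONNECT = re.compile(r"Unable to connect to (?P<host>[\w.-]+):\w+:")
# apt and busybox ping: the name lookup itself failed
RESOLVE_FAILURE = re.compile(r"Temporary failure resolving '(?P<host>[\w.-]+)'")
BAD_ADDRESS = re.compile(r"bad address '(?P<host>[\w.-]+)'")


def triage(output):
    """Group failures per host: which IPs were resolved, how many connects
    failed, and how many lookups failed outright."""
    hosts = defaultdict(lambda: {"resolved_ips": set(), "connect_failures": 0, "resolve_failures": 0})
    for m in CONNECT_TIMEOUT.finditer(output):
        entry = hosts[m.group("host")]
        entry["resolved_ips"].add(m.group("ip"))
        entry["connect_failures"] += 1
    for m in UNABLE_TO_CONNECT.finditer(output):
        hosts[m.group("host")]["connect_failures"] += 1
    for pattern in (RESOLVE_FAILURE, BAD_ADDRESS):
        for m in pattern.finditer(output):
            hosts[m.group("host")]["resolve_failures"] += 1
    return dict(hosts)


def diagnose(report):
    """Classify the failing layer.
    'forwarding': names resolved but no TCP connection succeeded; check the
                  host FORWARD policy, DOCKER-USER rules and the bridge the
                  compose network was attached to.
    'dns':        resolution itself failed; check the embedded resolver
                  (127.0.0.11) and the "dns" entry in daemon.json.
    'mixed':      both kinds of failure appear.
    'ok':         nothing failed."""
    if not report:
        return "ok"
    resolve_failed = any(h["resolve_failures"] for h in report.values())
    connect_failed = any(h["connect_failures"] for h in report.values())
    if connect_failed and not resolve_failed:
        return "forwarding"
    if resolve_failed and not connect_failed:
        return "dns"
    return "mixed"


if __name__ == "__main__":
    for name, sample in (("connect timeout", SAMPLE_CONNECT_TIMEOUT),
                         ("dns failure", SAMPLE_DNS_FAILURE)):
        report = triage(sample)
        print(f"{name}: {diagnose(report)}")
        for host, info in sorted(report.items()):
            print(f"  {host}: ips={sorted(info['resolved_ips'])} "
                  f"connect_failures={info['connect_failures']} "
                  f"resolve_failures={info['resolve_failures']}")
```

Pipe real output in (for example `apt-get update 2>&1 | python3 triage.py` with the script adapted to read stdin) and the verdict tells you whether to look at the resolver configuration or at the host's forwarding rules first; the per-host IP list is the same evidence the first poster used to rule DNS out.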
Docker version 20.10.5, docker-compose version 1.25.0. Reproducible.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I think this still exists, but it is really hard to reproduce. If someone else comes across this, please send in-depth reproduction steps (Unlike me 6 months ago)
This issue has been automatically marked as not stale anymore due to the recent activity.
I still encounter this issue on rhel8 machines daily. It's rare usually, but we encounter this quite often based on the number of orchestrations we launch.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because it had no recent activity during the stale period.
I have the same problem, anyone could help us about: how to enable internet access to containers created by docker compose?
Not sure if this will help or a good solution (probably not). But you probably can add those containers to docker0 network manually, do the required work and remove them from it or leave as is.
I ran into this problem on 64-bit Ubuntu 22.04 LTS server, with one difference: DNS was working, I just couldn't ping or open a UDP or TCP connection to other hosts. Containers started directly with docker did not have the problem... they could reach out to other hosts without issue. It was just a problem with containers started using docker-compose. Anyway, I think the root cause was that I had selected the docker snap package during install, then accidentally installed docker via apt as well. I reinstalled, skipped snaps altogether, installed docker, and the problem went away.
Same here on an Ubuntu host with docker installed through snap. Containers launched by compose cannot connect, but the same containers launched directly with docker work perfectly.