Can't access the web inside a container when using port mapping?

Hi everyone,

I’m new to docker and I’m trying to do a proof-of-concept in order to integrate OnlyOffice with my Java application.

I decided to make this post since several days have passed already and I kinda feel that I’m now in a “dead end”/loop/without any ideas.

I’m running a cloud VM with Debian 11 with docker installed (Docker version 27.0.3, build 7d4bcd8). I’ve configured /etc/docker/daemon.json on my host with the following:

{
  "ip": "127.0.0.1",
  "log-driver": "local",
  "log-opts": {
    "max-file": "5",
    "max-size": "100m"
  }
}

As for my docker compose.yaml I have the following:

services:
  onlyoffice:
    image: onlyoffice/documentserver-de
    container_name: onlyoffice
    ports:
      - "127.0.0.1:8085:80"
    environment:
      - JWT_SECRET=****
    extra_hosts:
      - "my_vm_hostname:host-gateway"

Where I’m using the “extra_hosts” option in order for some requests to be able to “communicate” with the host (I don’t know if this is the correct way, but it was the only one I’ve found so far that actually worked).

Now here’s my problem:
I’m not able to access the internet inside my onlyoffice container (like doing “apt update” or a “curl google.com” command).

I notice that if I just run the container without any port mapping and using the network mode host I can indeed reach the web (kinda expected from what I’ve been reading):

docker run -i -t --network host -e JWT_SECRET=**** onlyoffice/documentserver-de

After some searching I started to suspect this issue could be related to my nftables rules in place.
My nftables rules are as follows:

    chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname "lo" counter accept
        ip daddr 127.0.0.0/8 counter reject
        ct state established,related counter accept
        ct state invalid drop
        tcp dport {ssh,http,https} counter accept
        icmp type echo-request counter accept
        limit rate 5/minute burst 5 packets counter log prefix "iptables denied: " level debug
        counter drop
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        counter drop
    }
    chain OUTPUT {
        type filter hook output priority 0; policy drop;
        counter accept
    }

To troubleshoot this I’ve run a simple test with a different container:

docker run --rm busybox ping -c 4 google.com

I wasn’t able to ping google.com in this case either.
Accordingly, I did a small update on my nftables in order to allow forwarding traffic from Docker to other interfaces, by updating my FORWARD chain:

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        iifname "docker0" oifname != "docker0" counter accept
        oifname "docker0" iifname != "docker0" counter accept
        counter drop
    }

This change was enough to successfully be able to run the previous docker container with the ping command.

On the other hand, this change didn’t have any impact on my original problem, the onlyoffice container, where I still cannot access/ping anything on the internet.

My question is: How can I enable web access from my container when using port mapping? Am I missing something? Can docker be messing with nftables rules, preventing the container from accessing the web?

I also noticed that my onlyoffice container didn’t get the resolv.conf from the host (I’m not even sure if it’s supposed to).
From my host I have:

nameserver 176.58.xxx.5
nameserver 85.159.xxx.31
nameserver 109.74.xxx.20
search members.abc.com
options rotate

From my onlyoffice container I have:

nameserver 127.0.0.11
search members.abc.com
options rotate ndots:0

From the “working” example container (busybox) - where I can actually run the ping command - I have:

nameserver 176.58.xxx.5
nameserver 85.159.xxx.31
nameserver 109.74.xxx.20
search members.abc.com
options rotate

Which is the very same as my host.

Any pointer would be deeply appreciated.
Thanks in advance for everyone that took some time to read my post.

All the best!

Your issue has nothing to do with the port mapping. Host network means no network namespace = no network isolation, so there is no difference between the network of the container and the network of any process on the host.

The problem must be related to the bridged network. It could indeed be caused by your firewall, but I can’t help you with netfilter rules.

So if a DNS setting can solve the issue, then the problem is not the network but the DNS resolution. I heard about firewall problems on Debian, but I haven’t used Debian recently as a Docker host.

All user-defined bridge networks will provide a built-in DNS server so your container names and compose service names can be used as domain names to access other containers.

It seems to me you are not afraid of debugging the network, so I would recommend using the netshoot image and tracing the network traffic to get closer to the solution.

I also have a description of how Docker networking works, if it helps.

I will extend it in the future.

1 Like

Thank you so much for taking your time to reply and for your feedback and your recommendations!

I will definitely put my attention on the network part in order to understand it better as well as to try to debug it.
If I come to any conclusion in the meantime I will post it here.

Thank you once again!

Ok, here’s a “very interesting” finding which I currently cannot explain.
If I run my compose.yaml by command line, i.e., considering my compose.yaml:

services:
  onlyoffice:
    image: onlyoffice/documentserver-de
    container_name: onlyoffice
    ports:
      - "127.0.0.1:8085:80"
    environment:
      - JWT_SECRET=****
    extra_hosts:
      - "my_vm_hostname:host-gateway"

if I run:

docker run -i -t -d -p 127.0.0.1:8085:80 -e JWT_SECRET=**** --add-host my_vm_hostname:host-gateway onlyoffice/documentserver-de

This will work! I mean, I will be able to run apt commands or curl google.com.

So my question is, am I doing something wrong with my compose.yaml file? Or does the compose.yaml behave differently from running the docker run command directly?

Thanks once again!

All compose projects use such a user-defined or in other words “custom” docker network. That is the difference. The DNS server is not the same.

1 Like
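The two halves of the thread fit together in the firewall: the FORWARD chain posted above only accepts traffic on docker0, while a compose project gets its own Linux bridge (named br-<first 12 characters of the network id> by default), so neither the embedded DNS forwarder nor direct traffic from the onlyoffice container ever matched an accept rule. The ruleset below is an added example, not from either poster; it assumes the default Docker bridge naming and an nftables build with wildcard interface-name matching.

```nftables
# Added example: FORWARD chain that covers docker0 and compose bridges.
# Assumes Docker's default naming (user-defined bridges are "br-<id>").
table inet filter {
    chain FORWARD {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already allowed, in either direction.
        ct state established,related counter accept
        ct state invalid counter drop

        # Rule from the thread: only the default bridge may open connections.
        # A compose project's bridge is not docker0, so this never matched.
        iifname "docker0" ct state new counter accept

        # Same for every user-defined Docker bridge ("br-*" is a wildcard
        # match on the interface name; it also matches non-Docker bridges
        # named br-..., so name the compose bridge explicitly with the
        # com.docker.network.bridge.name option if that is a concern).
        iifname "br-*" ct state new counter accept

        # Only needed when ports are published on a non-loopback address:
        # connections DNATed by Docker to a container must be forwarded in.
        # Ports bound to 127.0.0.1 (as in the thread) never traverse FORWARD.
        oifname "docker0" ct state new counter accept
        oifname "br-*" ct state new counter accept

        # Docker keeps its own forward rules in a separate table; a drop
        # verdict here still wins, so the final drop stays explicit.
        counter drop
    }
}
```

Load it with nft -f, then confirm which bridge the project actually uses by comparing the output of docker network inspect -f '{{.Id}}' <project>_default with ip link show type bridge.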