Hi everyone,
I’m new to docker and I’m trying to do a proof-of-concept in order to integrate OnlyOffice with my Java application.
I decided to make this post since several days have passed already and I kinda feel that I'm now in a "dead end"/loop/without any ideas.
I'm running a cloud VM with Debian 11 with docker installed (Docker version 27.0.3, build 7d4bcd8). I've configured /etc/docker/daemon.json on my host with the following:
{
    "ip": "127.0.0.1",
    "log-driver": "local",
    "log-opts": {
        "max-file": "5",
        "max-size": "100m"
    }
}
As for my docker compose.yaml I have the following:
services:
  onlyoffice:
    image: onlyoffice/documentserver-de
    container_name: onlyoffice
    ports:
      - "127.0.0.1:8085:80"
    environment:
      - JWT_SECRET=****
    extra_hosts:
      - "my_vm_hostname:host-gateway"
Where I'm using the "extra_hosts" option so that some requests are able to "communicate" with the host (I don't know if this is the correct way, but it was the only one I've found so far that actually worked).
Now here’s my problem:
I’m not able to access the internet inside my onlyoffice container (like doing “apt update” or a “curl google.com” command).
I noticed that if I just run the container without any port mapping and using network mode host I can indeed reach the web (kinda expected from what I've been reading):
docker run -i -t --network host -e JWT_SECRET=**** onlyoffice/documentserver-de
After some searching I started to suspect this issue could be related to my nftables rules in place.
My nftables rules are as follows:
chain INPUT {
    type filter hook input priority 0; policy drop;
    iifname "lo" counter accept
    ip daddr 127.0.0.0/8 counter reject
    ct state established,related counter accept
    ct state invalid drop
    tcp dport {ssh,http,https} counter accept
    icmp type echo-request counter accept
    limit rate 5/minute burst 5 packets counter log prefix "iptables denied: " level debug
    counter drop
}
chain FORWARD {
    type filter hook forward priority 0; policy drop;
    counter drop
}
chain OUTPUT {
    type filter hook output priority 0; policy drop;
    counter accept
}
To troubleshoot this I've run a simple test with a different container:
docker run --rm busybox ping -c 4 google.com
where I also wasn't able to ping google.com.
Accordingly, I did a small update on my nftables in order to allow forwarding traffic from Docker to other interfaces, by updating my FORWARD chain:
chain FORWARD {
    type filter hook forward priority 0; policy drop;
    iifname "docker0" oifname != "docker0" counter accept
    oifname "docker0" iifname != "docker0" counter accept
    counter drop
}
This change was enough to successfully be able to run the previous docker container with the ping command.
Although, on the other hand, this change didn't have any impact on my original problem, the onlyoffice container, where I still can't access/ping anything on the internet.
My question is: How can I enable web access from my container when using port mapping? Am I missing something? Can docker be messing with nftables rules, preventing the container from accessing the web?
I also noticed that my onlyoffice container didn't get the resolv.conf from the host (I'm not even sure if it's supposed to).
From my host I have:
nameserver 176.58.xxx.5
nameserver 85.159.xxx.31
nameserver 109.74.xxx.20
search members.abc.com
options rotate
From my onlyoffice container I have:
nameserver 127.0.0.11
search members.abc.com
options rotate ndots:0
From the “working” example container (busybox) - where I can actually run the ping command - I have:
nameserver 176.58.xxx.5
nameserver 85.159.xxx.31
nameserver 109.74.xxx.20
search members.abc.com
options rotate
Which is the very same as my host.
Any pointer would be deeply appreciated.
Thanks in advance to everyone who took some time to read my post.
All the best!
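An nftables FORWARD chain that covers both the default bridge (docker0) and the per-project bridges Docker Compose creates (named br-<id>), added here as an example rather than taken from the post above. It assumes an inet family table, that Docker's own NAT/masquerade rules installed through iptables-nft stay in place, and an nft version that supports wildcard interface names.

```nft
# Added example, not from the original post.
# A Compose project puts its services on a user-defined network whose bridge is
# named br-<12 hex chars>, so a FORWARD rule that only matches docker0 never
# sees the onlyoffice container's packets. The 127.0.0.11 nameserver seen in
# that container is Docker's embedded DNS for user-defined networks, which
# relays queries to the host's resolvers; it is not a sign of a broken config.
table inet filter {
    chain FORWARD {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for connections the containers opened themselves
        ct state established,related counter accept
        ct state invalid counter drop

        # Container -> other interfaces (default bridge and Compose bridges)
        iifname "docker0" oifname != "docker0" counter accept
        iifname "br-*" oifname != "br-*" counter accept

        # Other interfaces -> containers (published ports reached from outside)
        oifname "docker0" iifname != "docker0" counter accept
        oifname "br-*" iifname != "br-*" counter accept

        # Log what is still dropped so a missing rule shows up in the journal
        limit rate 5/minute burst 5 packets counter log prefix "nft forward denied: " level debug
        counter drop
    }
}
```

Since Docker's iptables-nft chains and this native table are evaluated independently, a forwarded packet must be accepted by both, which is why a drop in either one breaks container egress.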