Docker 28 no outgoing network on Ubuntu 22 with Plesk

ainblickde · February 20, 2025, 11:45am

After some months our Docker stopped working on Ubuntu 22 after Plesk updated Docker to version 28 this morning. Incoming network traffic was fine, outgoing not working. Also build was not possible.

It works again after going back to 27.5.1

apt-get install docker-ce=5:27.5.1-1~ubuntu.22.04~jammy docker-ce-cli=5:27.5.1-1~ubuntu.22.04~jammy containerd.io

Is there any way to better debug this problem without just going back to 27?

I checked nslookup which did not work inside the Docker but outside, ping might have worked, but I didn’t check.

martinald · February 20, 2025, 2:24pm

Also having similar issues.

On oracle cloud infrastructure, a fresh install of docker from scratch on ubuntu 24.04 with docker 28 does not have outgoing network traffic. After loads of debugging it seems to be missing some iptables rules which i fixed (ICMP and UDP DNS was blocked). I’m not entirely sure what fixed it in the end though as I tried many things.

On GCP it seems to work fine out of the box even on 28.

27 seemed to work fine on OCI too.

ysangkok · February 20, 2025, 2:31pm

I have what I suspect to be the same issue with v5.28 on Debian Bookworm.

failed to bind port 0.0.0.0:63790/tcp: fork/exec /usr/bin/rootlesskit-docker-proxy: no such file or directory

While having this issue, the executable is missing from the package even though apt-file reports it:

 % apt-file search /usr/bin/rootlesskit-docker-proxy
docker-ce-rootless-extras: /usr/bin/rootlesskit-docker-proxy
rootlesskit: /usr/bin/rootlesskit-docker-proxy
 % sudo apt install docker-ce-rootless-extras
docker-ce-rootless-extras is already the newest version (5:28.0.0-1~debian.12~bookworm).
 % dpkg -L docker-ce-rootless-extras
/.
/usr
/usr/bin
/usr/bin/dockerd-rootless-setuptool.sh
/usr/bin/dockerd-rootless.sh
/usr/bin/rootlesskit
/usr/share
/usr/share/doc
/usr/share/doc/docker-ce-rootless-extras
/usr/share/doc/docker-ce-rootless-extras/changelog.Debian.gz

Used this command to resolve my issue:

VER="5:27.5.1-1~debian.12~bookworm"; sudo apt install docker-ce-cli=${VER} docker-buildx-plugin=${VER} docker-ce=${VER} docker-ce-rootless-extras=${VER}

Notably I did not downgrade docker-compose.

After downgrading, the package does contain the executable:

 % dpkg -L docker-ce-rootless-extras
/.
/usr
/usr/bin
/usr/bin/dockerd-rootless-setuptool.sh
/usr/bin/dockerd-rootless.sh
/usr/bin/rootlesskit
/usr/bin/rootlesskit-docker-proxy
/usr/share
/usr/share/doc
/usr/share/doc/docker-ce-rootless-extras
/usr/share/doc/docker-ce-rootless-extras/changelog.Debian.gz

ysangkok · February 20, 2025, 2:39pm

Related threads:

/r/docker/comments/1itvg36/dockerce_update_breaking_networking/
/r/docker/comments/1itw1ve/dont_upgrade_docker_this_morning/
Docker 28 stops containers communicating with tail scale network. · Issue #49498 · moby/moby · GitHub

dominikk95 · February 20, 2025, 8:05pm

Yeah I had the same issue on my Ubuntu 22 LTS… Docker 28 is really broken!

Fix this error by downgrading:

sudo apt remove docker-ce
sudo apt autoremove
sudo apt install docker-ce=5:20.10.13~3-0~ubuntu-jammy #for Ubuntu 22 LTS!!

This fixed all my problems

If you don’t have ubuntu 22 the following command should output the available version for your distro

sudo apt-cache madison docker-ce

Choose the last version of docker 27

slight42 · February 20, 2025, 9:54pm

seems i have the same error:

$ docker compose up -d
[+] Running 2/4
 ✔ Network mydev-net           Created                                                                                                                                                                                                                                                                    0.1s 
 ✔ Container mydev-db          Started                                                                                                                                                                                                                                                                    0.4s 
 ⠼ Container mydev-dev         Starting                                                                                                                                                                                                                                                                   0.4s 
 ⠼ Container mydev-phpmyadmin  Starting                                                                                                                                                                                                                                                                   0.4s 
Error response from daemon: driver failed programming external connectivity on endpoint mydev-phpmyadmin (04145a25f5611c4ddecfe32a716db8040e8f87ffb1d985749a7ab23b1ca304fe): fork/exec /usr/bin/rootlesskit-docker-proxy: no such file or directory

and yesterday evening it did work…

so i checked when the last updates where done.
(its a managed sever setup)
and indeed this morning there were updates for

docker-compose-plugin
docker-buildx-plugin
docker-ce-rootless-extras

$ docker --version 
Docker version 26.0.0, build 2ae903e

$ apt list --installed | grep docker

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

docker-buildx-plugin/bookworm,      now 0.21.0-1~debian.12~bookworm amd64 [installed]
docker-ce-cli/bookworm,             now 5:26.0.0-1~debian.12~bookworm amd64 [installed,upgradable to: 5:28.0.0-1~debian.12~bookworm]
docker-ce-rootless-extras/bookworm, now 5:28.0.0-1~debian.12~bookworm amd64 [installed]
docker-ce/bookworm,                 now 5:26.0.0-1~debian.12~bookworm amd64 [installed,upgradable to: 5:28.0.0-1~debian.12~bookworm]
docker-compose-plugin/bookworm,     now 2.33.0-1~debian.12~bookworm amd64 [installed]

~$ tail -5 /var/log/apt/history.log
Start-Date: 2025-02-20  07:04:08
Commandline: apt-get -q -y --with-new-pkgs -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold upgrade
Requested-By: ctrupdate (1001)
Upgrade: docker-compose-plugin:amd64 (2.32.4-1~debian.12~bookworm, 2.33.0-1~debian.12~bookworm), docker-buildx-plugin:amd64 (0.20.0-1~debian.12~bookworm, 0.21.0-1~debian.12~bookworm), docker-ce-rootless-extras:amd64 (5:27.5.1-1~debian.12~bookworm, 5:28.0.0-1~debian.12~bookworm)
End-Date: 2025-02-20  07:04:09

i am not really sure what to try now
maybe the possible update of docker-ce could resolve this…
i hope i can replicate this on my local system
(currently there are only the 5:26. versions installed…)

system / enviroment

$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm

$ uname -a
Linux xxx 6.1.0-30-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.124-1 (2025-01-12) x86_64 GNU/Linux

slight42 · February 20, 2025, 11:00pm

i could reproduce this behavior now on my local system.
after the upgrade of the packages the old docker-ce thing was still active -
and therefore some incompatibility with this half-done update…
a restart fixed this for my local system.
will try the same with the server.

riic · February 24, 2025, 11:24am

Docker version 28 seems to introduce a lot of changes in the networking settings. Check v28 release page. https://docs.docker.com/engine/release-notes/28/

I’m having the same problem as you guys, but on OCI vm. No matter if it’s ubuntu 22 or 24 as the host, the issue is related to docker version 28. Downgrading it to the latest 27.5.1-1 version made it working again. It’s the quickiest solution for now.

I think that now we have to configure iptables/firewall rules ourselves to allow the containers to access the intenet, but since I don’t understand how to do that, I will wait until someone help with clear instructions…

Best

ainblickde · February 24, 2025, 11:42am

Check the link from @ysangkok above:

http://github.com/moby/moby/issues/49498

They disucss what tables to change in order to get it running. We are still reverting to an older version for now.

slight42 · February 26, 2025, 4:00pm

i just found:

Networking
…

The executable rootlesskit-docker-proxy is no longer used, it has been removed from the build and distribution.

hmmm… but why is the deamon (or what ever) trying to use it?

the linked github issue in this networking section explains some more of the background.

the problem persists on my server setup.
it has all the 5:28 versions installed - but i not rebooted yet…
now i understand the mismatch better…

~~hopefully~~ after the reboot it is all fine!

ainblickde · February 27, 2025, 6:31am

Yesterday’s version 28.0.1 fixes the problem.

Topic		Replies	Views
Docker Rootless Netwoks General docker	0	271	April 3, 2023
Docker 28: IPv6 containers unreachable General linux	2	50	March 24, 2025
Docker-compose and 5.10 kernel - networking issues General docker	1	815	February 24, 2021
Containers and networks General docker	0	658	May 23, 2017
Multiple network issues General	0	681	March 5, 2017

Docker 28 no outgoing network on Ubuntu 22 with Plesk

system / enviroment

Related topics