Docker CE on Ubuntu : unable to reach container ports (whatever containers are)

Hello, whatever container I run, it seems that container network ports communication is blocked.
I tried with portainer and nginx, also a ruby http server, impossible to reach container from host.

Example with nginx :

docker run -d -p 7878:80 --rm --name webserver nginx

docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
08cdc8400686 nginx "nginx -g 'daemon of…" 4 seconds ago Up 3 seconds 0.0.0.0:7878->80/tcp webserver

docker inspect 08cdc8400686 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",

So basically, nginx port 80 is exposed, and at host level it’s reachable at port 7878 … it should.
But when I test connection from localhost :

telnet localhost 7878
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.     ### connection OK

telnet 172.17.0.2 80
Trying 172.17.0.2...
^]  ### connection KO

It seems that forwarding to the bridge works, but the IP or port of the container is blocked. I could ICMP the network bridge gateway but not the container :crazy_face: drives me crazy !!

ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
ping: sendmsg: Operation not permitted

ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.141 ms

I reinstalled docker-ce on my Ubuntu Xenial laptop but it did not solve this problem.
Is this a common problem? I googled all afternoon yesterday without success, even after playing with iptables.

Does anyone have an idea to help?
Thanks

The IP address this returns is internal to Docker and is basically totally useless. (You should almost never need to run docker inspect for anything.)

Yes, that’s right; and you should be able to point a browser at http://localhost:7878/; and from other machines you should be able to point at the host’s port 7878, using the host’s DNS name (or IP address). That’s all normal.

What do you think isn’t working correctly?

Precisely, this is not working : browser to http://localhost:7878/ loads and loads endlessly …
Same thing observed with curl command :persevere:
That’s why I tried to debug access to container port 80.

Port 7878 is listening at host level, and probably forwarded to container:80, but the container port seems to be blocked or unavailable.

netstat -tunlp | grep 7878
tcp6       0      0 :::7878                 :::*                    LISTEN      32334/docker-proxy

Does the container output anything interesting (docker logs webserver)?

If you’re loading custom configuration into the container somehow, does it have a listen statement that points to some alternate port? (Docker does strongly imply that the stock nginx container as shipped listens on port 80.)

Do you have any non-default networking setup on the host? Have you tried to configure Docker’s networking in any interesting way? Does your host have some sort of firewalling enabled?

I’ve a Cisco VPN client to connect to my work office; it may interfere in network forwarding, even if docker is local, you’re right.

This weekend I will create a fresh VM with the same OS level and Docker-ce version and test whether it is the same.
I will keep you informed.
Anyway, many thanks for your support :slight_smile:

Hello David, this was precisely my Cisco VPN client, it places some rules that prevent communication on docker0 network bridge.

  1. test same docker install on a fresh guest Ubuntu in a VM : docker nginx test OK
  2. on my host I disable Cisco daemon to start at boot time : docker nginx test OK
  3. because I need Cisco VPN agent, I reactivate Cisco daemon and go through iptables assessment and cleanup ==> docker nginx test OK

Thanks David for your insight :wink:
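
The diagnosis reached above (host firewall rules installed by a VPN client blocking traffic on the docker0 bridge) can be checked from a saved ruleset. The following is an added example, not code from this thread: it walks the text of `iptables-save -t filter` and reports the first rule that decides the fate of a host packet on a given interface. It assumes only `-i`/`-o` matches matter (rules with any other match are skipped), and the sample ruleset and its chain name `vpn_fw` are constructed for illustration.

```python
# Constructed iptables-save excerpt; the chain name "vpn_fw" is hypothetical.
SAMPLE = """\
*filter
:OUTPUT ACCEPT [0:0]
:vpn_fw - [0:0]
-A OUTPUT -j vpn_fw
-A vpn_fw -o tun0 -j ACCEPT
-A vpn_fw -o lo -j ACCEPT
-A vpn_fw -j DROP
"""

def parse_filter(dump):
    """Return (policies, rules by chain) from `iptables-save -t filter` text."""
    policies, rules = {}, {}
    for line in map(str.strip, dump.splitlines()):
        if line.startswith(":"):
            policies[line[1:].split()[0]] = line.split()[1]
        elif line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules

def target_if_match(rule, pkt):
    """Target of rule if its -i/-o tests fit pkt; any other test = no match."""
    head, _, tail = rule.partition(" -j ")
    conds, target = head.split()[2:], (tail.split() or [None])[0]
    while conds:
        neg = 1 if conds[0] == "!" else 0
        opt, val = (conds[neg:neg + 2] + [None, None])[:2]
        if opt not in ("-i", "-o") or (pkt.get(opt) == val) == bool(neg):
            return None
        conds = conds[neg + 2:]
    return target

def walk(chain, rules, pkt):
    """Follow jumps in rule order; return (verdict, rule) or None."""
    for rule in rules.get(chain, []):
        target = target_if_match(rule, pkt)
        hit = walk(target, rules, pkt) if target in rules else (target, rule)
        if hit and hit[0] in ("ACCEPT", "DROP", "REJECT"):
            return hit
        if target == "RETURN":
            return None
    return None

def verdict(dump, hook, iface):
    """First verdict for a packet on iface in INPUT/OUTPUT, else chain policy."""
    policies, rules = parse_filter(dump)
    pkt = {"-o" if hook == "OUTPUT" else "-i": iface}
    return walk(hook, rules, pkt) or (policies.get(hook, "ACCEPT"), "policy")
```

On the sample, `verdict(SAMPLE, "OUTPUT", "docker0")` points at the catch-all DROP, which matches the symptoms in the thread: the host can reach its own bridge address over loopback, while packets leaving on docker0 toward the container are refused with "Operation not permitted".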