Docker Community Forums

Docker-compose created container cannot access Internet

Host OS is CentOS 8. I’m not behind a proxy, at least as far as I know. firewalld is not installed due to a conflict with Docker. But my hosting company uses its own DNS servers. Here is the problem: when I run this from the container that has been created by docker-compose, I get a connection timeout every time:

apt-get update
Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
  Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
Err:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
  Unable to connect to archive.ubuntu.com:http:
Err:3 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
  Unable to connect to archive.ubuntu.com:http:
Err:4 http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu bionic InRelease
  Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.68.208), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.67.208), connection timed out
Err:5 http://security.ubuntu.com/ubuntu bionic-security InRelease
  Could not connect to security.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.142), connection timed out
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease  Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease  Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease  Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease  Could not connect to security.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.142), connection timed out
W: Failed to fetch http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu/dists/bionic/InRelease  Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.68.208), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.67.208), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.

iptables rules outside the container (on the host machine):

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:mysql
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:https
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:http

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

/etc/docker/daemon.json

{
  "dns": [
    "10.255.250.40",
    "10.255.251.40"
  ],
  "debug": true
}

ping works fine on host machine without any loss. Same with docker run with busybox ping:

docker run --rm busybox ping google.com -c 2
PING google.com (172.217.14.110): 56 data bytes
64 bytes from 172.217.14.110: seq=0 ttl=113 time=76.651 ms
64 bytes from 172.217.14.110: seq=1 ttl=113 time=64.544 ms

--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 64.544/70.597/76.651 ms

I know that docker run uses the docker0 network and it works fine, while docker-compose creates new networks for services and uses the built-in DNS instead of /etc/resolv.conf. But as we can see, everything works fine with DNS, since I can see IP addresses when I run apt-get update inside the container. Plus the debug logs show that DNS 10.255.250.40 resolves them fine too. It’s just a connection timeout. So something doesn’t let the traffic pass after DNS has resolved everything fine.

Can anyone help me with this problem? Thanks.

Check /etc/default/docker to ensure it doesn’t have the following line:

DOCKER_OPTS="--iptables=false"

Also check /etc/docker/daemon.json to ensure it doesn’t have the following key:

{
  "iptables": false
}

We added this on one server to get UFW working with docker. We then changed to an external firewall. Spent ages looking for the reason external networking wasn’t working because it was removed from our deploy guide. Hope this helps someone else.
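
The two checks from the reply above, as an added example that is not part of the original posts: it reports which of the two files turns off Docker's management of iptables rules. The function names and the sample strings are assumptions made for illustration; the file paths and the option and key being searched for are the ones named in the reply.

```python
import json
import shlex

# Constructed samples: the thread's daemon.json, and a defaults file with the flag set.
SAMPLE_DAEMON_JSON = '{"dns": ["10.255.250.40", "10.255.251.40"], "debug": true}'
SAMPLE_DEFAULTS = '# constructed\nDOCKER_OPTS="--dns 10.255.250.40 --iptables=false"\n'

def daemon_json_disables_iptables(text):
    """Return True if a daemon.json document sets "iptables" to false."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError:
        # Curly quotes pasted from a web page make the file invalid JSON;
        # surface that instead of guessing what was meant.
        raise ValueError("daemon.json is not valid JSON")
    return isinstance(config, dict) and config.get("iptables") is False

def docker_opts_disable_iptables(text):
    """Return True if an uncommented DOCKER_OPTS line carries --iptables=false."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or not line.startswith("DOCKER_OPTS="):
            continue
        value = line.split("=", 1)[1]
        # shlex strips the shell quoting; the quoted value holds several options.
        for token in shlex.split(value):
            if any(opt.lower() == "--iptables=false" for opt in token.split()):
                return True
    return False

def audit(daemon_json="/etc/docker/daemon.json", defaults="/etc/default/docker"):
    """Return the paths whose contents disable Docker's iptables management."""
    findings = []
    for path, check in ((daemon_json, daemon_json_disables_iptables),
                        (defaults, docker_opts_disable_iptables)):
        try:
            with open(path, encoding="utf-8") as fh:
                if check(fh.read()):
                    findings.append(path)
        except FileNotFoundError:
            continue  # a missing file cannot disable anything
    return findings

if __name__ == "__main__":
    hits = audit()
    print("iptables management disabled in:", ", ".join(hits) if hits else "none")
```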

The file /etc/default/docker doesn’t exist. daemon.json’s contents are:

{
  "dns": [
    "10.255.250.40",
    "10.255.251.40"
  ],
  "debug": true
}

The issue is still there. But thanks for trying to help me anyway.

I temporarily solved this issue by connecting my containers manually to the default bridge network with docker network connect bridge <CONTAINER NAME>. But I’m not sure that this is a good solution. But it worked for me at least.