Host OS is CentOS 8. I’m not behind proxy, at least as i know. firewalld is not installed due to conflict with docker. But my hosting company uses it’s own DNS servers. Here are the problem, when I run from the container that has been created by docker-compose i’m getting every time Connection timeout:
apt-get update
Err:1 http://archive.ubuntu.com/ubuntu bionic InRelease
Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
Err:2 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Unable to connect to archive.ubuntu.com:http:
Err:3 http://archive.ubuntu.com/ubuntu bionic-backports InRelease
Unable to connect to archive.ubuntu.com:http:
Err:4 http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu bionic InRelease
Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.68.208), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.67.208), connection timed out
Err:5 http://security.ubuntu.com/ubuntu bionic-security InRelease
Could not connect to security.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.142), connection timed out
Reading package lists... Done
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease Could not connect to archive.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to archive.ubuntu.com:80 (91.189.88.142), connection timed out
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease Unable to connect to archive.ubuntu.com:http:
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease Could not connect to security.ubuntu.com:80 (91.189.91.38), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.152), connection timed out Could not connect to security.ubuntu.com:80 (91.189.91.39), connection timed out Could not connect to security.ubuntu.com:80 (91.189.88.142), connection timed out
W: Failed to fetch http://downloads.mariadb.com/MariaDB/mariadb-10.4/repo/ubuntu/dists/bionic/InRelease Could not connect to downloads.mariadb.com:80 (172.67.32.229), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.68.208), connection timed out Could not connect to downloads.mariadb.com:80 (104.20.67.208), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.
iptables rules outside the container(on host machine):
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
/etc/docker/daemon.json
{
"dns": [
"10.255.250.40",
"10.255.251.40"
],
"debug": true
}
ping works fine on host machine without any loss. Same with docker run with busybox ping:
docker run --rm busybox ping google.com -c 2
PING google.com (172.217.14.110): 56 data bytes
64 bytes from 172.217.14.110: seq=0 ttl=113 time=76.651 ms
64 bytes from 172.217.14.110: seq=1 ttl=113 time=64.544 ms
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 64.544/70.597/76.651 ms
I know that with docker run it uses docker0 network and it works fine. While with docker-compose it creates new networks for services and instead of using /etc/resolv.conf it uses built in DNS. But as we can see, everything works fine with DNS, since I can see IP addresses when I run apt-get update inside of container. Plus debug logs shows that dns 10.255.250.40 resolves them fine too. It’s just connection time out. So something doesn’t let the traffic pass after dns resolved everything fine.
Can anyone help me with this problem? Thanks.