[SOLVED] No network when running a container in Arch Linux

Hi everybody,

I’m a complete newbie, when running

docker run jenkins

Everything seems to work fine for the docker, but suddenly I don’t have a network on my host (Arch Linux running on my laptop)

Help?

Can you provide more information about your network setup before and after you start a container?

What is the output of:

ip addr
iptables-save
docker info
ps faux | grep docker # specifically looking for the docker daemon and the options it is running with

Hi Jeff,

I also posted the question on stackoverflow, and I think I need to reinstall / reconfigure the Docker.

But if you think you can suggest something else then please.

> ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether c4:8e:8f:f7:6a:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.4/24 brd 192.168.1.255 scope global dynamic wlp2s0
valid_lft 3040sec preferred_lft 3040sec
inet6 fe80::c68e:8fff:fef7:6a9d/64 scope link
valid_lft forever preferred_lft forever

> iptables-save
# Generated by iptables-save v1.4.21 on Mon Jan 11 19:33:53 2016
*nat
:PREROUTING ACCEPT [50763:11316286]
:INPUT ACCEPT [50146:11196027]
:OUTPUT ACCEPT [17266:1062269]
:POSTROUTING ACCEPT [17266:1062269]
COMMIT
# Completed on Mon Jan 11 19:33:53 2016
# Generated by iptables-save v1.4.21 on Mon Jan 11 19:33:53 2016
*mangle
:PREROUTING ACCEPT [574917:384087498]
:INPUT ACCEPT [574294:383966999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [305409:96060129]
:POSTROUTING ACCEPT [305497:96065929]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Mon Jan 11 19:33:53 2016
# Generated by iptables-save v1.4.21 on Mon Jan 11 19:33:53 2016
*filter
:INPUT ACCEPT [574294:383966999]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [305409:96060129]
COMMIT
# Completed on Mon Jan 11 19:33:53 2016

> docker info
Containers: 31
Images: 57
Server Version: 1.9.1
Storage Driver: devicemapper
Pool Name: docker-8:5-548039-pool
Pool Blocksize: 65.54 kB
Base Device Size: 107.4 GB
Backing Filesystem:
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 3.584 GB
Data Space Total: 107.4 GB
Data Space Available: 7.741 GB
Metadata Space Used: 7.496 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.14 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.113 (2015-12-05)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.5-1-ARCH
Operating System: Arch Linux (containerized)
CPUs: 4
Total Memory: 7.709 GiB
Name: arch
ID: OF5Y:H7O4:M4R6:GCF6:NSEU:LNG6:K7NV:FJDM:DUVI:6KOM:LTRB:EUPP

> ps faux | grep docker
val       1663  0.0  0.0  10724  2308 pts/4    S+   19:38   0:00  |       \_ grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn docker
root      1357  2.8  0.4 470960 36016 ?        Ssl  19:38   0:00 /usr/bin/docker daemon -H fd:// --exec-opt native.cgroupdriver=cgroupfs

Is this output before or after you start a container? Can you include the output of the first three commands as seen both before and after?

Additionally, it looks like you are using something called connman. There is a note on the archwiki about connman and docker as well: https://wiki.archlinux.org/index.php/Connman#Blacklist_interfaces

Hi Jeff,

Before I start the container:

arch# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether c4:8e:8f:f7:6a:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.4/24 brd 192.168.1.255 scope global dynamic wlp2s0
valid_lft 3189sec preferred_lft 3189sec
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:72:b7:fb:64 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:72ff:feb7:fb64/64 scope link
valid_lft forever preferred_lft forever

arch# iptables-save
# Generated by iptables-save v1.4.21 on Tue Jan 12 20:59:13 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [45:2854]
:POSTROUTING ACCEPT [45:2854]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 12 20:59:13 2016
# Generated by iptables-save v1.4.21 on Tue Jan 12 20:59:13 2016
*mangle
:PREROUTING ACCEPT [1506330:1581501472]
:INPUT ACCEPT [1505336:1581278542]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [871835:287624586]
:POSTROUTING ACCEPT [871926:287632090]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue Jan 12 20:59:13 2016
# Generated by iptables-save v1.4.21 on Tue Jan 12 20:59:13 2016
*filter
:INPUT ACCEPT [258:45205]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [263:57608]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Tue Jan 12 20:59:13 2016

arch# docker info
Containers: 42
Images: 57
Server Version: 1.9.1
Storage Driver: devicemapper
Pool Name: docker-8:5-548039-pool
Pool Blocksize: 65.54 kB
Base Device Size: 107.4 GB
Backing Filesystem:
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 3.692 GB
Data Space Total: 107.4 GB
Data Space Available: 6.533 GB
Metadata Space Used: 9.204 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.138 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.113 (2015-12-05)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.5-1-ARCH
Operating System: Arch Linux (containerized)
CPUs: 4
Total Memory: 7.709 GiB
Name: arch
ID: OF5Y:H7O4:M4R6:GCF6:NSEU:LNG6:K7NV:FJDM:DUVI:6KOM:LTRB:EUPP

Now, I run

docker run -p jenkins

And now the output of the first three commands is:

arch# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether c4:8e:8f:f7:6a:9d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.4/24 brd 192.168.1.255 scope global dynamic wlp2s0
valid_lft 2816sec preferred_lft 2816sec
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:72:b7:fb:64 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:72ff:feb7:fb64/64 scope link
valid_lft forever preferred_lft forever
7: veth21e0600@if6: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 22:ab:91:58:b4:84 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::20ab:91ff:fe58:b484/64 scope link
valid_lft forever preferred_lft forever

arch# iptables-save
# Generated by iptables-save v1.4.21 on Tue Jan 12 21:05:29 2016
*nat
:PREROUTING ACCEPT [16:1412]
:INPUT ACCEPT [2:515]
:OUTPUT ACCEPT [117:7371]
:POSTROUTING ACCEPT [117:7371]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Tue Jan 12 21:05:29 2016
# Generated by iptables-save v1.4.21 on Tue Jan 12 21:05:29 2016
*mangle
:PREROUTING ACCEPT [1508715:1582563648]
:INPUT ACCEPT [1506675:1581613560]
:FORWARD ACCEPT [1038:726642]
:OUTPUT ACCEPT [873219:288212461]
:POSTROUTING ACCEPT [874348:288946607]
:connman-INPUT - [0:0]
:connman-POSTROUTING - [0:0]
-A INPUT -j connman-INPUT
-A POSTROUTING -j connman-POSTROUTING
-A connman-INPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A connman-POSTROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
# Completed on Tue Jan 12 21:05:29 2016
# Generated by iptables-save v1.4.21 on Tue Jan 12 21:05:29 2016
*filter
:INPUT ACCEPT [1597:380223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1647:645483]
:DOCKER - [0:0]
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
# Completed on Tue Jan 12 21:05:29 2016

arch# docker info
Containers: 43
Images: 57
Server Version: 1.9.1
Storage Driver: devicemapper
Pool Name: docker-8:5-548039-pool
Pool Blocksize: 65.54 kB
Base Device Size: 107.4 GB
Backing Filesystem:
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 3.702 GB
Data Space Total: 107.4 GB
Data Space Available: 6.403 GB
Metadata Space Used: 9.355 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.138 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.113 (2015-12-05)
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.5-1-ARCH
Operating System: Arch Linux (containerized)
CPUs: 4
Total Memory: 7.709 GiB
Name: arch
ID: OF5Y:H7O4:M4R6:GCF6:NSEU:LNG6:K7NV:FJDM:DUVI:6KOM:LTRB:EUPP

Also, indeed, I can see in

ps aux

That I have a connman process. Will learn about it, thanks for pointing that out!

So after visiting the link you provided, I fixed the problem. As described there,

Blacklist interfaces
If something like Docker is creating virtual interfaces Connman may attempt to connect to one of these instead of your physical adapter if the connection drops. A simple way of avoiding this is to blacklist the interfaces you do not want to use. Connman will by default blacklist interfaces starting with “vmnet”, “vboxnet”, “virbr” and “ifb” so those need to be included as well.
Blacklisting interface names is also useful to avoid a race condition where connman may access eth# or wlan# before systemd/udev can change it to use a predictable interface name like enp4s0. Blacklisting the conventional (and unpredictable) interface prefixes makes connman wait until they are renamed.
If it does not already exist, create /etc/connman/main.conf:

[General]
NetworkInterfaceBlacklist=vmnet,vboxnet,virbr,ifb,docker,veth,eth,wlan

So I created the directory and the file, added the above lines to it, restarted connman, and now everything seems to work as expected. Thank you Jeff!!
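
Added example, not part of the original thread: a POSIX shell check that reads a connman main.conf and `ip addr` output and lists the interfaces the NetworkInterfaceBlacklist value still leaves for connman to manage, using the prefix matching the quoted wiki text describes. The function names are made up for this example, the sample input is cut down from the "after" output posted above, and skipping lo is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the thread): list the interfaces a given
# NetworkInterfaceBlacklist value leaves for connman to manage.

# Read main.conf text on stdin, print the NetworkInterfaceBlacklist value.
blacklist_from_conf() {
    sed -n 's/^[[:space:]]*NetworkInterfaceBlacklist[[:space:]]*=[[:space:]]*//p'
}

# Read `ip addr` output on stdin, print one interface name per line.
# "7: veth21e0600@if6: <...>" becomes "veth21e0600"; lo is skipped (assumption).
ifaces_from_ip_addr() {
    sed -n -e '/^[0-9][0-9]*: lo:/d' \
           -e 's/^[0-9][0-9]*: \([^:@]*\)[:@].*/\1/p'
}

# $1 = comma-separated prefixes, remaining args = interface names.
# Prints every name that no prefix matches (still visible to connman).
managed_by_connman() {
    blacklist=$1; shift
    for iface in "$@"; do
        hit=0
        old_ifs=$IFS; IFS=,
        for prefix in $blacklist; do
            case $prefix in '') continue ;; esac
            case $iface in "$prefix"*) hit=1; break ;; esac
        done
        IFS=$old_ifs
        [ "$hit" -eq 1 ] || printf '%s\n' "$iface"
    done
}

# Constructed sample: interface header lines from the thread's "after" output.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
7: veth21e0600@if6: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500'

# The main.conf content given in the thread.
SAMPLE_CONF='[General]
NetworkInterfaceBlacklist=vmnet,vboxnet,virbr,ifb,docker,veth,eth,wlan'

names=$(printf '%s\n' "$SAMPLE_IP_ADDR" | ifaces_from_ip_addr)
echo "connman default blacklist leaves:"
managed_by_connman "vmnet,vboxnet,virbr,ifb" $names
echo "blacklist from the thread leaves:"
managed_by_connman "$(printf '%s\n' "$SAMPLE_CONF" | blacklist_from_conf)" $names
```

On a live host, feed it the real files instead, for example `ip addr | ifaces_from_ip_addr` and `blacklist_from_conf < /etc/connman/main.conf`.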