Container host unreachable inside Docker container

[crunchtime-ali]

Output of docker version: Docker version 1.11.2, build b9f10c9

Output of docker info:

Containers: 17
 Running: 8
 Paused: 0
 Stopped: 9
Images: 38
Server Version: 1.11.2
Storage Driver: devicemapper
 Pool Name: docker-253:1-524092-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 12.65 GB
 Data Space Total: 107.4 GB
 Data Space Available: 44.61 GB
 Metadata Space Used: 19.11 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.128 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.107-RHEL7 (2015-12-01)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: host bridge null
Kernel Version: 3.10.0-327.18.2.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.64 GiB
Name: v22016063660335501.happysrv.de
ID: KXJP:BJWS:XM3P:GJKI:VZMX:5TL5:E6DT:3OIJ:3REI:UT6V:OLWI:PCBP
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):
physical machine

* Problem description:*
I've got a docker container on host 183.83.83.83 (example)
The A record of a subdomain mycontainer.example.com points to this IP.

A curl to 183.83.83.83 or mycontainer.example.com gives HTTP status 200 and the correct website.

However the same curl from inside every container on that host (to both the IP or hostname above) fails to connect:

curl: (7) Failed to connect to mycontainer.example.com port 80: Host is unreachable

This doesn't happen when trying this from a Docker container from another host or from the host itself.

What is going wrong here?

[thaJeztah]

Can you provide more information how you started your containers? (What options?), perhaps a minimal case to reproduce?

[tallandtree]

I've the same issue. In my case, it was caused by my firewall rules. I solved it by adding:

sudo iptables -I INPUT 1 -i <docker-bridge-interface> -j ACCEPT.

Now I can do curl -v <dockerhost:port> from my container running in the docker-bridge-interface network and exposing above port on the dockerhost.

I think this should be solved by docker: whenever a bridge network is created, a firewall rule should be set to allow the container to reach the host on it's own exposed (host) port.

Steps to reproduce (ubuntu 16.04 with docker 1.11.2 and 1.12.0, fedora 21 with docker 1.9.1):
$ sudo iptables -P INPUT DROP
$ docker network create -d bridge mynetwork
$ docker run -d -p 8000:8000 --net=mynetwork --name=revealjs amouat/revealjs:latest docker exec -ti revealjs /bin/bash
$ curl -v <dockerhost-ip>:8000
curl: (7) Failed to connect to <dockerhost-ip> port 8000: Connection refused
Or depending on your overall firewall rules, you could also get a timeout.

Solved it by:

$ sudo iptables -I INPUT 1 <interfacename-mynetwork> -j ACCEPT

Ideally (IMHO), docker should add this rule when a bridge or other network is created.

[thaJeztah]

Closing because we didn't get more information from OP

[tallandtree]

Hi @thaJeztah , I don't think the issue should be closed. I've provided you with reproduce steps and a workaround. But I still think docker should solve this when setting up the iptables rules when a container or network is created.
Some webapplications unfortunately are using their own baseurl to load pages instead of a relative url and therefore need to be able to communicate to the host from the container.

The problem is also with docker 1.12.1, on debian jessie, ubuntu 16.04 and fedora 21.

[crunchtime-ali]

Hey, I sadly can't remember anymore which application caused this issue and therefore can't reproduce it anymore.
What do you say regarding the solution of @tallandtree? I would at least add the iptables bit to the Docker FAQ.

[tallandtree]

Hi @thaJeztah, can you please respond? Should I create a new issue or can this issue be re-opened?

[cdauth]

This is still an issue 4 years later. Any suggestions how to solve it that doesn't involve hard-coding interface names into my iptables rules?