Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docker for Windows Container are not reachable outside host anymore #4391

Closed
2 tasks done
zhujik opened this issue Aug 2, 2019 · 22 comments
Closed
2 tasks done

Docker for Windows Container are not reachable outside host anymore #4391

zhujik opened this issue Aug 2, 2019 · 22 comments

Comments

@zhujik
Copy link

@zhujik zhujik commented Aug 2, 2019

  • I have tried with the latest version of my channel (Stable or Edge)
  • I have uploaded Diagnostics
  • Diagnostics ID:
    58CFA20E-7891-4FB1-B79E-17F960480329/20190802141658

Expected behavior

Docker Containers are from other machines reachable via computername:port from the network

Actual behavior

Docker containers are not reachable from other machines anymore

Information

  • Windows Version: 10
  • Docker Desktop Version: 2.1

Steps to reproduce the behavior

  1. Run a container on a specific port, e.g. docker run --name mynginx1 -p 8080:80 -d nginx
  2. From another machine in the network. type the following in the browser: http://computername:8080/
  3. Expect to see nginx welcome page, instead timeout. Same happens for IP
  4. From the host itself the container is reachable as normal (via localhost and computername and ip)
  5. Issue is there since version 2.1 upgrade, it works on machines that still run the old docker desktop version
@mikeparker
Copy link
Contributor

@mikeparker mikeparker commented Aug 2, 2019

I can't see anything special from your logs other than the fact you have multiple DNS servers. Can you check your DNS settings haven't been reset and look correct from the settings page?

Also I assume you haven't switched between linux and windows container mode?

Loading

@zhujik
Copy link
Author

@zhujik zhujik commented Aug 2, 2019

Hi mikeparker, thank you for your answer.

The DNS settings look normal to me. DNS server is set to automatic and has ever been. I didn't switch between container modes, it's linux for all hosts that we tested this on. So far for all computers that we updated in our department (4), this issue materialized.

Which information could I provide to you to help debug this issue?

Loading

@sjdvda
Copy link

@sjdvda sjdvda commented Aug 2, 2019

I am having the exact same issue (Windows 10, Docker 2.1 Edge and Stable). What I have tried so far:

  • Reinstalling Docker
  • Disabling Hyper-V and enabling it again
  • Resetting all network interfaces

Nothing has worked so far. I can only access my containers from the local machine. Other (non-Docker) programs can be accessed from the LAN so it's definitely a Docker issue.

Loading

@erickhchan
Copy link

@erickhchan erickhchan commented Aug 2, 2019

Having the same issue with Windows 10, Version 2.1.0.0 (36874) after updating just a few hours ago.

My docker containers aren't able to resolve internal hostname. When using the resolved ip address everything works as expected. I've double-checked my dns settings and used both "automatic" and manually specifying the dns server.

Loading

@kjlhgfds
Copy link

@kjlhgfds kjlhgfds commented Aug 4, 2019

I downgraded windows docker and the issue is gone, so definitly an upgrade related issue.

Loading

@sjdvda
Copy link

@sjdvda sjdvda commented Aug 6, 2019

I downgraded windows docker and the issue is gone, so definitly an upgrade related issue.

Did you have to uninstall docker to be able to downgrade? And did you lose your containers when uninstalling?

When I try to run the 2.0.0.3 installer I get the "Existing installation is up to date" message. I'm thinking uninstalling is probably the only way to resolve this issue but I don't want to go through the trouble of setting up 25+ containers again.

Loading

@frankyifei
Copy link

@frankyifei frankyifei commented Aug 6, 2019

I have the same problem. Is there a way to manually set the internal dns?

Loading

@kjlhgfds
Copy link

@kjlhgfds kjlhgfds commented Aug 6, 2019

Did you have to uninstall docker to be able to downgrade? And did you lose your containers when uninstalling?

Yes I did because I have less than 10 containers.
If someone has a way to save volumes outside dockers so we can bakcup them and put them again in the new docker installation, I'd be glade to hear you !

Loading

@djs55
Copy link

@djs55 djs55 commented Aug 6, 2019

@zhujik In the diagnostics I see the container starting and opening a port forward as expected

[16:08:02.627][GoBackendProcess  ][Info   ] Adding tcp forward from 0.0.0.0:80 to 172.17.0.2:80

and the port forwarder has the following:

{"proto":"tcp","out_ip":"0.0.0.0","out_port":80,"out_path":"","in_ip":"172.17.0.2","in_port":80,"in_path":"","annotation":""}

Given that it works on the local machine but not on remote machines I think it must be some kind of firewall issue. Could you try disabling your firewall and trying again?

I attempted to reproduce the problem locally but it works as expected for me (unfortunately).

Loading

@sjdvda
Copy link

@sjdvda sjdvda commented Aug 6, 2019

I have disabled my firewall but unfortunately the issue still persists.

Diagnostic ID: 3AF31CA1-733A-4D1C-972E-46213C91A1AA/20190806175545

Loading

@frankyifei
Copy link

@frankyifei frankyifei commented Aug 7, 2019

same here
AD945C75-43E0-4F00-8D23-FE2061E742D0/20190807082423

Loading

@bigtongue5566
Copy link

@bigtongue5566 bigtongue5566 commented Aug 8, 2019

same problem.
I disabled windows firewall for public network and it works for me.

Loading

@zhujik
Copy link
Author

@zhujik zhujik commented Aug 8, 2019

@djs55 thank you for your answer.
When the domain firewall is disabled, the issue is resolved. However, since turning off the domain firewall imposes a security issue, this is not a permanent workaround. What do I need to configure in this firewall to resolve this issue?

Still, I don't know why the domain firewall blocks containers that run with docker desktop 2.1 and not for older versions?!

Loading

@sjdvda
Copy link

@sjdvda sjdvda commented Aug 8, 2019

Disabling Windows Firewall for both Private networks and Public networks made containers reachable again for me as well. But as @zhujik said, this is not a permanent workaround.

Loading

@sjdvda
Copy link

@sjdvda sjdvda commented Aug 8, 2019

I noticed that the program name changed from "Docker for Windows" to "Docker Desktop" between 2.0 and 2.1 and so did the executable. I checked the Advanced Windows Firewall rules and I noticed that there was an entry to allow all inbound and outbound connections for "C:\Program Files\Docker\Docker\Docker for Windows.exe" (a file that no longer exists) but no such rule for "C:\Program Files\Docker\Docker\Docker Desktop.exe".

Unfortunately, creating new inbound and outbound "Allow all" rules in Windows Firewall for "Docker Desktop.exe" does not make a difference for me. My containers are still only reachable from the host machine.

Loading

@sjdvda
Copy link

@sjdvda sjdvda commented Aug 12, 2019

After a lot of trial and error, I believe I have solved the issue:

In Windows Defender Firewall with Advanced Security, the following rule needs to be created:

Type: Inbound
Program: C:\Program Files\Docker\Docker\resources\com.docker.backend.exe
Allow all connections

Other machines on the local network can now reach my containers. My nginx reverse proxy is also working again and I can access my exposed containers from the internet.

Hopefully this fix will work for others in this thread.

Loading

@simonfagerholm
Copy link

@simonfagerholm simonfagerholm commented Aug 13, 2019

Had the same issue, and solved it the same way as @sjdvda (unfortunately I didn't find this issue until after).
I used netstat -nab to figure out which application was using the ports that where configured for the docker containers. In the issue above it would be 8080. In case this happens again, the same steps should usable to resolse the issue.

Loading

@DougSchmidt-AI
Copy link

@DougSchmidt-AI DougSchmidt-AI commented Jan 21, 2020

Just had the same problem.

Was running Docker for Windows 2.1.0.5, and my containers could be accessed over the network.
I upgraded to v2.2.0.0 and none of my containers could be accessed over the network, only via localhost.

I tried the @sjdvda workaround, but no luck. After an hour of fidlling, my only option was to uninstall v2.2.0.0 and reinstall v2.1.0.5. My containers were now accessible again.

Loading

@gmerciel
Copy link

@gmerciel gmerciel commented Apr 5, 2020

@DougSchmidt-AI I had the same problem. Search for a blocking rule call com.docker.bakend added after upgrade. Blocking takes precedence, that's why it doesn't work even if you the rule in @sjdvda workaround.

Loading

@Neurrone
Copy link

@Neurrone Neurrone commented Apr 15, 2020

@gmerciel thanks so much, I wasted hours trying to figure out why services in Docker containers wouldn't be reachable outside localhost even though I've already added a rule to open the right ports.

The question then is whether these rules are automatically added by default somehow - if so, this would be a pretty annoying problem.

Windows firewall itself is also broken because even with logging enabled, the dropped packets arent even logged, making troubleshooting extremely difficult.

Loading

@docker-desktop-robot
Copy link
Collaborator

@docker-desktop-robot docker-desktop-robot commented Jul 14, 2020

Issues go stale after 90 days of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30 days of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

Loading

@docker-desktop-robot
Copy link
Collaborator

@docker-desktop-robot docker-desktop-robot commented Sep 12, 2020

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

Loading

@docker docker locked and limited conversation to collaborators Sep 12, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet