Docker container cannot connect to docker host on it's own exposed port if INPUT chain policy is DROP #27817
Comments
#dibs
how can I find the value of
Where is the subnet of the docker network.
+1 This really needs to be fixed
+1
+1 Lost some time with this one
Could someone explain why the communication between docker and the host port fails here? Does HTTP play a role here?
nope, it's due to the firewall configuration (iptables) on the docker host.
On the same machine I have a total of 4 containers. There is an HA load balancer container and an emqtt container. The traffic from the load balancer is able to reach the emqtt container without adding the firewall rule mentioned here as a workaround. Any idea why it isn't working between two other containers, where one container is making an HTTP call to a service running in another container?
Not sure, it depends on your exact configuration. But maybe in your case the containers run in the same docker network and the load balancer finds the other containers directly through the container name. It is only a problem if they go via the docker host (HTTP calls usually go via the docker host: the DNS name resolves to the docker host IP address). Probably if they used the container name it would be working, as then the traffic remains inside the docker network. I have an apache container running in the same network as my applications, and apache also reaches the other containers via the container name directly. The application containers, however, use a baseurl (which resolves to the IP address of the host) and this causes the problem. I cannot set the baseurl to the container name.
I got the exact same problem. iptables is managed by the docker daemon. What's the recommended (and working) way of doing this?
I wrote some ansible scripts and a library (python) to handle this for all servers that need it.
It seems that this is still not working ...
Here is a simple test:
As suggested above, I can fix this by adding
The above method does not work for me. The general solution is to pay attention to
bump
If you're explicitly configuring this, it's probably better covered by improving documentation. Unless someone wants to propose a way to opt in to such a modification and then provides a PR that gets through review. It could be equally unexpected that Docker made such a modification on its own (which has been an issue in the past with port publishing bypassing existing firewall management via UFW / firewalld). If you don't have the INPUT
You can set
Description
I've got a docker container running in its own bridge network on a docker host. The container's port 8080 is exposed. I've got the iptables default policy on the host set to DROP. The Docker daemon manages the docker iptables rules.
If I run curl outside my container to http://:8080 I get HTTP status 200 and the correct website my container is running.
However the same curl from inside my container on that host (to both the IP or hostname) fails to connect:
curl: (7) Failed to connect to on port 8080: Host is unreachable
This doesn't happen when trying this from a Docker container from another host or from the host itself.
I can solve this by adding the following iptables rule:
sudo iptables -I INPUT 1 -i <docker-bridge-interface> -j ACCEPT
Where <docker-bridge-interface> is the name of the bridge interface in which the docker container is running. Now I can do curl -v dockerhost:port from my container running in the docker-bridge-interface network and exposing the above port on the dockerhost.
I think this should be solved by docker: whenever a bridge network is created, a firewall rule should be set to allow the containers in this network to reach the host on its own exposed (host) port. The reason we need this is that some web applications use a baseurl instead of relative URLs internally.
Steps to reproduce the issue:
Describe the results you received:
This doesn't happen when trying this from a Docker container from another host or from the host itself.
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
I can solve this by adding an iptables rule to allow connections from docker network to host:
$ sudo iptables -I INPUT 1 -i <interfacename-mynetwork> -j ACCEPT
However, IMHO docker should add this rule when a bridge or other network is created.
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):
This is reproducible on the following environments:
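Added here as an example (not code from the issue or from Docker): a POSIX shell helper that inspects an `iptables -S INPUT` dump for the state described above (INPUT policy DROP with no ACCEPT for the bridge interface) and prints the reporter's workaround rule only for a bridge that is missing it. The function names are hypothetical and the dump is constructed; the `br-` naming rule is Docker's default for user-defined bridges.

```shell
#!/bin/sh
# Hypothetical helpers (added example, not part of the issue) that decide
# whether a host with INPUT policy DROP still lacks the per-bridge ACCEPT
# rule the reporter added by hand.

# Docker names a user-defined bridge "br-" plus the first 12 hex chars of
# the network ID unless com.docker.network.bridge.name overrides it.
bridge_name_from_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Exit 0 when the INPUT policy in an `iptables -S INPUT` dump is DROP.
input_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP$'
}

# Exit 0 when the dump already ACCEPTs traffic arriving on interface $2.
input_accepts_iface() {
    printf '%s\n' "$1" | grep -q -- "^-A INPUT -i $2 -j ACCEPT"
}

# Print the workaround rule from the issue (scoped to one bridge) when it
# is needed; print nothing when the host already lets the bridge in.
missing_rule_for() {
    iface=$1
    dump=$2
    if input_policy_is_drop "$dump" && ! input_accepts_iface "$dump" "$iface"; then
        printf 'iptables -I INPUT 1 -i %s -j ACCEPT\n' "$iface"
    fi
}

# Constructed `iptables -S INPUT` output for a host in the reported state:
# docker0 is allowed, a user-defined bridge is not.
SAMPLE_DUMP='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i docker0 -j ACCEPT'

# On a live host (root): feed the real dump and the real network ID, e.g.
#   missing_rule_for "$(bridge_name_from_id "$(docker network inspect -f '{{.Id}}' mynet)")" "$(iptables -S INPUT)"
```

Adding `-p tcp --dport <published-port>` to the emitted rule narrows the opening to the one published port instead of everything the bridge sends to the host.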