Docker containers not reachable from host in rootless mode

[sighoya]

Docker containers not reachable from host in rootless mode

The IPs of docker containers aren't reachable from the outside when starting docker in rootless mode. The bridge docker0 with IP 172.17.0.1 can be pinged
could be pinged, but not the container with IP 172.17.0.3

Steps to reproduce the issue:

1. docker run -it --tty archlinux /bin/bash
2. ip a --> 172.17.0.X
3. ping 172.17.0.X from docker host

Describe the results you received:
ping 172.17.0.3
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
From 172.17.0.1 icmp_seq=1 Destination Host Unreachable
From 172.17.0.1 icmp_seq=2 Destination Host Unreachable
From 172.17.0.1 icmp_seq=3 Destination Host Unreachable

Describe the results you expected:
PING 172.17.0.3 (172.17.0.3) 56(84) bytes of data.
64 bytes from 172.17.0.3: icmp_seq=1 ttl=64 time=0.035 ms
64 bytes from 172.17.0.3: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 172.17.0.3: icmp_seq=3 ttl=64 time=0.074 ms

Output of docker version:

Docker version 20.10.16, build aa7e414fdc

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.8.2-docker)
  compose: Docker Compose (Docker Inc., 2.5.1)

Server:
 Containers: 6
  Running: 2
  Paused: 0
  Stopped: 4
 Images: 4
 Server Version: 20.10.16
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: none
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 212e8b6fa2f44b9c21b2798135fc6fb7c53efc16.m
 runc version: 
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
  rootless
  cgroupns
 Kernel Version: 5.15.40-1-lts
 Operating System: Arch Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 62.47GiB
 Name: phantom
 ID: SMDW:PBEU:YHFR:NAVA:5WGK:ELUL:YRF3:SIHN:JEZB:FV52:LQZD:GUSE
 Docker Root Dir: /home/sighoya/vm/docker
 Debug Mode: true
  File Descriptors: 40
  Goroutines: 59
  System Time: 2022-05-21T16:02:20.585738277+02:00
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: Running in rootless-mode without cgroups. Systemd is required to enable cgroups in rootless-mode.

Additional environment details (AWS, VirtualBox, physical, etc.):
ArchLinux Linux phantom 5.15.40-1-lts #1 SMP Sun, 15 May 2022 19:07:59 +0000 x86_64 GNU/Linux

[AkihiroSuda]

Expected behavior, because Rootless Docker is executed inside a dedicated network namespace and has no permission to set up "reachable" IP addresses.
Please use port forwarding (docker run -p).

[AkihiroSuda]

Alternatively you can use DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic for assigning reachable IPs, but needs manual configuration of lxc https://linuxcontainers.org/lxc/manpages/man5/lxc-usernet.5.html

moby/contrib/dockerd-rootless.sh

Line 12 in 8abb84c

# * DOCKERD_ROOTLESS_ROOTLESSKIT_NET=(slirp4netns|vpnkit|lxc-user-nic): the rootlesskit network driver. Defaults to "slirp4netns" if slirp4netns (>= v0.4.0) is installed. Otherwise defaults to "vpnkit".

[SunSDSE]

Better yet... Is there some documentation that would allow us to reinstall a previous build of Docker that works? My Docker Swarm is down hard since I attempted to upgrade to the latest release.

[thaJeztah]

@SunSDSE I don't think there has been a version that supported this in rootless mode; is your issue related to rootless mode?

[thaJeztah]

For installing specific versions; the docker packages from download.docker.com are regular deb or rpm packages, and all releases can be found there (e.g. for ubuntu "focal"; https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/)

You can specify a version to install using the package manager you're using (which also allows downgrading with the right options set);

• https://askubuntu.com/questions/138284/how-to-downgrade-a-package-via-apt-get
• https://docs.docker.com/engine/install/ubuntu/#install-docker-engine

Take into account that a Docker installation consists of multiple packages (cli, engine, containerd, compose, etc.) each of which can be upgraded/downgraded individually.

[SunSDSE]

I ran into an odd problem where two nodes out of seven node swarm were downloading the armv7 images of InfluxDB, when all the nodes in the swarm are identical armv8 nodes. It was recommended to get current so I upgrade all my nodes to Debian GNU/Linux 11 (bullseye) then rebuilt the nodes using the get-docker.sh script.

I found out that rootless would not bind to the service port 2377 on the advertised address unless run under sudo. So clearly this is not working right. After reading all these bugs for rootless (20.20.17) I figured I would just go back to the previous release. As my development environment is down.