Docker host need to have IP Forwarding enabled #490

Closed
steeve opened this Issue May 1, 2013 · 21 comments

Contributor

steeve commented May 1, 2013

If the host running docker doesn't have IP forwarding, then the container won't have access to the outside world.

Collaborator

shykes commented May 1, 2013

Yeah, I had that problem too. One common symptom is "bad address" when trying to resolve something inside the container, e.g.

$ docker run busybox ping www.docker.io
bad address: www.docker.io

(Not the exact error message, this is from memory)


Contributor

steeve commented May 1, 2013

The easy fix would be for the Docker daemon to run sysctl -w net.ipv4.ip_forward=1 at startup.


Contributor

creack commented May 1, 2013

I think this is more the user's responsibility. Docker already sets up the iptables rules, but if the user does not have ip_forward enabled, do we really want to enable it for them?


Member

tianon commented May 2, 2013

We discussed this a bit on #313 for Gentoo, and ended with just a warning in the ebuild (so it shows up at install time). Perhaps we should look to add a similar warning to docker itself when it notices that IP Forwarding is disabled? I think as long as we mention that it has security implications, then we'd be ok. Looking around, I see that Go used to have a handy syscall.Sysctl* set of functions, but they've since been removed, so this wouldn't be as "simple" as I was thinking, but still doable (especially since it's going to be a very common question).


Contributor

c00w commented May 28, 2013

I just spent ~2 hours figuring out why my install didn't work. Mentioning this somewhere in the docs would be very useful.


niclashoyer commented Jun 6, 2013

I am using an up to date Ubuntu 13.04 server instance inside VirtualBox to test docker.
IP forwarding is enabled:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

but the container still can't connect to the outside:

$ docker run busybox ping www.docker.io
ping: bad address 'www.docker.io'

what else could be the problem?


Collaborator

vieux commented Jun 6, 2013

Could you try with the base image instead of busybox?


niclashoyer commented Jun 6, 2013

sure. Output is as follows:

$ docker run base ping www.docker.io
ping: unknown host www.docker.io

Collaborator

vieux commented Jun 6, 2013

It's a DNS issue; docker run -dns 8.8.8.8 base ping www.docker.io should solve your issue.



niclashoyer commented Jun 6, 2013

OK, thank you. I stumbled upon this while using docker build, but docker build does not have the -dns switch. I think this is related to #759. I don't know why DNS does not work inside the container. Maybe the IP of my local router is colliding with some IP ranges used for the containers.

Contributor

eliasp commented Jun 14, 2013

Now that most distributions make use of systemd, what about simply providing a corresponding sysctl.d file to enable IP forwarding?

/usr/lib/sysctl.d/docker-ip-forwarding.conf

net.ipv4.ip_forward = 1

Then only the few remaining distributions which don't provide support for systemd (yet) would actually have to take care of this.

Regarding issue #313: the current Gentoo policy for installing systemd files is that they're always installed, independent of USE=systemd. For now this file could be shipped from $FILESDIR; once docker provides it itself, it can be dropped from $FILESDIR. A corresponding einfo explaining what to do when systemd is not used should only be displayed for USE=-systemd.

eliasp referenced this issue Jun 14, 2013: Gentoo #313 (Closed)

Member

tianon commented Jun 17, 2013

Well, the reason this was not automatically enabled by default in the first place was because enabling IP forwarding has security implications, so having it happen automatically when a package is installed is kind of a dangerous thing. This is why the ebuild I've created and am maintaining for Gentoo includes a nice ewarn explaining how to enable it just until the next reboot or how to do so permanently (via /etc/sysctl.d/). I still believe there would be some value in including a warning in docker itself, possibly with a link to some wiki page or similar explaining the implications of the setting, especially since docker can be used successfully without it, you just don't get internet access.
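tianon's two comments describe the two halves of the fix: detect that the knob is off and warn, then enable it either until the next reboot or permanently via /etc/sysctl.d/. The script below is an added example written for this page, not Docker's own code. It reads the kernel knob from /proc (the route left to a Go program once syscall.Sysctl went away) and takes the file path and sysctl.d directory as parameters so the functions can be exercised on copies without root. The warning text mirrors the one alexbeletsky quotes later in the thread; the fragment name 99-docker-ip-forward.conf is an assumption, and "sysctl --system" (procps) is named in a comment but never run.

```shell
#!/bin/sh
# Added example for this thread, not Docker's own code. Detect whether the
# host kernel forwards IPv4 (the knob Docker needs for bridged containers to
# reach the outside world) and enable it, either until reboot or persistently.
# File paths are parameters with real-host defaults, so the functions can be
# exercised on copies without root.

IP_FORWARD_FILE=/proc/sys/net/ipv4/ip_forward   # what "sysctl net.ipv4.ip_forward" reads

# Print enabled / disabled / unknown for the value in the given procfs-style
# file. Always returns 0 so it is safe inside "$( )" under set -e.
ip_forward_state() {
  _file=${1:-$IP_FORWARD_FILE}
  if [ ! -r "$_file" ]; then
    echo unknown
    return 0
  fi
  _v=$(tr -d '[:space:]' < "$_file")
  case "$_v" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# The daemon-side warning the thread asked for. Returns 0 when forwarding is
# on, 1 after printing a warning, so a caller can decide whether to go on.
warn_if_forwarding_disabled() {
  case "$(ip_forward_state "$1")" in
    enabled)
      return 0 ;;
    disabled)
      echo "WARNING: IPv4 forwarding is disabled. Containers will not reach the outside world." >&2
      return 1 ;;
    *)
      echo "WARNING: cannot read ${1:-$IP_FORWARD_FILE}; unable to tell whether IPv4 forwarding is on." >&2
      return 1 ;;
  esac
}

# Transient fix (steeve's proposal): effective immediately, gone after reboot,
# and silently undone if anything else writes 0 to the knob later. Needs root.
enable_ip_forward_now() {
  sysctl -w net.ipv4.ip_forward=1
}

# Persistent fix (eliasp / tianon): drop a sysctl.d fragment. The directory is
# a parameter (default /etc/sysctl.d) so the content can be checked in a temp
# dir; the file name is an assumption, any *.conf name in that directory works.
# "sysctl --system" (procps) applies it without a reboot; not run here.
write_ip_forward_conf() {
  _dir=${1:-/etc/sysctl.d}
  _conf="$_dir/99-docker-ip-forward.conf"
  printf 'net.ipv4.ip_forward = 1\n' > "$_conf"
  echo "$_conf"
}

# Host usage: "sh ip_forward_check.sh --check". Docker of this era evaluated
# the knob once at daemon start, so after changing it, restart the daemon
# (service docker restart) and run this again to confirm.
if [ "${1:-}" = "--check" ]; then
  warn_if_forwarding_disabled || exit 1
  echo "IPv4 forwarding is enabled ($IP_FORWARD_FILE = 1)."
fi
```

Run it with --check on the host before and after the fix. The transient and the persistent routes are deliberately separate functions: a sysctl -w alone is what the commit at the end of this thread found being reset behind the daemon's back, so the sysctl.d fragment is the one to keep.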


Contributor

jpetazzo commented Jun 26, 2013

+1; I think docker should at least show a big obnoxious warning when IP forwarding is not enabled.

ismell referenced this issue Jun 26, 2013: Network Issue #1026 (Closed)

StanAngeloff commented Jul 15, 2013

[..] Perhaps we should look to add a similar warning to docker itself when it notices that IP Forwarding is disabled? [..] I still believe there would be some value in including a warning in docker itself... (@tianon)

I just spent ~2 hours figuring out why my install didn't work. Mentioning this somewhere in the docs would be very useful. (@c00w)

I also spent hours trying to figure out why the containers didn't have network access. Docker already checks for local 127.* IPs in resolv.conf. It would be nice to print a warning if the host doesn't have IP forwarding set up, as per @tianon's comments.
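niclashoyer's case had ip_forward already set and names still did not resolve; vieux's answer was -dns 8.8.8.8, niclashoyer suspected his router's address range colliding with the container range, and StanAngeloff notes that Docker already checks resolv.conf for 127.* nameservers. The script below is an added example for this page, not Docker's code, that performs both checks on the host side: it lists the resolvers a container could actually reach and builds the docker run DNS arguments from them, and it tests the docker0 subnet for overlap with the host's networks. Paths and CIDRs are parameters; every value in the comments and the sample run is constructed. On a real host pass /etc/resolv.conf and the subnet shown by "ip addr show docker0"; the flag spelling (-dns in the 0.x releases of this thread, --dns later) is passed in rather than assumed.

```shell
#!/bin/sh
# Added example for this thread, not Docker's own code. Two host-side checks
# for "ping: bad address" when net.ipv4.ip_forward is already 1. Inputs are a
# resolv.conf path and CIDR strings, so everything runs without root; on a
# real host pass /etc/resolv.conf and the subnet from "ip addr show docker0".

# --- check 1: resolvers a container can actually reach ----------------------
# Docker hands the container a copy of the host's resolv.conf. A nameserver on
# 127.x (a local caching resolver) is useless there: 127.0.0.1 inside the
# container is the container's own loopback, not the host's. Same rule Docker
# applies when it inspects resolv.conf; this prints only the usable entries.
usable_nameservers() {   # usable_nameservers RESOLV_CONF
  while read -r _key _val _rest; do
    [ "$_key" = nameserver ] || continue
    case "$_val" in
      127.*) ;;           # loopback resolver: skip
      *) echo "$_val" ;;
    esac
  done < "$1"
}

# docker run DNS arguments built from a resolv.conf. $1 is the flag spelling:
# "-dns" for the 0.x releases in this thread, "--dns" for later ones. Falls
# back to 8.8.8.8 (vieux's suggestion) when no usable resolver remains.
dns_flags() {   # dns_flags FLAG RESOLV_CONF
  _flag=$1; _args=""
  for _ns in $(usable_nameservers "$2"); do
    _args="$_args $_flag $_ns"
  done
  [ -n "$_args" ] || _args=" $_flag 8.8.8.8"
  echo "${_args# }"
}

# --- check 2: docker0 subnet colliding with a host network ------------------
# If the bridge subnet overlaps the LAN the host sits on (niclashoyer's guess),
# the host routes replies for outside addresses to docker0 instead of the
# router and the container never hears back. Pure-shell CIDR arithmetic.
ip2int() {   # ip2int A.B.C.D -> 32-bit integer
  _oldifs=$IFS; IFS=.
  set -- $1
  IFS=$_oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

network_of() {   # network_of A.B.C.D PREFIXLEN -> network number as integer
  _mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
  echo $(( $(ip2int "$1") & $_mask ))
}

# True (exit 0) when the two CIDRs share any address: compare both networks
# under the shorter of the two prefixes.
cidrs_overlap() {   # cidrs_overlap A.B.C.D/LEN W.X.Y.Z/LEN
  _l1=${1#*/}; _l2=${2#*/}
  if [ "$_l1" -le "$_l2" ]; then _len=$_l1; else _len=$_l2; fi
  [ "$(network_of "${1%/*}" "$_len")" -eq "$(network_of "${2%/*}" "$_len")" ]
}

# Run both checks; one line per problem found on stdout, nothing when clean.
diagnose() {   # diagnose RESOLV_CONF DOCKER0_CIDR HOST_CIDR...
  _resolv=$1; _bridge=$2; shift 2
  if [ -z "$(usable_nameservers "$_resolv")" ]; then
    echo "problem: no non-loopback nameserver in $_resolv; try: docker run $(dns_flags --dns "$_resolv") base ping www.docker.io"
  fi
  for _lan in "$@"; do
    if cidrs_overlap "$_bridge" "$_lan"; then
      echo "problem: docker0 subnet $_bridge overlaps host network $_lan; give the bridge a subnet that is free on this host"
    fi
  done
}

# Constructed sample run (not output from any host in the thread):
#   sh docker_net_check.sh --check /etc/resolv.conf 172.17.0.0/16 192.168.1.0/24
if [ "${1:-}" = "--check" ]; then
  shift
  diagnose "$@"
fi
```

The resolver check explains why writing a public nameserver into the container (as uzzal2k5 does later in the thread) works: it sidesteps a host resolv.conf that only names a loopback cache. The overlap check only tells you that the ranges collide; which side to renumber is a decision for the host's owner.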


Contributor

crosbymichael commented Aug 14, 2013

The pull request to add the warning was merged 11 days ago. I think we can close this issue now, thanks.


alexbeletsky commented Sep 11, 2013

I still see that warning,

root@dokku:~# docker run base echo hello
WARNING: IPv4 forwarding is disabled.
hello

on,

Docker version 0.6.1, build 5105263

is it supposed to be fixed on new versions?


Contributor

dsissitka commented Sep 11, 2013

IP forwarding detection is currently broken. See #1659. You can make the warning go away by restarting Docker.


alexbeletsky commented Sep 11, 2013

@dsissitka thanks for the clarification. Could you please tell me how docker can be restarted? Just with service stop/start?


pdaether commented Sep 19, 2013

@alexanderbeletsky:

service docker restart

MikeSpreitzer commented Sep 23, 2016

This issue is specific to the bridge network driver, right? Other network drivers may or may not need ip_forward set in the main network namespace, depending on how they work. Have I got this right?


uzzal2k5 commented Apr 10, 2018

vieux is right. I added RUN echo "nameserver 8.8.8.8" > /etc/resolv.conf to my Dockerfile and it works great.

kevindew added a commit to alphagov/govuk-puppet that referenced this issue Aug 13, 2018

Enable kernel ip_forward setting
This setting is enabled to allow Docker containers access to the outside
world [1]. The reason for adding this in is because we have found that
suddenly our docker containers are not able to build.

Investigating into why our docker containers started suddenly having
problems reveals that when Docker starts it changes this value and then
if this gets reset elsewhere the docker service will need a restart to
start working again. Changing this here stops the risk of this
occurring.

This could be changed to only run as part of govuk_docker however this
would be a messier more complicated solution.

[1]: moby/moby#490