dzieciou

Reputation: 4524

Investigating Docker connectivity issue

I am trying to reach host-x.com from a Docker container running on macOS, but it fails:

    $ docker run ubuntu:latest \
        /bin/bash -c \
        'apt-get update &&
         apt-get -y install netcat &&
         nc -v -z -w 3 host-x.com 443 &> /dev/null && echo "Online" || echo "Offline"'

    Offline

It works fine when:

UPDATE #1

  1. As suggested, I logged into the container and checked DNS. The host name is correctly resolved:

    root@55add56ecc11:/# ping host-x.com
    PING s1-host-x.com (172.22.187.101) 56(84) bytes of data.
    
  2. However, ping packets are not delivered. I thought this could be caused by a conflict between the IP range of the internal Docker network and the corporate network (172.17.X.X). I tried to fix the Docker bridge IP address in my daemon configuration and re-check the connectivity, but it didn't help:

    "bip" : "10.10.10.1/8"
    
  3. I checked with 3 other people in my company (4 in total including me). 50% have access to this host (Online), 50% don't (Offline).

  4. I tried what @mko suggested, using netcat in interactive mode inside the container. Still timeout.

     root@37c61acc5aa5:/# nc -v -z -w 3 host-x.com 443
     s1-host-x.com [172.22.187.101] 443 (?) : Connection timed out  
    
  5. I tried tracing the route but no success:

    traceroute -m 10 -w 1 host-x.com
    traceroute to host-x.com (172.22.187.101), 10 hops max, 60 byte packets
     1  10.10.10.1 (10.10.10.1)  0.444 ms  0.388 ms  0.364 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     8  * * *
     9  * * *
    10  * * *
    

How can I investigate that?

Upvotes: 14

Views: 812

Answers (2)

arykalin

Reputation: 403

Very likely it's a problem with routes. Check the route table with `ip r` or `netstat -rn` inside the Docker container and on your host. Make sure that your changes to `bip` were applied by running the `ip a` command inside the container; it should have an address in your BIP range. Also, it may be that your new bip range 10.10.10.1 is also conflicting with corporate networks. In this case you should contact your network administrator and ask him what network you should choose for your Docker containers. It is also possible that the host host-x.com is blocking requests from your Docker container IP addresses.

Upvotes: 0
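The range-conflict check this answer describes, as an added example that is not part of the original answer. Only the `bip` value, the target address and the 172.17.0.0/16 corporate range come from the question; the other corporate ranges, the candidate values and the function names are assumptions.

```python
import ipaddress
import json

# Constructed inputs. Only the "bip" value, the target address and the
# 172.17.0.0/16 corporate range come from the question; the other two
# corporate ranges are hypothetical placeholders for an administrator's list.
DAEMON_JSON = '{"bip": "10.10.10.1/8"}'
TARGET = "172.22.187.101"
CORPORATE = ["172.17.0.0/16", "172.22.0.0/16", "10.20.0.0/16"]
DEFAULT_BIP = "172.17.0.1/16"  # docker0's usual address when "bip" is unset


def bridge_network(daemon_json):
    """Subnet that docker0 claims, derived from daemon.json's "bip"."""
    bip = json.loads(daemon_json).get("bip", DEFAULT_BIP)
    # "bip" is a gateway address plus prefix length, so the prefix decides
    # the size of the claimed network: 10.10.10.1/8 means all of 10.0.0.0/8.
    return ipaddress.ip_interface(bip).network


def audit(daemon_json, corporate, target):
    """Report which corporate ranges the bridge subnet collides with."""
    bridge = bridge_network(daemon_json)
    return {
        "bridge": str(bridge),
        # True means the target address is treated as local to the bridge.
        "target_shadowed": ipaddress.ip_address(target) in bridge,
        "overlaps": [c for c in corporate
                     if bridge.overlaps(ipaddress.ip_network(c))],
    }


def first_free_bip(candidates, corporate, target):
    """First candidate "bip" whose subnet is clear of every listed range."""
    for bip in candidates:
        report = audit(json.dumps({"bip": bip}), corporate, target)
        if not report["overlaps"] and not report["target_shadowed"]:
            return bip
    return None


if __name__ == "__main__":
    print("configured:", audit(DAEMON_JSON, CORPORATE, TARGET))
    print("default:   ", audit("{}", CORPORATE, TARGET))
    # Hypothetical candidates; the real choice belongs to the network admin.
    print("free bip:  ", first_free_bip(
        ["10.10.10.1/8", "10.20.30.1/24", "10.10.10.1/24"], CORPORATE, TARGET))
```

With a `/8` prefix the bridge claims the whole of 10.0.0.0/8, so a narrower prefix is what keeps a replacement range clear of other 10.x networks.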

Logu

Reputation: 1024

Could be your firewall (pf) is blocking it. Check the firewall rules on the host and check the route.

Upvotes: 0
