culebrón

Reputation: 36453

Network inaccessible in Dockerfile when run with Compose

In my project, apt-get fails to work from Dockerfile when I launch it with docker-compose. But when I call docker directly with --network option, it does work.

Here are configs:

docker-compose.yml:

version: '3'

services:
  main:
    build: main
    network_mode: host

main/Dockerfile:

FROM osrm/osrm-backend:v5.22.0
RUN apt-get update && apt-get install -y wget nodejs npm osmium-tool

This fails (apt-get can't look up a domain):

sudo docker-compose build main

This does work:

sudo docker build main --network=host

What's the reason, and how do I fix it?

Host system is Ubuntu 20.04.

EDIT: Got fixed itself. Well, not itself, but I can't point at what I did exactly to fix it. I was changing /etc/docker/daemon.conf back and forth and rebooted.

Docker compose reads:

version: '3'

services:
  main: 
    build: main

That's it. main/Dockerfile:

FROM osrm/osrm-backend:v5.22.0
RUN echo 123321 && cat /etc/resolv.conf  # echo $number to prevent caching
RUN apt-get update && apt-get install osmium-tool

/etc/docker/daemon.conf:

{}

/etc/default/docker:

...
DOCKER_OPTS=" --dns 127.0.0.53"
...

127.0.0.53 is Ubuntu's own DNS forwarding daemon, if I understood the docs correctly.

Running $ docker-compose build main prints:

Building main
Step 1/5 : FROM osrm/osrm-backend:v5.22.0
 ---> daceec677b86
Step 2/5 : RUN echo 32231 && cat /etc/resolv.conf
 ---> Running in d8c54a39faee
32231
# This file is managed by man:systemd-resolved(8). Do not edit.
...
# operation for /etc/resolv.conf.

nameserver <provider dns ip>
nameserver 8.8.8.8
nameserver 192.168.0.1
search <my wifi router>
Removing intermediate container d8c54a39faee
 ---> 4b07a0fcc889
Step 3/5 : RUN apt-get update && apt-get install osmium-tool
 ---> Running in 71a7c887af04
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease

Everything works.

Upvotes: 2

Views: 3732

Answers (2)

lucidbrot

Reputation: 6156

I had the same issue on an Oracle VM. The same docker build that worked on my local machine did not work there. All I needed to do to fix that was

sudo systemctl restart docker

Upvotes: 2

CoolElectricity

Reputation: 121

UPDATED ANSWER:

sudo firewall-cmd --zone=public --add-masquerade --permanent;

sudo firewall-cmd --reload

sudo systemctl restart docker

You can even get more granular with firewall-cmd rules using the answers found here.

This seemed to fix this issue for me from a "fresh install" of CentOS8. This IP Tables rule has a lot of nuances to it, but this thread seems to really have all the details you could need, should you have a need for highly sensitive security concerns & settings.

Original Answer: I found a workaround for this issue on a CentOS host:

https://github.com/gliderlabs/docker-alpine/issues/386#issuecomment-665123736

Modify the following section in /etc/firewalld/firewalld.conf:

...
# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#       - nftables (default)
#       - iptables (iptables, ip6tables, ebtables and ipset)
##FirewallBackend=nftables
FirewallBackend=iptables
...

Then: service firewalld restart

After that when I ran docker-compose up ... on my docker-compose.yml all was right in the world again.

Upvotes: 3
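A read-only check for the host settings this thread touches (the firewalld backend, the masquerade flag, and the resolvers a bridge-network container can reach), as an added example that is not part of either answer. The function names and the sample inputs are constructed for illustration; `--query-masquerade` reports the state that `--add-masquerade` sets.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it changes no firewall or Docker state.

# Effective FirewallBackend from firewalld.conf text on stdin. Commented lines
# are skipped; with no active line, the default named in the file's own comment
# (nftables) applies. Taking the last active line is an assumption.
firewalld_backend() {
    awk -F= '/^[ \t]*FirewallBackend[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print (v == "" ? "nftables" : v) }'
}

# Nameservers from resolv.conf text on stdin that are not loopback addresses.
# A loopback resolver such as 127.0.0.53 (the systemd-resolved stub) listens in
# the host's network namespace, so a container on a bridge network cannot use it.
reachable_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }'
}

# Constructed sample inputs, modelled on the snippets quoted in the thread.
sample_firewalld_conf() {
    cat <<'EOF'
# FirewallBackend
##FirewallBackend=nftables
FirewallBackend=iptables
EOF
}

sample_resolv_conf() {
    cat <<'EOF'
# constructed sample
nameserver 127.0.0.53
nameserver 8.8.8.8
nameserver 192.168.0.1
EOF
}

# Live check on the Docker host: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "backend:    $(firewalld_backend < /etc/firewalld/firewalld.conf)"
    echo "masquerade: $(firewall-cmd --zone=public --query-masquerade)"
    echo "resolvers:  $(reachable_nameservers < /etc/resolv.conf | tr '\n' ' ')"
fi
```

Run it before and after applying either workaround to record exactly which setting changed, and to see whether masquerading is enabled on the public zone.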
