Docker container cannot access internet behind cisco vpn - docker

My setup:
Linux Mint 20
Docker version 19.03.12
Cisco AnyConnect 4.3.05017
My Issue:
When I connect to my company's VPN I cannot access the internet through my docker containers.
e.g. running docker run -it ubuntu apt update will fail with the message
"Err:1 http://archive.ubuntu.com/ubuntu focal InRelease
Temporary failure resolving 'archive.ubuntu.com'"
Disconnecting from VPN does not fix the issue. (see workaround #2)
I have two workarounds:
Running docker with docker run -it --net=host ubuntu apt update will work fine; however, that is not a suitable workaround for my company's scripts and build system. It will do for ad-hoc jobs.
Disconnect from the VPN and run the following script (from https://github.com/moby/moby/issues/36151):
#!/bin/bash
# Remove all stopped containers, unused networks and all images
docker system prune -a
systemctl stop docker
# Flush every iptables rule, including the ones docker added
iptables -F
# Tear down the default bridge so docker recreates it on start
ip link set docker0 down
brctl delbr docker0
systemctl start docker
will allow it to work again - but then I don't have access to my company's internal servers, which is also needed to build our software.
I have tried these things:
Added DNS to daemon.json (My docker container has no internet)
Fixing the resolv.conf (My docker container has no internet)
https://superuser.com/questions/1130898/no-internet-connection-inside-docker-containers
Docker container can only access internet with --net=host
https://stackoverflow.com/a/35519951/9496422
and basically any other hit on the first two pages of a Google search for "docker container no internet behind vpn".

In order to do this you need to enable the setting "Allow local (LAN) access when using VPN (if configured)" in Cisco AnyConnect.
However, some companies don't allow this because of security policy.

Related

My Docker containers can ping but can't curl URL

I'm using Docker version 20.10.21 under Ubuntu server 22.04.
Since a week ago, my Docker containers can't reach public APIs on the internet (for example Public holidays in France). They could reach it before an apt update and upgrade was done.
I was thinking that it was a Docker bridge network related issue in the first place, so I tried this solution:
My docker container has no internet
Then I tried docker network prune, and then I tried to uninstall and reinstall Docker.
After investigations, I was wrong about my diagnosis because I can ping public names, but I can't curl any URL:
I don't understand why this issue suddenly happened and I'm out of thoughts to solve this.
UPDATE:
Docker containers can't curl any URL, but my Ubuntu host does.
With docker host network, curl is working for the given API.
On the other hand, if I'm running the same container on Docker Desktop, on my dev computer, that works well.
I finally found out what the issue was. The MTU of my host network interface was different from the default value of the docker network (1500).
I checked my network interface MTU:
ip a | grep mtu
And then I set the MTU for the docker daemon in /etc/docker/daemon.json:
{
  "mtu": 1280
}
Then don't forget to restart docker:
systemctl restart docker
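The MTU fix above, as an added example that is not the answer's own code: a POSIX shell script that picks the smallest MTU among the host's UP links (skipping docker-managed ones) from an `ip -o link show` style listing and renders the daemon.json fragment, but only when the host path is narrower than Docker's default of 1500. The interface listing and names (eth0, cscotun0) are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the original answer: choose the MTU Docker's
# bridge should use from the host's link list and render the daemon.json
# setting. Assumes the one-line-per-interface format of `ip -o link show`.

# Constructed sample: an Ethernet link at 1500, the existing docker bridge,
# and a VPN tunnel (cscotun0) that only carries 1280-byte frames.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
4: cscotun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500'

# host_min_mtu LINKS: smallest MTU among links flagged UP, skipping the
# loopback and docker-managed links (docker0, br-*, veth*), since those
# are what we are configuring rather than the path packets leave on.
host_min_mtu() {
  printf '%s\n' "$1" | awk '
    $2 !~ /^(lo|docker[0-9]*|br-[0-9a-f]+|veth[^:]*):$/ && $3 ~ /[<,]UP[,>]/ {
      for (i = 1; i < NF; i++)
        if ($i == "mtu") { m = $(i + 1) + 0; if (min == "" || m < min) min = m }
    }
    END { if (min == "") exit 1; print min }'
}

# daemon_mtu_setting LINKS: print the value to put under "mtu" in
# /etc/docker/daemon.json, or nothing when the host path already carries
# Docker's default of 1500 and no override is needed.
daemon_mtu_setting() {
  min_mtu=$(host_min_mtu "$1") || return 1
  [ "$min_mtu" -lt 1500 ] && printf '%s\n' "$min_mtu"
  return 0
}

# render_daemon_json MTU: the daemon.json fragment the answer above uses.
render_daemon_json() {
  printf '{\n  "mtu": %s\n}\n' "$1"
}

want=$(daemon_mtu_setting "$SAMPLE_LINKS")
if [ -n "$want" ]; then
  render_daemon_json "$want"   # for the sample this is the 1280 fragment
else
  echo "host MTU is already 1500 or more; no override needed"
fi
```

On a real host replace SAMPLE_LINKS with `$(ip -o link show)`, write the rendered fragment to /etc/docker/daemon.json and restart docker as the answer says; containers on the default bridge then pick up the new MTU.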

docker compose installed in ubuntu in wsl2 not connecting to internet with cisco vpn

I have installed docker/compose on ubuntu focal in wsl2. If the containers are started without compose, I am able to ping various external hosts. However, the same container, when started through compose along with the vpn, is not able to ping hosts and fails with errors like 'Temporary failure in name resolution'. The problem looks to be related to dns resolution. Has anyone seen this before?
I was able to get it working with
sudo dockerd --dns 8.8.8.8
However, why this affects only compose is not clear.

Docker Intercontainer communication on CentOS 7

I am setting up a microservices architecture using docker for each service. I am also using kong API gateway running in its own docker container. The docker host is Centos 7 running in a VM with an IP 192.168.222.76.
On the host command line, I can access the starter service on port 7000 fine. However, within the kong VM, I ping the IP address but cannot access the service. As you can see from the output below, it says "Host is unreachable".
I am starting docker with --icc=true and --iptables=true and I have made several suggested changes to the firewalld and rich rules, etc. but I continue to not be able to reach the other container from within the kong container.
I am starting the kong container with a named network "kong-net" and the kong database instance is in the same docker network and THEY seem to be able to communicate. I have added my starter service container to the same network on start up and still no joy. The kong container CAN access the outside world, just not other docker containers on the same host.
Output is below:
[root#docker ~]# clear
[root#docker ~]# curl 192.168.222.76:7000/starter/hello
Hello Anonymous Person!!
[root#docker ~]# docker exec -it kong /bin/ash
# curl 192.168.222.76:7000/starter/hello
curl: (7) Failed to connect to 192.168.222.76 port 7000: Host is unreachable
# curl www.google.com
HTML returned properly...
Any help on this appreciated!
You have to reach the other container by its container name.
Try this:
docker exec -t kong curl servicename:7000/starter/hello
Kong container and service containers must share the same network
I was able to get ICC working by disabling firewalld altogether (stop, disable, mask with systemctl) and opening up everything in iptables. Now it's just a matter of setting up rules to block inbound access except on the API gateway and SSH.
Thanks!
I have come across this problem before. If disabling the firewall fixes the problem, DO NOT leave the firewall disabled, this is a very big security concern. The proper way to go about it is firstly, reactivate the firewall and then add a network masquerade.
firewall-cmd --zone=public --add-masquerade --permanent

Docker for Windows 10 how to access host machine

I am using Docker for Windows 10 for development. Before that I used Docker Toolbox on Windows 8. I am used to "tuning" the host virtual machine, in this case the MobyLinuxVM.
When I try to connect in Hyper-V Manager I get the error "cannot connect". When I try docker-machine ls I get no docker machines. How can I possibly access the underlying machine on Docker for Windows 10?
Problems I want to solve are (aka why I want to connect):
Ubuntu apt-get doesn't work for me (I am behind a proxy); I get errors like E: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/xenial/universe/source/Sources Cannot initiate the connection to 3128:80 (0.0.12.56). - connect (22: Invalid argument). On the other hand Centos yum, curl, ... work. http_proxy variables are set.
I want to turn off swap on the host.
update
Solved the problem with apt-get by changing the configuration of the http proxy in docker settings from 1.2.3.4:1234 to http://1.2.3.4:1234/.
update 2
Worked around the problem by modifying /etc/init.d/automount in host and added swapoff -a.
I was able to access the host MobyLinuxVM through a container run with various privileges.
First I ran the container like that (note the double slash when mounting the root filesystem; a single slash didn't work for me in powershell):
$ docker run --net=host --ipc=host --uts=host --pid=host -it --security-opt=seccomp=unconfined --privileged --rm -v //:/host alpine sh
after that when I got into container I just did
$ chroot /host
and then I could access all I needed: /etc/fstab or swapoff -a.

Unable to login in iscsi initiator in docker container within a kubernetes cluster

Unable to login in iscsi initiator in docker container running inside a kubernetes cluster
I have installed open-iscsi package in a docker ubuntu container with privileged mode inside a kubeminion. The iscsi target is running and the iscsi initiator discovery returns the correct initiator name iqn. When I try to login, I get this:
ERROR:
iscsiadm: got read error (0/111), daemon died?
iscsiadm: Could not login to [iface: default, target: iqn.2016-09.com.abcdefg.xyza:name, portal: 10.102.83.21,3260].
iscsiadm: initiator reported error (18 - could not communicate to iscsid)
iscsiadm: Could not log into all portals
I tried service iscsid restart and debugging with the iscsid -d 8 -f command; login is still not successful.
Adding the --net=host and --privileged flags to docker run within the cluster, both iscsi discovery and login will be successful. iscsi expects the host's networking services to run with privileged access. The command should be:
docker run -it --privileged --net=host name:tag
With the network set to host a container will share the host’s network stack and all interfaces from the host will be available to the container. The container’s hostname will match the hostname on the host system.
For more details, refer to the documentation:
https://docs.docker.com/engine/reference/run/#network-settings
Note: the --net flag works on older and latest versions of docker; --network works on the latest docker versions only.
