Develop Reference

Docker container can not connect to host machine

I use docker-compose to operate with 3 containers and a network with the bridge driver.
Network is created with following command:
docker network create -d bridge --subnet 192.168.60.0/24 --gateway 192.168.60.1 mynet
The problem is that containers are not available by their address from host machine:
curl: (7) Failed to connect to 192.168.60.3 port 80: Connection refused. I know exactly that container is running and listening on the port.
From the inside of container host machine is unavailable either: curl: (7) Failed to connect to 192.168.60.1.
There must be some trouble with driver, because the network is not listed in interfaces. I did the same thing on another machine and found all docker networks with names likevethXXXXXXX. But on this machine ifconfig -a shows:
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:98:c3:b9:63 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 41250 bytes 11892280 (11.8 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 41250 bytes 11892280 (11.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.202.43 netmask 255.255.255.0 broadcast 192.168.202.255
inet6 fe80::65e5:6492:9305:2d71 prefixlen 64 scopeid 0x20<link>
ether d4:3b:04:74:5c:48 txqueuelen 1000 (Ethernet)
RX packets 693406 bytes 537178014 (537.1 MB)
RX errors 0 dropped 884 overruns 0 frame 0
TX packets 2803399 bytes 572926991 (572.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
What kind of problem it could be? Why the network is not shown in interfaces list?

LXC on host's lan running under normal user

I have set up LXC container using this manual. It's working great under root, but I can't run it under my normal user.
Start of lxc container failed with followed error:
lxc-start Test 20221009142640.181 ERROR network - network.c:lxc_create_network_unpriv_exec:2629 - lxc-user-nic failed to configure requested network: cmd/lxc_user_nic.c: 1209: main: Quota reached
lxc-start Test 20221009142640.182 ERROR start - start.c:lxc_spawn:1786 - Failed to create the network
lxc-start Test 20221009142640.182 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:859 - Received container state "ABORTING" instead of "RUNNING"
lxc-start Test 20221009142640.182 ERROR lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start Test 20221009142640.182 ERROR lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start Test 20221009142640.182 ERROR lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start Test 20221009142640.184 ERROR start - start.c:__lxc_start:1999 - Failed to spawn container "Test"
I suspect that issue is from reason that normal user can't setup proprial network runed from lxc.net.0.script.up.
I'm not so familiar with Linux networking, so I'll appreciate if somebody help me.
cat default.conf
#lxc.apparmor.profile = generated
#lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.include = /etc/lxc/default.conf
######################################
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.net.0.ipv4.address = 192.168.1.13/32
lxc.net.0.ipv4.gateway = 192.168.1.10
lxc.net.0.script.up = /var/lib/lxc/netup.sh 192.168.1.13
lxc.net.0.script.down = /var/lib/lxc/netdown.sh 192.168.1.13
cat lxc-usernet
pi veth veth0 2
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fd03:d926:5f2b:0:1b5a:7e3f:e65f:cf49 prefixlen 64 scopeid 0x0<global>
inet6 fd03:d926:5f2b::10 prefixlen 128 scopeid 0x0<global>
inet6 fe80::1b9:aa6:c2f3:b99c prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:d3:22:99 txqueuelen 1000 (Ethernet)
RX packets 121141930 bytes 157518188138 (146.7 GiB)
RX errors 2 dropped 2 overruns 0 frame 0
TX packets 65951525 bytes 48575917258 (45.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lxcbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 10.0.3.1 netmask 255.255.255.0 broadcast 10.0.3.255
ether 00:16:3e:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Can't reach service of host from container

On the host, there is a service
#server# netstat -ln | grep 3308
tcp6 0 0 :::3308 :::* LISTEN
It can be reached from remote.
The container is in a user-defined bridge network.
The server IP address is 192.168.1.30
#localhost ~]# ifconfig
br-a54fd3b63acd: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:1eff:fecc:92e8 prefixlen 64 scopeid 0x20<link>
ether 02:42:1e:cc:92:e8 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:37ff:fe9f:e4f1 prefixlen 64 scopeid 0x20<link>
ether 02:42:37:9f:e4:f1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34 bytes 4018 (3.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.30 netmask 255.255.255.0 broadcast 192.168.1.255
And ping from container also works.
#33208c18aa61:~# ping -c 2 192.168.1.30
PING 192.168.1.30 (192.168.1.30) 56(84) bytes of data.
64 bytes from 192.168.1.30: icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from 192.168.1.30: icmp_seq=2 ttl=64 time=0.105 ms
And the service is available.
#server# telnet 192.168.1.30 3308
Trying 192.168.1.30...
Connected to 192.168.1.30.
Escape character is '^]'.
N
But the service can't be reached from the container.
#33208c18aa61:~# telnet 192.168.1.30 3308
Trying 192.168.1.30...
telnet: Unable to connect to remote host: No route to host
I checked
Make docker use IPv4 for port binding
make sure I didn't have IPv6 set to only bind on IPv6
# sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0
From inside of a Docker container, how do I connect to the localhost of the machine?
find my route is a little different.
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default router.asus.com 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-a54fd3b63acd
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Does it matter? Or could it be another reason?

Your docker container is on a different network namespace and connected to a different interface than your host machine that's why you can't reach it using the ip 192.168.x.x
What you need to do is to use the docker network gateway instead, in your case 172.17.0.1 but be aware that this IP might no be the same from host to host so to reproduce this everywhere and be completely sure of which is the IP you can create an user-defined network specifying the subnet and gateway and running your container there for example:
docker network create -d bridge --subnet 172.16.0.0/24 --gateway 172.16.0.1 dockernet
docker run --net=dockernet ubuntu
Also whatever service you are trying to connect here must be listening on the docker's bridge interface as well.
Another option is to run the container on the same network namespace as the host with the --net=host flag, and in this case you can access service outside the container using localhost

Inspired by the official document
The Docker bridge driver automatically installs rules in the host
machine so that containers on different bridge networks cannot
communicate directly with each other.
I checked the iptables on the server, for an experiment I stopped the iptables temporary. Then the container can reach that service success. Later I was told, the server has been reboot recently. So guessing some config was lost after that reboot. Not familiar with iptables very much, and when I try
systemctl status iptables.service
It says the service is not installed. After I install and run the service,
iptables -L -n
is almost empty. Now not clue what kind of iptables rules can cause that messy.
But if anyone face the ping success telnet fail situation, iptables could be the place of the root cause.

Docker Container to Container communication with IPv6 only

I am running two VM on OpenStack Mirantis. For Simplicity let's call host-1 and host-2. I am unable to communicate neither from Container to Container on different hosts not Container to Public Internet On each Host I have installed Docker ver 1.12.3 and run the following things --
tee Dockerfile <<-'EOF'
FROM centos
RUN yum -y install net-tools bind-utils iputils*
EOF
Later --
docker build -t crazy:3 .
On host-1 :--
dockerd --ipv6 --fixed-cidr-v6="2001:1b76:2400:e2::2/64" &
run -i -t --entrypoint /bin/bash crazy:3
ping6 -c3 google.com
ifconfig
On host-2 :--
dockerd --ipv6 --fixed-cidr-v6="2001:1b76:2400:e2::2/64" &
run -i -t --entrypoint /bin/bash crazy:3
ping6 -c3 google.com
ifconfig
Host-1 output:--
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 2001:1b76:2400:e2:0:242:ac11:2 prefixlen 64 scopeid 0x0<global>
inet6 fe80::42:acff:fe11:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 18 bytes 1663 (1.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 53 bytes 4604 (4.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Host-2 output:--
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 2001:1b76:2400:e2:0:242:ac11:3 prefixlen 64 scopeid 0x0<global>
inet6 fe80::42:acff:fe11:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 8 bytes 808 (808.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6 bytes 508 (508.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Then again
On host-1:--
ping6 2001:1b76:2400:e2:0:242:ac11:3
On host-2:--
ping6 2001:1b76:2400:e2:0:242:ac11:2
All are same output i,e --
PING 2001:1b76:2400:e2:0:242:ac11:3(2001:1b76:2400:e2:0:242:ac11:3) 56 data bytes
From 2001:1b76:2400:e2:0:242:ac11:2 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:1b76:2400:e2:0:242:ac11:2 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:1b76:2400:e2:0:242:ac11:2 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:1b76:2400:e2:0:242:ac11:2 icmp_seq=4 Destination unreachable: Address unreachable
Both hosts ip route are same i,e --
2001:1b76:2400:e2:f816:3eff:fe69:c2f2 dev eth0 metric 0
cache
2001:1b76:2400:e2::/64 dev eth0 proto kernel metric 256 expires 28133sec
2001:1b76:2400:e2::/64 dev docker0 proto kernel metric 256
2001:1b76:2400:e2::/64 dev docker0 metric 1024
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev docker0 proto kernel metric 256
Both containers ip route are same i,e --
2001:1b76:2400:e2::1 dev eth0 metric 0
cache
2001:1b76:2400:e2::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:1b76:2400:e2::1 dev eth0 metric 1024
Both hosts ip forwarding are same i,e --
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
Both containers ip forwarding are same i,e --
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 0

Q: how to set docker0 interface as externally available IP in a gcloud compute instance?

I'm have eclipse che running natively on a CentOS 7 instance at google cloud platform.
I'm able to get che interface on my browser, but cannot start a project.
from my che.properties file
machine.docker.local_node_host=172.17.0.1
api.endpoint=http://_my instance external IP_:${SERVER_PORT}/ide/api
from my /etc/hosts (putted manualy):
172.17.0.1 che-host
installed Docker as pre-requirement
Docker version 1.10.3, build 20f81dd
from my ~/.bash_profile file
export JAVA_HOME=/usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.77-0.b03.el7_2.x86_64
export CHE_HOME=/opt/eclipse-che-4.1.0
export CHE_LOCAL_CONF_DIR=$CHE_HOME/conf
export CHE_DOCKER_MACHINE_HOST=172.17.0.1
ifconfig output
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:68ff:fe05:66b1 prefixlen 64 scopeid 0x20<link>
ether 02:42:68:05:66:b1 txqueuelen 0 (Ethernet)
RX packets 3025 bytes 334688 (326.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2563 bytes 390278 (381.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1460
inet <google internal network IP for instance> netmask 255.255.255.255 broadcast 10.132.0.2
inet6 fe80::4001:aff:fe84:2 prefixlen 64 scopeid 0x20<link>
ether 42:01:0a:84:00:02 txqueuelen 1000 (Ethernet)
RX packets 402499 bytes 1381254390 (1.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 292323 bytes 58381431 (55.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1061 bytes 57399 (56.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1061 bytes 57399 (56.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth53e0def: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::1005:77ff:fe1d:83a4 prefixlen 64 scopeid 0x20<link>
ether 12:05:77:1d:83:a4 txqueuelen 0 (Ethernet)
RX packets 42 bytes 6574 (6.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 7991 (7.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
firewalld rules for trusted zone
instance-1 ~]$ sudo firewall-cmd --permanent --zone=trusted --list-all
trusted (default, active)
interfaces: docker0
sources:
services:
ports: 32768-65535/tcp 32768-65535/udp 4243/tcp 4401/tcp 4411/tcp 4403/tcp 22/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
output from che console in browser
[STDOUT] 2016-04-05 19:40:39,511[main] [INFO] [o.a.c.http11.Http11NioProtocol 470] - Starting ProtocolHandler ["http-nio-4401"]
[STDOUT] 2016-04-05 19:40:39,515[main] [INFO] [o.a.catalina.startup.Catalina 642] - Server startup in 4795 ms
[STDOUT] 2016-04-05 19:40:39,515[main] [INFO] [o.a.catalina.startup.Catalina 642] - Server startup in 4795 ms
[STDOUT] 2016-04-05 19:40:39,712[nio-4401-exec-1] [WARN ] [i.ContainerResponse$BodyWriter 90] - Client has aborted connection. Response writing omitted.
[STDOUT] 2016-04-05 19:40:39,712[nio-4401-exec-1] [WARN ] [i.ContainerResponse$BodyWriter 90] - Client has aborted connection. Response writing omitted.
this happens in Starting workspace agent stage, after below stages
Initializing workspace ... completed
Starting workspace runtime ... completed
```
the answer I got from the guys at che github repo is that :
The problem here is that browser tries to connect to a workspace agent and it uses CHE_DOCKER_MACHINE_HOST which is also used by the server to ping ws-agent.
So, CHE_DOCKER_MACHINE_HOST should be an externally available IP.
So, I understand from that that docker0 needs to have an external IP as well,
Any idea how to switch IP from the default 172.17.0.1 IP to an external IP for docker0 interface?