 

Docker - No route to host

Tags:

docker

When I try to connect to a port from within my container to another container, I am unsuccessful and get:

root@ac1590a59fe5:/opt/f5massupgrade# curl -v https://172.17.0.1:6379
* Rebuilt URL to: https://172.17.0.1:6379/
* Hostname was NOT found in DNS cache
*   Trying 172.17.0.1...
* connect to 172.17.0.1 port 6379 failed: No route to host
* Failed to connect to 172.17.0.1 port 6379: No route to host
* Closing connection 0

From the Docker host I am successful:

[root@docker-host ~]# curl -v https://172.17.0.1:6379/0
* About to connect() to 172.17.0.1 port 6379 (#0)
*   Trying 172.17.0.1...
* Connected to 172.17.0.1 (172.17.0.1) port 6379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

If I check the iptables rules I can see the issue:

[root@docker-host ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

So I add the following and it all works well:

iptables -I INPUT 4 -i docker0 -j ACCEPT

Am I missing something here?

[root@docker-host ~]# docker version
Client:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Server:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Thanks,

asked Oct 24 '16 09:10 by felix001
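The check the question does by eye (is there an ACCEPT for the bridge interface ahead of the catch-all REJECT in INPUT?) can be scripted. The block below is an added example, not code from the question or from Docker: it reads `iptables -S INPUT` output on stdin and reports whether packets arriving on the bridge are accepted before a catch-all REJECT/DROP rule or a DROP policy stops them. The rule sets embedded in it are constructed samples modelled on the chain in the question; the bridge name `br-1a2b3c4d5e6f` is an invented example of the `br-<id>` naming Docker uses for user-defined networks.

```shell
#!/bin/sh
# Added example, not from the question above: given the output of
# `iptables -S INPUT`, report whether packets arriving on the Docker bridge
# are accepted before the chain's terminating catch-all REJECT/DROP (or a
# DROP policy). Assumptions: the bridge is docker0 unless another name is
# passed; an "-A INPUT -j REJECT/DROP" rule with no match options is a
# catch-all; jumps to user-defined chains are not followed.

# Usage: iptables -S INPUT | check_bridge_input [bridge]
# Prints "accepted" or "rejected"; exit status 0 only for "accepted".
check_bridge_input() {
    bridge="${1:-docker0}"
    result=$(awk -v br="$bridge" '
        function verdict(v) { print v; found = 1; exit }
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            iface = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # a rule that ACCEPTs traffic arriving on the bridge; rules are
            # evaluated top to bottom, so reaching it here means it wins
            # (a port-restricted ACCEPT on the bridge counts as well)
            if (target == "ACCEPT" && iface == br) verdict("accepted")
            # a catch-all terminating rule: nothing after it is consulted
            if ($3 == "-j" && (target == "REJECT" || target == "DROP")) verdict("rejected")
        }
        END {
            if (!found) {
                v = (policy == "DROP") ? "rejected" : "accepted"
                print v
            }
        }
    ')
    echo "$result"
    [ "$result" = "accepted" ]
}

# Constructed sample (not the question's exact paste): the chain from the
# question as it was before the fix, i.e. without the docker0 rule.
BROKEN_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The same chain after `iptables -I INPUT 4 -i docker0 -j ACCEPT`: the new
# rule lands at position 4, ahead of the catch-all REJECT.
FIXED_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# A user-defined network gets its own bridge (br-<id>, invented id here); a
# DROP policy with no catch-all rule blocks docker0 just like an explicit REJECT.
POLICY_DROP_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br-1a2b3c4d5e6f -j ACCEPT'

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$BROKEN_INPUT" | check_bridge_input docker0                # rejected
    printf '%s\n' "$FIXED_INPUT" | check_bridge_input docker0                 # accepted
    printf '%s\n' "$POLICY_DROP_INPUT" | check_bridge_input docker0           # rejected
    printf '%s\n' "$POLICY_DROP_INPUT" | check_bridge_input br-1a2b3c4d5e6f   # accepted
fi
```

Run it as `sh check.sh demo` to see the four verdicts, or pipe the live chain in with `iptables -S INPUT | check_bridge_input docker0`. Because the function stops at the first catch-all REJECT/DROP, it also catches the common mistake of appending the docker0 ACCEPT with `-A` (after the REJECT) instead of inserting it with `-I` ahead of it.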


People also ask

What is host mode in Docker?

Docker host networking (host network mode) is a networking mode in which a container shares the host's network namespace, so there is no network isolation between them: a service listening inside the container is reached directly at the host's IP address on the port it binds (e.g., port 80).

Can Docker work without IP forwarding?

Docker relies on the host kernel for the functions that make container networking work. In particular, the Linux host must allow IP forwarding (net.ipv4.ip_forward=1) so that traffic can be routed between the container bridge and the host's other interfaces.

What is a bridge network in Docker?

In terms of Docker, a bridge network uses a software bridge which allows containers connected to the same bridge network to communicate, while providing isolation from containers which are not connected to that bridge network.


2 Answers

We hit this issue on a RHEL box which was running firewalld. The firewall was preventing container to host access (other than icmp traffic).

We needed to configure the firewall to allow traffic from the docker containers through to the host. In our case, the containers were in a bridge network on subnet 172.27.0.0/16 (determined via docker network ls and docker inspect <network-name>). Firewall rules for firewalld can be updated via:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.27.0.0/16 accept'
firewall-cmd --reload

This was a useful reference in resolving the issue.

answered Oct 28 '22 04:10 by al.
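The answer above derives the subnet from `docker network inspect` by hand and then types it into a rich rule. The block below is an added example, not the answer's own commands and not Docker or firewalld code: it reads the `docker network inspect` JSON on stdin and prints one `firewall-cmd` rich rule per IPAM subnet, choosing `family=ipv4` or `family=ipv6` to match the address. The optional port argument is this example's own tightening (not in the answer): it narrows the rule to one destination port instead of accepting everything the containers send to the host. The embedded JSON is a constructed sample with an invented network name and subnets, and the zone defaults to `public` as in the answer.

```shell
#!/bin/sh
# Added example, not part of the answer above. Reads the JSON printed by
# `docker network inspect <network>` on stdin and prints one firewall-cmd
# rich rule per IPAM subnet, so the allow-list is built from the bridge's
# real address range(s). Assumptions: zone "public" as in the answer;
# grep/sed are enough to pull the "Subnet" values out of the JSON (no jq
# on the host); unquoted rich-rule values, as the answer uses them.

# Usage: docker network inspect <net> | rich_rules_from_inspect [zone] [tcp-port]
#   With a port, each rule is narrowed to that destination port (least
#   privilege) instead of accepting all traffic from the container subnet.
# Exit status 1 if no subnet was found in the input.
rich_rules_from_inspect() {
    zone="${1:-public}"
    port="${2:-}"
    count=0
    for subnet in $(grep -o '"Subnet": *"[^"]*"' | sed 's/.*: *"\(.*\)"/\1/'); do
        count=$((count + 1))
        case "$subnet" in
            *:*) family=ipv6 ;;   # firewalld needs the family to match the address
            *)   family=ipv4 ;;
        esac
        rule="rule family=$family source address=$subnet"
        if [ -n "$port" ]; then
            rule="$rule port port=$port protocol=tcp"
        fi
        rule="$rule accept"
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    done
    [ "$count" -gt 0 ]
}

# Constructed sample: the shape of `docker network inspect` output for a
# user-defined bridge with a dual-stack IPAM config (trimmed to what matters;
# the name and subnets are invented).
SAMPLE_INSPECT='[
    {
        "Name": "app_net",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                { "Subnet": "172.27.0.0/16", "Gateway": "172.27.0.1" },
                { "Subnet": "fd00:27::/64" }
            ]
        }
    }
]'

if [ "${1:-}" = "demo" ]; then
    # broad rule, one per subnet
    printf '%s\n' "$SAMPLE_INSPECT" | rich_rules_from_inspect public
    # narrowed to the port the question was probing
    printf '%s\n' "$SAMPLE_INSPECT" | rich_rules_from_inspect public 6379
    echo "firewall-cmd --reload"
fi
```

Run `sh rules.sh demo` to print the commands, review them, and apply them followed by `firewall-cmd --reload`. Prefer the port-narrowed form where the host only needs to expose one service to the containers; the broad form gives every container on the bridge the same access to the host as the host's own loopback rule does.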


If anyone is still stuck with this problem on CentOS 8 or any system using firewalld, try the following settings for firewalld:

# Allows container to container communication, the solution to the problem
firewall-cmd --zone=public --add-masquerade --permanent

# standard http & https stuff
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
# + any other port you may need

# reload the firewall
firewall-cmd --reload

You may also need to restart the docker service if it does not work immediately. There's no need to add the docker0 interface to the trusted zone, as many of the guides I've gone through stated.

I was struggling with setting up a Traefik reverse proxy for my docker containers; I only got 502 responses, with a "no route" error to my container in the Traefik logs. At first I thought it was my Traefik setup, but it turned out it was the firewall restrictions, as @al. mentioned. It pointed me in the right direction and I got my answer from https://serverfault.com/questions/987686/no-network-connectivity-to-from-docker-ce-container-on-centos-8

answered Oct 28 '22 04:10 by fbz