no internet inside docker-compose service

Question

I cannot reach external network from docker-compose containers.

Consider the following docker-compose file:

version: '2' services:     nginx:       image: nginx 

Using the simple docker run -it nginx bash I manage to reach external IPs or Internet IPs (ping www.google.com).

On the other hand if I use docker-compose and attach to the container, I cannot reach external IP addresses / DNS.

docker info:

Containers: 0  Running: 0  Paused: 0  Stopped: 0 Images: 1 Server Version: 1.12.1 Storage Driver: aufs  Root Dir: /var/lib/docker/aufs  Backing Filesystem: extfs  Dirs: 7  Dirperm1 Supported: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins:  Volume: local  Network: bridge null host overlay Swarm: inactive Runtimes: runc Default Runtime: runc Security Options: apparmor seccomp Kernel Version: 4.4.0-38-generic Operating System: Ubuntu 16.04.1 LTS OSType: linux Architecture: x86_64 CPUs: 2 Total Memory: 3.859 GiB Name: *** ID: **** Docker Root Dir: /var/lib/docker Debug Mode (client): false Debug Mode (server): false Registry: https://index.docker.io/v1/ WARNING: No swap limit support WARNING: bridge-nf-call-iptables is disabled WARNING: bridge-nf-call-ip6tables is disabled Insecure Registries:  127.0.0.0/8 

docker-compose 1.8.1, build 878cff1

daemon.json file:

{   "iptables" : false,   "dns" : ["8.8.8.8","8.8.4.4"] } 

Answer 1

The last time I had a problem like that, I solved it like this:

https://github.com/docker/docker/issues/866#issuecomment-19218300

pkill docker iptables -t nat -F ifconfig docker0 down brctl delbr docker0 docker -d 

It will force docker to recreate the bridge and reinit all the network rules.

As for reasons why this happens, I don't have good answers. But I did recently trace the problem back to journald. When I restart journald (for example because I changed its config), DNS resolution inside docker-compose containers consistently/reproducibly breaks. I don't know why exactly, I can only say that this is a reliable way for me to reproduce it on RHEL.

EDIT The docker -d command might not work for you based on the version of docker you are using but don't worry about it, you can omit that command.

Answer 2

Check /etc/default/docker to ensure it doesn't have the following line:

DOCKER_OPTS="--iptables=false" 

Also check /etc/docker/daemon.json to ensure it doesn't have the following key:

{ "iptables":false } 

We added this on one server to get UFW working with docker. We then changed to an external firewall. Spent ages looking for the reason external networking wasn't working because it was removed from our deploy guide. Hope this helps someone else.