Docker - No route to host

2020-07-06 02:54发布

When i try and connect to a port from within my container to another container, i am unsuccessful and get,

root@ac1590a59fe5:/opt/f5massupgrade# curl -v https://172.17.0.1:6379
* Rebuilt URL to: https://172.17.0.1:6379/
* Hostname was NOT found in DNS cache
*   Trying 172.17.0.1...
* connect to 172.17.0.1 port 6379 failed: No route to host
* Failed to connect to 172.17.0.1 port 6379: No route to host
* Closing connection 0

From the docker host I am successful,

[root@docker-host ~]# curl -v https://172.17.0.1:6379/0
* About to connect() to 172.17.0.1 port 6379 (#0)
*   Trying 172.17.0.1...
* Connected to 172.17.0.1 (172.17.0.1) port 6379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

If i check the iptables I can see the issue,

[root@docker-host ~]#  iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

So I add the following and it all works well,

iptables -I INPUT 4 -i docker0 -j ACCEPT

Am i missing something here?

[root@docker-host ~]# docker version
Client:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Server:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Thanks,

标签: docker
5条回答
Evening l夕情丶
2楼-- · 2020-07-06 03:00

For me the problem was conflicting MAC addresses... don't know how this could happen...

查看更多
Evening l夕情丶
3楼-- · 2020-07-06 03:06

Try running the container with the flag --net set to host.

docker run --net host image 
查看更多
三岁会撩人
4楼-- · 2020-07-06 03:07

We hit this issue on a RHEL box which was running firewalld. The firewall was preventing container to host access (other than icmp traffic).

We needed to configure the firewall to allow traffic from the docker containers through to the host. In our case, the containers were in a bridge network on subnet 172.27.0.0/16 (determined via docker network ls and docker inspect <network-name>). Firewall rules for firewalld can be updated via:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.27.0.0/16 accept'
firewall-cmd --reload

This was a useful reference in resolving the issue.

查看更多
小情绪 Triste *
5楼-- · 2020-07-06 03:19

Customizing of Kernel tunables below is solving issue "no route to host" between docker containers:

sysctl net.bridge.bridge-nf-call-iptables=0
sysctl net.bridge.bridge-nf-call-arptables=0
sysctl net.bridge.bridge-nf-call-ip6tables=0

These control whether or not packets traversing the bridge are sent to iptables for processing.

Note if you'll add it to sysctl.conf it may not automatically apply during reboot as known bug depending on your linux distribution.

查看更多
我只想做你的唯一
6楼-- · 2020-07-06 03:26

In know this is an old question but I just had this issue an was able to resolve it with the help of this thread.

Thanks to Samuel, I checked whether any of my containers in my network had conflicting MAC addresses. That was the case and the cause of the issue.

Now the reason for the conflict was the usage of multiple networks in my compose file. I used the default network that gets created by every docker-compose as well joined an existing network.

The way docker chooses a MAC address is by starting at 02:42:ac:12:00:00 and just using the next address for each subsequent container. Apparently, this is done for every network individually. Docker choose the MAC address of my container based on the default network that was created with the compose. The resulting MAC was unique on the compose network, but already in use in the existing network it joined.

This issue has been described here and got resolved recently by introducing network priority.

查看更多
登录 后发表回答