When I try to connect to a port from within my container to another container, I am unsuccessful and get:
root@ac1590a59fe5:/opt/f5massupgrade# curl -v https://172.17.0.1:6379
* Rebuilt URL to: https://172.17.0.1:6379/
* Hostname was NOT found in DNS cache
* Trying 172.17.0.1...
* connect to 172.17.0.1 port 6379 failed: No route to host
* Failed to connect to 172.17.0.1 port 6379: No route to host
* Closing connection 0
From the Docker host I am successful:
[root@docker-host ~]# curl -v https://172.17.0.1:6379/0
* About to connect() to 172.17.0.1 port 6379 (#0)
* Trying 172.17.0.1...
* Connected to 172.17.0.1 (172.17.0.1) port 6379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
If I check iptables I can see the issue:
[root@docker-host ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
So I add the following and it all works well:
iptables -I INPUT 4 -i docker0 -j ACCEPT
Am I missing something here?
[root@docker-host ~]# docker version
Client:
Version: 1.9.1
API version: 1.21
Package version: docker-common-1.9.1-40.el7.centos.x86_64
Go version: go1.4.2
Git commit: ab77bde/1.9.1
Built:
OS/Arch: linux/amd64
Server:
Version: 1.9.1
API version: 1.21
Package version: docker-common-1.9.1-40.el7.centos.x86_64
Go version: go1.4.2
Git commit: ab77bde/1.9.1
Built:
OS/Arch: linux/amd64
Thanks,
For me the problem was conflicting MAC addresses... don't know how this could happen...
Try running the container with the flag --net set to host.
We hit this issue on a RHEL box which was running firewalld. The firewall was preventing container-to-host access (other than icmp traffic). We needed to configure the firewall to allow traffic from the Docker containers through to the host. In our case, the containers were in a bridge network on subnet 172.27.0.0/16 (determined via docker network ls and docker inspect <network-name>). Firewall rules for firewalld can be updated via:
This was a useful reference in resolving the issue.
Customizing the kernel tunables below solves the "no route to host" issue between Docker containers:
These control whether or not packets traversing the bridge are sent to iptables for processing.
Note that if you add it to sysctl.conf it may not automatically apply on reboot, due to a known bug depending on your Linux distribution.
I know this is an old question, but I just had this issue and was able to resolve it with the help of this thread.
Thanks to Samuel, I checked whether any of my containers in my network had conflicting MAC addresses. That was the case and the cause of the issue.
Now the reason for the conflict was the usage of multiple networks in my compose file. I used the default network that gets created by every docker-compose as well joined an existing network.
The way Docker chooses a MAC address is by starting at 02:42:ac:12:00:00 and just using the next address for each subsequent container. Apparently, this is done for every network individually. Docker chose the MAC address of my container based on the default network that was created with the compose. The resulting MAC was unique on the compose network, but already in use in the existing network it joined.
This issue has been described here and got resolved recently by introducing network priority.