Installation can't reach GitHub or DNS servers


(Cosmin) #1

Hi,

I have a problem with the docker installation.

  • got docker 1.5
  • cloned discourse_docker
  • copied samples/standalone.yml to containers/app.yml
  • set the dev’s email, hostname and smtp settings (made an account on mandrill for that)
  • hit ./launcher bootstrap app --> says it can’t find github.com

I want to mention that I have read the topics about DNS problems with docker but my problem is that I cannot ping 8.8.8.8 from inside docker or any IP from the Internet. I can ping all IPs from the host machine, even IPs from different subnets than the subnet of the docker0 interface.

Maybe I should also mention that I tried a few other docker containers unrelated to discourse and the internet worked with those.

Did anyone encounter anything similar? I would appreciate any hints.

My host OS is Ubuntu 14.04. Internet is working fine on the host.

(please delete my other post about the dev setup, I apologize for the false start)


(Sam Saffron) #2

Sounds most likely you have some bad iptables rule, you running stock iptables?


(Cosmin) #3

> Sounds most likely you have some bad iptables rule, you running stock
> iptables?

iptables 1.4.21

Docker doesn’t leave anything behind after it fails (except empty chains
called DOCKER), so I’m not sure what it is that it messes up on the host,
because everything else works on the host, and even other docker containers
unrelated to discourse work from inside (i.e. I can ping external IPs).

If no one else had this problem then it must be something with my host, I
dunno.


(Jens Maier) #4

The version of iptables is… less than helpful. :grin: If you suspect that the firewall is the problem and would like people here to have a look over your settings, run the command below and post the contents of ~/iptables-dump.txt

for t in filter mangle nat; do echo "--- ${t}" && sudo iptables -t $t -S; done > ~/iptables-dump.txt

(Cosmin) #5

Hi Jens, thanks for responding.

Here’s the output (this is while the docker container was not running, only the docker server was running, I could try and get it while it is running if you want me to, it fails rather quickly).

Docker’s subnet is 172.17.0.0/16

--- filter
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N fail2ban-apache
-N fail2ban-apache-dos
-N fail2ban-ehcp
-N fail2ban-postfix
-N fail2ban-ssh
-N fail2ban-vsftpd
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-ehcp
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-dos
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j fail2ban-vsftpd
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -o eth0 -j DOCKER
-A FORWARD -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 ! -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -o dummy0 -j DOCKER
-A FORWARD -o dummy0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i dummy0 ! -o dummy0 -j ACCEPT
-A FORWARD -i dummy0 -o dummy0 -j ACCEPT
-A FORWARD -o vmnet1 -j DOCKER
-A FORWARD -o vmnet1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmnet1 ! -o vmnet1 -j ACCEPT
-A FORWARD -i vmnet1 -o vmnet1 -j ACCEPT
-A FORWARD -o vmnet8 -j DOCKER
-A FORWARD -o vmnet8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vmnet8 ! -o vmnet8 -j ACCEPT
-A FORWARD -i vmnet8 -o vmnet8 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-dos -j RETURN
-A fail2ban-ehcp -j RETURN
-A fail2ban-postfix -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-vsftpd -j RETURN
--- mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
--- nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 11.11.11.0/24 ! -o eth0 -j MASQUERADE
-A POSTROUTING -s 86.102.82.0/27 ! -o dummy0 -j MASQUERADE
-A POSTROUTING -s 172.16.136.0/24 ! -o vmnet1 -j MASQUERADE
-A POSTROUTING -s 172.16.134.0/24 ! -o vmnet8 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 11.11.11.133/32 ! -d 11.11.11.252/32 -j SNAT --to-source 86.102.82.1

(Jens Maier) #6

That SNAT line seems a bit suspicious to me. What’s going on there? :confused:
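
Added example, not written by anyone in this thread: a small Python reader for a dump in the format produced by the command in post #4, listing in evaluation order the nat POSTROUTING rules whose source selector can match a given subnet. The sample dump is constructed by abridging the rules posted in #5, and the function names are this example's own.

```python
import ipaddress
import shlex

# Constructed sample: "--- <table>" headers followed by `iptables -S` output,
# abridged from the dump posted in #5.
SAMPLE_DUMP = """\
--- filter
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
--- nat
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
-A POSTROUTING -s 172.16.136.0/24 ! -o vmnet1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 11.11.11.133/32 ! -d 11.11.11.252/32 -j SNAT --to-source 86.102.82.1
"""

def parse_dump(text):
    """Yield (table, chain, tokens) for every -A rule in the dump."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("--- "):
            table = line[4:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]

def source_can_match(tokens, subnet):
    """True if the rule's -s selector, if any, can match an address in subnet."""
    for i, tok in enumerate(tokens):
        if tok in ("-s", "--source"):
            net = ipaddress.ip_network(tokens[i + 1], strict=False)
            if i > 0 and tokens[i - 1] == "!":
                # "! -s net" still matches unless net covers the whole subnet
                return not subnet.subnet_of(net)
            return net.overlaps(subnet)
    return True  # no source selector: any source matches

def nat_rules_for(text, cidr, chain="POSTROUTING"):
    """Return (position, target, rule) for nat rules that can apply to cidr, in order."""
    subnet = ipaddress.ip_network(cidr)
    rules = [t for tbl, ch, t in parse_dump(text) if tbl == "nat" and ch == chain]
    return [(n, t[t.index("-j") + 1], " ".join(t))
            for n, t in enumerate(rules, 1)
            if "-j" in t and source_can_match(t, subnet)]

if __name__ == "__main__":
    for pos, target, rule in nat_rules_for(SAMPLE_DUMP, "172.17.0.0/16"):
        print(f"#{pos} {target}: {rule}")
```

Only the source selector is evaluated here; the `-d`, `-o` and `-i` matches on each listed rule still decide whether a particular packet hits it.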