
Can't ping specific subnet from within a Docker container

After creating a container (doesn't really matter which one) I enter the container using:

docker exec -it <container_name> /bin/bash

From within the container I can ping google.com, as well as almost every server on my workplace network. However, for some reason I cannot ping servers with IPs starting with 172.20.*.*.

For example, I tried multiple servers with IPs such as 10.0.*.*, 10.50.*.* and everything worked fine. Servers starting with 172.20 are unreachable. From the Mac host I can ping all these servers without an issue. I tried the same thing on a Linux machine and a Windows machine and could not reproduce the issue.

I'm assuming it's something to do with the way Docker routes the connection through the host. It might have something to do with the fact that the docker network is usually on 172.18.*.*. However, I could not figure it out.

Here's the routing table from within the container:

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.18.0.1      0.0.0.0         UG    0      0        0 eth0
172.18.0.0      *               255.255.0.0     U     0      0        0 eth0

Running macOS High Sierra with Docker CE 17.09.1-ce-mac42 (21090).

Any idea what's going on?

There must be a router or firewall blocking somewhere. If you want a good start, from your Mac, run a traceroute to one of the 172.20.*.* servers to see the path it takes to reach them. Since these are different networks, it must be a routing issue. Docker uses its gateway 172.18.0.1 for anything behind it, so it is also necessary to check the internal firewall of the machine hosting it. Been there last week.

Another shortcut approach, although not advisable in certain situations due to security concerns, would be to grant your Docker container the same network permissions as your host computer. Per the Docker documentation on network settings, this lets the container share the network stack of the host:

docker run -it --network="host" <image> /bin/bash    # <image> is the image you want to run

Again, be very careful about the security implications of doing this.

Otherwise, you will have to figure out the routing issue as Michael Manuel Vandycke points out, or potentially create a new network bridge similar to the default docker0 bridge (like you would see if you type 'ifconfig' on the host machine). Then you can ensure that network bridge has a route to the subnet you are looking for.

https://docs.docker.com/engine/reference/commandline/network_create/

Several possibilities I can think of:

The easiest is if you changed the networking on the host after docker was started. You'll need to restart docker to pickup changes in the wifi connections, VPN's, etc.

The more common issue is if docker networks overlap with your actual networks. When this happens, requests from the container get routed to the docker network instead of the external network. In your situation, if the route to 172.20.*.* goes through a gateway on 172.18.x.x, you won't be able to reach your target. Other docker networks on 172.20.x.x that you can't directly see may also be causing issues. Debug this with:

docker network inspect $(docker network ls -q) \
  --format '{{.Name}}: {{if .IPAM.Config}}{{(index .IPAM.Config 0).Subnet}}{{end}}' 

Compare that to the routes on your host (ip r). If you see an overlap for the route to 172.20.*.*, that's your issue. To solve this, as of 18.06, you can tell docker to generate bridge networks from a pool with the following in the daemon.json file (also available in Desktop from the daemon -> advanced menu):

{
    "bip": "10.16.100.1/24",
    "default-address-pools":[
      {"base":"10.17.0.0/16","size":24},
      {"base":"10.20.0.0/16","size":24}
    ]
}

Pick subnets that you will not otherwise encounter, eg make sure the home, office, coffee shop, hotel, VPN, etc, all use different networks from these if you're on a laptop. For swarm mode, it has similar settings when you create the swarm as of 18.09:

$ docker swarm init \
  --default-addr-pool 10.20.0.0/16 \
  --default-addr-pool 10.40.0.0/16 \
  --default-addr-pool-mask-length 24

I describe these commands along with other common issues in my tips and tricks talk: https://sudo-bmitch.github.io/presentations/dc2019/tips-and-tricks-of-the-captains.html#address-pools

I had exactly the same issue and tried many solutions related to "no internet access from docker container".

After debugging I finally found out that my container was able to access any other IP apart from my own server (172.19.3.22). This was because one of the Docker user-defined networks was using a subnet in the 172.19.0.0/16 range.

Because of that, from my container I was not able to route/ping any IP starting with 172.19.*.*.

Finally I configured a different subnet in my docker-compose file and it worked, like below:

networks:
  <network_name>:
    name: <network_name>
    ipam:
      config:
        - subnet: 172.30.0.0/16
          gateway: 172.30.0.1
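The overlap diagnosis described in the two answers above (compare every Docker network's subnet against the host's routes, then pick daemon.json address pools that do not clash with networks you actually use) can be automated. The script below is an added example, not code from the original answers or from Docker: it parses the one-line-per-network output of the `docker network inspect ... --format` command quoted above and the output of `ip r` on a Linux host, reports which Docker network (if any) shadows a target address, lists Docker-subnet/host-route overlaps, and checks a candidate set of address pools. The two sample outputs embedded in it are constructed for the demonstration; the network name `myapp_default` and the addresses are assumptions, and the route parser handles `ip r` syntax only (macOS `netstat -rn` prints a different layout).

```python
#!/usr/bin/env python3
"""Find Docker networks that shadow a target subnet (added example, not from the original answers).

Inputs are the text that two commands print:
  docker network inspect $(docker network ls -q) \
    --format '{{.Name}}: {{if .IPAM.Config}}{{(index .IPAM.Config 0).Subnet}}{{end}}'
  ip r            (Linux host; macOS `netstat -rn` prints a different layout)
The sample outputs below are constructed for the demonstration and are not from a real host.
"""
import ipaddress
import re

# Constructed sample: default bridge on 172.18/16 plus a compose-created network
# that happens to claim the same 172.20/16 range as an office subnet.
DOCKER_NETWORKS_OUTPUT = """\
bridge: 172.18.0.0/16
host: 
none: 
myapp_default: 172.20.0.0/16
"""

# Constructed sample of `ip r` on the host.
HOST_ROUTES_OUTPUT = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.42
172.20.0.0/16 via 10.0.0.254 dev eth0
"""

# '<destination> [via <gw>] dev <iface> ...' as printed by `ip r`.
ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+(\S+))?\s+dev\s+(\S+)")


def parse_docker_networks(text):
    """Map network name -> IPv4Network; networks with no IPAM subnet (host, none) are skipped."""
    nets = {}
    for line in text.splitlines():
        name, _, subnet = line.partition(":")
        subnet = subnet.strip()
        if subnet:
            nets[name.strip()] = ipaddress.ip_network(subnet, strict=False)
    return nets


def parse_host_routes(text):
    """List of (network, gateway or None, interface) parsed from `ip r` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dst, via, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, via, dev))
    return routes


def docker_network_for(target, docker_nets):
    """Name of the Docker network whose subnet contains target, or None.

    A hit means the container (and the daemon's bridge routing) treats target as a
    local Docker address instead of forwarding it to the host's gateway.
    """
    addr = ipaddress.ip_address(target)
    for name, net in docker_nets.items():
        if addr in net:
            return name
    return None


def overlapping_routes(docker_nets, routes):
    """(docker network, docker subnet, host route) triples whose prefixes overlap.

    The default route is ignored: it overlaps everything and is not evidence of a clash.
    """
    hits = []
    for name, net in docker_nets.items():
        for rnet, _via, _dev in routes:
            if rnet.prefixlen == 0:
                continue
            if net.overlaps(rnet):
                hits.append((name, str(net), str(rnet)))
    return hits


def pool_clashes(pools, known_external):
    """Check candidate daemon.json pools (bip / default-address-pools bases) against
    subnets you expect to meet (office, home, VPN); returns the clashing pairs."""
    clashes = []
    for pool in pools:
        pn = ipaddress.ip_network(pool, strict=False)
        for ext in known_external:
            if pn.overlaps(ipaddress.ip_network(ext, strict=False)):
                clashes.append((pool, ext))
    return clashes


if __name__ == "__main__":
    nets = parse_docker_networks(DOCKER_NETWORKS_OUTPUT)
    routes = parse_host_routes(HOST_ROUTES_OUTPUT)
    target = "172.20.4.7"
    print("target", target, "is shadowed by docker network:", docker_network_for(target, nets))
    for hit in overlapping_routes(nets, routes):
        print("overlap:", hit)
    print("clashes for proposed pools:",
          pool_clashes(["10.16.100.0/24", "10.17.0.0/16", "10.20.0.0/16"],
                       ["10.0.0.0/24", "172.20.0.0/16"]))
```

To run it against a real host, replace the two constructed strings with the captured command output (or read them from files). Any non-empty result from overlapping_routes is the condition bmitch describes: the daemon will keep that traffic on its own bridge, so change the pools in daemon.json or the subnet in docker-compose until pool_clashes returns an empty list for every network you expect to connect to.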

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 