How to solve the problem of a Docker container being unable to access the host by IP

  • 2020-12-26 06:05:31
  • OfStack

Origin of the problem

While using Docker, I needed to access port 80 on the host from inside a container. That host port was published (mapped) from port 8080 of another container. When I tried to reach the host from inside the container through Docker's bridge address 172.17.0.1, I got:

curl: (7) Failed to connect to 172.17.0.1 port 80: No route to host

Finding the cause of the problem

What is certain is that the container and the host have network connectivity, since the host can be pinged at 172.17.0.1 from inside the container:


root@930d07576eef:/# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.130 ms

Other internal and external networks can also be reached from within the container.

The iptables listing also shows that Docker containers are allowed access:


# iptables --list | grep DOCKER
DOCKER-ISOLATION all -- anywhere       anywhere      
DOCKER   all -- anywhere       anywhere      
Chain DOCKER (1 references)
Chain DOCKER-ISOLATION (1 references)

Later, after looking up some information, I found the problem described as: "NO ROUTE TO HOST request from container to host-ip:port published from other container".

Explanation

As stated on the Docker Community Forums, this is a known bug: port 80 of the host is accessible from other computers, but not from Docker containers running on the host itself. Access from local Docker containers must be allowed by setting a firewalld rule.

gypark pointed out that adding the following firewall rule to /etc/firewalld/zones/public.xml avoids this problem:


<rule family="ipv4">
  <source address="172.17.0.0/16" />
  <accept />
</rule>

Note that 172.17.0.0/16 matches every IP address of the form 172.17.xx.xx.

Then restart the firewall:


systemctl restart firewalld

You can then access port 80 of the host from inside the Docker container.
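The rule shown above has no port or service element, so it accepts every port and protocol from the bridge subnet, not only port 80. The following Python script is an added example, not part of the original article: it audits a zone file for such source-only accept rules. The sample zone XML is constructed, and the second rule (limited to TCP port 80) and the name audit_zone are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a firewalld zone file (e.g. /etc/firewalld/zones/public.xml).
# The first rule is the one from the article; the second is a narrower variant
# (an assumption of this example) that only opens TCP port 80 to the bridge subnet.
SAMPLE_ZONE = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <port port="80" protocol="tcp"/>
    <accept/>
  </rule>
</zone>"""

# Child elements that narrow a rich rule to specific traffic.
NARROWING = {"service", "port", "protocol", "source-port", "destination"}


def audit_zone(zone_xml):
    """Return one finding per source-based accept rule in a zone file."""
    findings = []
    for rule in ET.fromstring(zone_xml).findall("rule"):
        source = rule.find("source")
        if rule.find("accept") is None or source is None or source.get("address") is None:
            continue  # not an accept rule keyed on a source address
        net = ipaddress.ip_network(source.get("address"), strict=False)
        limits = [c.tag for c in rule if c.tag in NARROWING]
        ports = [f'{p.get("port")}/{p.get("protocol")}' for p in rule.findall("port")]
        findings.append({
            "source": str(net),
            "addresses": net.num_addresses,  # how many source IPs the rule matches
            "all_ports": not limits,         # True: nothing narrows the accept
            "ports": ports,
        })
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        scope = "ALL ports and protocols" if f["all_ports"] else ", ".join(f["ports"]) or "restricted"
        print(f'{f["source"]} ({f["addresses"]} addresses) -> {scope}')
```
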

Other problems

In fact, when I created a new virtual machine in VMware hoping to reproduce this problem, I found that the problem did not occur there. That is, the container could access port 80 of the host directly through 172.17.0.1, and the firewall configuration did not show any whitelist entry for 172.17.xx.xx.
My guess is that this comes down to the Docker build. The Docker installed on the new virtual machine is Docker version 1.12.5, build 047e51b/1.12.5, which is the version Red Hat develops from open-source Docker, whereas Docker version 17.06.2-ce, build cec0b72 belongs to Docker-CE. Perhaps the Docker versions differ, and Red Hat happened to fix that known bug along the way.

