What should I do if docker cannot ping the host?

Solutions to the problem that docker cannot ping the host: 1. Modify daemon.json; 2. Turn off the firewall; 3. Modify sysctl.conf; 4. Reset the network bridge.

The operating environment of this article: ubuntu16.04 system, Docker 20.10.11, Dell G3 computer.

What should I do if docker cannot ping the host?

Docker bridge mode cannot ping the host

Problem description:

　DockerThe network mode is divided into four types. Generally, when we do not set it, the default is bridgesingle bridge mode, the container uses an independent network Namespace and is connected to the docker0 virtual network card. Communicate with the host through the docker0 bridge and Iptables nat table configuration.
  At this time, test on the bastion machine and use busybox to test:

# 拉取镜像
docker pull busybox
# 运行容器
docker run -itd --name busy_bridge busybox

  Instruction docker network inspect bridge Check the network:

## The network configuration is successful. Go inside the container and check

ip. You can see that ip has been allocated, but ping fails when pinging the external network and cannot Connect to the external network:

 But when you conduct the same test locally or on Alibaba Cloud, you find that you can connect to the network. What is the problem?

Problem Analysis:

After finding information on the Internet, many people restart

docker, and then they can connect. Usually it is because a certain configuration is modified and then Restarting works, it has no effect here. Generally, there are several types of modifications. Try them one by one below:

1. Modifydaemon.json

The container cannot access the host because the network segment allocated by the bridge conflicts with the host. You need to modify

daemon.json to specify the allocation. Use the command vim /etc/docker/daemon.jsonAdd after entering:

{"bip":"172.16.10.1/24"}

 Although you can access it by restarting

docker and creating a container, there is no conflict at all between the ip assigned by the original bastion host and the container. The method doesn’t work.

2. Turn off the firewall

The container cannot access the host through the bridge, and therefore cannot access the external network. The firewall may be blocking access, so you can turn it off Firewall or open a certain port. Tested on the server, turned on the firewall, and found that the container was indeed unable to access the Baidu homepage and the host. After closing the firewall and restarting

docker, the container could be accessed normally.  However, the firewall on the bastion machine is originally turned off, so this method is useless.

3. Modifysysctl.conf
## 　

docker

The internal network of the host is normal, and the network with other hosts is normal. The connection fails. Other hosts cannot connect to the port mapped on the docker host, and docker cannot connect to external hosts internally. Use the docker info command to check the information and find the following error: <div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">WARNING: IPv4 forwarding is disabled WARNING: bridge-nf-call-iptables is disabled WARNING: bridge-nf-call-ip6tables is disabled</pre><div class="contentsignin">Copy after login</div></div>  Use the command

vim /etc/sysctl.conf

Edit the configuration file and add the following code to the file: <div class="code" style="position:relative; padding:0px; margin:0px;"><pre class="brush:php;toolbar:false">net.bridge.bridge-nf-call-ip6tables=1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-arptables=1 net.ipv4.ip_forward=1</pre><div class="contentsignin">Copy after login</div></div>  Then use the command

systemctl restart network

Restart the network and check docker info again, the warning disappears. But it's still useless. The container on the bastion machine still cannot access the host machine through the bridge and cannot access the external network.

Reset the bridge
After using the command

yum install bridge-utils

to install the tool, use brctl show Check the network bridge and you can find:
Use the docker network create [bridge name]
command to create a new network bridge and find the generated bridge id is still 8000.0000000000, create a container on the new bridge, and check again and there is no change, indicating that it is probably a problem with the bridge.  Test again. At this time, the bridge ip
is 172.17.0.1 and the container ip is 172.0.0.2. The host function is found. ping The network bridge is connected, but the container cannot be connected. The container cannot connect to the network bridge and cannot connect to the host, let alone the external network, so there must be a problem with the network bridge. <h3 id="问题解决">问题解决</h3> <p>  这里<code>docker network生成新的网桥不行，说明docker的network存在问题，我们利用刚才下载的bridge-utils来创建网桥。
  首先暂停docker服务，利用指令：

service docker stop

  添加网桥：

brctl addbr br0

  添加ip字段：

ip addr add 172.16.0.1/24 dev br0

  启用网桥br0：

ip link set dev br0 up

  查看网络br0：

  修改docker默认网桥：

vim /etc/docker/daemon.json

  添加字段：

"bridge":"br0"

  重启docker：

service docker start

  此时查看网桥：

  在没有挂载容器前，依旧是8000.000000000000。运行测试容器：

docker run -itd --name busy_test busybox

  查看What should I do if docker cannot ping the host?：

  此时容器挂载在网桥上了，再次查看网桥id：

  说明已经其作用，进入测试容器内部，What should I do if docker cannot ping the host?：

  成功！
  补充：这里使用docker network新建网桥，没有用，发现新建网桥挂载容器后，其bridge id依旧不变，没有起作用，说明堡垒机上的docker network可能存在问题。

问题补充：

  上面的问题是创建自定义网桥，然后在自定义网桥上连接容器a和b，结果宿主机无法ping通a、b，且进入容器内部后，两个容器无法ping通自定义网络，但能彼此相通。
  查了很多资料，发现了这篇文章。博主说问题原因是系统内核的网桥模块bridge.ko加载失败导致，解决问题的方案是升级内核或升级系统。
  升级centos内核参考这篇。
  升级完成后，重装Docker，自定义网桥和容器，成功！不再有网络问题。

推荐学习：《docker视频教程》

The above is the detailed content of What should I do if docker cannot ping the host?. For more information, please follow other related articles on the PHP Chinese website!