Docker container internet access

I'm trying to run some containers, on an OpenWrt device, via Docker. I have disabled iptables in /etc/config/dockerd, because I don't want it messing with my rules and I (briefly) read something about it not playing nicely with OpenWrt. However, containers don't seem to have any internet access.

I see that dockerd creates a docker0 interface, with an IP of 172.17.0.1. This belongs to the zone below.

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

When I run a container, it is given a 172.17.0.x address and the default gateway is set to 172.17.0.1. I figured that I just need to enable masquerading and forwarding, as shown below. Note that my defaults are to drop everything.

config zone
	option masq '1'
	option name 'lan'
	option output 'ACCEPT'
	list network 'lan'

config forwarding
	option dest 'lan'
	option src 'docker'

config rule
	option dest 'lan'
	option src 'docker'
	option target 'ACCEPT'

However, the containers still don't have internet access. Does anyone have any idea what I am missing here?

I still use the current stable version of OpenWrt (21.02) and with that, I have enabled the iptables option.
So I'm not really familiar with using docker with it off. That said, newer versions of OpenWrt don't work very well with the iptables option anyway.

If I were to guess why you weren't getting internet connectivity to your containers though, I'd say you'd have to configure the forwarding from the wan zone to the docker zone too. But be careful not to accidentally open access from the internet to your docker images.

This device doesn't have a WAN interface; it's just a server. Is there anything else you can think of? I tried enabling masq on the docker zone, but that didn't seem to do anything. Could it be related to the VETH?

Masq is enabled on the zone that you are forwarding to (generally wan), not the one you are forwarding from.

This requires having a config interface with the matching name defined within /etc/config/network. Or nothing will be added to the zone.

For interfaces that are instantiated and managed by processes other than UCI (such as OpenVPN or Docker), refer to them in the firewall zone with a list device instead. The name must be exact (docker0 instead of docker), or you can use docker* to match docker0.

Manually relaunching the firewall by running /etc/init.d/firewall restart can help find errors in firewall configuration.
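To make the advice in this reply concrete, here is an added example (not from the original thread and not the poster's configuration) of a /etc/config/firewall fragment that follows it: the docker zone refers to the bridge by device name, masquerading sits on the zone traffic leaves through, and a single forwarding section opens docker to lan. It assumes the bridge is called docker0, that lan is the server's only upstream interface, that dockerd has its iptables option turned off so the OpenWrt firewall is the only thing doing NAT, and that the defaults stay DROP as in the original post.

```uci
# Added example, not the original poster's config.
# Assumes: bridge named docker0, upstream interface 'lan',
# dockerd iptables option disabled, DROP defaults kept.

config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option drop_invalid '1'
	option synflood_protect '1'

# docker0 is created by dockerd, not by UCI, so there is no
# 'config interface' for it: reference the device name directly.
# input ACCEPT lets containers reach the host itself (their
# 172.17.0.1 gateway, and dnsmasq on it if they use it for DNS).
config zone
	option name 'docker'
	list device 'docker0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Masquerading goes on the zone packets exit through, so container
# sources are rewritten to the lan address. input/forward are left
# to the defaults (DROP) plus whatever lan rules already exist.
config zone
	option name 'lan'
	list network 'lan'
	option output 'ACCEPT'
	option masq '1'

# One direction only: containers out to lan. Reply packets come back
# via conntrack, so no lan -> docker forwarding is needed.
config forwarding
	option src 'docker'
	option dest 'lan'
```

This forwarding section is what permits docker to lan traffic; a separate `config rule` with the same src and dest (as in the original post) adds nothing to it. After editing, restart the firewall as described above and confirm the generated ruleset contains a MASQUERADE/masquerade entry for the lan device and a forward accept for docker0 (`iptables -t nat -L POSTROUTING` and `iptables -L FORWARD` on an iptables build, `nft list ruleset` on an nftables build).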

I figured that was the case, regarding masquerading, but I will try anything at this point!

docker0 is already added to docker, in /etc/network/config, by the dockerd init script.

My firewall config doesn't seem to have any errors.

Is there any chance this could somehow be a namespacing issue? I'm not well versed in how all of that works.

I found a random image (nicolaka/netshoot) that already has all the typical network packages installed. It would seem that I can't even ping 172.17.0.1, so the forwarding rules are irrelevant at this point. I also tried creating two containers and pinging from one to the other, which also doesn't work. See below for the ARP table on the first container (172.17.0.2).

# arp -a
? (172.17.0.3) at 02:42:ac:11:00:03 [ether]  on eth0
? (172.17.0.1) at 02:42:2a:7d:86:a5 [ether]  on eth0

Below is the ARP table on the second container (172.17.0.3).

# arp -a
? (172.17.0.1) at 02:42:2a:7d:86:a5 [ether]  on eth0
? (172.17.0.2) at 02:42:ac:11:00:02 [ether]  on eth0

It seems that my firewall defaults, dropping all traffic, affect the container namespace(s).

config defaults
	option drop_invalid '1'
	option forward 'DROP'
	option input 'DROP'
	option output 'DROP'
	option syn_flood '1'
	option synflood_protect '1'

However, I am at a loss as to how I make rules for the containers themselves. If someone can help me with that, I think I can figure out the rest and get this all working. Entering the namespace and running ip addr gives me eth0@if19, if that helps at all. I'm guessing that the only sensible solution is to allow all traffic, by default, and only firewall the LAN zone. However, I would prefer to not do that, if possible.

If your OpenWrt device is just a server and doesn’t act as an upstream router I think there is no real benefit in disabling iptables for docker.

If you want to disable iptables anyway and you have issues, you could just use the --net=host option
or
If you use (or have to use) the -p option, it should be enough to allow forwarding from the docker zone to the lan zone to get internet access in your containers -> I just tried this in my testlab and when I allowed forwarding from docker to wan I instantly got internet in my container.

I ended up deciding to just use host networking and get on with my life. Thank you all for the input.
