Mysql docker container refuses connection

Mysql container not accepting connection from another container

docker network create -d bridge mysql

Db container

docker run --name mysql_db -d \
    --network mysql \
    -e MYSQL_ROOT_PASSWORD=pass \
    -e MYSQL_USER=user \
    -e MYSQL_PASSWORD=pass \
    -e MYSQL_DATABASE=database \
    -e MYSQL_ROOT_HOST=% \
    mariadb 

$ docker logs mysql_db
2022-11-06 21:46:01 0 [Note] mariadbd: ready for connections.
Version: '10.9.3-MariaDB-1:10.9.3+maria~ubu2204'  socket: '/run/mysqld/mysqld.sock'  port: 3306  mariadb.org binary distribution

the second container is in the same network

$ php -r "new mysqli('mysql_db','root', 'pass','database');"

$ PHP Warning:  mysqli::__construct(): (HY000/2002): Connection refused in Command line code on line 1

from the second container

# ping mysql_db
PING mysql_db (172.18.0.2): 56 data bytes
....
--- mysql_db ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

got the same results when using mysql:5.7

I’m not sure but something you can try:

By default, docker enables bridge firewalling so you could try disabling it.
What is the output of:

cat /etc/sysctl.d/12-br-netfilter-ip.conf

root@OpenWrt:~# cat /etc/sysctl.d/12-br-netfilter-ip.conf
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings

# enable bridge firewalling for docker
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

Try disabling it. Just add the following lines under:
/etc/sysctl.conf

net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0

then reboot and try again…


After commenting out the lines and rebooting, ping between containers works.
Thank you very much!!! You saved my life!!!

Does this configuration apply only to containers in the same bridge?
Is there anything else I need to know about this?

docker run -dit --name test --network my_bridge -p 3001:80 busybox

for some reason the port 3001 is accessible from the wan interface without any firewall rule to allow that

Is this a side effect of setting net.bridge.bridge-nf-call-iptables=0??

These parameters determine whether packets crossing a bridge are sent to iptables for processing. What this could break is (at least to my understanding):

When you have two docker containers in different docker networks and you want them to communicate between each other you could set up iptables rules for that. For this to work you would need:

net.bridge.bridge-nf-call-iptables=1

But other than that with net.bridge.bridge-nf-call-iptables disabled you can still have:

2 or more docker containers on the same network communicating with each other

This should not expose any ports to the internet. What’s the output of:

/etc/config/dockerd

root@OpenWrt:~# cat /etc/config/dockerd 
# The following settings require a restart of docker to take full effect, A reload will only have partial or no effect:
# log_driver
# bip
# blocked_interfaces
# extra_iptables_args
# device

config globals 'globals'
#	option alt_config_file '/etc/docker/daemon.json'
	option data_root '/opt/docker/'
#	option log_driver 'local'
	option log_level 'warn'
	option iptables '1'
#	list hosts 'unix:///var/run/docker.sock'
#	option bip '172.18.0.1/24'
#	option fixed_cidr '172.17.0.0/16'
#	option fixed_cidr_v6 'fc00:1::/80'
#	option ipv6 '1'
#	option ip '::ffff:0.0.0.0'
#	list dns '172.17.0.1'
#	list registry_mirrors 'https://<my-docker-mirror-host>'
#	list registry_mirrors 'https://hub.docker.com'

# Docker doesn't work well out of the box with fw4. This is because Docker relies on a compatibility layer that
# naively translates iptables rules. For the best compatibility replace the following dependencies:
# `firewall4` -> `firewall`
# `iptables-nft` -> `iptables-legacy`
# `ip6tables-nft` -> `ip6tables-legacy`

# Docker undermines the fw3 rules. By default all external source IPs are allowed to connect to the Docker host.
# See https://docs.docker.com/network/iptables/ for more details.

# firewall config changes are only additive i.e firewall will need to be restarted first to clear old changes,
# then docker restarted to load in new changes.
config firewall 'firewall'
	option device 'docker0'
	list blocked_interfaces 'wan'
#	option extra_iptables_args '--match conntrack ! --ctstate RELATED,ESTABLISHED' # allow outbound connections

Looks normal to me… are you using iptables or nftables?

What is the output of:

ubus call system board; uci export network; uci export firewall;

are you using iptables or nftables?

How do I check?

root@OpenWrt:~# ubus call system board; uci export network; uci export firewall;
{
	"kernel": "5.10.138",
	"hostname": "OpenWrt",
	"system": "AMD A8-3820 APU with Radeon(tm) HD Graphics",
	"model": "VMware, Inc. VMware Virtual Platform",
	"board_name": "vmware-inc-vmware-virtual-platform",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.0",
		"revision": "r19685-512e76967f",
		"target": "x86/64",
		"description": "OpenWrt 22.03.0 r19685-512e76967f"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd17:5726:3a19::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.1.1'

config interface 'wan'
	option device 'eth1'
	option proto 'pppoe'
	option username ''
	option password ''
	option ipv6 'auto'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow Node-Red From LAN'
	list proto 'tcp'
	option src 'lan'
	option dest_port '1880'
	option target 'ACCEPT'

config rule
	option name 'Accept Unique Image Request'
	list proto 'tcp'
	option src 'wan'
	option src_port '80'
	option dest 'lan'
	list dest_ip '10.1.1.1'
	option dest_port '3000'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

You are on version 22.03 so you probably are using firewall4 with nftables.
You could verify running:
fw4 check

Your config looks good to me. Maybe someone else will spot any issues. So, is your service still accessible through your public ip?

Have you tried restarting your firewall + docker or rebooting your router?

The only thing I noticed is your current version. You are still on 22.03.0 and the latest stable version is 22.03.02. I would advise you to update to the latest stable version and try again. Maybe there was a bug.
Also, docker natively runs on iptables, so I think there were some issues in the past with firewall4, nftables and docker. I don’t know what the current status of using docker with nftables is (I’m using a fw3 build with iptables).

root@OpenWrt:~/docker/node-red/data# fw4 check
Ruleset passes nftables check.

Currently the port is no longer available from the public IP address.
The router was restarted a couple of times since I last checked for open ports.

If you are concerned you can also expose your ports only to your loopback. Should look like this:

    ports:
      - "127.0.0.1:6379:6379"
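As an added check (not code from anyone in this thread) that ties the earlier question about port 3001 showing up on the WAN to the loopback-binding advice above: this BusyBox-compatible script prints the current bridge-nf sysctl state and flags every running container whose published ports are bound to a wildcard address (0.0.0.0 or ::) rather than to 127.0.0.1 or a LAN address. The `docker ps --format` column layout and the sysctl key names are real; the function and variable names are mine.

```shell
#!/bin/sh
# Audit helper for an OpenWrt Docker host (added example, assumes docker CLI + BusyBox sh).

# Show whether bridged traffic is still handed to iptables. A value of 0 means
# packets between containers on the same bridge bypass the DOCKER chain entirely.
show_bridge_nf() {
    sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables 2>/dev/null
}

# Classify one PORTS column entry from `docker ps`, e.g.
#   "0.0.0.0:3001->80/tcp, :::3001->80/tcp"  -> exposed  (bound on all interfaces)
#   "127.0.0.1:6379->6379/tcp"               -> local    (loopback/LAN address only)
#   "3306/tcp" or ""                         -> none     (nothing published)
classify_ports() {
    ports="$1"
    result=none
    # Mappings are comma separated; turn commas into spaces and iterate word by word.
    for m in $(printf '%s\n' "$ports" | tr ',' ' '); do
        case "$m" in
            *'->'*)
                bind=${m%%->*}      # "0.0.0.0:3001", ":::3001" or "127.0.0.1:6379"
                host=${bind%:*}     # drop the host port, keeping the bind address
                case "$host" in
                    0.0.0.0|::|'') result=exposed ;;
                    *) [ "$result" = exposed ] || result=local ;;
                esac ;;
        esac
    done
    echo "$result"
}

# Walk every running container and print its exposure class next to its name.
audit_containers() {
    docker ps --format '{{.Names}}\t{{.Ports}}' |
    while IFS="$(printf '\t')" read -r name ports; do
        printf '%-24s %-8s %s\n' "$name" "$(classify_ports "$ports")" "$ports"
    done
}

if [ "${1:-}" = "--run" ]; then
    show_bridge_nf
    audit_containers
fi
```

Run it as `sh audit.sh --run` on the router; any container reported as `exposed` is one whose port Docker's own iptables rules will accept from every interface unless `blocked_interfaces 'wan'` (or a `-p 127.0.0.1:HOST:CONTAINER` binding) stops it.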
