Detailed explanation of how to solve the problem that the docker container cannot access the host machine through IP

Origin of the problem

When using docker, I unfortunately need to access port 80 of the host in the docker container, and this port 80 is mapped to port 8080 of another container. When I access the host through the docker bridge 172.17.0.1 in the container, I find:

curl: (7) Failed to connect to 172.17.0.1 port 80: No route to host

Find the cause of the problem

It is certain that the container and the host are connected to the network, because the host can be pinged via 172.17.0.1 from within the container:

root@930d07576eef:/# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.130 ms

You can also access other intranets and external networks from within the container.

Iptables also shows that docker containers are allowed to access:

# iptables --list | grep DOCKER
DOCKER-ISOLATION all -- anywhere anywhere      
DOCKER all -- anywhere anywhere      
Chain DOCKER (1 reference)
Chain DOCKER-ISOLATION (1 references)

After searching for some information, I found this problem: NO ROUTE TO HOST network request from container to host-ip:port published from other container.

explain

As mentioned on the Docker Community Forms, this is a known bug where port 80 on the host is accessible from other computers, but not from Docker containers on the local machine. You must set up firewalld rules to allow access from Docker containers on the local machine.

gypark pointed out that this problem can be avoided by adding firewall rules in /etc/firewalld/zones/public.xml:

<rule family="ipv4">
  <source address="172.17.0.0/16" />
  <accept />
</rule>

Note that 172.17.0.0/16 here can match all IPs in the 172.17.xx.xx IP segment.

Then restart the firewall:

systemctl restart firewalld

After that, you can access port 80 of the host machine from inside the Docker container.

Other issues

In fact, when I opened a new VM with VMware hoping to reproduce this problem, I found that there was no similar problem on the new VM. That is to say, the container can directly access the host port 80 through 172.17.0.1 , and I did not see any whitelist for 172.17.xx.xx when I checked the firewall configuration.
The guess is that the Docker installed in the new virtual machine is Docker version 1.12.5, build 047e51b/1.12.5 , which is the version developed by Red Hat from the open source version of Docker. The previous one is Docker version 17.06.2-ce, build cec0b72 belongs to Docker-CE . Maybe there is a difference in the Docker version, and Red Hat fixed the Known Bug by the way.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.