When I try to connect to a port from within my container to another container, I am unsuccessful and get:
root@ac1590a59fe5:/opt/f5massupgrade#
Try running the container with the flag --net set to host.
docker run --net host image
These worked for me on Fedora 32
$ sudo firewall-cmd --zone=public --add-masquerade --permanent
$ sudo firewall-cmd --reload
$ sudo systemctl restart docker
I know this is an old question but I just had this issue and was able to resolve it with the help of this thread.
Thanks to Samuel, I checked whether any of my containers in my network had conflicting MAC addresses. That was the case and the cause of the issue.
Now the reason for the conflict was the usage of multiple networks in my compose file. I used the default network that gets created by every docker-compose as well as joining an existing network.
The way docker chooses a MAC address is by starting at 02:42:ac:12:00:00 and just using the next address for each subsequent container. Apparently, this is done for every network individually. Docker chose the MAC address of my container based on the default network that was created with the compose. The resulting MAC was unique on the compose network, but already in use in the existing network it joined.
This issue has been described here and got resolved recently by introducing network priority.
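A diagnostic for the MAC conflict case described above, added here as an example and not part of the original answer: it lists every running container's MAC address per network from docker inspect and reports any network/MAC pair held by more than one container. The docker_mac_lines helper assumes a working docker CLI; find_mac_conflicts reads those lines from stdin, so saved output can be fed to it as well.

```shell
#!/bin/sh
# One line per container: "<name> <network>=<mac> [<network>=<mac> ...]"
# Assumes the docker CLI is available and the user may run it.
docker_mac_lines() {
    docker inspect \
        --format '{{.Name}}{{range $net, $cfg := .NetworkSettings.Networks}} {{$net}}={{$cfg.MacAddress}}{{end}}' \
        $(docker ps -q)
}

# Reads docker_mac_lines output on stdin and prints, sorted,
# "<network> <mac> <container>,<container>..." for every MAC that
# appears on the same network for more than one container.
# Prints nothing when there is no conflict.
find_mac_conflicts() {
    awk '
    {
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            key = kv[1] " " tolower(kv[2])   # network and MAC together
            holders[key] = holders[key] (holders[key] == "" ? "" : ",") $1
            count[key]++
        }
    }
    END {
        for (key in holders)
            if (count[key] > 1) print key " " holders[key]
    }' | sort
}

# Typical use on a live host:
# docker_mac_lines | find_mac_conflicts
```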
Customizing the kernel tunables below solves the "no route to host" issue between docker containers:
sysctl net.bridge.bridge-nf-call-iptables=0
sysctl net.bridge.bridge-nf-call-arptables=0
sysctl net.bridge.bridge-nf-call-ip6tables=0
These control whether or not packets traversing the bridge are sent to iptables for processing.
Note that if you add these to sysctl.conf they may not apply automatically on reboot, due to a known bug depending on your Linux distribution.
Since docker will create a couple of networks, I would prefer to open all the related IPs.
# open all IPs starting with "172" so that all the containers can communicate with each other
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.0.0.0/8 accept'
# make our container able to visit the network outside
sudo firewall-cmd --permanent --zone=public --add-masquerade
# apply the change
sudo firewall-cmd --reload
You may visit /etc/firewalld/zones/public.xml for your final result.
Here is my example:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="172.0.0.0/8"/>
    <accept/>
  </rule>
</zone>
Hoping it helps.
If anyone is still stuck with this problem on CentOS 8 or any system using firewalld, try the following settings for firewalld:
# Allows container to container communication, the solution to the problem
firewall-cmd --zone=public --add-masquerade --permanent
# standard http & https stuff
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
# + any other port you may need
# reload the firewall
firewall-cmd --reload
You may also need to restart the docker service if it does not work immediately. There's no need to add the docker0 interface to the trusted zone as many of the guides I've gone through stated.
I was struggling with setting up a Traefik reverse proxy for my docker containers, I only got 502 responses with a no route error to my container from Traefik logs. At first I thought it was my Traefik setup but it turned out it was the firewall restrictions as @al. mentioned. It pointed me in the right direction and I got my answer from https://serverfault.com/questions/987686/no-network-connectivity-to-from-docker-ce-container-on-centos-8