
I'm renting a virtualized server running Ubuntu 22.04 and I'm trying to run Docker containers within it. The server is virtualized with qemu-kvm.

Unfortunately, the containers don't have network access.

host:~# docker run -it ubuntu /bin/bash
container:/# apt-get update

The APT update fails because the repositories cannot be reached. Checking the repositories from the host (QEMU VM), the repositories are totally fine:

host:~# ping archive.ubuntu.com

I've already tried "No internet connection inside Docker containers" and it didn't work; simply restarting the Docker service isn't the solution either.

The hardware firewall is deactivated and ufw is disabled.

How do I get internet access in my containers?


Edit 2

Placing this above because that seems more relevant to me.

Relating to the answer here I set up systemd-networkd accordingly. The docker0 interface keeps its 172.17.0.1 address until I start a container. Then the IP is lost. As long as docker0 has its IP address, the following route exists: 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown


Edit 1

As far as I understand QEMU, the network interface has to be explicitly connected to the physical host network interface. Since Docker is creating its own network interfaces for every network, or at least docker0, this isn't connected to the internet.

Let's assume I have an eth0 interface as default network interface in my VM. Can I set the iptables to route the docker0's traffic through the eth0 interface?


System information:

ip route

default via 87.106.234.1 dev ens6 proto dhcp src [LOCAL_IP] metric 100 
87.106.234.1 dev ens6 proto dhcp scope link src [LOCAL_IP] metric 100 
212.227.123.16 via 87.106.234.1 dev ens6 proto dhcp src [LOCAL_IP] metric 100 
212.227.123.17 via 87.106.234.1 dev ens6 proto dhcp src [LOCAL_IP] metric 100

ifconfig

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 02:42:74:19:f6:1a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet [LOCAL_IP]  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 [LOCAL_IP_V6]  prefixlen 64  scopeid 0x20<link>
        ether 02:01:72:39:35:f9  txqueuelen 1000  (Ethernet)
        RX packets 14885  bytes 164716593 (164.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11369  bytes 1415635 (1.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 184  bytes 19073 (19.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 184  bytes 19073 (19.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

nft list ruleset

table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 3317 bytes 150836 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority -100; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }
}
table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        counter packets 0 bytes 0 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        counter packets 0 bytes 0 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 0 bytes 0 jump DOCKER-USER
        counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
        iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
    }

    chain DOCKER-USER {
        counter packets 0 bytes 0 return
    }
}

Eric

1 Answer

The host resolved this issue with a configuration change:

In /etc/netplan/50-cloud-init.yaml, replace

match:
  name: '*'

with

match:
  name: 'en*'

The root problem was that the docker0 network lost its IP address, so it had no internet connection.

Eric
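As an added diagnostic (not part of the original question or answer), the script below checks the three things this thread turns on: whether docker0 still holds 172.17.0.1/16, whether the 172.17.0.0/16 kernel route via docker0 exists, and whether a netplan `match: name:` glob such as '*' would also claim docker0 (netplan globs are shell-style, which fnmatch reproduces). The sample `ip` outputs are constructed, with RFC 5737 addresses in place of the redacted ones; on a real host, feed it the output of `ip -o -4 addr show` and `ip route`.

```python
import fnmatch
import re

DOCKER0_ADDR = "172.17.0.1/16"   # address dockerd assigns to the default bridge
DOCKER0_NET = "172.17.0.0/16"

# Constructed sample output (not from the original post; RFC 5737 addresses).
# BROKEN: the state after a container start, docker0 is up but has no address.
IP_ADDR_BROKEN = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: ens6    inet 192.0.2.10/32 scope global dynamic ens6
"""
IP_ADDR_OK = IP_ADDR_BROKEN + "3: docker0    inet 172.17.0.1/16 scope global docker0\n"
IP_ROUTE_BROKEN = """\
default via 192.0.2.1 dev ens6 proto dhcp src 192.0.2.10 metric 100
192.0.2.1 dev ens6 proto dhcp scope link src 192.0.2.10 metric 100
"""
IP_ROUTE_OK = IP_ROUTE_BROKEN + "172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1\n"


def claimed_by_glob(glob, interfaces):
    """Interfaces a netplan `match: name:` glob would claim."""
    return [i for i in interfaces if fnmatch.fnmatchcase(i, glob)]


def parse_ip_addr(text):
    """Map interface name -> list of IPv4 CIDRs from `ip -o -4 addr show` output."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def docker0_route_present(text):
    """True when `ip route` output carries the kernel route for the bridge subnet."""
    return any(line.split()[:3] == [DOCKER0_NET, "dev", "docker0"]
               for line in text.splitlines() if line.strip())


def diagnose(ip_addr_text, ip_route_text, netplan_glob):
    """Return a list of findings; an empty list means the bridge looks healthy."""
    addrs = parse_ip_addr(ip_addr_text)
    findings = []
    if DOCKER0_ADDR not in addrs.get("docker0", []):
        findings.append("docker0 has lost %s, so container traffic has no source to masquerade from" % DOCKER0_ADDR)
    if not docker0_route_present(ip_route_text):
        findings.append("no %s route via docker0, so replies cannot reach the containers" % DOCKER0_NET)
    # A glob that also matches docker0 hands the bridge to the netplan renderer,
    # which is the root cause the accepted answer fixes by narrowing it to 'en*'.
    if fnmatch.fnmatchcase("docker0", netplan_glob):
        findings.append("netplan match name '%s' also claims docker0; narrow it (e.g. 'en*')" % netplan_glob)
    return findings


if __name__ == "__main__":
    for finding in diagnose(IP_ADDR_BROKEN, IP_ROUTE_BROKEN, "*"):
        print("FINDING:", finding)
```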