ping inside container does not ping actual host ip but seems to ping localhost

[nimmis]

Expected behavior

ping
ping times in normal range > 10 ms

Actual behavior

ping
ping times < 1 ms

Information

Event if you ping nonexisting host ip you got the fast ping responses

Diagnostic ID: AFCD161D-F711-4A50-9075-976DD5FE0ACC
Docker for Mac: 1.12.0-beta21 (Build 10868)
macOS: Version 10.11.6 (Build 15G31)
[OK] docker-cli
[OK] app
[OK] moby-syslog
[OK] disk
[OK] virtualization
[OK] system
[OK] menubar
[OK] osxfs
[OK] db
[OK] slirp
[OK] moby-console
[OK] logs
[OK] vmnetd
[OK] env
[OK] moby
[OK] driver.amd64-linux

Steps to reproduce

1. docker run -ti --rm alpine /bin/sh
2. / # ping 192.30.253.112
   PING 192.30.253.112 (192.30.253.112): 56 data bytes
   64 bytes from 192.30.253.112: seq=0 ttl=37 time=0.563 ms
   64 bytes from 192.30.253.112: seq=1 ttl=37 time=0.602 ms
   64 bytes from 192.30.253.112: seq=2 ttl=37 time=0.627 ms
3. same ping on host os Mac os
   $ ping github.com
   PING github.com (192.30.253.112): 56 data bytes
   64 bytes from 192.30.253.112: icmp_seq=0 ttl=48 time=170.933 ms
   64 bytes from 192.30.253.112: icmp_seq=1 ttl=48 time=178.581 ms
   64 bytes from 192.30.253.112: icmp_seq=2 ttl=48 time=165.428 ms
   64 bytes from 192.30.253.112: icmp_seq=3 ttl=48 time=139.794 ms
   64 bytes from 192.30.253.112: icmp_seq=4 ttl=48 time=355.255 ms
4. ping to non-existen host on docker (started pkt 1)
   / # ping 130.240.1.4
   PING 130.240.1.4 (130.240.1.4): 56 data bytes
   64 bytes from 130.240.1.4: seq=0 ttl=37 time=25.597 ms
   64 bytes from 130.240.1.4: seq=1 ttl=37 time=0.604 ms
   64 bytes from 130.240.1.4: seq=2 ttl=37 time=0.563 ms
   64 bytes from 130.240.1.4: seq=3 ttl=37 time=0.652 ms
5. same done on host os Mac os
   $ ping 130.240.1.4 (non existent)
   PING 130.240.1.4 (130.240.1.4): 56 data bytes
   Request timeout for icmp_seq 0
   Request timeout for icmp_seq 1
   Request timeout for icmp_seq 2
   Request timeout for icmp_seq 3
   Request timeout for icmp_seq 4
   Request timeout for icmp_seq 5

[djs55]

Sorry for the delay on this -- it is on our radar and we still hope to be able to fix it.

[spuyet]

What's the news about that issue ? 😅

[cidrblock]

This is nasty one for those of us doing telemetry dev work in docker. Any target fix date or version available?

[kyleobrien91]

@djs55 - where are we on this issue? It seems like a major bug to have open for such a long time. Even if the feedback relates to potential release dates, please indicate when this will be rolled out.

[kyleobrien91]

@djs55 - I see you added the label version/beta21. On rc5-beta35 this is still an issue.

[nimmis]

Can confirm that it still there in beta38,

[scara]

Just to mention that the same issue affects Docker for Windows too: found it using 1.13.1 under W10Pro while playing with smokeping.
See also https://forums.docker.com/t/ping-from-within-a-container-does-not-actually-ping/11787/8.

[tmuka]

like @scara I can confirm this affects Docker for Windows... very confusing! found it trying to track down why i can't talk to a 192.168.2.17 ip with docker bridge network mode.

[veetow]

Any updates on this?

[dimitertodorov]

Is this being addressed in any upcoming versions.
If not, I might just set up an plain Ubuntu VM for testing.

[tkeeler33]

This one is killing me too. Does anyone have workarounds? I can't believe this issue has been around since Aug 1, 2016...

[jannemann]

I can confirm tat this problem is present on docker for mac and for windows. Pretty annoying though.

[djs55]

Sorry for the delay in addressing this. There is an experimental fix in the master branch of Docker for Desktop, but it has not been publicly released yet.

If you'd like to try it on the Mac then here's what I just did:

• Install the latest Docker edge 17.07.0-ce-rc2-mac22

In the Whale menu -> About Docker I see:

Version 17.07.0-ce-rc2-mac22 (18909)
Channel: edge
d9a9cf3b45

Download the attached vpnkit.zip and check the sha1sum:

$ sha1sum vpnkit.zip
4928fe070f5b83d8bb341e1e5cabdb93c6739839  vpnkit.zip

Then unzip the archive and replace the vpnkit binary:

$ unzip vpnkit.zip
Archive:  vpnkit.zip
  inflating: Contents/MacOS/vpnkit   
$ cp /Applications/Docker.app/Contents/Resources/bin/vpnkit /Applications/Docker.app/Contents/Resources/bin/vpnkit.backup
$ cp Contents/MacOS/vpnkit /Applications/Docker.app/Contents/Resources/bin/vpnkit                                           

Then restart Docker for Mac and run some tests. Inside an alpine container I see:

/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=37 time=10.520 ms
64 bytes from 8.8.8.8: seq=1 ttl=37 time=10.715 ms
64 bytes from 8.8.8.8: seq=2 ttl=37 time=11.461 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 10.520/10.898/11.461 ms

/ # ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
^C
--- 10.0.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

Note this code is still experimental so please don't rely too much on it. Feedback would be welcome though!

For reference the component PR was moby/vpnkit#271

Thanks again for your patience.

[djs55]

It should be possible to ping from a container to the Internet on both edge and stable channels, e.g.:

$ docker run -it alpine sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
ff3a5c916c92: Pull complete 
Digest: sha256:7df6db5aa61ae9480f52f0b3a06a140ab98d427f86d8d5de0bedab9b8df6b1c0
Status: Downloaded newer image for alpine:latest
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=37 time=10.144 ms
64 bytes from 8.8.8.8: seq=1 ttl=37 time=10.984 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 10.144/10.564/10.984 ms

Thanks again for your report!

[nicksnyder]

@djs55

I am still unable to ping after following your steps

docker run -it alpine sh
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
Digest: sha256:7df6db5aa61ae9480f52f0b3a06a140ab98d427f86d8d5de0bedab9b8df6b1c0
Status: Downloaded newer image for alpine:latest
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

It just hangs after this.

[tkeeler33]

@nicksnyder - I get that regularly. Can you try restarting Docker and see if that resolves your issue?

[nicksnyder]

Restarting Docker did not help.

[tkeeler33]

@nicksnyder - My team experiences that behavior regularly, although intermittent. Generally a docker restart resolves the issue, but in cases I have had to rebuild the Docker VM through Reset -> Remove All Data.

When I originally experienced the issue (starting in 17.12.0-ce-mac49 (21995) I opened #2513 but wasn't able to reliably reproduce the issue. My team regularly experiences this through the current version (18.03.1-ce-mac65 (24312)).

Knowing others are experiences the same, perhaps it's worth investigating further...

[xyNNN]

Any progress on this issue? I've the same issues and I'm not able to ping from inside a container.
Also a factory reset still not helps to solve this issue.

[mgunter-pivotal]

I was able to get past this by restarting docker and recreating my containers in Version 2.0.0.0-beta1-mac75 (27117)

[jamshid]

I see this issue is closed but @djs55 you sure Docker for Mac should be able to ping?
It's not working on two Catalina macs I tested, latest Docker for Mac. I'm not sure if it's a new problem with Catalina. I have the same problem @nicksnyder describes, it just hangs:

$ docker run -ti alpine
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
(hangs here)

$ docker info
Client:
 Debug Mode: false

Server:
 Containers: 52
  Running: 49
  Paused: 0
  Stopped: 3
 Images: 2059
 Server Version: 19.03.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: active
  NodeID: taoh0epf56es4baxmy8pbnffy
  Is Manager: true
  ClusterID: kwvw3eg2nqq5r818beocgstza
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.65.3
  Manager Addresses:
   192.168.65.3:2377
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.9.184-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 31.38GiB
 Name: docker-desktop
 ID: HHGK:GJJL:XQ3I:PMX7:QSXC:NL6R:37DY:XFES:OVWM:YTH4:QNAA:7J65
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 446
  Goroutines: 519
  System Time: 2019-10-11T18:31:31.278559724Z
  EventsListeners: 3
 HTTP Proxy: gateway.docker.internal:3128
 HTTPS Proxy: gateway.docker.internal:3129
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked