docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

Docker starts, but there is no connection until docker.socket restarts #1405

Open AlexanderZhirov opened 2 years ago

AlexanderZhirov commented 2 years ago

I made an assembly based on Thinstation. Added package docker. I run the distribution, everything loads without problems. Docker starts after downloading the distribution. I download nginx:alpine and run it with port 80 forwarding. The container starts, there are no problems:

ts_0800273e9027:~# docker run --restart always --name mynginx -p 80:80 -d nginx:alpine
4fc242d58285: Loading layer [==================================================>]  5.855MB/5.855MB
4721bfafc708: Loading layer [==================================================>]  19.05MB/19.05MB
45b275e8a06d: Loading layer [==================================================>]  3.072kB/3.072kB
a43749efe4ec: Loading layer [==================================================>]  4.096kB/4.096kB
d6dd885da0bb: Loading layer [==================================================>]  3.584kB/3.584kB
c0e7c94aefd8: Loading layer [==================================================>]  7.168kB/7.168kB
Loaded image: nginx:alpine
a22e21817fbd4040e6cbf0d590180117ee88cecb1259080e7af4016b0931b5ce
ts_0800273e9027:~# docker container ls
CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS         PORTS                               NAMES
a22e21817fbd   nginx:alpine   "/docker-entrypoint.…"   10 seconds ago   Up 9 seconds   0.0.0.0:80->80/tcp, :::80->80/tcp   mynginx
ts_0800273e9027:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3678/docker-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2321/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      3685/docker-proxy
tcp        0      0 :::22                   :::*                    LISTEN      2321/dropbear

Rules table:

ts_0800273e9027:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 1064 packets, 77952 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 963 packets, 651K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

The problem is that I can't connect even locally to the lifted container at the localhost address. Telnet also does not connect to port 80. The remote connection doesn't work either.

If I restart docker.socket - access to the container from the outside is provided, I open the page in the browser.

My question is this: how to understand and why the initial launch of Docker after downloading the distribution does not provide access to running containers? Why does it start working only after restarting docker.socket?

I also attach the full distribution download log and the Docker startup log.

docker.gz load.gz

I also provide an infographic of the distribution download:

boot

AlexanderZhirov commented 2 years ago

UPD. I have reassembled the assembly with the ability to debug (/usr/bin/dockerd --debug -H fd://). I attach the FULL docker download docker.log.

I have extracted the log BEFORE and AFTER restarting docker.socket. I share a comparison of the two logs. As you can see, after restarting docker.socket, new rules are added via iptables.
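
The before/after comparison described above can be reproduced with a small helper that ignores the pkts/bytes counters, which differ between any two captures. This is an added example, not part of the original issue or of Docker; the function names are hypothetical, and the sample captures are constructed (rows modelled on the listing in the issue, with the 172.17.0.3 rule invented for illustration).

```shell
#!/bin/sh
# Added example (not from the issue): compare two `iptables -L -v -n` captures
# while ignoring the pkts/bytes counters, which change on every capture.

# normalize_rules: listing on stdin -> sorted "chain|rule" lines on stdout.
normalize_rules() {
    awk '
        /^Chain / {                       # "Chain FORWARD (policy DROP 0 packets, 0 bytes)"
            chain = $2
            if ($3 == "(policy") print chain "|policy " $4
            next
        }
        NF == 0 || $1 == "pkts" { next }  # blank lines and column headers
        {
            rule = $3                     # fields 1-2 are the counters
            for (i = 4; i <= NF; i++) rule = rule " " $i
            print chain "|" rule
        }
    ' | LC_ALL=C sort
}

# rules_added BEFORE AFTER: rules (or policies) present only in AFTER.
rules_added() {
    _before=$(mktemp) && _after=$(mktemp) || return 1
    normalize_rules < "$1" > "$_before"
    normalize_rules < "$2" > "$_after"
    LC_ALL=C comm -13 "$_before" "$_after"
    rm -f "$_before" "$_after"
}

# Constructed sample captures. Rows are modelled on the listing in the issue;
# the 172.17.0.3 rule is invented for illustration only.
sample_before() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:80
EOF
}
sample_after() {
    sample_before | sed 's/^    0     0 DOCKER /   12   720 DOCKER /'
    echo '    3   180 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.3           tcp dpt:8080'
}
```

The listing in the issue covers only the filter table; captures taken with `iptables -t nat -L -v -n` have the same layout and can be compared the same way.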

clpacheco90 commented 2 years ago

I'm getting a similar issue. In my case the container runs well, but if I reboot my VM, my container is shown by docker ps and the logs show that it is alright, but when I try to access it in a browser it fails. I can only resolve it by restarting my container.