Docker – Can’t ping / access docker host on from inside a container


My docker host listens on

I can curl it from the host machine, but when I curl the same ip/port from within the container I get timeout.

I can ping anything from within the container but I can't access the host.

What am I missing ?

Container is Jenkins image run by this command:

docker run -d --name jenkins -v jenkins_home:/var/jenkins_home -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.222.3

Running curl on the host:

curl {"message":"page not found"}

Running curl from within the docker container will time out.

curl curl: (7) Failed to connect to
port 2375: Connection timed out

Best Answer

That's typically because iptables on the host is blocking access from the docker networks. You can look at iptables -S or iptables -nvL to see your current rules.

That said, if you do open up the docker API, you need to be careful about who can access that API. Using port 2375 typically means you have not configured mTLS, see docker's guide for setting up mTLS. This means anyone with access to the port can submit API calls, which means an unprivileged local user, or any other container, has the ability to get root on your host. In your case, that's as easy as:

docker -H tcp:// run -it --rm --privileged --pid host debian nsenter -t 1 -m -u -n -i bash

The recommended solution is to either use DinD to run the docker engine inside of a container, or to share the docker socket as a file/volume mount with the appropriate UID/GID access to the file. That ensures only that container has access to the docker engine rather than all users and any container running on the host. To handle the UID/GID access issues with files mounted in a volume, I've done this specifically for Jenkins images in my jenkins-docker repo, and there's a more generic solution in my fix-perms script in my docker-base repo.
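An added illustration, not part of the answer above: a small Python script that walks a constructed iptables -S listing the way the INPUT chain would for a new TCP connection, which shows why the same port answers on the host's loopback but times out from the docker0 bridge. The rule set is made up for the example; feed it your own iptables -S output to find the deciding rule.

```python
import ipaddress
import shlex

# Constructed `iptables -S` sample (not from the question). The last INPUT rule silently
# DROPs packets from the bridge, which curl reports as a timeout (REJECT would be "refused").
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 2375 -j ACCEPT
-A INPUT -i docker0 -j DROP
"""

# iptables options this toy matcher understands (anything else, e.g. "-m tcp", is ignored)
OPTS = {"-s": "src", "-i": "iface", "-p": "proto", "--dport": "dport",
        "--ctstate": "states", "-j": "target"}

def parse_rules(text):
    """Return (chain policies, -A rules in listed order) from `iptables -S` output."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 3 and toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks and toks[0] == "-A":
            rule = dict.fromkeys(OPTS.values())
            rule.update(chain=toks[1], raw=line)
            for i, tok in enumerate(toks[:-1]):
                if tok in OPTS:
                    rule[OPTS[tok]] = toks[i + 1]
            if rule["src"]:
                rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
            rules.append(rule)
    return policies, rules

def decide(text, chain, src_ip, iface, proto, dport):
    """Walk `chain` top to bottom for a NEW connection and return (verdict, deciding rule).
    A fresh SYN is conntrack state NEW, so RELATED,ESTABLISHED-only rules never match it."""
    policies, rules = parse_rules(text)
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        hit = (r["chain"] == chain
               and (r["src"] is None or ip in r["src"])
               and (r["iface"] is None or r["iface"] == iface)
               and (r["proto"] is None or r["proto"] == proto)
               and (r["dport"] is None or int(r["dport"]) == dport)
               and (r["states"] is None or "NEW" in r["states"].split(",")))
        if hit:
            return r["target"], r["raw"]
    return policies.get(chain, "ACCEPT"), "(chain policy)"
```

Running decide(SAMPLE_RULES, "INPUT", "172.17.0.2", "docker0", "tcp", 2375) names the docker0 DROP rule, while the same call for 127.0.0.1 on lo is accepted by the loopback rule.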
