[Jenkins] docker container with bridge network can't reach out to the internet

[c9s]

Platform

Google Cloud Platform

bndiagnostic ID know more about bndiagnostic ID

0624f897-257d-a023-d358-f55c43ee6f74

bndiagnostic output

? Apache: Found possible issues
✓ Processes: No issues found
? Connectivity: Found possible issues
✓ Resources: No issues found

[Apache]

Found recent error or warning messages in the Apache error log.

[Thu Jan 09 06:19:43.697246 2025] [proxy:error] [pid 1201:tid 1334] 
(111)Connection refused: AH00957: http: attempt to connect to 
**ip_address**:8080 (127.0.0.1:8080) failed
 [Thu Jan 09 06:19:43.697345 2025] [proxy_http:error] [pid 1201:tid 1334] 
[client **ip_address**:50711] AH01114: HTTP: failed to make connection to 
backend: 127.0.0.1, referer: 
https://........../blue/organizations/jenkins/project/detail/PR-
100/5/pipeline/
Press [Enter] to continue:
 [Fri Jan 10 08:42:44.468524 2025] [core:error] [pid 1198:tid 1417] [client 
**ip_address**:43868] AH10244: invalid URI path 
(/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh)

Please check the following guide to troubleshoot server issues:

https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-erro
rs-apache/

[Connectivity]

Server ports 22, 80 and/or 443 are not publicly accessible. Please check the
following guide to open server ports for remote access:

https://docs.bitnami.com/general/faq/administration/use-firewall/

bndiagnostic was not useful. Could you please tell us why?

The suggested guide is not related to my issue

Describe your issue as much as you can

docker bridge network does not work in the new Bitnami Jenkins instance on GCP

docker run --rm -it alpine ping 8.8.8.8
 
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
1f3e46996e29: Pull complete 
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:latest
PING 8.8.8.8 (8.8.8.8): 56 data bytes
<--- it hangs here

and I started a Debian instance on GCP to test the default docker installation, it works. (both instances have the same ip route and iptables rules)

however, if I change docker network from "bridge" to "host", it will work.

[c9s]

add: I did "tcpdump" on docker0, and I can see the ICMP packets were actually sent to the ens4 interface

[c9s]

ip route 
default via 12.123.0.1 dev ens4 proto dhcp src 12.123.0.3 metric 100 
12.123.0.1 dev ens4 proto dhcp scope link src 12.123.0.3 metric 100 
169.254.169.254 via 10.174.0.1 dev ens4 proto dhcp src 12.123.0.3 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 


ip link 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 42:01:0a:ae:00:03 brd ff:ff:ff:ff:ff:ff
    altname enp0s4
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:0a:0b:9b:62 brd ff:ff:ff:ff:ff:ff
7: vethc57961e@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether 06:05:8a:5a:7a:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
11: veth89801a0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue master docker0 state UP mode DEFAULT group default 
    link/ether c6:00:3c:96:0b:f7 brd ff:ff:ff:ff:ff:ff link-netnsid 1

[c9s]

iptables POSTROUTING:

sudo iptables -t nat -L POSTROUTING -n -v 
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0        

iptables PREROUTING:

sudo iptables -t nat -L PREROUTING -n -v 
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 9686  577K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

[jotamartos]

Hi @c9s,

Thank you for using Bitnami. This issue seems to be related to Docker itself. If you can ping 8.8.8.8 from the instance, the container should be able to do the same. Please note that this is out of the scope of this support forum. You will need to investigate this or take a look at similar tickets online (like this one in Stack Overflow)

https://stackoverflow.com/questions/45509604/docker-container-can-not-ping-the-outside-world-iptables

[c9s]

Hi @jotamartos

I can’t ping 8.8.8.8 it will hang there, however if i start up a instance with the same debian distro, the docker will work without any setup or adjustments

[jotamartos]

As I mentioned, this seems to be an issue with Docker and its configuration. I can ping 8.8.8.8 from the VM itself but not from the container

bitnami@jotajenkins-vm:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=1.05 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=0.338 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=115 time=0.247 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2022ms
rtt min/avg/max/mdev = 0.247/0.543/1.045/0.356 ms
bitnami@jotajenkins-vm:~$ docker run --rm -it alpine ping 8.8.8.8
Unable to find image 'alpine:latest' locally
latest: Pulling from library/alpine
1f3e46996e29: Pull complete 
Digest: sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
Status: Downloaded newer image for alpine:latest
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss

[c9s]

Ok, but the source of the docker package is the same for different instances (bitnami debian and pure debian) . And the iptables rules, routing table all looks the same.