If you happen to use CentOS 8, you have already discovered that Red Hat (i.e. CentOS) switched to podman, which is a fork of docker. So the following fix will probably help even someone who does not use CentOS 8 or podman; for now, podman and docker are 99.99% the same.
Creating and starting a container is easy and in most cases a single command, but you may stumble on the error that your container cannot resolve host names or cannot connect to an IP, even though a ping to that IP works!
The service in the container may live a happy life without Internet access but just the mapped ports from the outside world. Still, it may happen to need Internet access, let’s say if an update should be performed.
Here is how to fix podman (docker) missing the Internet access in the container:
- No ping to the outside world. Chances are you are missing IP forwarding on the host:

```
sysctl -w net.ipv4.ip_forward=1
```

Do not forget to make it permanent by adding “net.ipv4.ip_forward=1” to /etc/sysctl.conf (or to a “.conf” file in /etc/sysctl.d/).
- Ping from the container to an outside IP works, but no connection to any service is possible! Probably NAT is not enabled in your podman (docker) configuration. With firewalld, at least, you must enable the masquerade option of the public zone:

```
firewall-cmd --zone=public --add-masquerade
firewall-cmd --permanent --zone=public --add-masquerade
```

The second command, with “--permanent”, makes the option persist across reboots.
The error – Could not resolve host (Name or service not known), despite having name servers in /etc/resolv.conf and being able to ping them!
One may think that having IPs in /etc/resolv.conf and being able to ping them from the container should give the container access to the Internet. But the following error occurs:
```
[root@srv /]# yum install telnet
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: artfiles.org
 * extras: centos.mirror.net-d-sign.de
 * updates: centos.bio.lmu.de
http://mirror.fra10.de.leaseweb.net/centos/7.7.1908/os/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: mirror.fra10.de.leaseweb.net; Unknown error"
Trying other mirror.
http://artfiles.org/centos.org/7.7.1908/os/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: artfiles.org; Unknown error"
Trying other mirror.
^C
Exiting on user cancel
[root@srv /]# ^C
[root@srv /]# ping 184.108.40.206
PING 220.127.116.11 (18.104.22.168) 56(84) bytes of data.
64 bytes from 22.214.171.124: icmp_seq=1 ttl=56 time=5.05 ms
64 bytes from 126.96.36.199: icmp_seq=2 ttl=56 time=5.06 ms
^C
--- 188.8.131.52 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 5.050/5.055/5.061/0.071 ms
[root@srv ~]# cat /etc/resolv.conf
nameserver 184.108.40.206
nameserver 220.127.116.11
[root@srv /]# ping google.com
ping: google.com: Name or service not known
```
The error 2 – Can’t connect to a service despite having ping to its IP!
```
[root@srv /]# ping 18.104.22.168
PING 22.214.171.124 (126.96.36.199) 56(84) bytes of data.
64 bytes from 188.8.131.52: icmp_seq=1 ttl=56 time=9.15 ms
64 bytes from 184.108.40.206: icmp_seq=2 ttl=56 time=9.16 ms
^C
[root@srv2 /]# mysql -h220.127.116.11 -uroot -p
Enter password:
ERROR 2003 (HY000): Can't connect to MySQL server on '18.104.22.168' (113)
[root@srv2 /]#
```
Despite being able to ping the MySQL server on 22.214.171.124, and despite the firewall on 126.96.36.199 allowing outside connections, the container could not connect to it. Testing other services such as HTTP, HTTPS, FTP and so on resulted in “unable to connect”, too. This is simply because NAT (aka masquerade) is not enabled in the firewall.
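The troubleshooting order above, as an added example that is not part of the original post: a host-side POSIX shell check that maps the two symptoms (no ping at all; ping works but no DNS or connections) to the setting the post says is missing, and prints the corresponding fix. The function names `first_missing`, `print_fix` and `diagnose_host` are mine; it assumes firewalld with the `public` zone, as in the post.

```shell
#!/bin/sh
# Added example (not code from the original post): maps the two symptoms the
# post describes to the setting that is usually missing and prints the fix.
#   no ping from the container       -> net.ipv4.ip_forward is 0
#   ping works, no DNS / no connects -> zone lacks masquerade (NAT)
# Inputs are arguments so it runs without a container; diagnose_host reads the
# live values on a firewalld host. Assumed zone: "public", as in the post.

# first_missing <ip_forward 0|1> <masquerade yes|no>
# Prints "forward", "masquerade" or "ok" (the first missing piece wins).
first_missing() {
  if [ "$1" != "1" ]; then
    echo forward
  elif [ "$2" != "yes" ]; then
    echo masquerade
  else
    echo ok
  fi
}

# print_fix <forward|masquerade|ok> [zone]: the commands from the post.
print_fix() {
  zone="${2:-public}"
  case "$1" in
    forward)
      echo "sysctl -w net.ipv4.ip_forward=1"
      echo "echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-ip-forward.conf" ;;
    masquerade)
      echo "firewall-cmd --zone=$zone --add-masquerade"
      echo "firewall-cmd --permanent --zone=$zone --add-masquerade" ;;
    *)
      echo "nothing to fix: forwarding and masquerade are both enabled" ;;
  esac
}

# diagnose_host [zone]: read the real values (firewall-cmd needs root) and
# print the fix. A host without firewalld is reported as "no masquerade".
diagnose_host() {
  zone="${1:-public}"
  fwd="$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)"
  masq=no
  if command -v firewall-cmd >/dev/null 2>&1; then
    masq="$(firewall-cmd --zone="$zone" --query-masquerade 2>/dev/null || echo no)"
  fi
  finding="$(first_missing "$fwd" "$masq")"
  echo "finding: $finding"
  print_fix "$finding" "$zone"
}

if [ "${1:-}" = "--live" ]; then diagnose_host "${2:-public}"; fi  # ./check.sh --live [zone]
```

Run it with `--live` on the host (not inside the container) to see which of the two fixes applies there.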
2 thoughts on “firewalld and podman (or docker) – no internet in the container and could not resolve host”
Thank you for posting this solution! I was trying to figure out what went was wrong but couldn’t for the life of me figure it out. It’s been an uphill climb to get Podman to work properly… I feel like Red Hat made the switch a little too early.
I am using CentOS 8.
```
firewall-cmd --zone=trusted --add-masquerade
```
If I use this method, it works fine.
When masquerade: yes, the client IP is not delivered normally to the container when using a proxy such as nginx or traefik (x-real-ip). The docker network IP 172.19.0.1 is displayed unconditionally.
With masquerade: yes as above, I don’t know whether the client IP is not displayed properly or whether it is a problem with nginx or traefik.
The criterion is: if the container is started with masquerade: no, the client IP is received normally.
If masquerade: yes, the client IP is fixed to the docker network IP (172.19.0.1).
So … when you start it, start with masquerade: no, then switch to masquerade: yes … it works without problems, but it is not a solution.
```
FirewallBackend=nftables
FirewallBackend=iptables
firewall-cmd --permanent --zone=trusted --add-interface=docker0
firewall-cmd --permanent --zone=trusted --add-interface=br-d193b7e58cd8
firewall-cmd --permanent --zone=trusted --add-interface=br-e34899da24a1
```
Solved in this way.