Docker fails external connectivity for Redis

nix asked:

I have tried all the possible solutions available on either StackOverflow or other forums that I could find. I began installing Redis with Docker following the actual instructions available on Docker Hub. But I was not able to connect to Redis from outside the container.

My initial command:

docker run --name c-redis -d redis

After further searching I found that I needed to execute it as:

docker run --name mag-redis -d redis -p 6379:6379 

But this failed as well, as I got the following error.

$ docker run --name c-redis -d redis -p 6379:6379 
Unable to find image 'redis:latest' locally
latest: Pulling from library/redis
8559a31e96f4: Already exists
85a6a5c53ff0: Already exists
b69876b7abed: Already exists
a72d84b9df6a: Already exists
5ce7b314b19c: Already exists
04c4bfb0b023: Already exists
Digest: sha256:800f2587bf3376cb01e6307afe599ddce9439deafbd4fb8562829da96085c9c5
Status: Downloaded newer image for redis:latest
075d68ec71abf3752050c947e44a4b1c52305fb6153febe815e31659284612cf
docker: Error response from daemon: driver failed programming external connectivity on endpoint c-redis (f251e744aeacbd1a084f11b0e01731b1e1a36454ca8ad634889dd38dae66314d):  (iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 6379 -j DNAT --to-destination 172.17.0.3:6379 ! -i docker0: iptables: No chain/target/match by that name.
 (exit status 1)).

I then restarted iptables, as that was one of the solutions available online. But this did not help, and I got the same error again. I then found another query on Stack Overflow, i.e.

docker run --name c-redis -p 6379:6379 -d redis --restart unless-stopped -v /etc/redis/:/data --appendonly yes --requirepass "password"

However, the same iptables error... I then removed the image/container and executed the first command again (docker run --name c-redis -d redis); Redis was installed, but again I was not able to access it externally (from the same host, outside the container).

I again removed the container/image and tried those other two commands, but each time I got the same iptables error. I even tried to restart Docker. Still no use.

I am using CentOS 7. Please let me know if anyone else has faced such an issue. I have been totally stuck here for the past several hours.

EDIT:

Docker version:

Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:46:54 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:45:28 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

UPDATE: (iptables -S; iptables -t nat -S)

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-N f2b-postfix
-N f2b-postfix-sasl
-A INPUT -p tcp -m multiport --dports 25,587 -j f2b-postfix
-A INPUT -p tcp -m multiport --dports 25,587,953 -j f2b-postfix-sasl
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 31337 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,587,25,53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-postfix -s 212.70.149.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix -j RETURN
-A f2b-postfix-sasl -s 212.70.149.18/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-postfix-sasl -j RETURN
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT

Thank you!

My answer:

You probably should just have used firewalld instead of trying to write a manual firewall. It looks like you deleted the DOCKER chain from the nat table, which Docker creates when it starts up. You can re-create this chain and Docker should be able to start writing rules to it again.

iptables -t nat -N DOCKER

But there are probably other rules missing, and so you should just restart Docker and let it fix everything.
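An added check, not code from the question or the answer above, that does the two things a practitioner would want around the Docker restart the answer recommends: confirm which of the chains Docker creates are actually missing from a saved `iptables -S` dump (in the question's output the filter table has all four, but the nat table has no DOCKER chain at all, which is exactly why the `-A DOCKER ... -j DNAT` insert fails), and, once Docker has rebuilt them, list which published ports are reachable on every interface. That second check matters here: the host's INPUT chain ends in REJECT, but traffic to a published port is DNATed in PREROUTING and then traverses FORWARD, DOCKER-USER and DOCKER, where Docker's own ACCEPT rule lets it through, so `-p 6379:6379` exposes Redis on all interfaces regardless of those INPUT rules. For access from the same host only, as the question describes, `-p 127.0.0.1:6379:6379` is the safer form. The chain names are Docker 19.03's defaults for the default bridge network; the dumps below are constructed for the example (the 6380 entry is hypothetical), and the `-A DOCKER ! -i docker0 ... -j DNAT` line is the format `iptables -t nat -S` prints for a published port.

```shell
#!/bin/sh
# Added example, not code from the Server Fault question or answer.
# Reads `iptables -S` / `iptables -t nat -S` output and reports (a) which of the
# chains Docker 19.03 creates for the default bridge are missing and (b) which
# published ports are DNATed for *any* destination address, i.e. reachable on
# every host interface regardless of the host's INPUT rules.

# Chains the Docker daemon creates on startup (assumption: default bridge
# network only; user-defined networks add rules but no further chain names).
FILTER_CHAINS="DOCKER DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 DOCKER-USER"
NAT_CHAINS="DOCKER"

# missing_docker_chains DUMP TABLE
#   Prints, space separated, the expected chains that DUMP does not define.
#   `iptables -S` prints one `-N NAME` line per user chain, even for empty chains.
missing_docker_chains() {
    dump=$1
    case $2 in
        filter) expected=$FILTER_CHAINS ;;
        nat)    expected=$NAT_CHAINS ;;
        *)      echo "unknown table: $2" >&2; return 2 ;;
    esac
    missing=""
    for chain in $expected; do
        # -x: whole-line match, so "-N DOCKER" does not match "-N DOCKER-USER"
        if ! printf '%s\n' "$dump" | grep -qxF -- "-N $chain"; then
            missing="$missing $chain"
        fi
    done
    printf '%s\n' "${missing# }"
}

# published_on_all_interfaces NAT_DUMP
#   Prints the host ports of DNAT rules in the nat DOCKER chain that carry no
#   `-d ADDR` restriction. Docker writes those for `-p HOSTPORT:PORT`; binding
#   with `-p 127.0.0.1:HOSTPORT:PORT` adds `-d 127.0.0.1/32` and is excluded.
published_on_all_interfaces() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && /-j DNAT/ && !/ -d [0-9]/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Constructed dumps (not captured from a real host) modelled on the question:
# the filter table has all four Docker chains, the nat table has none.
FILTER_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER'
BROKEN_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# Constructed nat dump after Docker has rebuilt its chain: Redis published on
# every interface, plus a hypothetical second service bound to 127.0.0.1 only.
HEALTHY_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 6380 -j DNAT --to-destination 172.17.0.4:6379'

# Stand-alone demo on the constructed dumps. On a live host (as root) pass
# "$(iptables -S)" and "$(iptables -t nat -S)" instead of the variables.
echo "filter chains missing: [$(missing_docker_chains "$FILTER_DUMP" filter)]"
echo "nat chains missing:    [$(missing_docker_chains "$BROKEN_NAT_DUMP" nat)]"
echo "ports open on all interfaces: $(published_on_all_interfaces "$HEALTHY_NAT_DUMP" | tr '\n' ' ')"
```

On CentOS 7 the restart the answer recommends is `systemctl restart docker`; the daemon recreates the nat DOCKER chain together with its PREROUTING and POSTROUTING rules on startup, so running the second check afterwards shows what the rebuilt rules actually publish. Note also that `docker run` options must precede the image name: anything after `redis` on the command line is handed to the container's entrypoint rather than to Docker, so `-p 6379:6379` only publishes the port when it is placed before `redis`.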


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.