Collabora docker cannot ping the internet

Dis · April 24, 2021, 1:57pm

My YunoHost server

Hardware: VPS
YunoHost version:

$ sudo yunohost -v
yunohost: 
  repo: stable
  version: 4.1.7.4
yunohost-admin: 
  repo: stable
  version: 4.1.4
moulinette: 
  repo: stable
  version: 4.1.4
ssowat: 
  repo: stable
  version: 4.1.3
$ uname -a
Linux nry.pw 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux

I have access to my server : Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

After upgrading to Yunohost v4, Collabora online (3.7.19) for Nextcloud (18.0.4) stopped working. The Collabora server is on the same host, run with a docker container (collabora/code:6.4.8.1).

When trying to open an open format document (odt, ods,…) on Nextcloud, it fails with the following pop up : Fail to read document from storage

I looked at Collabora docker logs and found the following :

wsd-00008-00008 2021-04-24 12:41:01.236480 [ loolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:4058
Ready to accept connections on port 9980.

wsd-00008-00056 2021-04-24 12:43:16.140715 [ websrv_poll ] ERR  Socket #23 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.141107 [ websrv_poll ] ERR  Error while handling poll for socket #23 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.280416 [ websrv_poll ] ERR  Socket #23 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.280603 [ websrv_poll ] ERR  Error while handling poll for socket #23 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.286858 [ websrv_poll ] ERR  Socket #23 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.287044 [ websrv_poll ] ERR  Error while handling poll for socket #23 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.399120 [ websrv_poll ] ERR  Socket #26 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.399292 [ websrv_poll ] ERR  Error while handling poll for socket #26 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.418850 [ websrv_poll ] ERR  Socket #27 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.419003 [ websrv_poll ] ERR  Error while handling poll for socket #27 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.444592 [ websrv_poll ] ERR  Socket #27 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.444748 [ websrv_poll ] ERR  Error while handling poll for socket #27 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314


wsd-00008-00058 2021-04-24 12:43:36.432939 [ docbroker_001 ] ERR  Cannot get file info from WOPI storage uri [https://my.server/index.php/apps/richdocuments/wopi/files/11218_ocuchk93xkxx?access_token=[redacted]&access_token_ttl=0&reuse_cookies=WSDWelcomeVersion%3D4.2.4]. Error: DNS error: Temporary DNS error while resolving: my.server| wsd/Storage.cpp:647
wsd-00008-00058 2021-04-24 12:43:36.433335 [ docbroker_001 ] ERR  loading document exception: DNS error| wsd/DocumentBroker.cpp:1445
wsd-00008-00058 2021-04-24 12:43:36.433435 [ docbroker_001 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/11218_ocuchk93xkxx] with URI [https://my.server/index.php/apps/richdocuments/wopi/files/11218_ocuchk93xkxx?access_token=[redacted]&access_token_ttl=0&reuse_cookies=WSDWelcomeVersion%3D4.2.4]: DNS error| wsd/DocumentBroker.cpp:1407
wsd-00008-00058 2021-04-24 12:43:36.433525 [ docbroker_001 ] ERR  Error while loading : DNS error| wsd/LOOLWSD.cpp:3465
wsd-00008-00058 2021-04-24 12:43:36.433771 [ docbroker_001 ] ERR  No DocBroker found, or DocBroker marked to be destroyed. Terminating session ToClient-006| wsd/ClientSession.cpp:332
wsd-00008-00058 2021-04-24 12:43:36.434385 [ docbroker_001 ] ERR  No DocBroker found, or DocBroker marked to be destroyed. Terminating session ToClient-006| wsd/ClientSession.cpp:332
wsd-00008-00058 2021-04-24 12:43:36.500245 [ docbroker_001 ] ERR  Invalid or unknown session [006] to remove.| wsd/DocumentBroker.cpp:1484
wsd-00008-00041 2021-04-24 12:43:38.434241 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:2130

From this log I found Error: DNS error: Temporary DNS error while resolving: my.server and suspected a DNS resolution problem in docker containers.

Upon testing with $ docker run --rm -it alpine ping -c 1 8.8.8.8 with no success, I tried to ping host from container and it worked.

I thus suspect some firewall getting in the way of docker, and preventing it to access the Internet, but I fail to diagnose precisely where.

Thanks a lot for any input on this issue, and thanks to the Yunohost team for the good work

Aleks · April 24, 2021, 2:21pm

Probably related to the migration of iptables rules to nftables rules, maybe restarting the docker daemon would work … You can investigate by checking out the output of “iptables-save”, but that’s pretty technical …

Dis · April 24, 2021, 3:22pm

Thanks for the swift reply, I already tried restarting the docker daemon but with no luck so far.

The output of “iptables-save” is as follow :

# Generated by xtables-save v1.8.2 on Sat Apr 24 17:21:00 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.20.0.0/16 ! -o br-6b5f21b79d6d -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-862f7a203104 -j MASQUERADE
-A POSTROUTING -s 172.21.0.0/16 ! -o br-e580a8d5e0ff -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-42cabe343fab -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-f3ee4513c7aa -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-e2913a9362c9 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.19.0.4/32 -d 172.19.0.4/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9980 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-f3ee4513c7aa -j RETURN
-A DOCKER -i br-e2913a9362c9 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-e2913a9362c9 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 172.19.0.2:80
-A DOCKER ! -i br-e2913a9362c9 -p tcp -m tcp --dport 49153 -j DNAT --to-destination 172.19.0.4:5000
-A DOCKER ! -i br-f3ee4513c7aa -p tcp -m tcp --dport 49155 -j DNAT --to-destination 172.18.0.6:5000
-A DOCKER -d 127.0.0.1/32 ! -i br-f3ee4513c7aa -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.7:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9980 -j DNAT --to-destination 172.17.0.2:9980
COMMIT
# Completed on Sat Apr 24 17:21:00 2021
# Generated by xtables-save v1.8.2 on Sat Apr 24 17:21:00 2021
*filter
:INPUT DROP [5466412:557228533]
:FORWARD DROP [2158:189322]
:OUTPUT ACCEPT [18809065:45329852126]
:monitorix_IN_0 - [0:0]
:monitorix_IN_1 - [0:0]
:monitorix_IN_2 - [0:0]
:monitorix_IN_3 - [0:0]
:monitorix_IN_4 - [0:0]
:monitorix_IN_5 - [0:0]
:monitorix_IN_6 - [0:0]
:monitorix_IN_7 - [0:0]
:monitorix_IN_8 - [0:0]
:monitorix_nginx_IN - [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:f2b-sshd - [0:0]
:f2b-pam-generic - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:f2b-recidive - [0:0]
:f2b-postfix - [0:0]
-A INPUT -p tcp -m multiport --dports 25,587 -j f2b-postfix
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -j f2b-pam-generic
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 8081 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_nginx_IN
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 143 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_8
-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_7
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_6
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 139 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_5
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_4
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_3
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_2
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_1
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_0
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9980 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 3000 -j ACCEPT
-A INPUT -p udp -m udp --dport 30000 -j ACCEPT
-A INPUT -p udp -m udp --dport 9980 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-6b5f21b79d6d ! -o br-6b5f21b79d6d -j ACCEPT
-A FORWARD -i br-6b5f21b79d6d -o br-6b5f21b79d6d -j ACCEPT
-A FORWARD -o br-f3ee4513c7aa -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f3ee4513c7aa -j DOCKER
-A FORWARD -i br-f3ee4513c7aa ! -o br-f3ee4513c7aa -j ACCEPT
-A FORWARD -i br-f3ee4513c7aa -o br-f3ee4513c7aa -j ACCEPT
-A FORWARD -o br-e2913a9362c9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e2913a9362c9 -j DOCKER
-A FORWARD -i br-e2913a9362c9 ! -o br-e2913a9362c9 -j ACCEPT
-A FORWARD -i br-e2913a9362c9 -o br-e2913a9362c9 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8081 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_nginx_IN
-A OUTPUT -p tcp -m tcp --sport 143 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_8
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_7
-A OUTPUT -p tcp -m tcp --sport 3306 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_6
-A OUTPUT -p tcp -m tcp --sport 139 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_5
-A OUTPUT -p tcp -m tcp --sport 110 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_4
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_3
-A OUTPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_2
-A OUTPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_1
-A OUTPUT -p tcp -m tcp --sport 25 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_0
-A DOCKER -d 172.19.0.2/32 ! -i br-e2913a9362c9 -o br-e2913a9362c9 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.19.0.4/32 ! -i br-e2913a9362c9 -o br-e2913a9362c9 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-f3ee4513c7aa -o br-f3ee4513c7aa -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-f3ee4513c7aa -o br-f3ee4513c7aa -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9980 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f3ee4513c7aa ! -o br-f3ee4513c7aa -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e2913a9362c9 ! -o br-e2913a9362c9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN
-A f2b-pam-generic -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f3ee4513c7aa -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e2913a9362c9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A f2b-recidive -s 221.181.185.151/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.19/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.135/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 112.85.42.17/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.198/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 222.187.239.109/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.131.165.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 222.187.239.107/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.153/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -j RETURN
-A f2b-postfix -j RETURN
COMMIT
# Completed on Sat Apr 24 17:21:00 2021
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

Dis · April 24, 2021, 8:19pm

Given that I could ping the host server and that the nextcloud server is on this very host, I tried to add the nextcloud domain with this IP in the hosts file of the container, as follow :

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=my\\.server' --add-host my.server:172.17.0.1 collabora/code:6.4.8.1

(and 172.17.0.1 being the host IP in the docker container)

I can now access documents and collaborate, but not sure this tweak will hold for long.

system · May 9, 2021, 8:20pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.