Collabora docker cannot ping the internet

My YunoHost server

Hardware: VPS
YunoHost version:

$ sudo yunohost -v
yunohost: 
  repo: stable
  version: 4.1.7.4
yunohost-admin: 
  repo: stable
  version: 4.1.4
moulinette: 
  repo: stable
  version: 4.1.4
ssowat: 
  repo: stable
  version: 4.1.3
$ uname -a
Linux nry.pw 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux

I have access to my server : Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

After upgrading to Yunohost v4, Collabora online (3.7.19) for Nextcloud (18.0.4) stopped working. The Collabora server is on the same host, run with a docker container (collabora/code:6.4.8.1).

When trying to open an open format document (odt, ods,…) on Nextcloud, it fails with the following pop up : Fail to read document from storage

I looked at Collabora docker logs and found the following :

wsd-00008-00008 2021-04-24 12:41:01.236480 [ loolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:4058
Ready to accept connections on port 9980.

wsd-00008-00056 2021-04-24 12:43:16.140715 [ websrv_poll ] ERR  Socket #23 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.141107 [ websrv_poll ] ERR  Error while handling poll for socket #23 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.280416 [ websrv_poll ] ERR  Socket #23 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.280603 [ websrv_poll ] ERR  Error while handling poll for socket #23 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.286858 [ websrv_poll ] ERR  Socket #23 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.287044 [ websrv_poll ] ERR  Error while handling poll for socket #23 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.399120 [ websrv_poll ] ERR  Socket #26 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.399292 [ websrv_poll ] ERR  Error while handling poll for socket #26 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.418850 [ websrv_poll ] ERR  Socket #27 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.419003 [ websrv_poll ] ERR  Error while handling poll for socket #27 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314
wsd-00008-00056 2021-04-24 12:43:16.444592 [ websrv_poll ] ERR  Socket #27 SSL BIO error: closed unexpectedly (-1). (0: Success)| ./net/SslSocket.hpp:276
wsd-00008-00056 2021-04-24 12:43:16.444748 [ websrv_poll ] ERR  Error while handling poll for socket #27 in websrv_poll: SSL Socket closed unexpectedly.| net/Socket.cpp:314


wsd-00008-00058 2021-04-24 12:43:36.432939 [ docbroker_001 ] ERR  Cannot get file info from WOPI storage uri [https://my.server/index.php/apps/richdocuments/wopi/files/11218_ocuchk93xkxx?access_token=[redacted]&access_token_ttl=0&reuse_cookies=WSDWelcomeVersion%3D4.2.4]. Error: DNS error: Temporary DNS error while resolving: my.server| wsd/Storage.cpp:647
wsd-00008-00058 2021-04-24 12:43:36.433335 [ docbroker_001 ] ERR  loading document exception: DNS error| wsd/DocumentBroker.cpp:1445
wsd-00008-00058 2021-04-24 12:43:36.433435 [ docbroker_001 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/11218_ocuchk93xkxx] with URI [https://my.server/index.php/apps/richdocuments/wopi/files/11218_ocuchk93xkxx?access_token=[redacted]&access_token_ttl=0&reuse_cookies=WSDWelcomeVersion%3D4.2.4]: DNS error| wsd/DocumentBroker.cpp:1407
wsd-00008-00058 2021-04-24 12:43:36.433525 [ docbroker_001 ] ERR  Error while loading : DNS error| wsd/LOOLWSD.cpp:3465
wsd-00008-00058 2021-04-24 12:43:36.433771 [ docbroker_001 ] ERR  No DocBroker found, or DocBroker marked to be destroyed. Terminating session ToClient-006| wsd/ClientSession.cpp:332
wsd-00008-00058 2021-04-24 12:43:36.434385 [ docbroker_001 ] ERR  No DocBroker found, or DocBroker marked to be destroyed. Terminating session ToClient-006| wsd/ClientSession.cpp:332
wsd-00008-00058 2021-04-24 12:43:36.500245 [ docbroker_001 ] ERR  Invalid or unknown session [006] to remove.| wsd/DocumentBroker.cpp:1484
wsd-00008-00041 2021-04-24 12:43:38.434241 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:2130

From this log I found Error: DNS error: Temporary DNS error while resolving: my.server and suspected a DNS resolution problem in docker containers.

Upon testing with $ docker run --rm -it alpine ping -c 1 8.8.8.8 with no success, I tried to ping the host from the container and it worked.

I thus suspect some firewall getting in the way of docker, and preventing it from accessing the Internet, but I fail to diagnose precisely where.

Thanks a lot for any input on this issue, and thanks to the Yunohost team for the good work

Probably related to the migration of iptables rules to nftables rules, maybe restarting the docker daemon would work … You can investigate by checking out the output of “iptables-save”, but that’s pretty technical …

Thanks for the swift reply, I already tried restarting the docker daemon but with no luck so far.

The output of “iptables-save” is as follows:

# Generated by xtables-save v1.8.2 on Sat Apr 24 17:21:00 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.20.0.0/16 ! -o br-6b5f21b79d6d -j MASQUERADE
-A POSTROUTING -s 172.22.0.0/16 ! -o br-862f7a203104 -j MASQUERADE
-A POSTROUTING -s 172.21.0.0/16 ! -o br-e580a8d5e0ff -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-42cabe343fab -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-f3ee4513c7aa -j MASQUERADE
-A POSTROUTING -s 172.19.0.0/16 ! -o br-e2913a9362c9 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.19.0.2/32 -d 172.19.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.19.0.4/32 -d 172.19.0.4/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.6/32 -d 172.18.0.6/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.18.0.7/32 -d 172.18.0.7/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9980 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-f3ee4513c7aa -j RETURN
-A DOCKER -i br-e2913a9362c9 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-e2913a9362c9 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 172.19.0.2:80
-A DOCKER ! -i br-e2913a9362c9 -p tcp -m tcp --dport 49153 -j DNAT --to-destination 172.19.0.4:5000
-A DOCKER ! -i br-f3ee4513c7aa -p tcp -m tcp --dport 49155 -j DNAT --to-destination 172.18.0.6:5000
-A DOCKER -d 127.0.0.1/32 ! -i br-f3ee4513c7aa -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.18.0.7:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9980 -j DNAT --to-destination 172.17.0.2:9980
COMMIT
# Completed on Sat Apr 24 17:21:00 2021
# Generated by xtables-save v1.8.2 on Sat Apr 24 17:21:00 2021
*filter
:INPUT DROP [5466412:557228533]
:FORWARD DROP [2158:189322]
:OUTPUT ACCEPT [18809065:45329852126]
:monitorix_IN_0 - [0:0]
:monitorix_IN_1 - [0:0]
:monitorix_IN_2 - [0:0]
:monitorix_IN_3 - [0:0]
:monitorix_IN_4 - [0:0]
:monitorix_IN_5 - [0:0]
:monitorix_IN_6 - [0:0]
:monitorix_IN_7 - [0:0]
:monitorix_IN_8 - [0:0]
:monitorix_nginx_IN - [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-USER - [0:0]
:f2b-sshd - [0:0]
:f2b-pam-generic - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:f2b-recidive - [0:0]
:f2b-postfix - [0:0]
-A INPUT -p tcp -m multiport --dports 25,587 -j f2b-postfix
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -j f2b-pam-generic
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 8081 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_nginx_IN
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 143 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_8
-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_7
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_6
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 139 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_5
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_4
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_3
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_2
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_1
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_0
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9980 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 3000 -j ACCEPT
-A INPUT -p udp -m udp --dport 30000 -j ACCEPT
-A INPUT -p udp -m udp --dport 9980 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-6b5f21b79d6d ! -o br-6b5f21b79d6d -j ACCEPT
-A FORWARD -i br-6b5f21b79d6d -o br-6b5f21b79d6d -j ACCEPT
-A FORWARD -o br-f3ee4513c7aa -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-f3ee4513c7aa -j DOCKER
-A FORWARD -i br-f3ee4513c7aa ! -o br-f3ee4513c7aa -j ACCEPT
-A FORWARD -i br-f3ee4513c7aa -o br-f3ee4513c7aa -j ACCEPT
-A FORWARD -o br-e2913a9362c9 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e2913a9362c9 -j DOCKER
-A FORWARD -i br-e2913a9362c9 ! -o br-e2913a9362c9 -j ACCEPT
-A FORWARD -i br-e2913a9362c9 -o br-e2913a9362c9 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8081 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_nginx_IN
-A OUTPUT -p tcp -m tcp --sport 143 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_8
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_7
-A OUTPUT -p tcp -m tcp --sport 3306 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_6
-A OUTPUT -p tcp -m tcp --sport 139 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_5
-A OUTPUT -p tcp -m tcp --sport 110 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_4
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_3
-A OUTPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_2
-A OUTPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_1
-A OUTPUT -p tcp -m tcp --sport 25 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_0
-A DOCKER -d 172.19.0.2/32 ! -i br-e2913a9362c9 -o br-e2913a9362c9 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.19.0.4/32 ! -i br-e2913a9362c9 -o br-e2913a9362c9 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.18.0.6/32 ! -i br-f3ee4513c7aa -o br-f3ee4513c7aa -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.18.0.7/32 ! -i br-f3ee4513c7aa -o br-f3ee4513c7aa -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9980 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-f3ee4513c7aa ! -o br-f3ee4513c7aa -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e2913a9362c9 ! -o br-e2913a9362c9 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A f2b-sshd -j RETURN
-A f2b-pam-generic -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-f3ee4513c7aa -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e2913a9362c9 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A f2b-recidive -s 221.181.185.151/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.19/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.135/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 112.85.42.17/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.198/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 222.187.239.109/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.131.165.56/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 222.187.239.107/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -s 221.181.185.153/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-recidive -j RETURN
-A f2b-postfix -j RETURN
COMMIT
# Completed on Sat Apr 24 17:21:00 2021
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

Given that I could ping the host server and that the Nextcloud server is on this very host, I tried to add the Nextcloud domain with this IP in the hosts file of the container, as follows:

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=my\\.server' --add-host my.server:172.17.0.1 collabora/code:6.4.8.1

(and 172.17.0.1 being the host IP in the docker container)

I can now access documents and collaborate, but not sure this tweak will hold for long.
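Added example (not part of the original posts): a small Python check for the kind of iptables-save dump posted above. It flags the iptables-legacy warning, subnets masqueraded for more than one bridge, and bridges that have a NAT rule but no outbound FORWARD accept while the FORWARD policy is DROP. The function name `audit`, the two regexes and the shortened sample dump are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened iptables-save dump modelled on the one posted above.
SAMPLE = """\
*nat
-A POSTROUTING -s 172.20.0.0/16 ! -o br-6b5f21b79d6d -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/16 ! -o br-42cabe343fab -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-f3ee4513c7aa -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [2158:189322]
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i br-6b5f21b79d6d ! -o br-6b5f21b79d6d -j ACCEPT
-A FORWARD -i br-f3ee4513c7aa ! -o br-f3ee4513c7aa -j ACCEPT
COMMIT
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
"""
# Assumed rule shapes: the per-bridge rules exactly as they appear in the dump above.
MASQ = re.compile(r"^-A POSTROUTING -s (\S+) ! -o (\S+) -j MASQUERADE$")
FWD = re.compile(r"^-A FORWARD -i (\S+) ! -o (\S+) -j ACCEPT$")

def audit(dump):
    """Return findings about Docker egress rules in an iptables-save dump."""
    masq = defaultdict(list)   # source subnet -> bridges it is masqueraded for
    egress_ok = set()          # bridges with a FORWARD accept for outbound traffic
    policy, legacy = None, False
    for line in dump.splitlines():
        line = line.strip()
        if m := MASQ.match(line):
            masq[m.group(1)].append(m.group(2))
        elif (m := FWD.match(line)) and m.group(1) == m.group(2):
            egress_ok.add(m.group(1))
        elif line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif "iptables-legacy tables present" in line:
            legacy = True
    findings = []
    if legacy:
        findings.append("iptables-legacy tables present: rules there are not shown in this dump")
    for subnet, bridges in masq.items():
        if len(bridges) > 1:
            findings.append(f"{subnet} masqueraded for several bridges: {', '.join(bridges)}")
        for br in bridges:
            if policy == "DROP" and br not in egress_ok:
                findings.append(f"{br} ({subnet}) has NAT but no FORWARD accept; policy DROP blocks egress")
    return findings
```

To use it on a real host, pass the text of `iptables-save` (and, separately, of `iptables-legacy-save`) to `audit()` and compare the two sets of findings.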
