Docker container not connecting to https endpoints

1

11

From inside a docker container, I'm running

# openssl s_client -connect rubygems.org:443 -state -nbio 2>&1 | grep "^SSL"     

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A

That's all I get

I can't connect to any https site from within the docker container. The container is running on an openstack vm. The vm can connect via https.

Any advice?

UPDATE

root@ce239554761d:/# curl -vv https://google.com
* Rebuilt URL to: https://google.com/
* Hostname was NOT found in DNS cache
*   Trying 216.58.217.46...
* Connected to google.com (216.58.217.46) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):

and then it hangs.

Also, I'm getting intermittent successes now.

Sanity Checks:

  • changing the docker ips doesn't fix the problem

  • The docker containers work on my local machine

  • The docker containers work on other clouds

  • Docker 1.10.0 doesn't work in the vms

  • Docker 1.9.1 works in the vms

Homeric answered 9/2, 2016 at 19:23 Comment(5)
related: help.rubygems.org/discussions/problems/… – Interferometer
If you parse through the related link above, something is missing from your docker distro. ca-certificates maybe? – Benge
@Interferometer This is not a rubygems-specific problem. None of my containers can access any https sites. @user2105103, I have ca-certificates installed, apt-get update hangs – Homeric
If apt-get update hangs, then it could be an issue with the MTU on the docker host. Try setting the MTU to a lower value. – Antung
We're experiencing the same problems and it appears to be a tricky bug in OpenStack. I filed a bug there: bugs.launchpad.net/neutron/+bug/1595762 – Laddy
11

I was given a solution by the Docker community

OpenStack network seems to use lower MTU values and Docker does not infer the MTU settings from the host's network card since 1.10.

To run the Docker daemon with custom MTU settings, you can follow this blog post, which says:

$ cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service

Edit a line in the new file to look like this:

ExecStart=/usr/bin/docker daemon -H fd:// --mtu=1454

Or (as suggested below by Dionysius), create and edit the file /etc/systemd/system/docker.service.d/fixmtu.conf as follows:

[Service]
# Reset ExecStart & update mtu (see original command in /lib/systemd/system/docker.service)
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --mtu=1454

MTU of 1454 is the value that seems to be common with OpenStack. You can look it up in your host using ifconfig.

Finally restart Docker:

$ sudo systemctl daemon-reload
$ sudo service docker restart
Laddy answered 25/6, 2016 at 12:22 Comment(1)
Instead of copying the whole unit file (which could possibly be changed by the package author) consider only updating that one line using a /etc/systemd/system/docker.service.d/fixmtu.conf file with the contents: [Service] ExecStart= ExecStart=/usr/bin/dockerd -H fd:// --mtu=1454. Don't forget to systemctl daemon-reload and restart docker – Roentgenograph
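
A check for the mismatch this answer describes, as an added example that is not part of the original answer: it reads the host uplink MTU and the Docker-side interface MTU from sysfs and reports when the Docker side is larger. The interface names (eth0, docker0), the script name and the SYSFS_NET override are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): detect the MTU mismatch
# described above by comparing the host uplink with the Docker-side interface.
# SYSFS_NET can be overridden to run the check against constructed data.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the MTU of interface $1; fail if the interface is not present.
iface_mtu() {
    [ -r "$SYSFS_NET/$1/mtu" ] || return 1
    cat "$SYSFS_NET/$1/mtu"
}

# Largest TCP payload that fits in an IPv4 packet of MTU $1
# (20-byte IP header + 20-byte TCP header, no options).
tcp_mss() {
    echo $(( $1 - 40 ))
}

# compare_mtu UPLINK DOCKER_IF
# Returns 0 if DOCKER_IF fits inside UPLINK, 1 on mismatch, 2 if an
# interface is missing.
compare_mtu() {
    up=$(iface_mtu "$1") || { echo "no such interface: $1"; return 2; }
    dk=$(iface_mtu "$2") || { echo "no such interface: $2"; return 2; }
    if [ "$dk" -gt "$up" ]; then
        echo "MISMATCH: $2 mtu=$dk (MSS $(tcp_mss "$dk")) > $1 mtu=$up (MSS $(tcp_mss "$up"))"
        echo "full-size TCP segments will not fit the uplink; set --mtu=$up"
        return 1
    fi
    echo "OK: $2 mtu=$dk fits $1 mtu=$up"
}

# Usage: sh check-mtu.sh eth0 docker0   (interface names are assumptions)
if [ "$#" -eq 2 ]; then
    compare_mtu "$1" "$2"
fi
```

A mismatch result matches the symptom in the question: the small Client hello gets out, while larger packets do not fit the lower-MTU network.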
