The server’s network itself works normally,
but only inside Docker containers, ping, curl, and all external communication fail.

In this case, the problem is not the server network,
but the Docker network stack.

---

Symptoms

See: Host Works Fine

ping 8.8.8.8
curl https://google.com

Normal response.

No DNS or routing issues.

But: Containers Fail

docker exec -it <container> ping 8.8.8.8
docker exec -it <container> curl https://google.com

• Network is unreachable
• Temporary failure in name resolution
• No response

👉 Host OK / Container FAIL

---

Root Cause Summary (Most Cases End Here)

In most cases, the cause is one of the following:

• Docker bridge network state is broken
• iptables / nftables rule mismatch
• Docker DNS configuration is corrupted
• Kernel network state and Docker network state are out of sync

In short, only the Docker network layer is broken.

---

The Most Reliable Fix

systemctl restart docker

• Reinitializes the Docker network stack
• Resets bridge / iptables / DNS

👉 In most cases, this resolves the issue immediately.

---

But…

If restarting Docker is not possible:

• Production traffic is live
• Dozens of containers would be affected
• Restarting Docker itself is an outage

In that case, only the fallback options below are worth trying.

---

Option 1: Reattach Network for the Affected Container Only

Check the current network:

docker inspect <container> | grep -i network

Reconnect the network:

docker network disconnect bridge <container>
docker network connect bridge <container>

• Container stays running
• Only the network interface is recreated

👉 Effective when the issue is DNS or routing-related.

---

Option 2: Force DNS Bypass Inside Docker

Docker’s internal DNS is often the real problem.

Temporary check:

docker exec -it <container> cat /etc/resolv.conf

If the nameserver looks wrong or doesn’t respond:

Specify DNS explicitly when starting the container:

docker run --dns 8.8.8.8 --dns 1.1.1.1 ...

Or in docker-compose.yml:

dns:
  - 8.8.8.8
  - 1.1.1.1

👉 Extremely effective when only DNS is broken.

---

Option 3: Check iptables / FORWARD Policy

Docker depends on the kernel’s FORWARD chain.

iptables -L FORWARD

This is a problem state:

Chain FORWARD (policy DROP)

Temporary workaround:

iptables -P FORWARD ACCEPT

⚠️ Affects security policy
Use only for temporary verification.

---

Option 4: Check docker0 Interface State

ip addr show docker0
ip route

• docker0 is DOWN
• Docker subnet is missing from routing table

→ Docker network itself is collapsed
→ At this point, restart is the only solution

---

When You Should Stop and Restart Docker

If any of the following apply, restarting Docker is the only real fix:

• docker0 interface is DOWN
• Multiple containers fail networking at the same time
• iptables rules keep breaking repeatedly
• DNS failures occur repeatedly with no clear cause

👉 Trying to endure this state is riskier than restarting.

---

Key Takeaways

• If the host network works, it’s not a server issue
• If only containers can’t communicate, it’s a Docker network issue
• The most reliable fix is restarting Docker

Only when restart is not possible:

• Reconnect the container network
• Bypass DNS
• Check FORWARD policy

Following this order avoids unnecessary server reboots
and pointless application-level debugging.

🛠 마지막 수정일: 2025.12.24