HTTPS request fails in Docker >= 1.10 with virtualized network

I am experiencing a problem where HTTPS connections cannot be established from inside a Docker container with version 1.10.3 or 1.11.2.

I tried apt-get, curl and wget, and all of them fail as soon as an HTTPS connection should be established.

E.g., the following command fails:

$ docker run -it ubuntu-curl curl -v https://www.google.com
[...]
* gnutls_handshake() failed: Error in the pull function.
* Closing connection 0

The Docker image ubuntu-curl is based on ubuntu:latest, the only change was apt-get update ; apt-get install curl.

If I use HTTP instead of HTTPS, it works. If I issue the same command from the host, it works. If I start the container without network virtualization (docker run --net="host"), it works. If I downgrade Docker (I tried 1.6.2 and 1.9.1), it works as well.

Any hints as to what could be wrong? I tried with two hosts, Ubuntu 14 LTS and CoreOS stable, without relevant customization; both run inside an OpenStack cluster.

iptables of the host (although I would not understand why iptables should only block HTTPS traffic):

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:12345

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I was given a solution by the Docker community:

The OpenStack network seems to use lower MTU values, and since 1.10 Docker does not infer the MTU setting from the host's network card.

To run the Docker daemon with custom MTU settings, you can follow this blog post, which says:

$ cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service

Edit a line in the new file to look like this:

ExecStart=/usr/bin/docker daemon -H fd:// --mtu=1454

An MTU of 1454 is the value that seems to be common with OpenStack. You can look it up on your host using ifconfig.

Finally restart Docker:

$ sudo systemctl daemon-reload
$ sudo service docker restart
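Putting the steps of that answer together, as an added example that is not part of the original post or of Docker's own tooling: a POSIX shell script that reads the MTU of the host's default-route interface, validates it, and renders the two artefacts that apply it to the daemon. Instead of copying the whole unit file it writes a systemd drop-in under /etc/systemd/system/docker.service.d/ (an assumed but standard override location; the empty ExecStart= line is required so systemd replaces rather than appends the command), and it also renders the equivalent /etc/docker/daemon.json, where "mtu" is a documented key. The reason only HTTPS breaks is worth keeping in mind while testing: the TLS handshake carries the server's certificate chain in full-size segments that exceed the smaller path MTU, and with PMTUD not working across the virtual bridge those segments are dropped while the small HTTP test response fits; probe_path_mtu checks exactly that with do-not-fragment pings (payload = MTU minus 28 bytes of IP and ICMP headers). The `docker daemon` invocation matches the Docker 1.10/1.11 versions on this page; newer releases use `dockerd` instead. Only apply_mtu_config touches the live system, and only when run as root.

```shell
#!/bin/sh
# Added example (not from the original post). Derive the MTU Docker should
# use from the host's default-route interface and render the config that
# applies it. Paths /etc/systemd/system/docker.service.d/mtu.conf and
# /etc/docker/daemon.json are assumed defaults, not taken from the page.

# Parse the interface name out of `ip route show default` output read from
# stdin, so the parser can be exercised on constructed text without `ip`.
default_iface_from_route() {
    # "default via 10.0.0.1 dev eth0 proto dhcp metric 100" -> eth0
    awk '/^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Read an interface's MTU from sysfs; fall back to the OpenStack value named
# in the answer (1454) when the interface cannot be inspected.
iface_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        echo 1454
    fi
}

# Sanity-check a candidate MTU: an integer between the IPv4 minimum
# reassembly size (576) and a jumbo frame (9000).
valid_mtu() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 576 ] && [ "$1" -le 9000 ]
}

# Render the systemd drop-in. The first, empty ExecStart= clears the
# distribution's command line; otherwise systemd would see two ExecStart
# lines and refuse to start the service.
render_systemd_dropin() {
    printf '[Service]\nExecStart=\nExecStart=/usr/bin/docker daemon -H fd:// --mtu=%s\n' "$1"
}

# Render the equivalent daemon.json fragment.
render_daemon_json() {
    printf '{\n  "mtu": %s\n}\n' "$1"
}

# Verify the chosen MTU end to end with don't-fragment pings from the host
# (iputils syntax): if the probe at mtu-28 succeeds but mtu-27 fails, the
# path MTU is exactly $1. Needs network access; not run by the test.
probe_path_mtu() {
    mtu=$1; host=${2:-www.google.com}
    ping -c 3 -M do -s $((mtu - 28)) "$host"
}

# Write the drop-in and restart Docker (root only; mirrors the answer's steps).
apply_mtu_config() {
    valid_mtu "$1" || { echo "refusing bogus MTU '$1'" >&2; return 1; }
    mkdir -p /etc/systemd/system/docker.service.d
    render_systemd_dropin "$1" > /etc/systemd/system/docker.service.d/mtu.conf
    systemctl daemon-reload && systemctl restart docker
}

main() {
    iface=
    if command -v ip >/dev/null 2>&1; then
        iface=$(ip route show default 2>/dev/null | default_iface_from_route)
    fi
    mtu=$(iface_mtu "${iface:-eth0}")
    echo "default interface: ${iface:-unknown}, MTU to hand to Docker: $mtu"
    render_systemd_dropin "$mtu"
    render_daemon_json "$mtu"
}

main
```

Run it as an ordinary user to see what it would write, then `apply_mtu_config 1454` (or whatever it printed) as root and re-run the curl test from the question; containers created before the restart keep their old interface MTU and must be recreated.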