You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have a strange behaviour when running containers on company-managed laptops.
It's most probably not a problem on container's side, but on the company side but nobody understands why.
When we start a container on a company managed laptop, we can't connect from the container to the outside world.
DNS resolution works, but attempting to connect to anything else fails (no apt-get, no git clone etc...)
Containers started on the same machine with finch or docker work however.
Containers started with Apple's container on our personal laptops work too.
It's something that our company's client engineering org blocks on laptops but we don't understand what because 1/ finch and docker works, and 2/ disabling the firewall (pfctl -d) doesn't solve the problem.
Example
➜ ~ container run --rm alpine:latest /bin/sh -c "nslookup www.amazon.fr"
Server: 192.168.65.1
Address: 192.168.65.1:53
Non-authoritative answer:
www.amazon.fr canonical name = tp.f0c2e5164-frontier.amazon.fr
tp.f0c2e5164-frontier.amazon.fr canonical name = d20wn17thngkfa.cloudfront.net
Name: d20wn17thngkfa.cloudfront.net
Address: 143.204.189.5
Non-authoritative answer:
www.amazon.fr canonical name = tp.f0c2e5164-frontier.amazon.fr
tp.f0c2e5164-frontier.amazon.fr canonical name = d20wn17thngkfa.cloudfront.net
Name: d20wn17thngkfa.cloudfront.net
Address: 2600:9000:203b:7c00:6:f4ed:9995:9901
➜ ~ container run --rm alpine:latest /bin/sh -c "wget www.amazon.fr"
Connecting to www.amazon.fr (104.116.97.226:80)
^C
➜ ~ sudo pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
➜ ~ container run --rm alpine:latest /bin/sh -c "wget www.amazon.fr"
Connecting to www.amazon.fr (104.116.97.226:80)
^C
But this works
➜ ~ finch run --rm alpine:latest /bin/sh -c "wget www.amazon.fr"
Connecting to www.amazon.fr (104.116.97.226:80)
Connecting to www.amazon.fr (143.204.189.5:443)
saving to 'index.html'
index.html 100% |********************************| 117k 0:00:00 ETA
'index.html' saved
Tested on macOS 26.0.1 and container CLI 0.6.0
Do you have any idea how to debug this? What can we do to help our client engineering team to understand what's going on?
Another way to ask the question: because network connectivity works from finch and docker: what Apple container is doing differently that could cause this ?
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
We have a strange behaviour when running containers on company-managed laptops.
It's most probably not a problem on container's side, but on the company side but nobody understands why.
When we start a container on a company managed laptop, we can't connect from the container to the outside world.
DNS resolution works, but attempting to connect to anything else fails (no
apt-get, nogit cloneetc...)Containers started on the same machine with
finchordockerwork however.Containers started with Apple's container on our personal laptops work too.
It's something that our company's client engineering org blocks on laptops but we don't understand what because 1/
finchanddockerworks, and 2/ disabling the firewall (pfctl -d) doesn't solve the problem.Example
But this works
Tested on macOS 26.0.1 and container CLI 0.6.0
Do you have any idea how to debug this? What can we do to help our client engineering team to understand what's going on?
Another way to ask the question: because network connectivity works from
finchanddocker: what Apple container is doing differently that could cause this ?Beta Was this translation helpful? Give feedback.
All reactions