Docker container unable to clone from github.com
I forgot that I asked this question here, but for those of you who also encounter this issue:
The solution was discovered by @aaronlehmann on GitHub Issue #1090. This issue was (possibly still is) affecting AWS instances, but also appears to affect some residential connections as well.
There are two possible fixes:
- Turn on conntrack's "be liberal" flag:
  `echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal`
  This causes conntrack/NAT to treat packets outside the TCP window as part of the flow being tracked, instead of marking them invalid and causing them to be handled by the host.
- Add a rule to drop invalid packets instead of allowing them to trigger RSTs:
  `iptables -I INPUT -m conntrack --ctstate INVALID -j DROP`
For me, the `ip_conntrack_tcp_be_liberal` setting would never hold after a reboot. This required manually running the above command each time I wanted to use Docker, so the best solution for me was saving `iptables -I INPUT -m conntrack --ctstate INVALID -j DROP` into my iptables rules.
All problems then disappeared!
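As an added example (not part of the answer above), the following script checks whether the two workarounds are in place and prints a reboot-safe form of each. The rule listing is a constructed sample standing in for live `iptables-save` output so it runs without root; the sysctl.d file name and the modern `net.netfilter.nf_conntrack_tcp_be_liberal` key are assumptions, the legacy path is the one from the answer.

```shell
#!/bin/sh
# Added example, not from the original answer: check the two conntrack
# workarounds and print commands that make them persistent.

# Constructed sample of `iptables-save` output; on a real host use "$(iptables-save)".
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j DOCKER-USER
COMMIT'

# has_invalid_drop RULES: succeeds if INPUT already drops conntrack-INVALID packets.
has_invalid_drop() {
    printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*--ctstate INVALID .*-j DROP'
}

# liberal_flag_value: prints the current be_liberal value, trying the modern
# nf_conntrack path first and the legacy ip_conntrack path from the answer second.
liberal_flag_value() {
    for f in /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo unknown
}

# persistent_fix: prints the commands that survive a reboot. The sysctl.d file
# name is an assumption; `iptables -C` makes the insert idempotent.
persistent_fix() {
    cat <<'EOF'
printf 'net.netfilter.nf_conntrack_tcp_be_liberal = 1\n' > /etc/sysctl.d/90-conntrack-liberal.conf
sysctl --system
iptables -C INPUT -m conntrack --ctstate INVALID -j DROP 2>/dev/null || iptables -I INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

if has_invalid_drop "$SAMPLE_RULES"; then
    echo "INVALID-drop rule present"
else
    echo "INVALID-drop rule missing"
fi
echo "tcp_be_liberal = $(liberal_flag_value)"
persistent_fix
```

On a host where `iptables -C` is unavailable, `iptables -S INPUT` piped into `has_invalid_drop` gives the same existence check.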