Docker container is visible on the local host but not from other hosts, with a custom bridge0

Fresh Docker 1.7.0 install on RHEL 7.1

So, I installed the latest Docker 1.7.0 and I can't get this new server to serve the outside world.

    [root@pppdc9prd8ok eea.docker.jenkins]# uname -a
    Linux pppdc9prd8ok 3.10.0-229.4.2.el7.x86_64 #1 SMP Fri Apr 24 15:26:38 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
    [root@pppdc9prd8ok eea.docker.jenkins]# docker --version
    Docker version 1.7.0, build 0baf609
    [root@pppdc9prd8ok eea.docker.jenkins]# docker info
    Containers: 10
    Images: 110
    Storage Driver: devicemapper
     Pool Name: docker-253:0-4374531-pool
     Pool Blocksize: 65.54 kB
     Backing Filesystem: extfs
     Data file: /dev/loop0
     Metadata file: /dev/loop1
     Data Space Used: 4.398 GB
     Data Space Total: 107.4 GB
     Data Space Available: 99.18 GB
     Metadata Space Used: 7.029 MB
     Metadata Space Total: 2.147 GB
     Metadata Space Available: 2.14 GB
     Udev Sync Supported: true
     Deferred Removal Enabled: false
     Data loop file: /app_local/var-lib-docker/devicemapper/devicemapper/data
     Metadata loop file: /app_local/var-lib-docker/devicemapper/devicemapper/metadata
     Library Version: 1.02.93-RHEL7 (2015-01-28)
    Execution Driver: native-0.2
    Logging Driver: json-file
    Kernel Version: 3.10.0-229.4.2.el7.x86_64
    Operating System: Red Hat Enterprise Linux
    CPUs: 4
    Total Memory: 15.52 GiB
    Name: pppdc9prd8ok
    ID: 3M2F:QYY7:Z5DI:YTVI:RAV4:SHPM:C3RC:CWIY:FHFA:ZYAS:SNHG:CMTY

Setting up Docker with bridge0 instead of docker0

I followed the Advanced networking topic of the Docker documentation to change my default docker bridge from docker0 to bridge0, because of a conflict with our internal network.

I started a docker container running on port 80 using docker-compose.yml, as shown below:

    [root@pppdc9prd8ok eea.docker.jenkins]# docker ps
    CONTAINER ID  IMAGE                 COMMAND                CREATED         STATUS         PORTS                                           NAMES
    a9f5637552ba  eeacms/jenkins:master "/usr/local/bin/jenk   4 seconds ago   Up 4 seconds   0.0.0.0:50000->50000/tcp, 0.0.0.0:80->8080/tcp  eeadockerjenkins_master_1
    c6fcac33b044  yorkshirekev/postfix  "/bin/bash -c '/star   7 seconds ago   Up 6 seconds                                                   eeadockerjenkins_postfix_1
    199ad3d48dfe  eeacms/jenkins:slave  "/bin/sh -c /bin/jen   5 minutes ago   Up 47 seconds                                                  eeadockerjenkins_worker_1
    3a8057253b7d  eeacms/jenkins:slave  "/bin/sh -c /bin/jen   5 minutes ago   Up 47 seconds                                                  eeadockerjenkins_worker_2
    fced8be92258  eeacms/jenkins:slave  "/bin/sh -c /bin/jen   5 minutes ago   Up 46 seconds                                                  eeadockerjenkins_worker_3
    7cb4cfabd3c2  mongo                 "/entrypoint.sh mong   2 weeks ago     Up 20 seconds  0.0.0.0:27017->27017/tcp                        mongodb-dotci

The server on port 80 is not reachable from the Internet

From the "ps" output, the service running on port 80 is perfectly fine, bound on port 80 to all IP addresses, 0.0.0.0. However, when I try to reach the machine from another location, I can't access it.

    Marcello-New2015:~ mdesales$ curl http://docker.corp.intuit.net/
    curl: (7) Failed to connect to docker.corp.intuit.net port 80: Operation timed out

There is a route from inside the local machine

Strange, because I checked that the container is accessible from the inside, and it is working.

    [root@pppdc9prd8ok eea.docker.jenkins]# curl localhost | grep html
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 26791  100 26791    0     0   110k      0 --:--:-- --:--:-- --:--:--  110k
    <!DOCTYPE html><html><head resURL="/static/9ebca566">

Netstat also shows it bound to ipv6.

I guess RHEL 7.1 has ipv6 configured out of the box, because I didn't set it up during installation. Anyway, this is what it shows me... I dug around, and :::* for ipv6 is the same as 0.0.0.0 for ipv4.

    [root@pppdc9prd8ok eea.docker.jenkins]# netstat -tulnp | grep docker
    tcp6       0      0 :::27017                :::*                    LISTEN      18271/docker-proxy
    tcp6       0      0 :::80                   :::*                    LISTEN      18498/docker-proxy
    tcp6       0      0 :::50000                :::*                    LISTEN      18490/docker-proxy

iptables shows the rules that forward the calls to the interface.

All interfaces show up correctly in ifconfig and iptables

    [root@pppdc9prd8ok eea.docker.jenkins]# ifconfig
    bridge0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.5.1  netmask 255.255.252.0  broadcast 192.168.7.255
            ether 1e:dd:74:96:b1:c5  txqueuelen 0  (Ethernet)
            RX packets 10551  bytes 10704512 (10.2 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 9986  bytes 10375991 (9.8 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
            inet 172.17.42.1  netmask 255.255.0.0  broadcast 0.0.0.0
            ether 00:00:00:00:00:00  txqueuelen 0  (Ethernet)
            RX packets 54772  bytes 61032436 (58.2 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 53436  bytes 61653718 (58.7 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.132.52.146  netmask 255.255.252.0  broadcast 10.132.55.255
            ether 00:50:56:01:0e:ba  txqueuelen 1000  (Ethernet)
            RX packets 117543  bytes 12322742 (11.7 MiB)
            RX errors 0  dropped 626  overruns 0  frame 0
            TX packets 21044  bytes 3662343 (3.4 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The iptables rules are:

    [root@pppdc9prd8ok eea.docker.jenkins]# iptables -t nat -nxvL
    Chain PREROUTING (policy ACCEPT 82 packets, 10381 bytes)
        pkts      bytes target     prot opt in     out     source               destination
          23       1412 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

    Chain INPUT (policy ACCEPT 52 packets, 6951 bytes)
        pkts      bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 330 packets, 29005 bytes)
        pkts      bytes target     prot opt in     out     source               destination
           0          0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT 330 packets, 29005 bytes)
        pkts      bytes target     prot opt in     out       source               destination
          21       1548 MASQUERADE all  --  *      !bridge0  192.168.4.0/22       0.0.0.0/0
          15       1028 MASQUERADE all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
           0          0 MASQUERADE tcp  --  *      *         192.168.4.5          192.168.4.5          tcp dpt:27017
           0          0 MASQUERADE tcp  --  *      *         192.168.4.8          192.168.4.8          tcp dpt:50000
           0          0 MASQUERADE tcp  --  *      *         192.168.4.8          192.168.4.8          tcp dpt:8080

    Chain DOCKER (2 references)
        pkts      bytes target     prot opt in       out     source               destination
           0          0 DNAT       tcp  --  !bridge0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:27017 to:192.168.4.5:27017
           0          0 DNAT       tcp  --  !bridge0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:50000 to:192.168.4.8:50000
           8        512 DNAT       tcp  --  !bridge0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.4.8:8080

Don't know where to go from here :( Help...

Short answer: delete the "docker0" bridge when installing "bridge0"!

OK, so after more and more digging, I found that the existence of docker0 was somehow interfering with the networking...

Long answer: step-by-step validation

I first verified that bridge0 was actually being used. And it wasn't!

    [root@pppdc9prd8ok eea.docker.jenkins]# systemctl status docker
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
      Drop-In: /etc/systemd/system/docker.service.d
               └─http-proxy.conf
       Active: active (running) since Fri 2015-07-10 07:23:14 UTC; 30min ago
         Docs: https://docs.docker.com
     Main PID: 18034 (docker)
       CGroup: /system.slice/docker.service
               ├─18034 /usr/bin/docker -d -H fd://
               ├─18271 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27017 -container-ip 192.168.4.5 -container-port 27017
               ├─18490 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 50000 -container-ip 192.168.4.8 -container-port 50000
               └─18498 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 192.168.4.8 -container-port 8080

    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.124143415Z" level=info msg="GET /v1.18/containers/json?all=0&limit=-1&trunc_cmd=0&filters=%7B%22label%22%3A+%5...5D%7D&size=0"
    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.126520912Z" level=info msg="GET /v1.18/containers/c6fcac33b04480970aa3606f86e5ed9571a320b6ff5cdc8ecdf81edfb416720a/json"
    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.128362232Z" level=info msg="GET /v1.18/containers/json?all=1&limit=-1&trunc_cmd=0&filters=%7B%22label%22%3A+%5...5D%7D&size=0"
    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.130940471Z" level=info msg="POST /v1.18/containers/create?name=eeadockerjenkins_master_1"
    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.299140678Z" level=info msg="GET /v1.18/containers/a9f5637552bad2d608f838cdb2a263452f5e98962c45ebe759ed0904211d6962/json"
    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.301413002Z" level=info msg="POST /v1.18/containers/a9f5637552bad2d608f838cdb2a263452f5e98962c45ebe759ed0904211d6962/start"
    Jul 10 07:23:57 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:57.504799799Z" level=info msg="DELETE /v1.18/containers/0665b35b4f1df8e8d098a429ae4a057a91c36cc341d33f710b00cc3c4...alse&v=False"
    Jul 10 07:23:58 pppdc9prd8ok docker[18034]: time="2015-07-10T07:23:58.657884948Z" level=info msg="GET /v1.18/containers/json?all=0&limit=-1&trunc_cmd=0&filters=%7B%22label%22%3A+%5...5D%7D&size=0"
    Jul 10 07:24:01 pppdc9prd8ok docker[18034]: time="2015-07-10T07:24:01.793020916Z" level=info msg="GET /v1.19/containers/json"
    Jul 10 07:43:25 pppdc9prd8ok docker[18034]: time="2015-07-10T07:43:25.850272360Z" level=info msg="GET /v1.19/info"
    Hint: Some lines were ellipsized, use -l to show in full.

It turned out that the Docker service installed on RHEL 7.1 was not pointing at the environment variables.

    [root@pppdc9prd8ok eea.docker.jenkins]# cat /etc/sysconfig/docker
    # /etc/sysconfig/docker
    #
    # Other arguments to pass to the docker daemon process
    # These will be parsed by the sysv initscript and appended
    # to the arguments list passed to docker -d
    other_args="-b=bridge0"

I had to add the line EnvironmentFile=-/etc/sysconfig/docker to the following file, and add the environment variable to the "docker -d" command:

    [root@pppdc9prd8ok eea.docker.jenkins]# cat /usr/lib/systemd/system/docker.service
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network.target docker.socket
    Requires=docker.socket

    [Service]
    EnvironmentFile=-/etc/sysconfig/docker
    ExecStart=/usr/bin/docker -d $other_args -H fd://
    MountFlags=slave
    LimitNOFILE=1048576
    LimitNPROC=1048576
    LimitCORE=infinity

    [Install]
    WantedBy=multi-user.target

Restarting the docker service now shows the docker0 parameter on the system.

    [root@pppdc9prd8ok eea.docker.jenkins]# systemctl status docker
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
      Drop-In: /etc/systemd/system/docker.service.d
               └─http-proxy.conf
       Active: active (running) since Fri 2015-07-10 07:23:14 UTC; 30min ago
         Docs: https://docs.docker.com
     Main PID: 18034 (docker)
       CGroup: /system.slice/docker.service
               ├─18034 /usr/bin/docker -d -b=bridge0 -H fd://
               ├─18271 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27017 -container-ip 192.168.4.5 -container-port 27017
               ├─18490 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 50000 -container-ip 192.168.4.8 -container-port 50000
               └─18498 docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 192.168.4.8 -container-port 8080

However, the service still didn't work... The last thing I checked, and what got it working, was deleting the "docker0" bridge. And it worked!

    [root@pppdc9prd8ok eea.docker.jenkins]# ip link set docker0 down
    [root@pppdc9prd8ok eea.docker.jenkins]# brctl delbr docker0
    [root@pppdc9prd8ok eea.docker.jenkins]# ifconfig
    bridge0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.5.1  netmask 255.255.252.0  broadcast 192.168.7.255
            ether 16:1b:b8:42:5c:9e  txqueuelen 0  (Ethernet)
            RX packets 6550  bytes 6542448 (6.2 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 6133  bytes 6585941 (6.2 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 10.132.52.146  netmask 255.255.252.0  broadcast 10.132.55.255
            ether 00:50:56:01:0e:ba  txqueuelen 1000  (Ethernet)
            RX packets 114644  bytes 11944039 (11.3 MiB)
            RX errors 0  dropped 626  overruns 0  frame 0
            TX packets 19671  bytes 2808015 (2.6 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Testing it from another host now works fine!

    Marcello-New2015:~ mdesales$ curl http://docker.corp.intuit.net/
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 26804  100 26804    0     0  60458      0 --:--:-- --:--:-- --:--:-- 60505
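An added audit script (my own, not code from the post) that checks the three things the answer had to discover by hand on a host like this one: that docker.service loads /etc/sysconfig/docker and passes $other_args, that the running daemon's -b matches other_args, and that no bridge other than the configured one is left on the host. The function names and the sample inputs in the comments are assumptions; the helpers read stdin or file paths so they can be run against live output or saved copies.

```shell
#!/bin/sh
# Audit helpers for a Docker host switched from docker0 to a custom bridge.
# Added example, not from the post; function names are my own.

# 0 if the unit both loads /etc/sysconfig/docker and passes $other_args to
# the daemon; the stock RHEL 7.1 unit in the answer had neither.
unit_uses_sysconfig() {   # $1 = path to docker.service
    grep -Eq '^EnvironmentFile=-?/etc/sysconfig/docker' "$1" &&
    grep -Eq '^ExecStart=.*\$other_args' "$1"
}

# Print the bridge from a daemon command line on stdin, e.g.
# "/usr/bin/docker -d -b=bridge0 -H fd://" -> bridge0; nothing if no -b/--bridge.
daemon_bridge() {
    sed -E -n 's/.*[[:space:]](-b|--bridge)[= ]([^[:space:]]+).*/\2/p' | head -n 1
}

# 0 if the daemon (command line on stdin) runs with the bridge named by the
# -b=NAME in the other_args line of sysconfig file $1. Catches the "restarted
# but still on the old arguments" state seen in the first systemctl status.
daemon_matches_sysconfig() {
    want=$(sed -E -n 's/^other_args=.*-b=([^" ]+).*/\1/p' "$1")
    got=$(daemon_bridge)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# From `ip -o link show type bridge` output on stdin, print every bridge
# other than $1; a leftover docker0 is exactly what the answer had to delete.
stale_bridges() {   # $1 = the bridge docker should use
    awk -v keep="$1" '{ n = $2; sub(/:$/, "", n); if (n != keep) print n }'
}

# Live audit of the current host (paths as on the RHEL 7.1 box in the post).
audit_host() {
    unit=/usr/lib/systemd/system/docker.service
    cfg=/etc/sysconfig/docker
    unit_uses_sysconfig "$unit" || echo "FAIL: $unit does not load $cfg / \$other_args"
    ps -o args= -C docker | head -n 1 | daemon_matches_sysconfig "$cfg" \
        || echo "FAIL: running daemon bridge differs from other_args in $cfg"
    want=$(sed -E -n 's/^other_args=.*-b=([^" ]+).*/\1/p' "$cfg")
    extra=$(ip -o link show type bridge | stale_bridges "$want")
    [ -z "$extra" ] || echo "WARN: extra bridge(s) still present: $extra"
}
```

Run `audit_host` as root after `systemctl restart docker`; a clean host prints nothing.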