Docker container cannot access the internet, it can only ping

After several hours of searching and trying out solutions, I am out of ideas.

This is what happens when I start a Docker container on a CentOS 7 machine:

  • It cannot communicate over TCP (for example, running apt update). ping works fine.
  • Switching the networking mode to --net=host solves the problem, but I want to use the default bridge.
  • I added net.ipv4.ip_forward=1 to /etc/sysctl.conf.
  • The container is registered in the bridge network, as seen via docker network inspect bridge.
  • DNS is configured correctly; ping works with host names as well as with addresses.

More information

Running apt update shows messages like:

    Ign http://security.debian.org jessie/updates InRelease
    Err http://security.debian.org jessie/updates Release.gpg
      Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]

iptables configuration:

    $ iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere
               tcp  --  anywhere             anywhere             tcp dpt:http /* HTTP-IN */
               tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN /* HTTP-SYN */
               tcp  --  anywhere             anywhere             tcp dpt:https /* HTTPS-IN */
               tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN /* HTTPS-SYN */
    ACCEPT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set avast_internal src
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp match-set avast_internal src
    ACCEPT     tcp  --  anywhere             anywhere             tcp match-set avast_internal src

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DOCKER-ISOLATION  all  --  anywhere      anywhere
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
               tcp  --  anywhere             anywhere             tcp spt:http /* HTTP-OUT */
               tcp  --  anywhere             anywhere             tcp spt:https /* HTTPS-OUT */

    Chain DOCKER (2 references)
    target     prot opt source               destination

    Chain DOCKER-ISOLATION (1 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

What could be the cause of this?


Edit:

After opening up the firewall with these commands, I was able to connect to the internet from the Docker container:

    sudo iptables -P INPUT ACCEPT
    sudo iptables -P FORWARD ACCEPT
    sudo iptables -P OUTPUT ACCEPT
    sudo iptables -t nat -F
    sudo iptables -t mangle -F
    sudo iptables -F
    sudo iptables -X

However, after re-applying the rules to find out what was causing the problem, I could not get back to a working state, even after flushing all iptables rules and restarting the docker daemon.


Edit 2:

It turned out that there were also some rules in the raw table that I had not seen before. The following rule was blocking the Docker containers from the internet:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    CT         tcp  --  anywhere             anywhere             NOTRACK

Removing this rule solved the problem.
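The mechanism behind the "Edit 2" finding above is worth spelling out: a NOTRACK rule in the raw table tells conntrack to ignore the matching packets, and untracked packets never traverse the nat table, so the MASQUERADE rule Docker installs for the bridge subnet can never rewrite them. Because the rule in the question matched only tcp, ICMP was still tracked and NATed, which is exactly why ping kept working while every TCP connection failed. The script below is an added example, not part of the question or of Docker; it reads iptables-save output on stdin and flags the conditions that produce that symptom (raw-table NOTRACK, a missing MASQUERADE rule, a FORWARD policy of DROP without the docker0 ACCEPT rules). The ruleset it runs against is constructed to resemble the host in the question; interface name docker0 and subnet 172.17.0.0/16 are Docker's defaults and are assumed here.

```shell
#!/bin/sh
# docker_nat_check: read iptables-save output on stdin and report the
# conditions that leave a bridge-network container able to ping but
# unable to open TCP connections. Exit status 1 if anything is flagged.
# Usage on a real host:  iptables-save | docker_nat_check
docker_nat_check() {
    awk '
        # iptables-save prefixes each table with "*<name>"
        /^\*/ { table = substr($0, 2); next }

        # A NOTRACK rule in the raw table makes conntrack skip the matching
        # packets; untracked packets never traverse the nat table, so the
        # MASQUERADE rule Docker adds can never rewrite them. With "-p tcp"
        # only TCP is affected, which is why ICMP (ping) still works.
        table == "raw" && ($0 ~ /-j CT --notrack/ || $0 ~ /-j NOTRACK/) {
            bad++
            print "PROBLEM raw: " $0 " (conntrack bypassed, Docker NAT cannot apply)"
        }

        # Docker installs this rule for the default bridge subnet
        table == "nat" && /^-A POSTROUTING/ && /-j MASQUERADE/ { masq++ }

        # A FORWARD policy of DROP is fine only if the docker0 ACCEPT rules exist
        table == "filter" && /^:FORWARD DROP/ { fwd_drop = 1 }
        table == "filter" && /^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT/ { fwd_out = 1 }
        table == "filter" && /^-A FORWARD -o docker0 .*RELATED,ESTABLISHED -j ACCEPT/ { fwd_back = 1 }

        END {
            if (!masq) { bad++; print "PROBLEM nat: no MASQUERADE rule in POSTROUTING" }
            if (fwd_drop && !(fwd_out && fwd_back)) {
                bad++; print "PROBLEM filter: FORWARD policy DROP and docker0 ACCEPT rules missing"
            }
            if (bad) exit 1
            print "ok: no blocking condition found"
        }
    '
}

# Constructed sample modelled on the host in the question: a raw-table
# NOTRACK rule for TCP next to an otherwise normal Docker ruleset.
BROKEN_RULESET='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -j CT --notrack
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT'

printf '%s\n' "$BROKEN_RULESET" | docker_nat_check || echo "exit status $?: fix the flagged rule and re-run"
```

On the constructed ruleset the check prints the NOTRACK line as the problem; piping the same ruleset through grep -v -- '--notrack' makes it report "ok". Run it with iptables-save rather than iptables -L, because iptables -L shows only the filter table by default and hides interface matches, which is how the raw-table rule in the question went unnoticed for so long. Remember to also confirm net.ipv4.ip_forward is 1, which this script cannot see from the ruleset alone.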

As you said:

    Ign http://security.debian.org jessie/updates InRelease
    Err http://security.debian.org jessie/updates Release.gpg
      Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]

This kind of problem occurs when DNS is not configured for the Docker container [a similar problem in my environment].

The following procedure will help resolve DNS problems when working with Docker containers.

The first step is to check the container's external connectivity:

    # docker run busybox ping -c 2 192.203.230.10
    PING 192.203.230.10 (192.203.230.10): 56 data bytes
    64 bytes from 192.203.230.10: seq=0 ttl=56 time=66.724 ms
    64 bytes from 192.203.230.10: seq=1 ttl=56 time=54.786 ms

When you try to ping google.com from the container, it is unreachable because of the DNS problem.

    # docker run busybox nslookup google.com
    Server:    8.8.8.8
    Address 1: 8.8.8.8

    nslookup: can't resolve 'google.com'

Find out which DNS servers your machine uses:

    # nm-tool |grep DNS
        DNS:             172.24.100.50
        DNS:             10.1.100.50

Run it again with the DNS IP from the step above to get around the DNS problem:

    # docker run --dns 172.24.100.50 busybox nslookup google.com
    Server:    172.24.100.50
    Address 1: 172.24.100.50 indc01.radisys.com

    Name:      google.com
    Address 1: 2607:f8b0:4009:80c::200e ord36s01-in-x0e.1e100.net
    Address 2: 172.217.4.110 ord36s04-in-f14.1e100.net

To fix this permanently, add the following to a new file:

    # cat /etc/docker/daemon.json
    {
        "dns" : ["172.24.100.50", "8.8.8.8"]
    }

More information on Docker DNS configuration: https://docs.docker.com/engine/userguide/networking/configure-dns/

Restart the Docker service and check the connectivity again:

    # docker run busybox nslookup google.com
    Server:    172.24.100.50
    Address 1: 172.24.100.50 indc01.radisys.com

    Name:      google.com
    Address 1: 2607:f8b0:4009:801::200e ord30s31-in-x0e.1e100.net
    Address 2: 172.217.4.238 ord30s31-in-f14.1e100.net

Check it by running another container:

    # docker run -it e02e811dd08f
    / # ping google.com
    PING google.com (172.217.4.238): 56 data bytes
    64 bytes from 172.217.4.238: seq=0 ttl=47 time=251.506 ms
    64 bytes from 172.217.4.238: seq=1 ttl=47 time=245.621 ms
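The answer above hand-copies the host's resolvers into /etc/docker/daemon.json. A caveat a practitioner hits when doing that: on hosts running a local stub resolver (systemd-resolved on 127.0.0.53, dnsmasq on 127.0.0.1) the host's resolv.conf points at a loopback address that does not exist inside the container's network namespace. Docker silently drops such entries and falls back to 8.8.8.8 and 8.8.4.4, which may be blocked on a corporate network, so it is better to make the choice explicit. The script below is an added example, not part of the answer or of Docker; it turns a resolv.conf into the "dns" entry for daemon.json, skipping loopback resolvers, de-duplicating, and appending any fallbacks given as arguments. The resolv.conf it runs against is constructed and reuses the two server addresses from the answer.

```shell
#!/bin/sh
# docker_dns_json: read a resolv.conf on stdin and print a daemon.json
# "dns" entry listing only nameservers a container can actually reach.
# Loopback resolvers (127.x, ::1) are skipped because they live in the
# host network namespace, not the container's. Extra arguments are
# appended as fallbacks. Exit status 1 if no usable server remains.
# Usage on a real host:  docker_dns_json 8.8.8.8 < /etc/resolv.conf
docker_dns_json() {
    awk -v extra="$*" '
        # keep each non-loopback nameserver once, in resolv.conf order
        $1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" && !seen[$2]++ { ns[n++] = $2 }
        END {
            # fallbacks passed on the command line, also de-duplicated
            m = split(extra, add, " ")
            for (i = 1; i <= m; i++) if (add[i] != "" && !seen[add[i]]++) ns[n++] = add[i]
            if (n == 0) {
                print "no usable nameserver: every resolver in the input is loopback" > "/dev/stderr"
                exit 1
            }
            printf "{\n  \"dns\": ["
            for (i = 0; i < n; i++) {
                sep = (i ? ", " : "")
                printf "%s\"%s\"", sep, ns[i]
            }
            printf "]\n}\n"
        }
    '
}

# Constructed sample: a host whose resolv.conf lists a local stub
# resolver first and then the two servers from the answer above.
SAMPLE_RESOLV='# constructed example, not a real host file
search example.internal
nameserver 127.0.0.53
nameserver 172.24.100.50
nameserver 10.1.100.50'

printf '%s\n' "$SAMPLE_RESOLV" | docker_dns_json 8.8.8.8
```

The sample prints a daemon.json body listing 172.24.100.50, 10.1.100.50 and 8.8.8.8, in that order; feeding it only loopback entries fails with a message instead of emitting an empty list that would make Docker fall back to public DNS again. The "dns" setting applies to containers on the default bridge; on user-defined networks Docker's embedded DNS server forwards external queries to these same servers, so the file is worth getting right either way.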