Iptables

Docker services unreachable after CentOS 7 upgrade

  • February 10, 2017

After a fairly large upgrade of my CentOS 7 system yesterday, my Docker services are no longer reachable.

From localhost

curl localhost => curl: (56) Recv failure: Connection reset by peer

The (haproxy) service was working fine before, so I don't think the container is the problem. docker ps shows it is bound: 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp.

From a remote host

firewalld seems to be blocking the connection:

firewalld enabled:  curl: (7) Failed to connect to my.example.com port 80: No route to host
firewalld disabled: curl: (56) Recv failure: Connection reset by peer

Details

$ docker info

Containers: 11
Running: 8
Paused: 0
Stopped: 3
Images: 37
Server Version: 1.13.1
Storage Driver: devicemapper
Pool Name: docker-252:1-270354-pool
Pool Blocksize: 65.54 kB
Base Device Size: 10.74 GB
Backing Filesystem: xfs
Data file: /dev/vg-root/docker-data
Metadata file: /dev/vg-root/docker-meta
Data Space Used: 20.71 GB
Data Space Total: 96.64 GB
Data Space Available: 75.93 GB
Metadata Space Used: 33.51 MB
Metadata Space Total: 4.295 GB
Metadata Space Available: 4.261 GB
Thin Pool Minimum Free Space: 9.664 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1
runc version: 9df8b306d01f59d3a8029be411de015b7304dd8f
init version: 949e6fa
Security Options:
seccomp
 Profile: default
selinux
Kernel Version: 3.10.0-327.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 11.58 GiB
Name: my.example.com
ID: TXXX:TXNO:X22W:4SMX:NEEE:DBZE:BYX3:XGAN:4UST:6TMM:3LBG:IICW
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false

# netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::587                  :::*                    LISTEN      0          29958267   23921/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      0          29956605   23743/docker-proxy
tcp6       0      0 :::25                   :::*                    LISTEN      0          15146      2495/master
tcp6       0      0 :::26                   :::*                    LISTEN      0          29956768   23932/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      0          29956581   23725/docker-proxy

# firewall-cmd --permanent --zone=trusted --change-interface=docker0

The interface is under control of NetworkManager, setting zone to 'trusted'.
success

# systemctl status firewalld -l

● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
  Active: active (running) since Fr 2017-02-10 01:54:59 CET; 6h ago
    Docs: man:firewalld(1)
Main PID: 4843 (firewalld)
  Memory: 24.0M
  CGroup: /system.slice/firewalld.service
          └─4843 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 993 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 27389 -j DNAT --to-destination 172.28.0.222:389 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 389 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 389 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 587 -j DNAT --to-destination 172.28.0.222:587 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 587 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 587 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 26 -j DNAT --to-destination 172.28.0.222:25 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 25 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 25 -j MASQUERADE' failed:

# systemctl status docker -l

● docker.service - Docker Application Container Engine
  Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
  Active: active (running) since Fr 2017-02-10 02:37:08 CET; 6h ago
    Docs: https://docs.docker.com
Main PID: 23358 (dockerd)
  Memory: 137.6M
  CGroup: /system.slice/docker.service
          ├─23358 /usr/bin/dockerd
          ├─23365 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libco$tainerd/containerd --shim docker-containerd-shim --runtime docker-runc
          ├─23653 docker-containerd-shim 57eeade86f9eb659887b59812c95666e7ee97d7dc987e066c597c45cf960271e /var/run/docker/libcontainerd/57eeade86f9eb659887b59812c95666e7ee9$d7dc987e066c597c45cf960271e docker-runc
          ├─23725 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.28.0.99 -container-port 443
          ├─23743 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.28.0.99 -container-port 80
          ├─23753 docker-containerd-shim c737be17ff53005fd2933a2b7cc5042175d03588ec7c1b2cd06b6be46147c832 /var/run/docker/libcontainerd/c737be17ff53005fd2933a2b7cc5042175d0$588ec7c1b2cd06b6be46147c832 docker-runc
          ├─23844 docker-containerd-shim e0fa228730474373a80129ce5326854cc4f464da89d334776ddb1e69e8e89403 /var/run/docker/libcontainerd/e0fa228730474373a80129ce5326854cc4f4$4da89d334776ddb1e69e8e89403 docker-runc
          ├─23864 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27007 -container-ip 172.28.0.222 -container-port 4190
          ├─23880 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27005 -container-ip 172.28.0.222 -container-port 993
          ├─23900 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27389 -container-ip 172.28.0.222 -container-port 389
          ├─23921 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 587 -container-ip 172.28.0.222 -container-port 587
          ├─23932 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 26 -container-ip 172.28.0.222 -container-port 25
          ├─23993 docker-containerd-shim 29b5f9559d4d2406b81e8bf0c53cd639c5fd1ca7cb1cd21fa8f263ea33d3ab05 /var/run/docker/libcontainerd/29b5f9559d4d2406b81e8bf0c53cd639c5fd$ca7cb1cd21fa8f263ea33d3ab05 docker-runc
          ├─24021 docker-containerd-shim 28aab4f737f97547fad4a094d85e1e038c126432a269b55f59ba984d4c09e20d /var/run/docker/libcontainerd/28aab4f737f97547fad4a094d85e1e038c126432a269b55f59ba984d4c09e20d docker-runc
          ├─24086 docker-containerd-shim 854cba88b26b492cd6cf86d39779940d1f4a15c57c67a82cb5fd00a49dcd1513 /var/run/docker/libcontainerd/854cba88b26b492cd6cf86d39779940d1f4a15c57c67a82cb5fd00a49dcd1513 docker-runc
          ├─24202 docker-containerd-shim b5a376fa0b0ed84c384f6c417fb7dd1e88642fcd45a59b1b4b5b54bb4bbd3316 /var/run/docker/libcontainerd/b5a376fa0b0ed84c384f6c417fb7dd1e88642fcd45a59b1b4b5b54bb4bbd3316 docker-runc
          └─24276 docker-containerd-shim 15260ed80b685a369a5da640da09ec79c88b1844a5957d1fcfbe7d25356b6b40 /var/run/docker/libcontainerd/15260ed80b685a369a5da640da09ec79c88b1844a5957d1fcfbe7d25356b6b40 docker-runc

Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08+01:00" level=info msg="Firewalld running: true"
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.617724084+01:00" level=info msg="Loading containers: done."
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.654889203+01:00" level=info msg="Daemon has completed initialization"
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.654964541+01:00" level=info msg="Docker daemon" commit=092cba3 graphdriver=devicemapper version=1.13.1
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.663899035+01:00" level=info msg="API listen on /var/run/docker.sock"
Feb 10 02:37:08 my.example.com systemd[1]: Started Docker Application Container Engine.

# cat /etc/firewalld/zones/trusted.xml

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
 <short>Trusted</short>
 <description>All network connections are accepted.</description>
 <interface name="docker0"/>
</zone>

# cat /etc/sysconfig/network-scripts/ifcfg-docker0

DEVICE=docker0
STP=no
TYPE=Bridge
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=docker0
UUID=e4aeffc1-cc87-4fad-ac6c-37cdfaf72369
ONBOOT=no
ZONE=trusted
IPADDR=172.17.0.1
PREFIX=16

It turned out the problem was the network configuration in my docker-compose file; when I removed it, everything worked again.

Quoted from: https://serverfault.com/questions/831770
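The firewalld warnings quoted in the question each wrap an `iptables -C ...` call: `-C` only checks whether a rule already exists and exits non-zero if it does not, so a burst of these right after a Docker restart means the DNAT, ACCEPT and MASQUERADE rules that publish a container port were never installed, which matches the "No route to host" seen from outside. The following script is an added example (it is not from the question or from Docker/firewalld) that parses such journal lines and summarises, per container endpoint, which rule kinds are missing and which host ports are affected. The sample journal text is constructed for the example, modelled on the lines in the question.

```python
"""Summarise firewalld COMMAND_FAILED warnings for Docker's iptables rules.

Each warning quotes an `iptables -C` existence check.  Grouping the failed
checks by container endpoint shows which published ports have no working
port-forwarding rules after a restart.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample journal excerpt, modelled on the lines in the question.
SAMPLE_JOURNAL = """\
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 587 -j DNAT --to-destination 172.28.0.222:587 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 587 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 587 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 26 -j DNAT --to-destination 172.28.0.222:25 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 25 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 25 -j MASQUERADE' failed:
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08+01:00" level=info msg="Firewalld running: true"
"""

# Captures the quoted iptables command inside a firewalld COMMAND_FAILED warning.
FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']+)' failed")


def parse_failed_checks(journal_text):
    """Return one dict per COMMAND_FAILED line: table, chain, target and options."""
    checks = []
    for line in journal_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # not a failed iptables check (e.g. a dockerd info line)
        argv = shlex.split(m.group("cmd"))
        opts = {}
        i = 1  # skip the iptables binary itself
        while i < len(argv):
            tok = argv[i]
            if tok == "!":
                # '!' negates the next match; the summary does not need it
                i += 1
                continue
            if tok.startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                opts[tok] = argv[i + 1]  # option with a value, e.g. "--dport 587"
                i += 2
                continue
            i += 1  # bare flag such as -w2
        checks.append({
            "table": opts.get("-t", "filter"),
            "chain": opts.get("-C"),
            "target": opts.get("-j"),
            "opts": opts,
        })
    return checks


def missing_rules_by_endpoint(checks):
    """Group failed checks by container ip:port and record which rule kinds are absent."""
    summary = defaultdict(lambda: {"host_ports": set(), "missing": set()})
    for c in checks:
        o = c["opts"]
        if c["table"] == "nat" and c["target"] == "DNAT":
            endpoint = o["--to-destination"]
            summary[endpoint]["host_ports"].add(int(o["--dport"]))
            summary[endpoint]["missing"].add("nat/DOCKER DNAT")
        elif c["table"] == "filter" and c["target"] == "ACCEPT":
            endpoint = f'{o["-d"]}:{o["--dport"]}'
            summary[endpoint]["missing"].add("filter/DOCKER ACCEPT")
        elif c["table"] == "nat" and c["target"] == "MASQUERADE" and "-s" in o:
            endpoint = f'{o["-s"]}:{o["--dport"]}'
            summary[endpoint]["missing"].add("nat/POSTROUTING MASQUERADE")
    return dict(summary)


def report(journal_text):
    """Render the summary as one line per endpoint, sorted for stable output."""
    lines = []
    for endpoint, info in sorted(missing_rules_by_endpoint(parse_failed_checks(journal_text)).items()):
        hosts = ",".join(str(p) for p in sorted(info["host_ports"])) or "?"
        lines.append(f"{endpoint}: host port(s) {hosts}; missing {len(info['missing'])} rule kind(s): "
                     + ", ".join(sorted(info["missing"])))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_JOURNAL):
        print(line)
```

On a live host the input would come from `journalctl -u firewalld`; an endpoint that lists all three rule kinds as missing has no path from the published host port to the container at all, which is the condition the question describes. Checking this after every firewalld or Docker restart is a cheap way to catch the rule set silently disappearing again.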