Iptables
Docker services unreachable after CentOS 7 upgrade
After a fairly large upgrade of my CentOS 7 system yesterday, my Docker services are no longer reachable.

From localhost, curl localhost gives => curl: (56) Recv failure: Connection reset by peer. The (haproxy) service was working fine before, so I don't think the container is the problem. docker ps shows it is bound: 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp.

From remote, firewalld seems to be blocking the connection:
firewalld enabled: curl: (7) Failed to connect to my.example.com port 80: No route to host
firewalld disabled: curl: (56) Recv failure: Connection reset by peer

Details
$ docker info
Containers: 11
 Running: 8
 Paused: 0
 Stopped: 3
Images: 37
Server Version: 1.13.1
Storage Driver: devicemapper
 Pool Name: docker-252:1-270354-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/vg-root/docker-data
 Metadata file: /dev/vg-root/docker-meta
 Data Space Used: 20.71 GB
 Data Space Total: 96.64 GB
 Data Space Available: 75.93 GB
 Metadata Space Used: 33.51 MB
 Metadata Space Total: 4.295 GB
 Metadata Space Available: 4.261 GB
 Thin Pool Minimum Free Space: 9.664 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1
runc version: 9df8b306d01f59d3a8029be411de015b7304dd8f
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
 selinux
Kernel Version: 3.10.0-327.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 11.58 GiB
Name: my.example.com
ID: TXXX:TXNO:X22W:4SMX:NEEE:DBZE:BYX3:XGAN:4UST:6TMM:3LBG:IICW
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp6       0      0 :::587                  :::*                    LISTEN      0          29958267   23921/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      0          29956605   23743/docker-proxy
tcp6       0      0 :::25                   :::*                    LISTEN      0          15146      2495/master
tcp6       0      0 :::26                   :::*                    LISTEN      0          29956768   23932/docker-proxy
tcp6       0      0 :::443                  :::*                    LISTEN      0          29956581   23725/docker-proxy
# firewall-cmd --permanent --zone=trusted --change-interface=docker0
The interface is under control of NetworkManager, setting zone to 'trusted'.
success
# systemctl status firewalld -l
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fr 2017-02-10 01:54:59 CET; 6h ago
     Docs: man:firewalld(1)
 Main PID: 4843 (firewalld)
   Memory: 24.0M
   CGroup: /system.slice/firewalld.service
           └─4843 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 993 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 27389 -j DNAT --to-destination 172.28.0.222:389 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 389 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 389 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 587 -j DNAT --to-destination 172.28.0.222:587 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 587 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 587 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 26 -j DNAT --to-destination 172.28.0.222:25 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 25 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 25 -j MASQUERADE' failed:
# systemctl status docker -l
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Fr 2017-02-10 02:37:08 CET; 6h ago
     Docs: https://docs.docker.com
 Main PID: 23358 (dockerd)
   Memory: 137.6M
   CGroup: /system.slice/docker.service
           ├─23358 /usr/bin/dockerd
           ├─23365 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libco$tainerd/containerd --shim docker-containerd-shim --runtime docker-runc
           ├─23653 docker-containerd-shim 57eeade86f9eb659887b59812c95666e7ee97d7dc987e066c597c45cf960271e /var/run/docker/libcontainerd/57eeade86f9eb659887b59812c95666e7ee9$d7dc987e066c597c45cf960271e docker-runc
           ├─23725 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-ip 172.28.0.99 -container-port 443
           ├─23743 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-ip 172.28.0.99 -container-port 80
           ├─23753 docker-containerd-shim c737be17ff53005fd2933a2b7cc5042175d03588ec7c1b2cd06b6be46147c832 /var/run/docker/libcontainerd/c737be17ff53005fd2933a2b7cc5042175d0$588ec7c1b2cd06b6be46147c832 docker-runc
           ├─23844 docker-containerd-shim e0fa228730474373a80129ce5326854cc4f464da89d334776ddb1e69e8e89403 /var/run/docker/libcontainerd/e0fa228730474373a80129ce5326854cc4f4$4da89d334776ddb1e69e8e89403 docker-runc
           ├─23864 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27007 -container-ip 172.28.0.222 -container-port 4190
           ├─23880 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27005 -container-ip 172.28.0.222 -container-port 993
           ├─23900 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 27389 -container-ip 172.28.0.222 -container-port 389
           ├─23921 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 587 -container-ip 172.28.0.222 -container-port 587
           ├─23932 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 26 -container-ip 172.28.0.222 -container-port 25
           ├─23993 docker-containerd-shim 29b5f9559d4d2406b81e8bf0c53cd639c5fd1ca7cb1cd21fa8f263ea33d3ab05 /var/run/docker/libcontainerd/29b5f9559d4d2406b81e8bf0c53cd639c5fd$ca7cb1cd21fa8f263ea33d3ab05 docker-runc
           ├─24021 docker-containerd-shim 28aab4f737f97547fad4a094d85e1e038c126432a269b55f59ba984d4c09e20d /var/run/docker/libcontainerd/28aab4f737f97547fad4a094d85e1e038c126432a269b55f59ba984d4c09e20d docker-runc
           ├─24086 docker-containerd-shim 854cba88b26b492cd6cf86d39779940d1f4a15c57c67a82cb5fd00a49dcd1513 /var/run/docker/libcontainerd/854cba88b26b492cd6cf86d39779940d1f4a15c57c67a82cb5fd00a49dcd1513 docker-runc
           ├─24202 docker-containerd-shim b5a376fa0b0ed84c384f6c417fb7dd1e88642fcd45a59b1b4b5b54bb4bbd3316 /var/run/docker/libcontainerd/b5a376fa0b0ed84c384f6c417fb7dd1e88642fcd45a59b1b4b5b54bb4bbd3316 docker-runc
           └─24276 docker-containerd-shim 15260ed80b685a369a5da640da09ec79c88b1844a5957d1fcfbe7d25356b6b40 /var/run/docker/libcontainerd/15260ed80b685a369a5da640da09ec79c88b1844a5957d1fcfbe7d25356b6b40 docker-runc

Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08+01:00" level=info msg="Firewalld running: true"
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.617724084+01:00" level=info msg="Loading containers: done."
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.654889203+01:00" level=info msg="Daemon has completed initialization"
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.654964541+01:00" level=info msg="Docker daemon" commit=092cba3 graphdriver=devicemapper version=1.13.1
Feb 10 02:37:08 my.example.com dockerd[23358]: time="2017-02-10T02:37:08.663899035+01:00" level=info msg="API listen on /var/run/docker.sock"
Feb 10 02:37:08 my.example.com systemd[1]: Started Docker Application Container Engine.
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <interface name="docker0"/>
</zone>
# cat /etc/sysconfig/network-scripts/ifcfg-docker0
DEVICE=docker0
STP=no
TYPE=Bridge
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=docker0
UUID=e4aeffc1-cc87-4fad-ac6c-37cdfaf72369
ONBOOT=no
ZONE=trusted
IPADDR=172.17.0.1
PREFIX=16
It turned out the problem was the network configuration in my docker-compose file: when I removed it, everything worked.
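As an added example, not part of the original post, the following Python script parses firewalld COMMAND_FAILED warnings like those in the firewalld status output above. Each warning is a failed iptables -C (check) call, meaning the rule was absent when firewalld looked for it, so grouping the failures by container address reveals which published ports had none of the three rules Docker normally installs. The log lines are constructed in the page's format and the function names are my own.

```python
import re
import shlex

# Constructed sample journal lines in the same format as the firewalld
# COMMAND_FAILED warnings on this page: two published ports of the
# container at 172.28.0.222, three failed rule checks each.
SAMPLE_LOG = """\
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 27389 -j DNAT --to-destination 172.28.0.222:389 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 389 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 389 -j MASQUERADE' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 587 -j DNAT --to-destination 172.28.0.222:587 ! -i br-56cc7d2b4e29' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i br-56cc7d2b4e29 -o br-56cc7d2b4e29 -p tcp -d 172.28.0.222 --dport 587 -j ACCEPT' failed:
Feb 10 02:37:05 my.example.com firewalld[4843]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.28.0.222 -d 172.28.0.222 --dport 587 -j MASQUERADE' failed:
"""

CMD_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed")
# The three rules Docker installs per published TCP port (DNAT, ACCEPT, MASQUERADE).
EXPECTED = {"nat/DOCKER", "filter/DOCKER", "nat/POSTROUTING"}


def _arg(argv, flag):
    """Value following `flag` in an iptables argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def parse_failed_checks(log_text):
    """Map (container_ip, container_port) -> {"host_port": int|None, "chains": set}
    for every failed `iptables -C` check in the log text (a failed -C = rule absent)."""
    failed = {}
    for m in CMD_RE.finditer(log_text):
        argv = shlex.split(m.group("cmd"))
        chain = _arg(argv, "-C")
        if chain is None:
            continue  # only rule *checks* tell us that a rule was missing
        table = _arg(argv, "-t") or "filter"
        host_port = None
        if _arg(argv, "--to-destination"):  # DNAT rule: --dport is the host port
            ip, port = _arg(argv, "--to-destination").split(":")
            host_port = int(_arg(argv, "--dport"))
        else:  # ACCEPT / MASQUERADE rules carry the container ip and port directly
            ip, port = _arg(argv, "-d"), _arg(argv, "--dport")
        entry = failed.setdefault((ip, int(port)), {"host_port": None, "chains": set()})
        entry["chains"].add(f"{table}/{chain}")
        entry["host_port"] = entry["host_port"] or host_port
    return failed


def fully_missing_mappings(failed):
    """Published ports whose whole rule set was absent, as (host_port, ip, port)."""
    return sorted((v["host_port"], ip, port) for (ip, port), v in failed.items()
                  if EXPECTED <= v["chains"])


if __name__ == "__main__":
    for host_port, ip, port in fully_missing_mappings(parse_failed_checks(SAMPLE_LOG)):
        print(f"host port {host_port} -> {ip}:{port}: DNAT/ACCEPT/MASQUERADE rules all absent")
```

Compare the reported mappings with the docker-proxy listeners from netstat: a port that is listened on by docker-proxy but has no DNAT path is exactly the state in which curl reaches the host yet gets a reset.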