Linux

LXC 容器無法 ping 外部

  • July 18, 2019

我目前正在新伺服器上創建一個新容器,並且面臨網路問題。基本上,容器無法訪問 Internet 上的任何內容,即每次請求超時。

以下是與主機和 lxc 配置相關的資訊:

  • uname -r伺服器上的輸出:4.9.185-xxxx-std-ipv6-64.
  • lxc-ls --version:3.0.3
  • cat /proc/sys/net/ipv4/ip_forward:1
  • cat /etc/lxc/lxc.conf:
lxc.lxcpath = /home/lxc
  • cat /etc/default/lxc-net:
USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxc-bridge-nat"
LXC_ADDR="192.168.100.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="192.168.100.0/24"
LXC_DHCP_RANGE="192.168.100.2,192.168.100.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
LXC_DOMAIN="lxc"

LXC_IPV6_ADDR="fc27::216:3eff:fe00:1"
LXC_IPV6_MASK="64"
LXC_IPV6_NETWORK="fc27::/64"
LXC_IPV6_NAT="true"
  • cat /home/lxc/test/config
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d debian -r buster -a amd64
# Template script checksum (SHA-1): 273c51343604eb85f7e294c8da0a5eb769d648f3
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Auto start configuration
# Mount shared folder so the container can access letsencrypt certificates
# into its own /share folder

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64

# Container specific configuration
lxc.start.auto = 1
lxc.rootfs.path = dir:/home/lxc/test/rootfs
lxc.uts.name = test

# Network configuration
lxc.net.0.type  = veth
lxc.net.0.flags = up
lxc.net.0.link  = lxc-bridge-nat

通過這個設置,我可以通過介面成功地從容器中 ping 容器或主機lxc-bridge-nat。但在容器內,該命令ping 8.8.8.8沒有給出任何結果:

PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C--- 8.8.8.8 ping statistics ---
18 packets transmitted, 0 packets received, 100% packet loss

這是主機上的 iptables 配置:

Generated by xtables-save v1.8.3 on Wed Jul 17 11:10:37 2019
*filter
:INPUT ACCEPT [245428:1063335794]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [228241:18791314]
:f2b-sshd - [0:0]
:f2b-recidive - [0:0]
-A INPUT -i lxc-bridge-nat -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxc-bridge-nat -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxc-bridge-nat -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxc-bridge-nat -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -j f2b-recidive
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A FORWARD -o lxc-bridge-nat -j ACCEPT
-A FORWARD -i lxc-bridge-nat -j ACCEPT
-A FORWARD -p tcp -j f2b-recidive
-A f2b-sshd -j RETURN
-A f2b-recidive -j RETURN
COMMIT
# Completed on Wed Jul 17 11:10:37 2019
# Generated by xtables-save v1.8.3 on Wed Jul 17 11:10:37 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Jul 17 11:10:37 2019
# Generated by xtables-save v1.8.3 on Wed Jul 17 11:10:37 2019
*mangle
:PREROUTING ACCEPT [248302:1063534761]
:INPUT ACCEPT [247677:1063489218]
:FORWARD ACCEPT [538:39768]
:OUTPUT ACCEPT [228241:18791314]
:POSTROUTING ACCEPT [228779:18831082]
-A POSTROUTING -o lxc-bridge-nat -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Jul 17 11:10:37 2019
# Generated by xtables-save v1.8.3 on Wed Jul 17 11:10:37 2019
*raw
:PREROUTING ACCEPT [3012:193211]
:OUTPUT ACCEPT [2048:239550]
COMMIT
# Completed on Wed Jul 17 11:10:37 2019
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

我還嘗試了該tcpdump -i eno1 -n icmp命令以查看是否存在與 IP 數據包相關的任何問題,這是輸出(在容器端 ping 到 8.8.8.8 期間它已在主機端執行):

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:12:38.938243 IP 192.168.100.78 > 8.8.8.8: ICMP echo request, id 1137, seq 0, length 64
11:12:39.939343 IP 192.168.100.78 > 8.8.8.8: ICMP echo request, id 1137, seq 1, length 64
11:12:40.940554 IP 192.168.100.78 > 8.8.8.8: ICMP echo request, id 1137, seq 2, length 64
11:12:41.941748 IP 192.168.100.78 > 8.8.8.8: ICMP echo request, id 1137, seq 3, length 64
11:12:42.942939 IP 192.168.100.78 > 8.8.8.8: ICMP echo request, id 1137, seq 4, length 64

您是否可以看到數據包通過公共介面在 Internet 上傳輸,但它使用的是容器的 IP 地址而不是主機。

所以我認為我的問題與此有關,但我不知道它為什麼這樣做以及如何解決它。

如果您需要更多資訊來解決我的問題,請隨時提問。

——- 編輯:添加 iptables 原始輸出 iptables -nvL

Chain INPUT (policy ACCEPT 251K packets, 1064M bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     tcp  --  lxc-bridge-nat *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   6   430 ACCEPT     udp  --  lxc-bridge-nat *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
   0     0 ACCEPT     tcp  --  lxc-bridge-nat *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
  16  5295 ACCEPT     udp  --  lxc-bridge-nat *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
219K 1062M f2b-recidive  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
215K 1046M f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  *      lxc-bridge-nat  0.0.0.0/0            0.0.0.0/0           
 131 10860 ACCEPT     all  --  lxc-bridge-nat *       0.0.0.0/0            0.0.0.0/0           
   0     0 f2b-recidive  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 233K packets, 19M bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain f2b-sshd (1 references)
pkts bytes target     prot opt in     out     source               destination         
214K 1046M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain f2b-recidive (2 references)
pkts bytes target     prot opt in     out     source               destination         
 874 52624 REJECT     all  --  *      *       106.75.71.124        0.0.0.0/0            reject-with icmp-port-unreachable
 246 14760 REJECT     all  --  *      *       51.75.23.87          0.0.0.0/0            reject-with icmp-port-unreachable
218K 1062M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
# Warning: iptables-legacy tables present, use iptables-legacy to see them

iptables -nvL -t nat

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 MASQUERADE  all  --  *      *       192.168.100.0/24    !192.168.100.0/24    

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
# Warning: iptables-legacy tables present, use iptables-legacy to see them

好的,我發現了問題(感謝 tomp on https://discuss.linuxcontainers.org)。預設情況下 lxc-net 使用 iptables 創建規則,這很好,但在我的系統上不起作用,因為 #Warning: iptables-legacy 表存在,使用 iptables-legacy 來查看它們。

所以在執行命令 iptables-legacy -t nat -A POSTROUTING -s 192.168.100.0/24 之後!-d 192.168.100.0/24 -j MASQUERADE 系統現在工作正常。

我現在對這個問題還有兩個小問題:為什麼會這樣?以及如何使用非傳統系統完成這項工作?

引用自:https://serverfault.com/questions/975562