Networking

docker network 是否以某種方式阻止從某些 IP 訪問其主機?

  • September 5, 2019

我的公司有一個 CentOS 7 伺服器和一些正在執行的 docker 容器。通常我可以從我的個人電腦連接到它。但有時在伺服器上執行docker-compose up命令後,我無法再連接到它(我嘗試通過 ssh ping / 連接它只是永遠掛起)。發生這種情況時,我必須從另一台電腦 ssh 到伺服器,執行docker-compose down,然後一切恢復正常。

我沒有在 docker-compose.yml 文件中定義任何網路,我總是讓 docker 自己處理網路。

我的問題:目前我的團隊中有幾個人無法連接到伺服器。我認為這可能與docker有關,因為它預設操作iptables(我在伺服器上使用iptables而不是firewalld)。一個人甚至曾經能夠連接,但是在他“重置 wifi”(ncpa.cpl–> 禁用–> 啟用,他的 IP 更改)之後,他就無法再連接了。

我只是想問一下這是否是一個常見問題,有沒有人遇到過類似的事情,或者關於如何解決這個問題的任何建議。我真的被困在這裡了。


我不知道這是否有幫助,但這是我的iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER-INGRESS  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (9 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:9494
ACCEPT     tcp  --  anywhere             172.25.0.2           tcp dpt:XmlIpcRegSvc
ACCEPT     tcp  --  anywhere             172.25.0.3           tcp dpt:eforward
ACCEPT     tcp  --  anywhere             172.17.0.12          tcp dpt:8484
ACCEPT     tcp  --  anywhere             172.17.0.16          tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.17.0.8           tcp dpt:8282
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             172.17.0.10          tcp dpt:xmltec-xmlmail
ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:8282
ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.31.0.2           tcp dpt:27017
ACCEPT     tcp  --  anywhere             172.31.0.3           tcp dpt:27017
ACCEPT     tcp  --  anywhere             192.168.48.3         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:commplex-main
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:domaintime
ACCEPT     tcp  --  anywhere             172.17.0.9           tcp dpt:intermapper
ACCEPT     tcp  --  anywhere             172.17.0.11          tcp dpt:8808
ACCEPT     tcp  --  anywhere             172.17.0.14          tcp dpt:8585
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:sun-as-jpda
ACCEPT     tcp  --  anywhere             172.17.0.13          tcp dpt:pds

Chain DOCKER-INGRESS (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (9 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere  
Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere  

這是我的docker network ls

NETWORK ID          NAME                                DRIVER              SCOPE
ffdf3af963da        bridge                              bridge              local
592d75d9d5b9        coeeventifytestoldversion_default   bridge              local
c4a9765aa44f        docker_gwbridge                     bridge              local
06e4cb827a9c        FE_default                          bridge              local
5fa4ecb69ec6        servicecode_net                     bridge              local
63cbe32ab786        healthcheck_default                 bridge              local
9238d2095aec        host                                host                local
e67bc4a01511        kafka_default                       bridge              local
f2ae14c5c4f6        myApp_default                       bridge              local
724a03d36011        none                                null                local
7e62d26d7c7c        sourcecode_default                  bridge              local

如果您的 docker 守護程序使用的 IP 地址也在您的公司網路中使用,則可能會發生這種情況。假設您的一位隊友的 IP 地址為 192.168.160.2,而您的一個 docker 容器也獲得了相同的 IP 地址 192.168.160.2。當容器嘗試向您的隊友發送響應時,它無法到達他,因為數據包將被發送到容器本身。

您應該確保您的 docker 守護程序使用與本地網路完全不同的子網。您可以使用docker network inspect來查看特定 docker 網路正在使用哪些 IP 地址。

要更改 docker 使用的 IP 地址,請參閱將Docker 配置為不使用 172.17.0.0 範圍

引用自:https://serverfault.com/questions/981665