Does the docker network somehow block access to its host from certain IPs?
My company has a CentOS 7 server with a few docker containers running on it. Normally I can connect to it from my personal computer. But sometimes, after running docker-compose up on the server, I can no longer connect to it (I tried to ping it / connect over ssh; it just hangs forever). When this happens I have to ssh into the server from another computer, run docker-compose down, and then everything goes back to normal. I did not define any networks in the docker-compose.yml file; I always let docker handle the networking itself.
My problem: right now several people on my team cannot connect to the server. I think this may be related to docker, because it manipulates iptables by default (I use iptables on the server, not firewalld). One person was even able to connect at one point, but after he "reset his wifi" (ncpa.cpl -> Disable -> Enable, and his IP changed) he could no longer connect. I just want to ask whether this is a common problem, whether anyone has run into something similar, or whether there are any suggestions on how to solve it. I am really stuck here.
I don't know whether this helps, but here is my iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER-INGRESS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (9 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.5           tcp dpt:9494
ACCEPT     tcp  --  anywhere             172.25.0.2           tcp dpt:XmlIpcRegSvc
ACCEPT     tcp  --  anywhere             172.25.0.3           tcp dpt:eforward
ACCEPT     tcp  --  anywhere             172.17.0.12          tcp dpt:8484
ACCEPT     tcp  --  anywhere             172.17.0.16          tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.17.0.8           tcp dpt:8282
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             172.17.0.10          tcp dpt:xmltec-xmlmail
ACCEPT     tcp  --  anywhere             172.17.0.6           tcp dpt:8282
ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:cslistener
ACCEPT     tcp  --  anywhere             172.31.0.2           tcp dpt:27017
ACCEPT     tcp  --  anywhere             172.31.0.3           tcp dpt:27017
ACCEPT     tcp  --  anywhere             192.168.48.3         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:commplex-main
ACCEPT     tcp  --  anywhere             172.17.0.7           tcp dpt:domaintime
ACCEPT     tcp  --  anywhere             172.17.0.9           tcp dpt:intermapper
ACCEPT     tcp  --  anywhere             172.17.0.11          tcp dpt:8808
ACCEPT     tcp  --  anywhere             172.17.0.14          tcp dpt:8585
ACCEPT     tcp  --  anywhere             172.17.0.4           tcp dpt:sun-as-jpda
ACCEPT     tcp  --  anywhere             172.17.0.13          tcp dpt:pds

Chain DOCKER-INGRESS (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (9 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
And here is my docker network ls:

NETWORK ID     NAME                                DRIVER   SCOPE
ffdf3af963da   bridge                              bridge   local
592d75d9d5b9   coeeventifytestoldversion_default   bridge   local
c4a9765aa44f   docker_gwbridge                     bridge   local
06e4cb827a9c   FE_default                          bridge   local
5fa4ecb69ec6   servicecode_net                     bridge   local
63cbe32ab786   healthcheck_default                 bridge   local
9238d2095aec   host                                host     local
e67bc4a01511   kafka_default                       bridge   local
f2ae14c5c4f6   myApp_default                       bridge   local
724a03d36011   none                                null     local
7e62d26d7c7c   sourcecode_default                  bridge   local
This can happen if the IP addresses your docker daemon uses are also in use on your company network. Suppose one of your teammates has the IP address 192.168.160.2, and one of your docker containers also gets that same IP address, 192.168.160.2. When the container tries to send a response to your teammate, it cannot reach him, because the packet will be sent to the container itself.

You should make sure your docker daemon uses subnets that are completely different from your local network. You can use docker network inspect to see which IP addresses a particular docker network is using. To change the IP addresses docker uses, see "Configure Docker to not use the 172.17.0.0 range".
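The collision the answer describes, worked through as an added example that is not part of the original question or answer: a small standard-library Python script that reads the JSON shape `docker network inspect` prints, flags bridge subnets overlapping the office ranges, and then shows by longest-prefix match why any reply the host (or a container behind it) sends to a client in an overlapping range leaves through the Docker bridge instead of the uplink, which is why the ssh handshake never completes. It also builds the daemon.json `default-address-pools` entry that keeps future compose networks out of the office ranges. The inspect JSON, the office prefixes 10.0.5.0/24 and 192.168.160.0/22, the server's `eth0` uplink and the 10.200.0.0/16 pool are all constructed assumptions. The question's own DOCKER chain already shows a container at 192.168.48.3, so that daemon has in fact been handed a 192.168.0.0/16 range, which is exactly the kind of overlap this checks for.

```python
"""Reproduce the Docker-vs-LAN subnet collision and check a fix.

Added example, not code from the original question or answer. Uses only
the standard library; the inspect JSON, office prefixes, device names
and the replacement pool are constructed assumptions.
"""
import ipaddress
import json

# Constructed stand-in for `docker network inspect $(docker network ls -q)`.
# Only the fields this script reads are kept. The 192.168.160.0/20 subnet
# is an assumption chosen to collide with the teammate in the answer.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Id": "ffdf3af963da" + "0" * 52,
     "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]}},
    {"Name": "kafka_default", "Id": "e67bc4a01511" + "0" * 52,
     "IPAM": {"Config": [{"Subnet": "172.25.0.0/16"}]}},
    {"Name": "myApp_default", "Id": "f2ae14c5c4f6" + "0" * 52,
     "IPAM": {"Config": [{"Subnet": "192.168.160.0/20"}]}},
    {"Name": "host", "Id": "9238d2095aec" + "0" * 52,
     "IPAM": {"Config": []}},
])

# Assumed office layout: the server's own LAN on eth0, and the wifi range
# the teammates sit in, which the server reaches via its default gateway.
SERVER_LAN = "10.0.5.0/24"
OFFICE_PREFIXES = [SERVER_LAN, "192.168.160.0/22"]


def docker_subnets(inspect_json):
    """(network name, bridge device, subnet) for every IPv4 bridge subnet."""
    result = []
    for net in json.loads(inspect_json):
        # Docker names user-defined bridges br-<first 12 hex of the Id>;
        # the default "bridge" network is the docker0 device.
        dev = "docker0" if net["Name"] == "bridge" else "br-" + net["Id"][:12]
        for cfg in net.get("IPAM", {}).get("Config", []):
            result.append((net["Name"], dev, ipaddress.ip_network(cfg["Subnet"])))
    return result


def collisions(inspect_json, office_prefixes):
    """Docker subnets that overlap any office prefix: the answer's condition."""
    office = [ipaddress.ip_network(p) for p in office_prefixes]
    return sorted(
        (name, str(subnet))
        for name, _, subnet in docker_subnets(inspect_json)
        if any(subnet.overlaps(o) for o in office)
    )


def route_for(dst, routes):
    """Longest-prefix match, which is how the kernel picks the egress device."""
    dst = ipaddress.ip_address(dst)
    best = max(((prefix, dev) for prefix, dev in routes if dst in prefix),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def host_routes(bridge_subnets, server_lan=SERVER_LAN, uplink="eth0"):
    """Routing table the host ends up with: default and LAN routes on the
    uplink, plus one connected route per Docker bridge once it is up."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), uplink),
              (ipaddress.ip_network(server_lan), uplink)]
    routes += [(subnet, dev) for _, dev, subnet in bridge_subnets]
    return routes


def reply_device(client_ip, bridge_subnets):
    """Device the host's SYN-ACK to an ssh client would leave through."""
    return route_for(client_ip, host_routes(bridge_subnets))


def daemon_json_pools(office_prefixes, base="10.200.0.0/16", size=24):
    """daemon.json fragment for default-address-pools; refused if the chosen
    pool itself overlaps the office ranges."""
    pool = ipaddress.ip_network(base)
    if any(pool.overlaps(ipaddress.ip_network(p)) for p in office_prefixes):
        raise ValueError(f"pool {base} overlaps the office ranges")
    return {"default-address-pools": [{"base": base, "size": size}]}


def pooled_subnets(pool_cfg, count):
    """The first `count` /size subnets Docker would carve out of the pool."""
    entry = pool_cfg["default-address-pools"][0]
    nets = ipaddress.ip_network(entry["base"]).subnets(new_prefix=entry["size"])
    return [next(nets) for _ in range(count)]


if __name__ == "__main__":
    before = docker_subnets(SAMPLE_INSPECT)
    print("colliding networks:", collisions(SAMPLE_INSPECT, OFFICE_PREFIXES))
    print("reply to 192.168.160.2 leaves via:", reply_device("192.168.160.2", before))
    cfg = daemon_json_pools(OFFICE_PREFIXES)
    after = [(n, d, s) for (n, d, _), s in zip(before, pooled_subnets(cfg, len(before)))]
    print("after re-pooling it leaves via:", reply_device("192.168.160.2", after))
    print("daemon.json fragment:", json.dumps(cfg))
```

To use it against a real host, replace SAMPLE_INSPECT with the output of `docker network inspect $(docker network ls -q)` and OFFICE_PREFIXES with the ranges your colleagues actually sit in (the teammate whose IP changed after a wifi reset simply moved into the overlapping range). Writing the fragment to /etc/docker/daemon.json and restarting dockerd only affects networks created afterwards, so the compose networks have to be removed (docker-compose down, then docker network prune) and recreated; the default docker0 bridge is pinned separately with the `bip` key, which is what the linked "Configure Docker to not use the 172.17.0.0 range" question covers.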