linux - Cannot access the network from a Docker container
Problem description
The gist of the problem is that if I create and run a Docker container (from any image, I tried many), the container has no network access beyond the default bridge that Docker creates; this holds even when using IP addresses (not URLs/names).
I.e.:
docker run --rm -it busybox ping 8.8.8.8
hangs/fails because there is no network access, and
docker run --rm -it busybox ping 172.17.0.1
fails as well (note that 172.17.0.1 is the docker0 IP on the host and also the gateway Docker sets inside the container). If I create two containers, I can ping either one from the other.
Note:
I have two Ubuntu hosts running Docker 19.03.6 (same version). On one of them (the development machine) I have no problem (it works fine); on the other I do. This means it is most likely not an OS and/or Docker version issue, but some kind of misconfiguration.
Unlike most of the questions I could find, this is not a DNS problem. In fact it is not a DNS problem at all: it happens when I use direct IP addresses as well as URLs.
I use iptables on the host; these are the rules on the host where it does not work (they are different on the development machine where networking works fine, but I cannot set the same ones here):
Chain INPUT (policy DROP)
target prot opt source destination
f2b-postfix-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap3,imaps,pop3,pop3s
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:ntp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:ntp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:imap2 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:imaps state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:urd state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:smtp state ESTABLISHED
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-postfix-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
I do not know what else to clarify.
What should I do?
Solution
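The page records no answer under this heading. As an added diagnostic example (not from the original post or from any answer), the following POSIX shell script parses iptables-save style output and checks the three conditions a container on Docker's default bridge needs for outbound traffic: net.ipv4.ip_forward set to 1, a FORWARD rule accepting traffic from docker0 towards other interfaces, and a MASQUERADE rule in the nat POSTROUTING chain. The embedded rule set is constructed: it is modelled on the FORWARD chain in the question, but includes the interface matches that plain `iptables -L` hides unless run with -v, plus a nat table that `iptables -L` does not show without -t nat, which is why the dump above alone cannot settle the question. The function names, the sample rules and the --host flag are the example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the original question.
# Checks whether an iptables rule set (iptables-save format) and the
# ip_forward sysctl allow containers on a bridge (default docker0) to
# reach networks beyond the bridge.

# Constructed sample rule set, modelled on the question's FORWARD chain
# with the interface matches and nat table that `iptables -L` omits.
SAMPLE_RULES='
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
'

# Constructed "broken" variant: same rules with the MASQUERADE rule removed.
BROKEN_RULES=$(printf '%s\n' "$SAMPLE_RULES" | grep -v MASQUERADE)

# Print the policy of the filter FORWARD chain (ACCEPT or DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\).*/\1/p' | head -n 1
}

# Succeed if FORWARD accepts traffic entering from the bridge and leaving
# through any other interface (the rule Docker installs for each bridge).
has_forward_from_bridge() {
    rules=$1; bridge=${2:-docker0}
    printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i $bridge ! -o $bridge -j ACCEPT"
}

# Succeed if nat POSTROUTING masquerades the bridge subnet on the way out.
has_masquerade() {
    rules=$1; bridge=${2:-docker0}
    printf '%s\n' "$rules" | grep -q -- "^-A POSTROUTING -s [0-9./]* ! -o $bridge -j MASQUERADE"
}

# Print one finding per line; print nothing when every check passes.
# $1 = rules, $2 = value of net.ipv4.ip_forward, $3 = bridge name.
diagnose() {
    rules=$1; ip_forward=$2; bridge=${3:-docker0}
    [ "$ip_forward" = "1" ] || \
        echo "net.ipv4.ip_forward is $ip_forward: the kernel will not route between $bridge and the uplink"
    has_forward_from_bridge "$rules" "$bridge" || \
        echo "FORWARD has no ACCEPT for '-i $bridge ! -o $bridge' (chain policy: $(forward_policy "$rules"))"
    has_masquerade "$rules" "$bridge" || \
        echo "nat POSTROUTING has no MASQUERADE rule for traffic leaving $bridge"
}

# Number of findings, as a plain integer (0 when all checks pass).
count_findings() {
    diagnose "$1" "$2" "${3:-docker0}" | awk 'END { print NR }'
}

if [ "${1:-}" = "--host" ]; then
    # Inspect the running host; needs root and the iptables (not nft-only) tooling.
    live_rules=$(iptables-save)
    live_forward=$(cat /proc/sys/net/ipv4/ip_forward)
    findings=$(diagnose "$live_rules" "$live_forward" "${2:-docker0}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
    else
        echo "no obvious block for ${2:-docker0} in iptables or ip_forward; look at routing/DNS next"
    fi
else
    echo "sample rule set, ip_forward=1: $(count_findings "$SAMPLE_RULES" 1) finding(s)"
    echo "broken rule set, ip_forward=0:"
    diagnose "$BROKEN_RULES" 0
fi
```

Run it without arguments to see the checks against the embedded samples, or as root with `--host [bridge]` to evaluate the live rule set. A host where the question's symptom appears should be checked with `iptables-save` rather than `iptables -L`, since the saved form shows the `-i`/`-o` interface matches and the nat table that decide whether bridge traffic can leave.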