Docker problems I ran into, part 1 (doge face, just to be safe)

The container cannot ping www.baidu.com

Basic situation:
The container is attached to the default bridge, docker0.
The container runs CentOS 7 (the centos:7.9.2009 image).
Troubleshooting approach:

  1. Rule out a network configuration problem inside the container
# ping the gateway, 172.17.0.1, from inside the container
[root@035861c11658 /]# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.087 ms
64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.047 ms
## The gateway answers, so the container's own network configuration should be fine
  2. Check Docker's network setup; nothing wrong there either

Gateway

# list the current networks
[root@localhost zj]# docker network ls		
NETWORK ID     NAME      DRIVER    SCOPE
abce66f51aab   bridge    bridge    local
3b21da9c0b9e   host      host      local
e15a9c3bfd61   none      null      local

# confirm the containers are actually running:
[root@localhost zj]# docker container ls
CONTAINER ID   IMAGE                 COMMAND        CREATED        STATUS             PORTS                                       NAMES
035861c11658   centos:7.9.2009       "/bin/bash"    17 hours ago   Up About an hour                                               test1
58ca0c160240   portainer/portainer   "/portainer"   3 weeks ago    Up About an hour   0.0.0.0:9000->9000/tcp, :::9000->9000/tcp   prtainer-test
# inspect the bridge network to see which containers are attached to it.
[root@localhost zj]# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "abce66f51aab4fb65f22a73a74e5a9585e1cafea54a0a00ea03c7308119a630e",
        "Created": "2021-05-19T09:40:54.867201558+08:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",   # subnet of the default bridge
                    "Gateway": "172.17.0.1"      # docker0 gateway address
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {   # network details of the containers currently attached to docker0
            "035861c116580929e33f99fa221a76f93f583263c2269b0f519c58973438f63b": {
                "Name": "test1",
                "EndpointID": "58d7c0bbb4388d4c6f440e585184a333395d273803ef4fb1e3fd66415c7c2939",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            },
            "58ca0c160240a4caa0c3804271ecbb857251ab3dd41118a90c196fab9da6ffb4": {
                "Name": "prtainer-test",
                "EndpointID": "f6df211b477244f0a44055af22ffd519174229ee5e6ab43d4101d590942d77ee",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {   # docker0 bridge options
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

ip link and ip a show that the host has a docker0 link

[root@localhost zj]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether f0:2f:a7:94:dd:c3 brd ff:ff:ff:ff:ff:ff
3: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether f0:2f:a7:94:dd:c4 brd ff:ff:ff:ff:ff:ff
4: enp2s0f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether f0:2f:a7:94:dd:c5 brd ff:ff:ff:ff:ff:ff
5: enp2s0f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether f0:2f:a7:94:dd:c6 brd ff:ff:ff:ff:ff:ff
6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:86:69:53 brd ff:ff:ff:ff:ff:ff
7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:86:69:53 brd ff:ff:ff:ff:ff:ff
8: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 

[root@localhost zj]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f0:2f:a7:94:dd:c3 brd ff:ff:ff:ff:ff:ff
    inet 10.100.103.33/24 brd 10.100.103.255 scope global noprefixroute enp2s0f0
       valid_lft forever preferred_lft forever
    inet6 fe80::881b:d316:27c1:2082/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f0:2f:a7:94:dd:c4 brd ff:ff:ff:ff:ff:ff
4: enp2s0f2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f0:2f:a7:94:dd:c5 brd ff:ff:ff:ff:ff:ff
5: enp2s0f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether f0:2f:a7:94:dd:c6 brd ff:ff:ff:ff:ff:ff
6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:86:69:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
7: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:86:69:53 brd ff:ff:ff:ff:ff:ff
8: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:95:7e:f3:7b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:95ff:fe7e:f37b/64 scope link 
       valid_lft forever preferred_lft forever
97: br-8c350fc074a7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default 
    link/ether 02:42:6e:4a:e5:f0 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-8c350fc074a7
       valid_lft forever preferred_lft forever
101: vethe52d186@if100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 52:e5:e1:2e:55:3d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::50e5:e1ff:fe2e:553d/64 scope link 
       valid_lft forever preferred_lft forever
103: veth6d4c240@if102: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 76:5a:82:a8:4c:5a brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::745a:82ff:fea8:4c5a/64 scope link 
       valid_lft forever preferred_lft forever

# the ip tool is not in the centos image; install it first inside the container: yum -y install iproute
[root@localhost zj]# docker exec test1 ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
102: eth0@if103: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff link-netnsid 0

[root@localhost zj]# docker exec test1 ip route show
default via 172.17.0.1 dev eth0 
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3 
# the container's network setup is fine

Posts found on Baidu say the likely cause is missing route forwarding: the 172.17.0.0 subnet is not being forwarded to an IP range that can actually reach the outside network. Traffic from Docker's docker0 subnet has to go through NAT.
Check the iptables rules on the Docker host:

[root@localhost zj]# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-8c350fc074a7 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 172.17.0.2:9000

iptables has a rule for the docker0 bridge: when an outbound packet from 172.17.0.0/16 leaves through any interface other than docker0, it is handed to MASQUERADE. MASQUERADE replaces the packet's source address with the host's address before it is sent out, i.e. it performs network address translation (NAT).

Use tcpdump to watch how the address is translated. First look at the Docker host's routing table:

[root@localhost zj]# ip r
default via 10.100.103.1 dev enp2s0f0 proto static metric 100   # the default route leaves via enp2s0f0
10.100.103.0/24 dev enp2s0f0 proto kernel scope link src 10.100.103.33 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 
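The three things checked above (the MASQUERADE rule for the container subnet, a default route on the host, and IP forwarding) can be verified from a script. The following is an added example, not code from the original post: it parses the text of iptables -t nat -S, ip r and /proc/sys/net/ipv4/ip_forward passed in as strings, so it runs offline against the constructed samples embedded below, which copy the rules and routes shown above; the function names and the diagnose wrapper are my own.

```shell
# Feed live output to the checker with:
#   diagnose "$(iptables -t nat -S)" "$(ip r)" "$(cat /proc/sys/net/ipv4/ip_forward)" 172.17.0.0/16 docker0

# Is the exact rule Docker installs for <subnet> leaving via any interface other than <bridge> present?
check_masquerade() {
    printf '%s\n' "$1" | grep -qxF -- "-A POSTROUTING -s $2 ! -o $3 -j MASQUERADE"
}

# Does the host routing table (ip r output) contain a default route?
check_default_route() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# Is net.ipv4.ip_forward set to 1? Without it the host will not forward container packets at all.
check_ip_forward() {
    [ "$1" = "1" ]
}

# Run all three checks, print one line per check, and return the number of failed checks.
diagnose() {
    nat=$1; routes=$2; fwd=$3; subnet=$4; bridge=$5; fails=0
    if check_masquerade "$nat" "$subnet" "$bridge"; then echo "MASQUERADE rule for $subnet: ok"
    else echo "MASQUERADE rule for $subnet: MISSING (dockerd re-creates it on restart)"; fails=$((fails+1)); fi
    if check_default_route "$routes"; then echo "default route: ok"
    else echo "default route: MISSING"; fails=$((fails+1)); fi
    if check_ip_forward "$fwd"; then echo "net.ipv4.ip_forward: ok"
    else echo "net.ipv4.ip_forward: disabled"; fails=$((fails+1)); fi
    return $fails
}

# Constructed sample input: the NAT rules and routes as they appear in the post.
NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-8c350fc074a7 -j MASQUERADE'
ROUTES_OK='default via 10.100.103.1 dev enp2s0f0 proto static metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1'
# Constructed sample of a NAT table whose docker0 rule has been lost (e.g. after a rules flush).
NAT_FLUSHED='-P POSTROUTING ACCEPT'

if diagnose "$NAT_OK" "$ROUTES_OK" 1 172.17.0.0/16 docker0; then echo "container NAT path healthy"; fi
if ! diagnose "$NAT_FLUSHED" "$ROUTES_OK" 0 172.17.0.0/16 docker0; then echo "container NAT path broken"; fi
```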

Ping www.baidu.com from inside the container:

[root@035861c11658 /]# ping  www.baidu.com
PING www.a.shifen.com (39.156.66.18) 56(84) bytes of data.
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=1 ttl=51 time=15.0 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=2 ttl=51 time=14.9 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=3 ttl=51 time=14.9 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=4 ttl=51 time=14.8 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=5 ttl=51 time=14.9 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=6 ttl=51 time=14.8 ms
64 bytes from 39.156.66.18 (39.156.66.18): icmp_seq=7 ttl=51 time=14.8 ms

The container sends an ICMP echo request; docker0 receives it and hands it to MASQUERADE.

[root@localhost zj]# tcpdump -i docker0 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:23:45.058505 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 1, length 64
11:23:45.073530 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 1, length 64
11:23:46.059508 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 2, length 64
11:23:46.074424 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 2, length 64
11:23:47.061475 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 3, length 64
11:23:47.076384 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 3, length 64
11:23:48.063439 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 4, length 64
11:23:48.078316 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 4, length 64
11:23:49.065366 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 5, length 64
11:23:49.080305 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 5, length 64
11:23:50.067358 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 6, length 64
11:23:50.082217 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 6, length 64
11:23:51.069273 IP 172.17.0.3 > 39.156.66.18: ICMP echo request, id 173, seq 7, length 64
11:23:51.084146 IP 39.156.66.18 > 172.17.0.3: ICMP echo reply, id 173, seq 7, length 64

What happens:
  1. The container sends the ping packet: 172.17.0.3 > www.baidu.com
  2. docker0 receives the packet, sees that it is destined for the outside network, and hands it to NAT
  3. NAT rewrites the source address to the IP of enp2s0f0: 10.100.103.33 > www.baidu.com
  4. The ping packet leaves through enp2s0f0 and reaches www.baidu.com

After all that fiddling the container still could not ping out (the output shown above is what things look like once the outside connection works). Try restarting the Docker service... hmm, now it pings.

Using systemctl:
# reload the daemon
sudo systemctl daemon-reload
# restart the Docker service
sudo systemctl restart docker
# stop Docker
sudo systemctl stop docker

Using service:
# restart the Docker service
sudo service docker restart
# stop Docker
sudo service docker stop