This is the first time I am using Docker on CentOS.
When I deployed two containers I found that I had routing problems to the Internet, and then I found that I could not even get them to talk to each other (although they are on the default bridge network).
This is what happens in one container:
/ # ip a | grep 172
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
/ # ping 172.17.0.3
PING 172.17.0.3 (172.2.0.3): 56 data bytes
^C
--- 172.17.0.3 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
On the other side, the same behaviour:
/ # ip a | grep 172
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
/ # ping 172.17.0.2
PING 172.17.0.2 (172.2.0.2): 56 data bytes
^C
--- 172.2.0.2 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
They are in the same network:
$ docker inspect 91767dd3adfa | grep -i networkid
"NetworkID": "d36d28507f9cc3f6c40437330af3778c117d303e106de0b3b43ad7919d2791c7",
$ docker inspect a393490d8d02 | grep -i networkid
"NetworkID": "d36d28507f9cc3f6c40437330af3778c117d303e106de0b3b43ad7919d2791c7",
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
d36d28507f9c bridge bridge local
f32f4c8d6187 host host local
5693790b1713 none null local
Why does this happen? I have used Docker on Ubuntu and macOS and it runs seamlessly.
I found the solution.
Enable the firewall to allow connections in and out of the docker0 network.
This is done with the following commands:
iptables -I INPUT -s <network> -i docker0 -m comment --comment "00015 input on docker0" -j ACCEPT
# accept any packet coming from the network on the docker0 interface
iptables -I FORWARD -m comment --comment "00010 conntrack on forward" -m state --state RELATED,ESTABLISHED -j ACCEPT
# keep any 'session' or link so that answer packets can return from eth0 to docker0. Tightly tied to the existence of a 'nat' rule, otherwise this entry has no effect
iptables -I FORWARD -s <network> -i docker0 -o eth0 -m comment --comment "00011 forward to eth0 from docker0" -j ACCEPT
# forward packets from docker0 to eth0
iptables -t nat -I POSTROUTING -s <network> -o eth0 -m comment --comment "00013 masquerade on eth0 from docker0" -j MASQUERADE
# create the nat so that any packet leaving the host can come back using the host's ip and then the container's ip
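Run by hand, the commands above stack a duplicate rule every time they are repeated. The script below is an added example (not part of the answer) that applies the same rules idempotently by checking with `iptables -C` before inserting, takes the bridge subnet and outbound interface as parameters, and additionally accepts container-to-container traffic on docker0 (`-i docker0 -o docker0`), which the FORWARD rules in the answer do not cover; the `IPTABLES` variable and the `add_rule` helper are my own names.

```shell
#!/bin/sh
# Added example: apply the docker0 firewall rules from the answer without
# creating duplicates on re-runs. Needs root. IPTABLES (assumed variable
# name) can be overridden to route the calls through a wrapper.
: "${IPTABLES:=iptables}"

# add_rule TABLE CHAIN RULE...
# Insert RULE at the top of CHAIN only if an identical rule is not already
# present (iptables -C exits 0 when the rule exists).
add_rule() {
    table=$1; chain=$2; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" -I "$chain" "$@"
}

# apply_docker0_rules NETWORK [WAN_IF]
# NETWORK is the bridge subnet (172.17.0.0/16 for the default bridge in the
# question); WAN_IF is the host's outbound interface (eth0 as in the answer).
apply_docker0_rules() {
    net=$1; wan=${2:-eth0}
    # host accepts packets arriving from containers on docker0
    add_rule filter INPUT -s "$net" -i docker0 \
        -m comment --comment "00015 input on docker0" -j ACCEPT
    # let replies to forwarded flows (WAN_IF -> docker0) back in
    add_rule filter FORWARD -m state --state RELATED,ESTABLISHED \
        -m comment --comment "00010 conntrack on forward" -j ACCEPT
    # containers -> Internet
    add_rule filter FORWARD -s "$net" -i docker0 -o "$wan" \
        -m comment --comment "00011 forward to $wan from docker0" -j ACCEPT
    # container <-> container on the same bridge (not in the answer; bridged
    # traffic also traverses FORWARD when bridge-nf-call-iptables is on)
    add_rule filter FORWARD -i docker0 -o docker0 \
        -m comment --comment "00012 docker0 to docker0" -j ACCEPT
    # source NAT so replies come back to the host and then to the container
    add_rule nat POSTROUTING -s "$net" -o "$wan" \
        -m comment --comment "00013 masquerade on $wan from docker0" -j MASQUERADE
}

# Usage: sh docker0-rules.sh 172.17.0.0/16 [eth0]
if [ $# -gt 0 ]; then
    apply_docker0_rules "$@"
fi
```

Running it a second time changes nothing, which is the point of the `-C` check.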