Docker 容器只能通过 --net=host 访问互联网
Docker container can only access internet with --net=host
今天使用他们的安装指南安装了 docker 1.10.1。但是,除非我在 docker run 命令中使用 --net=host,否则我的 none 个容器可以访问互联网。我尝试了这些帖子中的各种解决方法:
- http://odino.org/cannot-connect-to-the-internet-from-your-docker-containers/
- My docker container has no internet
- I can't get Docker containers to access the internet?
- Docker container cannot access internet
到目前为止,除了将 --net=host 添加到 运行 命令外,没有任何效果,但我无法从 Dockerfile 构建图像,因为我无法将 --net=host 与build 命令。
我 运行 docker network inspect bridge 检查 docker 网桥的设置,发现它使用(几乎)与我的工作 VPN 相同的子网和网关。这会导致问题吗?这也可以解释为什么当我连接到我的工作 VPN 时,有些网站没有加载。
这是 docker network inspect bridge 的结果:
[
{
"Name": "bridge",
"Id": "6d603ebd1c437d0d1f02be8406cf362f7f36d33168e42b9883891bae99834fa9",
"Scope": "local",
"Driver": "bridge",
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
}
}
]
这是 ifconfig:
docker0 Link encap:Ethernet HWaddr 02:42:9a:29:4a:c2
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:9aff:fe29:4ac2/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:36 errors:0 dropped:0 overruns:0 frame:0
TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2080 (2.0 KB) TX bytes:8498 (8.4 KB)
enx00e09f0004bd Link encap:Ethernet HWaddr 00:e0:9f:00:04:bd
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70948 errors:0 dropped:1 overruns:0 frame:0
TX packets:14839 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14270948 (14.2 MB) TX bytes:3460691 (3.4 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3407 errors:0 dropped:0 overruns:0 frame:0
TX packets:3407 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:326405 (326.4 KB) TX bytes:326405 (326.4 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.17.62.55 P-t-P:172.17.62.55 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1406 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1773 (1.7 KB) TX bytes:1466 (1.4 KB)
wlp6s0 Link encap:Ethernet HWaddr cc:3d:82:1a:1e:1d
inet addr:10.250.9.73 Bcast:10.250.9.255 Mask:255.255.254.0
inet6 addr: fe80::ce3d:82ff:fe1a:1e1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4381 errors:0 dropped:0 overruns:0 frame:0
TX packets:4398 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2246805 (2.2 MB) TX bytes:835572 (835.5 KB)
I can't build images from a Dockerfile because I can't use --net=host with the build command
这是 docker 守护程序的工作,以便在构建时能够访问 Internet。
您可以通过传递构建时参数来帮助它
docker build --build-arg HTTP_PROXY=http://...
也就是说,如果您在代理后面。
如果你不是,check your DNS settings(这个问题在 boot2docker 的上下文中,这可能与你无关,但它仍然可以提供一些关于要检查的内容的线索)。
这里是 another example of DNS issue.
OP wheeler confirms a dns-related issue :
I had to disable dnsmasq in NetworkManager, not quite sure why it was affecting docker, but DNS resolution started working inside containers when I disabled dnsmasq.
这是一个解决方法seen before here:
- Disable dnsmasq by commenting it out the "
dns=dnsmasq" line in /etc/NetworkManager/NetworkManager.conf and restarting the network-manager and docker.io services (sudo service network-manager restart && sudo service docker.io restart).
- Alternatively enable the commented out
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4" line in /etc/default/docker.io (and also restart the docker.io service).
后一种解决方法当然需要 8.8.8.8 / 8.8.4.4 服务器可以从您的网络访问。
OP 添加:
This solution worked to some extent until I used my VPN to work from home, and the subnet of the docker bridge was colliding with my VPN subnet.
他推荐“Set the ip of the Docker bridge with Systemd”
/etc/systemd/system/docker.service.d/docker.conf should contain this:
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --bip=192.168.169.1/24
并且:
systemctl stop docker
# We need a program called brctl to, well, control the bridge, which is part of the bridge-utils package.
sudo apt-get install bridge-utils
#Bring down the docker0 interface:
sudo ip link set docker0 down
# And delete the bridge.
sudo brctl delbr docker0
# Finally, start the Docker daemon
systemctl start docker
我在 Ubuntu 16.04 遇到了这个问题
Here is the fix for this by editing the NetworkManager.conf
sudo nano /etc/NetworkManager/NetworkManager.conf
注释掉 dns=dnsmasq 然后重启 NetworkManager
sudo service network-manager restart
完成!
在 RHEL、CentOS 或 Fedora 上,在 Docker 主机(例如:/usr/lib/systemd/network/80-container-host0.network)的 /usr/lib/systemd/network/ 中编辑 <interface>.network 文件,并在其中添加以下块[网络] 部分。
[Network]
...
IPForward=true
在我的例子中,我将 IPForward=ipv4 添加到 /etc/systemd/network/XX-eth0.network 并解决了问题
注意
sysctl -w net.ipv4.ip_forward=1
没有为我解决这个问题,只有更改主机上的网络接口才有结果
https://docs.docker.com/engine/install/linux-postinstall/#ip-forwarding-problems
对我来说,问题是 QEMU 安装扰乱了到主机的桥接,这可能与 this issue。
为了解决这个问题,我删除了 QEMU 和 libvirt:
sudo apt-get purge qemu qemu-block-extra qemu-slof qemu-system qemu-system-arm qemu-system-common qemu-system-mips qemu-system-misc qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-binfmt qemu-utils libvirt-bin libvirt-daemon libvirt0:amd64.
今天使用他们的安装指南安装了 docker 1.10.1。但是,除非我在 docker run 命令中使用 --net=host,否则我的 none 个容器可以访问互联网。我尝试了这些帖子中的各种解决方法:
- http://odino.org/cannot-connect-to-the-internet-from-your-docker-containers/
- My docker container has no internet
- I can't get Docker containers to access the internet?
- Docker container cannot access internet
到目前为止,除了将 --net=host 添加到 运行 命令外,没有任何效果,但我无法从 Dockerfile 构建图像,因为我无法将 --net=host 与build 命令。
我 运行 docker network inspect bridge 检查 docker 网桥的设置,发现它使用(几乎)与我的工作 VPN 相同的子网和网关。这会导致问题吗?这也可以解释为什么当我连接到我的工作 VPN 时,有些网站没有加载。
这是 docker network inspect bridge 的结果:
[
{
"Name": "bridge",
"Id": "6d603ebd1c437d0d1f02be8406cf362f7f36d33168e42b9883891bae99834fa9",
"Scope": "local",
"Driver": "bridge",
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
}
}
]
这是 ifconfig:
docker0 Link encap:Ethernet HWaddr 02:42:9a:29:4a:c2
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:9aff:fe29:4ac2/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:36 errors:0 dropped:0 overruns:0 frame:0
TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2080 (2.0 KB) TX bytes:8498 (8.4 KB)
enx00e09f0004bd Link encap:Ethernet HWaddr 00:e0:9f:00:04:bd
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70948 errors:0 dropped:1 overruns:0 frame:0
TX packets:14839 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14270948 (14.2 MB) TX bytes:3460691 (3.4 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3407 errors:0 dropped:0 overruns:0 frame:0
TX packets:3407 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:326405 (326.4 KB) TX bytes:326405 (326.4 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.17.62.55 P-t-P:172.17.62.55 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1406 Metric:1
RX packets:18 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1773 (1.7 KB) TX bytes:1466 (1.4 KB)
wlp6s0 Link encap:Ethernet HWaddr cc:3d:82:1a:1e:1d
inet addr:10.250.9.73 Bcast:10.250.9.255 Mask:255.255.254.0
inet6 addr: fe80::ce3d:82ff:fe1a:1e1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4381 errors:0 dropped:0 overruns:0 frame:0
TX packets:4398 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2246805 (2.2 MB) TX bytes:835572 (835.5 KB)
I can't build images from a Dockerfile because I can't use --net=host with the build command
这是 docker 守护程序的工作,以便在构建时能够访问 Internet。
您可以通过传递构建时参数来帮助它
docker build --build-arg HTTP_PROXY=http://...
也就是说,如果您在代理后面。
如果你不是,check your DNS settings(这个问题在 boot2docker 的上下文中,这可能与你无关,但它仍然可以提供一些关于要检查的内容的线索)。
这里是 another example of DNS issue.
OP wheeler confirms a dns-related issue
I had to disable
dnsmasqinNetworkManager, not quite sure why it was affecting docker, but DNS resolution started working inside containers when I disabled dnsmasq.
这是一个解决方法seen before here:
- Disable dnsmasq by commenting it out the "
dns=dnsmasq" line in/etc/NetworkManager/NetworkManager.confand restarting the network-manager and docker.io services (sudo service network-manager restart && sudo service docker.io restart).- Alternatively enable the commented out
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"line in/etc/default/docker.io(and also restart the docker.io service).
后一种解决方法当然需要 8.8.8.8 / 8.8.4.4 服务器可以从您的网络访问。
OP 添加:
This solution worked to some extent until I used my VPN to work from home, and the subnet of the docker bridge was colliding with my VPN subnet.
他推荐“Set the ip of the Docker bridge with Systemd”
/etc/systemd/system/docker.service.d/docker.confshould contain this:
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --bip=192.168.169.1/24
并且:
systemctl stop docker
# We need a program called brctl to, well, control the bridge, which is part of the bridge-utils package.
sudo apt-get install bridge-utils
#Bring down the docker0 interface:
sudo ip link set docker0 down
# And delete the bridge.
sudo brctl delbr docker0
# Finally, start the Docker daemon
systemctl start docker
我在 Ubuntu 16.04 遇到了这个问题 Here is the fix for this by editing the NetworkManager.conf
sudo nano /etc/NetworkManager/NetworkManager.conf
注释掉 dns=dnsmasq 然后重启 NetworkManager
sudo service network-manager restart
完成!
在 RHEL、CentOS 或 Fedora 上,在 Docker 主机(例如:/usr/lib/systemd/network/80-container-host0.network)的 /usr/lib/systemd/network/ 中编辑 <interface>.network 文件,并在其中添加以下块[网络] 部分。
[Network]
...
IPForward=true
在我的例子中,我将 IPForward=ipv4 添加到 /etc/systemd/network/XX-eth0.network 并解决了问题
注意
sysctl -w net.ipv4.ip_forward=1
没有为我解决这个问题,只有更改主机上的网络接口才有结果
https://docs.docker.com/engine/install/linux-postinstall/#ip-forwarding-problems
对我来说,问题是 QEMU 安装扰乱了到主机的桥接,这可能与 this issue。
为了解决这个问题,我删除了 QEMU 和 libvirt:
sudo apt-get purge qemu qemu-block-extra qemu-slof qemu-system qemu-system-arm qemu-system-common qemu-system-mips qemu-system-misc qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-binfmt qemu-utils libvirt-bin libvirt-daemon libvirt0:amd64.