Docker blocks incoming connections

I have deployed a simple Flask server in a docker container. The application accepts connections on port 7005, and I have exposed port 7005 on docker. I can see that docker is actively blocking the connection, but I can't figure out why.

I have tried adding an ACCEPT for port 7005 to the DOCKER-USER chain; changing the policy for all of FORWARD to ACCEPT; disabling ufw - but the Flask app still cannot be reached.

Docker run log:

sudo docker run --gpus all -p 7005:7005 simplify:1.0

 * Serving Flask app 'app' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:7005/ (Press CTRL+C to quit)

tshark capture:

sudo tshark  'tcp port 7005'
Running as user "root" and group "root". This could be dangerous.
Capturing on 'docker0'
    1 0.000000000   172.17.0.1 → 172.17.0.2   TCP 74 43230 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584425 TSecr=0 WS=128
    2 0.000052241   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43230 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    3 0.003889881   172.17.0.1 → 172.17.0.2   TCP 74 43234 → 7005 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=153584429 TSecr=0 WS=128
    4 0.003934021   172.17.0.2 → 172.17.0.1   TCP 54 7005 → 43234 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
^C4 packets captured

iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Running on http://127.0.0.1:7005/ (Press CTRL+C to quit)

You have bound the server to localhost inside the container.

You need to bind it to 0.0.0.0:7005 inside the container so that it can be published with -p.
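As an added illustration (not part of the question or the answer, and not Flask's own code): the Flask fix itself is simply app.run(host="0.0.0.0", port=7005), but the stdlib check below shows why the original binding fails. A TCP listener bound to 127.0.0.1 only answers packets addressed to exactly 127.0.0.1; a SYN arriving for any other local address (172.17.0.2 in the capture above) is met with RST, which is what tshark recorded. A listener bound to 0.0.0.0 accepts on every address. The helper names reachable_from and other_address are mine; the fallback address 127.0.0.2 is an assumption that relies on Linux routing the whole 127.0.0.0/8 block to lo.

```python
import socket
import threading

LOOPBACK = "127.0.0.1"
ANY = "0.0.0.0"


def other_address() -> str:
    """Return an address of this host that is NOT 127.0.0.1.

    Preferred: the source address the kernel would choose for an outbound
    packet (a UDP connect() sends nothing on the wire). Fallback, an
    assumption for Linux: 127.0.0.2, which lo also serves because all of
    127.0.0.0/8 is loopback. Either way it plays the role of 172.17.0.2
    in the question: an address that is local but is not 127.0.0.1.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(("10.255.255.255", 1))  # route lookup only, no packet sent
            addr = s.getsockname()[0]
            if not addr.startswith("127."):
                return addr
    except OSError:
        pass  # no usable route (offline sandbox): use the loopback fallback
    return "127.0.0.2"


def _accept_one(srv: socket.socket) -> None:
    """Server side: accept a single connection (or time out) and close it."""
    try:
        conn, _ = srv.accept()
        conn.close()
    except OSError:
        pass  # accept timed out: the client never reached us


def reachable_from(bind_host: str, connect_host: str) -> bool:
    """Bind a TCP listener to bind_host on an ephemeral port, then connect to
    it through connect_host. True if the handshake completes, False if the
    kernel refuses it (the RST seen in the tshark capture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    srv.settimeout(1.0)
    t = threading.Thread(target=_accept_one, args=(srv,), daemon=True)
    t.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(1.0)
    try:
        cli.connect((connect_host, port))
        return True
    except OSError:
        return False  # ConnectionRefusedError: nothing listens on that address
    finally:
        cli.close()
        t.join()
        srv.close()


if __name__ == "__main__":
    other = other_address()
    for bind_host in (LOOPBACK, ANY):
        for via in (LOOPBACK, other):
            ok = reachable_from(bind_host, via)
            print(f"bound to {bind_host:9} reached via {via:15} -> "
                  f"{'accepted' if ok else 'refused'}")
```

Binding to 0.0.0.0 inside the container is not the same as exposing the service to the world: the container's network namespace is the only thing -p maps into, and the host side of the mapping decides the exposure. If the app should only be reachable from the host itself, publish it as -p 127.0.0.1:7005:7005 rather than the bare -p 7005:7005, which listens on every host interface.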