使用 18.04 LTS。长话短说,我在 Linux 机器上使用 FreeIPA 作为登录服务,这意味着我需要 DNS 解析才能向 IPA 服务器进行身份验证。但是,我的 docker.socket 在 DNS 解析启动之前就启动了,当 docker.socket 尝试从 IPA 解析 docker“组”时,它无法解析,因为它正在查看 FreeIPA 服务器,如果没有 DNS 解析,它就无法解析,这导致 docker.socket 无法正常启动。至少到目前为止,这是我的理论。
我想强制启动我的 docker.socket systemd 服务后我的 DNS 解析已启动。
我的 docker.socket 和 docker.service 文件如下。我尝试将After=、Requires=和 的各种组合添加sssd.service到docker.socket文件以及docker.service和其他各种组合systemd-resolved.service以及其他各种网络服务/目标(例如NetworkManager.service,`network-online.target'),但似乎无法让它们中的任何一个正常工作。
有没有一种简单的方法可以解决我所缺少的这个问题?
2 月 6 日 14:11:00 aiml6 systemd[985]:docker.socket:无法解析组docker:连接被拒绝
docker.socket - Docker Socket for the API
Loaded: loaded (/lib/systemd/system/docker.socket; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Wed 2019-02-06 14:12:30 CST; 4min 53s ago
Listen: /var/run/docker.sock (Stream)
Feb 06 14:09:30 aiml6 systemd[1]: Starting Docker Socket for the API.
Feb 06 14:11:00 aiml6 systemd[1]: docker.socket: Starting timed out. Stopping.
Feb 06 14:11:00 aiml6 systemd[985]: docker.socket: Failed to resolve group docker: Connection refused
Feb 06 14:12:30 aiml6 systemd[1]: docker.socket: Stopping timed out (2). Killing.
Feb 06 14:12:30 aiml6 systemd[1]: docker.socket: Failed with result 'timeout'.
Feb 06 14:12:30 aiml6 systemd[1]: Failed to listen on Docker Socket for the API.
docker.service文件:
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd -H fd://
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this option.
TasksMax=infinity
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
[Install]
WantedBy=multi-user.target
docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
答案1
我也遇到了同样的问题,并且也使用了 FreeIPA。通过添加以下内容可以解决此问题:
After=network-online.target
Wants=network-online.target
到/lib/systemd/system/docker.socket文件([Unit]就像在文件中一样docker.service)
答案2
我在 Windows Server LDAP 上使用 Ubuntu 20.04.4 LTS 和 SSSD 身份验证,其中定义了我的“docker”组。
虽然这不是 DNS 故障,但我收到了完全相同的错误:
docker.socket: Failed to resolve group docker: Connection refused
我已经按照这个方法修复了这个问题https://github.com/docker/cli/issues/2710 为单元文件 /lib/systemd/system/docker.socket 定义一个 Override
sudo systemctl 编辑 docker.socket
[Unit]
After=nss-user-lookup.target
DefaultDependencies=no
答案3
以防其他人遇到同样的错误信息。我也收到了错误:docker.socket: Failed to resolve group docker。而我的解决方案发布在这个问题解决了错误:
sudo groupadd docker
sudo usermod -aG docker $USER
sudo systemctl enable docker
sudo systemctl start docker