我无法从容器内访问互联网,甚至无法访问本地网络(网络打印机)。例如,ping google.com 的 IP:
docker run --rm busybox ping -c 2 142.250.186.142
输出:
PING 142.250.186.142 (142.250.186.142): 56 data bytes
--- 142.250.186.142 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
使用--network=host,它可以工作:
docker run --rm --network=host busybox ping -c 2 142.250.186.142
主机是 Ubuntu 22.10。直到上周它才开始工作。我的同事使用 Windows 作为主机,可以 ping 通。
我试过:
- 重启docker
- 重启主机
- 卸载和从存储库重新安装 Docker。
更多细节:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.10
Release: 22.10
Codename: kinetic
$ docker info
Client:
Context: default
Debug Mode: false
Plugins:
app: Docker App (Docker Inc., v0.9.1-beta3)
buildx: Docker Buildx (Docker Inc., v0.9.1-docker)
compose: Docker Compose (Docker Inc., v2.12.2)
scan: Docker Scan (Docker Inc., v0.21.0)
Server:
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 1
Server Version: 20.10.21
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: a05d175400b1145e5e6a735a6710579d181e7fb0
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: default
cgroupns
Kernel Version: 5.19.0-26-generic
Operating System: Ubuntu 22.10
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.4GiB
Name: boris-ThinkPad-T480
ID: ZN24:57QW:KT4M:J5H6:BIHZ:BF6I:KDV2:EAM6:CESL:UWNE:43AL:LUAJ
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 24
Goroutines: 34
System Time: 2022-12-12T20:08:42.528459605+01:00
EventsListeners: 0
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
$ docker version
Client: Docker Engine - Community
Version: 20.10.21
API version: 1.41
Go version: go1.18.7
Git commit: baeda1f
Built: Tue Oct 25 18:01:58 2022
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.21
API version: 1.41 (minimum version 1.12)
Go version: go1.18.7
Git commit: 3056208
Built: Tue Oct 25 17:59:49 2022
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.12
GitCommit: a05d175400b1145e5e6a735a6710579d181e7fb0
runc:
Version: 1.1.4
GitCommit: v1.1.4-0-g5fd4c4d
docker-init:
Version: 0.19.0
GitCommit: de40ad0
$ cat /proc/sys/net/ipv4/ip_forward
1
$ iptables -Z && iptables -nvL > before.txt && docker run --rm busybox ping -c 3 142.250.186.142 > ping.txt && iptables -nvL > after.txt && cat before.txt && cat ping.txt && diff before.txt after.txt
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_FWI (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWO (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_INP (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain LIBVIRT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
PING 142.250.186.142 (142.250.186.142): 56 data bytes
--- 142.250.186.142 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
1c1
< Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
---
> Chain INPUT (policy ACCEPT 220 packets, 56220 bytes)
3c3
< 0 0 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 220 56220 LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
5c5
< Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
---
> Chain FORWARD (policy ACCEPT 3 packets, 252 bytes)
7,8c7,8
< 0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
< 0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 6 504 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
> 6 504 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
11c11
< 0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
---
> 3 252 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
13,15c13,15
< 0 0 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
< 0 0 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
< 0 0 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 3 252 LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0
> 3 252 LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0
> 3 252 LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0
17c17
< Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
---
> Chain OUTPUT (policy ACCEPT 267 packets, 34045 bytes)
19c19
< 0 0 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 267 34045 LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0
26,27c26,27
< 0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
< 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 3 252 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
> 6 504 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
32c32
< 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 3 252 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
36c36
< 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
---
> 6 504 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
$ sudo iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
129 46233 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6 504 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
18336 2849K LIBVIRT_PRT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
Chain LIBVIRT_PRT (1 references)
pkts bytes target prot opt in out source destination
29 2852 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
2 120 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
6 3810 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
2 64 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
答案1
我遇到了这个问题,原来是当网络设置为主机时,Docker + iptables 发生冲突。主机可能正在使用较新的,nftables而 Docker 仍可能使用iptables-legacy。这GitHub 问题问题来解释这个问题。另外,我们的设置是 Docker-in-Docker,容器内的容器没有互联网。
验证您是否有此问题
在容器中运行以下命令来验证是否是这种情况:
ping google.com # Should fail since your container will have no internet
iptables -L
iptables-legacy -L
如果命令输出中没有出现 Docker 规则iptables -L,则存在冲突,我们需要解决它。
解决方案
使用update-alternatives切换到iptables-legacy也可用于你的发行版:https://wiki.debian.org/iptables#Current_status
更改后请务必重新启动 Dockeriptables-legacy以完成此工作,
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
替代技巧
如果您在构建 Docker-in-Docker 容器时遇到此问题,那么一个简单的解决方法是使用 进行构建
--network=host。Bash解决冲突的方案:https://github.com/garutilorenzo/iptables-docker如果什么都不起作用。还没有尝试过,请告诉我这是否对你有用。
答案2
如果您可以使用主机的网络堆栈(--network = host)访问网络,但没有它就无法访问,则意味着容器网络堆栈配置不正确(IP 地址,默认网关......)
防火墙也可能存在问题,导致容器无法访问网络。
您可以使用以下命令检查容器的网络配置:
docker inspect <your_container>
您还可以使用以下方式查看所有活动网络的列表
docker network ls
可以洞察是否存在任何与网络相关的问题,阻止容器访问互联网
答案3
我遇到了同样的问题,并通过禁用 IPv6 解决了该问题。这可以通过 sysctl 完成。
- 将以下内容添加到
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
- 使用以下方式应用更改
sudo sysctl -p
答案4
我在 Ubuntu 22.04 LTS 上遇到了同样的问题。我的机器上通过 docker compose 启动的容器没有出站连接。
我注意到,与容器通过“docker run”连接到的默认“bridge”网络相比,通过“docker compose”创建的docker网络没有启用任何选项。
例如,运行“docker network inspect bridge”显示以下选项。
<<snipped>>
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
<snipped>>
我能够通过明确创建一个网络并在 docker-compose 文件中设置相同的选项来修复“docker compose”创建的网络。
version: '3'
services:
busybox:
hostname: busybox
image: "busybox:latest"
restart: always
command: sh -c "while true; do date; sleep 60; done"
links:
- influxdb2
networks:
- default
# "docker compose" on my ubuntu 20.04 seems to not declare default options.
# This is needed... unclear why
networks:
default:
driver: bridge
driver_opts:
com.docker.network.driver.mtu: "1450"
com.docker.network.bridge.default_bridge: "true"
com.docker.network.bridge.enable_icc: "true"
com.docker.network.bridge.enable_ip_masquerade: "true"
com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
com.docker.network.bridge.name: "docker0"
com.docker.network.driver.mtu: "1500"
从那里,我可以做:
docker compose up -d
docker compose exec -it busybox ping google.com