Networking problems in VirtualBox guest VMs

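I cannot reach the Internet from my VirtualBox VMs (Windows 7 and Debian Linux). I need to troubleshoot this so I can get these VMs working again.

I have a Debian laptop host that used to run VMware VMs and now runs VirtualBox VMs, without any difficulty. Most of my VMs are set up with bridged networking through the laptop's Wi-Fi card, and my home router hands out DHCP addresses to the laptop and its VMs.

I have also been using Docker and Docker Compose lately without any problems. I have a docker0 bridge, but my laptop's network manager also shows br-xxxxxxxxxxxx bridges and other bridges I am not familiar with, and I have noticed that I get more and more of them every time I create or even just start a Docker container.

In any case, I have been able to use bridged networking in my VirtualBox guests to connect from the host laptop to the guest VMs over SSH, HTTP and so on, and vice versa, and to reach the Internet from both the laptop and the guest VMs, at least as far as pinging Google's 8.8.8.8.

I am not sure whether this is the cause, but it is certainly something different: last weekend I put together a docker-compose.yaml file cobbled from other sources, and it includes the following, which I had never used in any docker-compose.yaml before: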

networks:
   default:
      driver: bridge

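Of all my Docker Compose files, this is the only one with networks.

When I first brought this one up with docker-compose up, I am sure I saw different bubbles in the network manager's notification area, but I cannot be certain.

Normally, as I recall, I get the extra bridges, and days or weeks later I delete them by hand through Edit Connections as those surplus bridges get old.

Anyway, I did not pay much attention to the extra bubbles, and my containers had no problems. I exposed ports and was able to browse to them at http://localhost:nnnn as usual, and I thought nothing more of it.

Today, for the first time in a week or two, I started one of my VirtualBox VMs, a Windows 7 guest. Once it was up, I realized I could not connect to the Internet. I opened a command prompt and found that I could not even ping 8.8.8.8, and ipconfig reported no IP address.

I tried one of my Debian VMs. Same thing: I could not ping 8.8.8.8, and /sbin/ifconfig eth0 reported no IP address.

The host laptop is perfectly happy with its private IP address, and I am using it to visit http://superuser.com to post this question.

What should I do next to fix this?

Edit: I am not quite sure what I did, but I managed to get my VMs to obtain IP addresses and connect to the Internet.

First, it took me a while to type all of the above, so I do not know whether I simply needed to wait a while. That seems silly, and I have never had to do that before.

I remember restarting the Docker daemon on the host before that (sudo /etc/init.d/docker restart), but I did not see any obvious change afterwards.

Before that, I rebooted the laptop. I remember that when it came back up I started a VM, but Internet connectivity in the VM still did not work.

Before the reboot, I did a few silly little things such as ifdown/ifup and ipconfig /release, ipconfig /renew, and then I started deleting those bridges I mentioned in the network manager, but this time I deleted all of them, even the current ones and the docker0 bridge. At the time, that did not seem to make any difference.

I also shut down and started the VMs in no particular order.

That's it.

Update (2018/3/15): Things are worse now; my VMs have a hard time getting IP addresses, and now I cannot ping 8.8.8.8 from inside a VM at all. This happens with both VirtualBox VMs and VMware VMs.

Docker containers can reach the Internet without any difficulty.

With one of the Debian VMs running, these are the bridges on my host laptop: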

# brctl show
bridge name bridge id       STP enabled interfaces
br-993886a09e53     8000.02424635b59c   no      
br-9d3771956e43     8000.0242c5e9afa6   no      
br-ce4e98cb7458     8000.0242561fb6fc   no      
br-ef846b86506c     8000.0242982b55d7   no      
br-fd2186a1e375     8000.02426f4ae98a   no      
docker0     8000.024258c6aaa0   no

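The VM's network settings show that its Adapter 1 is Attached to: Bridged Adapter, Name: wlan0. Promiscuous Mode is set to Deny, and Cable Connected is checked.

These are the devices I have: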

# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 24:b6:fd:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether c0:18:85:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:50:56:xx:xx:xx brd ff:ff:ff:ff:ff:ff
5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 00:50:56:xx:xx:xx brd ff:ff:ff:ff:ff:ff
6: br-ef846b86506c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:98:xx:xx:xx brd ff:ff:ff:ff:ff:ff
7: br-fd2186a1e375: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:6f:xx:xx:xx brd ff:ff:ff:ff:ff:ff
8: br-993886a09e53: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:46:xx:xx:xx brd ff:ff:ff:ff:ff:ff
9: br-9d3771956e43: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:c5:xx:xx:xx brd ff:ff:ff:ff:ff:ff
10: br-ce4e98cb7458: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:56:xx:xx:xx brd ff:ff:ff:ff:ff:ff
11: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:58:xx:xx:xx brd ff:ff:ff:ff:ff:ff
12: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 0a:00:27:xx:xx:xx brd ff:ff:ff:ff:ff:ff
13: vboxnet1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 0a:00:27:xx:xx:xx brd ff:ff:ff:ff:ff:ff

These are my firewall rules. The list was much shorter before I tried installing ufw and gufw, running gufw, enabling it, and then disabling it.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain DOCKER (6 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         

I tried creating /etc/sysctl.d/bridge.conf with the following contents:

# Reference: https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

and then ran sysctl -p

I tried running Wireshark and tcpdump on the host laptop and watched what happened when I ran dhclient eth0 inside the VM:

# tcpdump -ni wlan0 port 67
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:03:45.275713 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.275788 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.418183 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.418277 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:49.220658 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:49.220749 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:51.953865 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:51.953936 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.275713 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.275788 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.418183 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:45.418277 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:49.220658 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:49.220749 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:51.953865 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:03:51.953936 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:04:04.084840 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:04:04.084909 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:04:16.898585 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:04:16.898688 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:04:26.201038 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300
19:04:26.201150 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:xx:xx:xx, length 300

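If I did everything correctly, this tells me that traffic is leaving the bridge but cannot get back in, so this is an ingress problem?

I also noticed today that another laptop on the same home network cannot SSH into this laptop; I am not sure whether that is related.

I can connect to it over SSH from the laptop itself: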

$ ssh user@localhost
$ ssh [email protected]

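However, if I try to connect from the other laptop with WinSCP, it appears to time out. Wireshark shows a complete absence of activity coming into this laptop from the other one.

That laptop could connect about six weeks ago.

I checked the router's configuration and nothing seemed out of the ordinary.

Likewise, I tried connecting over SSH from an Android phone using the ConnectBot app. That used to work too, but now I see the following in the ConnectBot output: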

Connecting to 192.168.1.8:22 via ssh

Connection Lost
recvfrom failed: ECONNRESET (Connection reset by peer)
recvfrom failed: ECONNRESET (Connection reset by peer)

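Answer 1

While I do not think I can give you a definitive answer based on the data provided, I can offer some steps that generally help with troubleshooting this kind of problem.

First, if the problem happens again and you are using regular Linux bridging, you can use brctl show to get a list of bridges and attached devices, like this: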

$ brctl show
bridge name bridge id       STP enabled interfaces
bridge0     8000.fc4ee55116da   no      eno1
                                        vnet0
                                        vnet1
docker0     8000.0242e112327f   no      vethb4eb5fc
virbr0      8000.5254004579e4   yes     virbr0-nic

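In the above, bridge0 has my Ethernet card and two VMs, each with one interface. I also run Docker and have a docker bridge, and there is a NAT'd libvirt network that spawns virtio as a bridge (but I don't have any VMs using it right now). I think if your bridge were having problems, devices might be disconnected or not show up under the bridge. You can use ip link show to see which devices exist.

If all of that looks fine, it may be that a firewall/netfilter is blocking the bridged traffic. You can read more about this here, on Libvirt's documentation page (I know you are using VirtualBox, but this applies to bridges in general, not just to any one virtualization mechanism).

Finally, you may want to see whether traffic is reaching the VM. You can use tcpdump for this, though the traffic can be hard to interpret if you are not familiar with networking. Just pick an interface and tap it; I suggest tapping the bridge to see whether you can see DHCP traffic from the VM. The steps are:

  1. On the VM, run dhclient eth0 or the appropriate process to try to obtain an IP address from the DHCP server.

  2. On the host, tap the bridge and check for DHCP traffic (UDP port 67).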

    $ sudo tcpdump -ni bridge0 port 67
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes
    
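  3. If you see traffic going by with the VM's MAC address, then traffic is leaving the bridge but may not be getting back in, which means we have an ingress problem. If you do not see any traffic, tap the vnet device in the same way as the bridge itself and see whether you see DHCP traffic there; if you do, then traffic is not leaving the bridge, which means we have a problem on the egress side. Either case may require looking at firewall rules/sysctls/netfilter.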
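
The decision in step 3, applied to saved tcpdump text, as an added example that is not part of the original answer. The function names, the sample MAC and the sample addresses are constructed for illustration; the "ok" verdict (a server reply is visible on the bridge) goes one case beyond what the step spells out.

```python
import re

# Non-verbose tcpdump BOOTP/DHCP line, in the format shown in the captures above.
DHCP_LINE = re.compile(
    r"IP \S+\.(?P<sport>\d+) > \S+\.\d+: BOOTP/DHCP, "
    r"(?P<kind>Request|Reply)(?: from (?P<mac>[0-9A-Fa-f:]{17}))?"
)

def summarize(capture, vm_mac):
    """Count DHCP requests sent by vm_mac and server replies in tcpdump text."""
    requests = replies = 0
    for line in capture.splitlines():
        m = DHCP_LINE.search(line)
        if m is None:
            continue  # tcpdump banner or unrelated packet
        if m["kind"] == "Request" and (m["mac"] or "").lower() == vm_mac.lower():
            requests += 1
        elif m["kind"] == "Reply" and m["sport"] == "67":
            # Without -e the reply line carries no client MAC, so on a busy
            # segment a reply may belong to another client.
            replies += 1
    return requests, replies

def diagnose(bridge_capture, vnet_capture, vm_mac):
    """Apply the step 3 decision to captures from the bridge and the vnet device."""
    bridge_req, bridge_rep = summarize(bridge_capture, vm_mac)
    vnet_req, _ = summarize(vnet_capture, vm_mac)
    if bridge_req and bridge_rep:
        return "ok"         # requests leave and a server answers
    if bridge_req:
        return "ingress"    # requests leave the bridge, nothing comes back
    if vnet_req:
        return "egress"     # requests reach the vnet device but not the bridge
    return "no-requests"    # the VM is not sending DHCP at all

# Constructed sample data (MAC and addresses are made up for this example).
VM_MAC = "00:0c:29:aa:bb:cc"
REQ = ("19:03:45.275713 IP 0.0.0.0.68 > 255.255.255.255.67: "
       "BOOTP/DHCP, Request from 00:0c:29:aa:bb:cc, length 300")
REP = ("19:03:45.301122 IP 192.168.1.1.67 > 192.168.1.50.68: "
       "BOOTP/DHCP, Reply, length 300")
BANNER = "listening on bridge0, link-type EN10MB (Ethernet), capture size 262144 bytes"

if __name__ == "__main__":
    print(diagnose(BANNER + "\n" + REQ + "\n" + REQ, REQ, VM_MAC))
```

Because server replies leave from port 67, a capture filtered with port 67 shows both directions, so a capture containing only Request lines means no reply reached that interface.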

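Answer 2

Rebooting the home router fixed both problems. After the router rebooted, the remote laptop was able to SSH into my Debian laptop, and Internet and LAN access from my VMs worked properly again.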
