Container


Hope you are doing well.

For two days I have been struggling with a connectivity issue between the host system and the containers. It seems I am randomly losing packets (47 out of 100) in "transit" to the container.

I can see the packets "leave" the host interface docker0, but sometimes they never arrive at the container. This is reproducible regardless of the image used (different software, not just different versions).

I would really appreciate any pointers, as I am currently clueless. Thanks for your time!

Container

tcpdump host 172.17.0.6 and icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:34:22.406364 IP 172.17.0.1 > files.local: ICMP echo request, id 19794, seq 1, length 64
13:34:22.406397 IP files.local > 172.17.0.1: ICMP echo reply, id 19794, seq 1, length 64
>> missing seq# 2 <<
13:34:24.451683 IP 172.17.0.1 > files.local: ICMP echo request, id 19794, seq 3, length 64
13:34:24.451721 IP files.local > 172.17.0.1: ICMP echo reply, id 19794, seq 3, length 64
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

Host

Debian GNU/Linux 10 (buster)
Kernel 4.19.0-10-amd64 (Debian 4.19.132-1)
Docker version 19.03.12, build 48a66213fe

ping 172.17.0.6 -c 3

PING 172.17.0.6 (172.17.0.6) 56(84) bytes of data.
64 bytes from 172.17.0.6: icmp_seq=1 ttl=64 time=0.111 ms
>> missing seq# 2 <<
64 bytes from 172.17.0.6: icmp_seq=3 ttl=64 time=0.097 ms

--- 172.17.0.6 ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 47ms
rtt min/avg/max/mdev = 0.097/0.104/0.111/0.007 ms

tcpdump -i docker0 host 172.17.0.6 and icmp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:34:22.406332 IP 172.17.0.1 > 172.17.0.6: ICMP echo request, id 19794, seq 1, length 64
15:34:22.406401 IP 172.17.0.6 > 172.17.0.1: ICMP echo reply, id 19794, seq 1, length 64
15:34:23.427549 IP 172.17.0.1 > 172.17.0.6: ICMP echo request, id 19794, seq 2, length 64
15:34:24.451657 IP 172.17.0.1 > 172.17.0.6: ICMP echo request, id 19794, seq 3, length 64
15:34:24.451725 IP 172.17.0.6 > 172.17.0.1: ICMP echo reply, id 19794, seq 3, length 64
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel

docker network inspect bridge

[
    {
        "Name": "bridge",
        "Id": "fbd2aea6a1c634c95ea3e0ac628daf0c266f77cdda63edc573d978d142c57ed8",
        "Created": "2020-08-21T22:13:41.905418474+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "90f16aa06342932ae2bb258c0f1b67a833db3de8142336dbec1cda4468ddf76e": {
                "Name": "container-test",
                "EndpointID": "6e3b17d55b1836d6a1a12219011ceb31950c0fc421fb17923a983eea3c2d559a",
                "MacAddress": "02:42:ac:11:00:07",
                "IPv4Address": "172.17.0.6/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

Update 1

I created a new bridge network with minimal options, and for containers running in the new network the problem appears to be resolved.

docker network create --subnet=172.20.0.0/24 --gateway=172.20.0.1 docker20

The only difference seems to be the options. The new network has none, whereas the old one has:

        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },

Will investigate further.
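The two captures above differ only in one echo request (seq 2) that is visible on docker0 but never shows up on the container's eth0. Eyeballing that works for three packets, not for the 100-packet runs the question mentions. The following script is an added example, not code from the question or its author: it parses the host-side and container-side tcpdump output, correlates ICMP echo requests by (id, seq) rather than by timestamp (the two clocks in the captures differ by two hours), and lists the requests that left docker0 but were never seen inside the container, together with the requests that got no reply within a single capture. The embedded sample captures are copied from the question; the interface names in the comments are the ones the question uses.

```python
import re

# Matches one tcpdump ICMP echo line in the format the captures above use.
# src/dst may be an address or a resolved name such as files.local.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Sample input copied from the question: capture on the host side (docker0).
HOST_CAPTURE = """tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:34:22.406332 IP 172.17.0.1 > 172.17.0.6: ICMP echo request, id 19794, seq 1, length 64
15:34:22.406401 IP 172.17.0.6 > 172.17.0.1: ICMP echo reply, id 19794, seq 1, length 64
15:34:23.427549 IP 172.17.0.1 > 172.17.0.6: ICMP echo request, id 19794, seq 2, length 64
15:34:24.451657 IP 172.17.0.1 > 172.17.0.6: ICMP echo request, id 19794, seq 3, length 64
15:34:24.451725 IP 172.17.0.6 > 172.17.0.1: ICMP echo reply, id 19794, seq 3, length 64
^C
5 packets captured
"""

# Sample input copied from the question: capture inside the container (eth0).
CONTAINER_CAPTURE = """tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:34:22.406364 IP 172.17.0.1 > files.local: ICMP echo request, id 19794, seq 1, length 64
13:34:22.406397 IP files.local > 172.17.0.1: ICMP echo reply, id 19794, seq 1, length 64
13:34:24.451683 IP 172.17.0.1 > files.local: ICMP echo request, id 19794, seq 3, length 64
13:34:24.451721 IP files.local > 172.17.0.1: ICMP echo reply, id 19794, seq 3, length 64
^C
4 packets captured
"""


def parse_icmp(capture_text):
    """Return one dict per ICMP echo request/reply line; banners, ^C and statistics are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
            "kind": m.group("kind"), "id": int(m.group("id")), "seq": int(m.group("seq")),
        })
    return packets


def requests_seen(packets):
    """Set of (id, seq) for every echo request in a parsed capture."""
    return {(p["id"], p["seq"]) for p in packets if p["kind"] == "request"}


def unanswered(capture_text):
    """Echo requests in one capture that have no matching reply (id, seq) in the same capture."""
    packets = parse_icmp(capture_text)
    replies = {(p["id"], p["seq"]) for p in packets if p["kind"] == "reply"}
    return sorted(requests_seen(packets) - replies)


def lost_between(upstream_text, downstream_text):
    """Echo requests present upstream (docker0) but absent downstream (container eth0)."""
    return sorted(requests_seen(parse_icmp(upstream_text)) - requests_seen(parse_icmp(downstream_text)))


def loss_ratio(upstream_text, downstream_text):
    """Fraction of upstream echo requests that never appeared downstream."""
    total = len(requests_seen(parse_icmp(upstream_text)))
    if total == 0:
        return 0.0
    return len(lost_between(upstream_text, downstream_text)) / total


def report(upstream_text, downstream_text):
    """Human-readable summary of the requests dropped between the two capture points."""
    lost = lost_between(upstream_text, downstream_text)
    total = len(requests_seen(parse_icmp(upstream_text)))
    lines = [f"{len(lost)} of {total} echo requests left docker0 but never reached the container"]
    lines.extend(f"  id={ident} seq={seq}" for ident, seq in lost)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(HOST_CAPTURE, CONTAINER_CAPTURE))
```

To use it on a longer run, save the two tcpdump outputs to files, read them into HOST_CAPTURE and CONTAINER_CAPTURE, and run the script; the correlation by (id, seq) works even when the host and container clocks disagree, as they do in the question's captures.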

Answer 1

TL;DR: don't use the default bridge network, always create a user-defined network.

After a night of completely redoing the networking, everything works as expected. I can only assume it got messed up at some point because the user-defined bridge and the default bridge

Here are the steps I took to resolve it:

  1. Stop all containers: docker stop <container>
  2. Remove all containers from the bridge: docker network disconnect bridge <container>
  3. Stop the daemon: systemctl stop docker
  4. Create daemon.json: vim /etc/docker/daemon.json
     {
             "bridge": "none"
     }
  5. Start docker: systemctl start docker
  6. Create the new network: docker network create --subnet=172.17.0.0/24 --gateway=172.17.0.1 -o "com.docker.network.bridge.name=docker1" docker1
  7. I could not reconnect my containers with docker network connect --ip=<ip> docker1 <container>, so I redeployed them. --ip optionally sets the IP the container should use.

An alternative to step 4 is to start the docker daemon with --bridge=none.

There is a small drawback: when deploying containers, they have to be placed into the network explicitly (--net <network>). In theory this could be avoided by changing daemon.json to { "bridge": "docker1" } after step 6 and restarting the daemon, but I ran into "overlapping IP" problems, although I had no other hosts in 172.17.0.0/16. For the manual, see the daemon configuration file; it also explains the CLI parameters.

If you still have the old docker0 bridge and want to tear it down, you can issue ip link delete docker0
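Two things in the answer are worth checking mechanically before and after the rework: which containers are still attached to the default bridge (the network whose options carry com.docker.network.bridge.default_bridge set to true), and whether a subnet you are about to create overlaps one that already exists, which is the kind of overlap behind the "overlapping IP" rejection the answer mentions (step 6 creates 172.17.0.0/24 while the old docker0 still owns 172.17.0.0/16). The following script is an added example, not code from the answer or from Docker; it reads the JSON that docker network inspect prints and reports both. The embedded input is constructed from the question's inspect output, trimmed to the fields the audit reads, plus the docker20 network from Update 1 added as a user-defined network for contrast.

```python
import ipaddress
import json

# Constructed sample: the question's `docker network inspect bridge` output, trimmed,
# plus the user-defined docker20 network from Update 1 (no bridge options set).
INSPECT_OUTPUT = """
[
    {
        "Name": "bridge",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}
            ]
        },
        "Containers": {
            "90f16aa06342932ae2bb258c0f1b67a833db3de8142336dbec1cda4468ddf76e": {
                "Name": "container-test",
                "IPv4Address": "172.17.0.6/16"
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        }
    },
    {
        "Name": "docker20",
        "Driver": "bridge",
        "IPAM": {
            "Driver": "default",
            "Config": [
                {"Subnet": "172.20.0.0/24", "Gateway": "172.20.0.1"}
            ]
        },
        "Containers": {},
        "Options": {}
    }
]
"""


def load_networks(inspect_json):
    """Parse the JSON array that `docker network inspect <name>...` prints."""
    return json.loads(inspect_json)


def is_default_bridge(net):
    """True for the network Docker marks as the default bridge (docker0)."""
    return net.get("Options", {}).get("com.docker.network.bridge.default_bridge") == "true"


def default_bridge_names(networks):
    return sorted(net["Name"] for net in networks if is_default_bridge(net))


def containers_on_default_bridge(networks):
    """Names of containers still attached to a default bridge; the answer wants this empty."""
    names = []
    for net in networks:
        if is_default_bridge(net):
            names.extend(c["Name"] for c in net.get("Containers", {}).values())
    return sorted(names)


def existing_subnets(networks):
    """Every IPAM subnet currently allocated, as ip_network objects."""
    subnets = []
    for net in networks:
        for cfg in net.get("IPAM", {}).get("Config", []):
            if "Subnet" in cfg:
                subnets.append(ipaddress.ip_network(cfg["Subnet"], strict=False))
    return subnets


def overlapping_subnets(networks, proposed):
    """Existing subnets that overlap the one you intend to pass to `docker network create --subnet`."""
    wanted = ipaddress.ip_network(proposed, strict=False)
    return [str(s) for s in existing_subnets(networks) if s.overlaps(wanted)]


def audit(inspect_json, proposed_subnet):
    """Combine both checks into one findings dict."""
    networks = load_networks(inspect_json)
    return {
        "default_bridges": default_bridge_names(networks),
        "containers_on_default_bridge": containers_on_default_bridge(networks),
        "overlaps_for_proposed_subnet": overlapping_subnets(networks, proposed_subnet),
    }


if __name__ == "__main__":
    print(json.dumps(audit(INSPECT_OUTPUT, "172.17.0.0/24"), indent=2))
```

On a live host, feed it the output of docker network inspect for every network (for example, docker network inspect $(docker network ls -q) prints one JSON array covering all of them) and pass the subnet you plan to use; an empty containers_on_default_bridge list and an empty overlap list are the state the answer's procedure aims for.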
