Docker container cannot access the internet when using a Docker bridge, and a new Docker bridge cannot be created


I deploy Tomcat as a docker container as follows:

docker run -d --name tomcatalive -p 9000:8080 -m 1G -e CATALINA_OPTS="$CATALINA_OPTS -Xmx1g" tomcat:9.0.5-jre8

Problem 1: no internet access from inside the container.

Internet access on the host works fine. When I run a docker container with network type host, internet access also works. Other docker images have the same problem, for example tomcat:9.0.44-jdk11-adoptopenjdk-hotspot.

docker exec -it tomcatalive /bin/bash
root@98692dae37ef:/usr/local/tomcat# curl -v https://www.jenkins.io/
* Could not resolve host: www.jenkins.io
* Closing connection 0
curl: (6) Could not resolve host: www.jenkins.io

The DNS settings seem to be correct; on both the host and in the container I see:

root@earth:/usr/local/tomcat# cat /etc/resolv.conf
nameserver 213.133.98.98
nameserver 213.133.100.100
nameserver 213.133.99.99

Problem 2: cannot create a new docker bridge.

docker network create -d bridge --subnet 10.0.0.1/24 testbridge
Error response from daemon: Failed to program FILTER chain: iptables failed: iptables --wait -I FORWARD -o br-58b48862a864 -j DOCKER: iptables v1.8.2 (nf_tables):  RULE_INSERT failed (Invalid argument): rule in chain FORWARD
 (exit status 4)

I suspect a problem with iptables. Any help in resolving this would be greatly appreciated.

I tried restarting docker, which had no effect:

sudo systemctl restart docker

Relevant information:

uname -a
Linux earth 3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux

lsb_release -a
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

docker version
Client: Docker Engine - Community
 Version:           20.10.5
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        55c4c88
 Built:             Tue Mar  2 20:17:50 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:25 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.18.0

Network interfaces in the Docker container

root@98692dae37ef:/usr/local/tomcat# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
316: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

The host's docker0 network interface

3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:55:06:26:a5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:55ff:fe06:26a5/64 scope link
       valid_lft forever preferred_lft forever

iptables listing

sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -i br-58b48862a864 ! -o br-58b48862a864 -j ACCEPT
-A FORWARD -i br-58b48862a864 -o br-58b48862a864 -j ACCEPT
-A FORWARD -i br-b1c11aa2dbf5 ! -o br-b1c11aa2dbf5 -j ACCEPT
-A FORWARD -i br-b1c11aa2dbf5 -o br-b1c11aa2dbf5 -j ACCEPT
-A FORWARD -i br-a1c2c4de885a ! -o br-a1c2c4de885a -j ACCEPT
-A FORWARD -i br-a1c2c4de885a -o br-a1c2c4de885a -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-1c2fa77afc27 ! -o br-1c2fa77afc27 -j ACCEPT
-A FORWARD -i br-1c2fa77afc27 -o br-1c2fa77afc27 -j ACCEPT
-A FORWARD -i br-254792c3bc2d ! -o br-254792c3bc2d -j ACCEPT
-A FORWARD -i br-254792c3bc2d -o br-254792c3bc2d -j ACCEPT
-A FORWARD -i br-07e0ed65bae4 ! -o br-07e0ed65bae4 -j ACCEPT
-A FORWARD -i br-07e0ed65bae4 -o br-07e0ed65bae4 -j ACCEPT
-A FORWARD -i br-fd89fe6e8887 ! -o br-fd89fe6e8887 -j ACCEPT
-A FORWARD -i br-fd89fe6e8887 -o br-fd89fe6e8887 -j ACCEPT
-A FORWARD -i br-104bfec68f50 ! -o br-104bfec68f50 -j ACCEPT
-A FORWARD -i br-104bfec68f50 -o br-104bfec68f50 -j ACCEPT
-A FORWARD -i br-a40e22d1ac6f ! -o br-a40e22d1ac6f -j ACCEPT
-A FORWARD -i br-a40e22d1ac6f -o br-a40e22d1ac6f -j ACCEPT
-A FORWARD -i br-6626dff882c8 ! -o br-6626dff882c8 -j ACCEPT
-A FORWARD -i br-6626dff882c8 -o br-6626dff882c8 -j ACCEPT
-A FORWARD -i br-5e05d9b7b4bb ! -o br-5e05d9b7b4bb -j ACCEPT
-A FORWARD -i br-5e05d9b7b4bb -o br-5e05d9b7b4bb -j ACCEPT
-A FORWARD -i br-994968cc70f2 ! -o br-994968cc70f2 -j ACCEPT
-A FORWARD -i br-994968cc70f2 -o br-994968cc70f2 -j ACCEPT
-A FORWARD -i br-a27382ef713c ! -o br-a27382ef713c -j ACCEPT
-A FORWARD -i br-a27382ef713c -o br-a27382ef713c -j ACCEPT
-A FORWARD -i br-9057932215bd ! -o br-9057932215bd -j ACCEPT
-A FORWARD -i br-9057932215bd -o br-9057932215bd -j ACCEPT
-A FORWARD -i br-23def51354ff ! -o br-23def51354ff -j ACCEPT
-A FORWARD -i br-23def51354ff -o br-23def51354ff -j ACCEPT
-A FORWARD -i br-bf355b0f48b9 ! -o br-bf355b0f48b9 -j ACCEPT
-A FORWARD -i br-bf355b0f48b9 -o br-bf355b0f48b9 -j ACCEPT
-A FORWARD -i br-d7dcd6e73c07 ! -o br-d7dcd6e73c07 -j ACCEPT
-A FORWARD -i br-d7dcd6e73c07 -o br-d7dcd6e73c07 -j ACCEPT
-A FORWARD -i br-ea1e61ddb2d8 ! -o br-ea1e61ddb2d8 -j ACCEPT
-A FORWARD -i br-ea1e61ddb2d8 -o br-ea1e61ddb2d8 -j ACCEPT
-A FORWARD -i br-b84535a5f723 ! -o br-b84535a5f723 -j ACCEPT
-A FORWARD -i br-b84535a5f723 -o br-b84535a5f723 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-USER -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN

iptables-legacy listing

sudo iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Saved iptables listing

cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Thu Apr 16 00:40:29 2020
*filter
:INPUT ACCEPT [1962:615653]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2075:623476]
COMMIT
# Completed on Thu Apr 16 00:40:29 2020
# Generated by iptables-save v1.6.0 on Thu Apr 16 00:40:29 2020
*nat
:PREROUTING ACCEPT [65:3673]
:INPUT ACCEPT [65:3673]
:OUTPUT ACCEPT [64:3840]
:POSTROUTING ACCEPT [64:3840]
COMMIT
# Completed on Thu Apr 16 00:40:29 2020

Possibly related problem with netfilter-persistent (seen while installing bridge-utils)

Setting up netfilter-persistent (1.0.11+deb10u1) ...
Job for netfilter-persistent.service failed because the control process exited with error code.
See "systemctl status netfilter-persistent.service" and "journalctl -xe" for details.
invoke-rc.d: initscript netfilter-persistent, action "restart" failed.
 - netfilter persistent configuration
   Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2021-04-08 15:20:15 CEST; 54ms ago
  Process: 26125 ExecStart=/usr/sbin/netfilter-persistent start (code=exited, status=1/FAILURE)
 Main PID: 26125 (code=exited, status=1/FAILURE)
 
Apr 08 15:20:15 earth netfilter-persistent[26125]: iptables-restore v1.8.2 (nf_tables):
Apr 08 15:20:15 earth netfilter-persistent[26125]: line 2: TABLE_FLUSH failed (Device or resource busy): table filter
Apr 08 15:20:15 earth netfilter-persistent[26125]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 4
Apr 08 15:20:15 earth netfilter-persistent[26125]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Apr 08 15:20:15 earth netfilter-persistent[26125]: ip6tables-restore v1.8.2 (nf_tables):
Apr 08 15:20:15 earth netfilter-persistent[26125]: line 2: TABLE_FLUSH failed (Device or resource busy): table filter
Apr 08 15:20:15 earth netfilter-persistent[26125]: run-parts: /usr/share/netfilter-persistent/plugins.d/25-ip6tables exited with return code 4
Apr 08 15:20:15 earth systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Apr 08 15:20:15 earth systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.
Apr 08 15:20:15 earth systemd[1]: Failed to start netfilter persistent configuration.
dpkg: error processing package netfilter-persistent (--configure):
 installed netfilter-persistent package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of iptables-persistent:
 iptables-persistent depends on netfilter-persistent (= 1.0.11+deb10u1); however:
  Package netfilter-persistent is not configured yet.
 
dpkg: error processing package iptables-persistent (--configure):
 dependency problems - leaving unconfigured
Processing triggers for man-db (2.8.5-2) ...
Errors were encountered while processing:
 netfilter-persistent
 iptables-persistent
Error: Timeout was reached
E: Sub-process /usr/bin/dpkg returned an error code (1)
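The FORWARD chain dump in the question is worth reading mechanically rather than by eye: the docker0 block carries the four rules dockerd programs per bridge, while every br-* bridge only has the two "-i" rules, and the DOCKER-USER / DOCKER-ISOLATION-STAGE-1 jumps are not at the head of the chain. The script below is an added example, not code from the question or from Docker; it parses an `iptables -S` listing and reports, per bridge, which of those rules are absent. It assumes (taken from the docker0 block in the listing and from Docker's documented placement of DOCKER-USER first) that a fully programmed bridge has exactly those four FORWARD rules and that the two jumps precede them. The sample ruleset is a constructed, trimmed copy of the listing above.

```python
"""Audit the FORWARD chain of an `iptables -S` dump for the per-bridge rules
dockerd programs.  Added example; the rule templates mirror the docker0 block
in the question and are an assumption about what a complete bridge looks like."""
import re
from dataclasses import dataclass, field

# The four FORWARD rules dockerd installs for each bridge it manages.
# {br} is the interface name (docker0 or br-<id>).
EXPECTED_PER_BRIDGE = {
    "established": "-A FORWARD -o {br} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "docker_chain": "-A FORWARD -o {br} -j DOCKER",
    "egress": "-A FORWARD -i {br} ! -o {br} -j ACCEPT",
    "intra_bridge": "-A FORWARD -i {br} -o {br} -j ACCEPT",
}
# Jumps Docker keeps at the head of FORWARD so DOCKER-USER and network
# isolation are evaluated before any per-bridge ACCEPT.
EXPECTED_HEAD = ["-A FORWARD -j DOCKER-USER", "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"]
BRIDGE_RE = re.compile(r"-[io] (docker0|br-[0-9a-f]{12})\b")

# Constructed sample: trimmed from the question's `iptables -S` output.
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -i br-58b48862a864 ! -o br-58b48862a864 -j ACCEPT
-A FORWARD -i br-58b48862a864 -o br-58b48862a864 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -i br-1c2fa77afc27 ! -o br-1c2fa77afc27 -j ACCEPT
-A FORWARD -i br-1c2fa77afc27 -o br-1c2fa77afc27 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
"""


@dataclass
class Audit:
    forward_policy: str = ""
    head_ok: bool = False
    missing: dict = field(default_factory=dict)  # bridge -> names of absent rules

    def ok(self) -> bool:
        return self.head_ok and not any(self.missing.values())


def parse_rules(dump: str):
    """Split an `iptables -S` listing into chain policies and '-A' rule lines."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, target = line.split()
            policies[chain] = target
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def expected_forward(bridges):
    """FORWARD rules dockerd would program for `bridges`: head jumps, then four per bridge."""
    lines = list(EXPECTED_HEAD)
    for br in bridges:
        lines += [t.format(br=br) for t in EXPECTED_PER_BRIDGE.values()]
    return lines


def audit_forward(dump: str) -> Audit:
    policies, rules = parse_rules(dump)
    forward = [r for r in rules if r.startswith("-A FORWARD ")]
    result = Audit(forward_policy=policies.get("FORWARD", ""))
    result.head_ok = forward[:2] == EXPECTED_HEAD
    bridges = sorted({m.group(1) for r in forward for m in BRIDGE_RE.finditer(r)})
    present = set(forward)
    for br in bridges:
        result.missing[br] = [name for name, tmpl in EXPECTED_PER_BRIDGE.items()
                              if tmpl.format(br=br) not in present]
    return result


def report(dump: str) -> list:
    """Findings as text lines; with policy DROP, a bridge lacking its rules forwards nothing."""
    a = audit_forward(dump)
    out = [f"FORWARD policy: {a.forward_policy}"]
    if not a.head_ok:
        out.append("DOCKER-USER / DOCKER-ISOLATION-STAGE-1 are not the first two FORWARD rules")
    for br, gaps in a.missing.items():
        out.append(f"{br}: " + ("complete" if not gaps else "missing " + ", ".join(gaps)))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```

Run against the sample it reports docker0 as complete and both br-* bridges as missing the conntrack and `-j DOCKER` rules, which matches the daemon's `RULE_INSERT failed` error: the inserts (`iptables -I`) are the ones that never landed, while the appended `-i` rules did. `expected_forward()` yields the complete set for a list of bridges, which is handy for diffing a healthy host against a broken one.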
