Cannot ping Internet IPs from a Docker container

I cannot ping any public IP from a Docker container (CentOS). This has nothing to do with hostnames or DNS; it is about IPs. I can ping the docker0 network IP 172.17.0.1, but not Internet IPs.

[root@09ae7f091d98 /]# ping 172.17.0.1
PING 172.17.0.1 (172.17.0.1) 56(84) bytes of data.
64 bytes from 172.17.0.1: icmp_seq=1 ttl=64 time=0.059 ms
64 bytes from 172.17.0.1: icmp_seq=2 ttl=64 time=0.076 ms
^C
--- 172.17.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.059/0.067/0.076/0.011 ms

The gateway is configured correctly

[root@09ae7f091d98 /]# ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2

The container IP is configured correctly

[root@09ae7f091d98 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

DNS

[root@09ae7f091d98 /]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.20.0.1
nameserver 8.8.8.8

The host also has the correct IP and gateway

[root@centos7-client ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:fb:4c:9e brd ff:ff:ff:ff:ff:ff
    inet 10.20.0.23/16 brd 10.20.255.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::f15d:3d1c:5ff5:4473/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:50:e9:22:83 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:50ff:fee9:2283/64 scope link
       valid_lft forever preferred_lft forever
7: veth1183670@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 0e:86:53:9c:c1:ef brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::c86:53ff:fe9c:c1ef/64 scope link
       valid_lft forever preferred_lft forever

[root@centos7-client ~]# ip route
default via 10.20.0.1 dev ens33 proto static metric 100
10.20.0.0/16 dev ens33 proto kernel scope link src 10.20.0.23 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1

I also temporarily disabled SELinux and firewalld, but still cannot figure out where the problem is

[root@centos7-client ~]# getenforce
Permissive
[root@centos7-client ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2022-03-02 11:29:54 PKT; 10min ago
     Docs: man:firewalld(1)
  Process: 744 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 744 (code=exited, status=0/SUCCESS)

Mar 02 09:49:08 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/targ... that name.
Mar 02 09:49:08 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/targ... that name.
Mar 02 09:49:08 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/targ... that name.
Mar 02 09:49:08 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/targ... that name.
Mar 02 09:49:08 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Mar 02 09:49:08 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Mar 02 09:49:09 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (...at chain?).
Mar 02 09:49:10 centos7-client firewalld[744]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (...at chain?).
Mar 02 11:29:53 centos7-client systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 02 11:29:54 centos7-client systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.

Note that the docker service runs fine, but when I run dockerd it shows the following error. I also tried reinstalling docker-ce, but it still shows the same error

[root@centos7-client ~]# systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-03-02 11:32:07 PKT; 10min ago
     Docs: https://docs.docker.com
 Main PID: 2530 (dockerd)
    Tasks: 10
   Memory: 38.1M
   CGroup: /system.slice/docker.service
           └─2530 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Mar 02 11:32:06 centos7-client dockerd[2530]: time="2022-03-02T11:32:06.531081666+05:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/contai...module=grpc
Mar 02 11:32:06 centos7-client dockerd[2530]: time="2022-03-02T11:32:06.531098252+05:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Mar 02 11:32:06 centos7-client dockerd[2530]: time="2022-03-02T11:32:06.543719460+05:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Mar 02 11:32:06 centos7-client dockerd[2530]: time="2022-03-02T11:32:06.559064109+05:00" level=info msg="Loading containers: start."
Mar 02 11:32:06 centos7-client dockerd[2530]: time="2022-03-02T11:32:06.890565609+05:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17...IP address"
Mar 02 11:32:06 centos7-client dockerd[2530]: time="2022-03-02T11:32:06.984869372+05:00" level=info msg="Loading containers: done."
Mar 02 11:32:07 centos7-client dockerd[2530]: time="2022-03-02T11:32:07.024522345+05:00" level=info msg="Docker daemon" commit=459d0df graphdriver(s)=overlay2 version=20.10.12
Mar 02 11:32:07 centos7-client dockerd[2530]: time="2022-03-02T11:32:07.024716059+05:00" level=info msg="Daemon has completed initialization"
Mar 02 11:32:07 centos7-client systemd[1]: Started Docker Application Container Engine.
Mar 02 11:32:07 centos7-client dockerd[2530]: time="2022-03-02T11:32:07.054705588+05:00" level=info msg="API listen on /var/run/docker.sock"
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7-client ~]# dockerd
INFO[2022-03-02T11:42:16.512435705+05:00] Starting up
failed to start daemon: pid file found, ensure docker is not running or delete /var/run/docker.pid

The host runs CentOS Linux release 7.9.2009 (Core) (this is the VM I use Docker on; in the VMware settings the network adapter is set to bridged mode). The host can ping public IPs

[root@centos7-client ~]# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=1 time=7.19 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=1 time=5.94 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 5.945/6.571/7.198/0.631 ms

But the container cannot

[root@centos7-client ~]# docker attach sad_ellis
[root@09ae7f091d98 /]# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms

Can anyone guide me on how to fix this? I don't know what is wrong in the configuration.

Thanks

Edit:

[root@centos7-workstation ~]# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N OUTPUT_direct
-N POSTROUTING_ZONES
-N POSTROUTING_ZONES_SOURCE
-N POSTROUTING_direct
-N POST_docker
-N POST_docker_allow
-N POST_docker_deny
-N POST_docker_log
-N POST_public
-N POST_public_allow
-N POST_public_deny
-N POST_public_log
-N PREROUTING_ZONES
-N PREROUTING_ZONES_SOURCE
-N PREROUTING_direct
-N PRE_docker
-N PRE_docker_allow
-N PRE_docker_deny
-N PRE_docker_log
-N PRE_public
-N PRE_public_allow
-N PRE_public_deny
-N PRE_public_log
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A DOCKER -i docker0 -j RETURN
-A POSTROUTING_ZONES -o docker0 -g POST_docker
-A POSTROUTING_ZONES -o ens33 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_docker -j POST_docker_log
-A POST_docker -j POST_docker_deny
-A POST_docker -j POST_docker_allow
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i docker0 -g PRE_docker
-A PREROUTING_ZONES -i ens33 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_docker -j PRE_docker_log
-A PRE_docker -j PRE_docker_deny
-A PRE_docker -j PRE_docker_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow


[root@centos7-workstation ~]# cat /proc/sys/net/ipv4/ip_forward
1
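As an added example (not from the original post), a POSIX shell check for the three host-side prerequisites that container egress from docker0 depends on: net.ipv4.ip_forward, Docker's MASQUERADE rule in the nat table, and an ACCEPT rule for docker0 traffic in the filter table's FORWARD chain. The function name `check_egress` and the sample rule text are constructed for this example; the nat rule matches the one in the post's iptables output.

```shell
# Added diagnostic, not from the original post: checks the three host-side
# prerequisites that container egress from the default docker0 bridge needs.
# The rule texts are passed in as strings so it can be run against captured
# output offline; the sample inputs below are constructed for this example.

# Usage: check_egress <ip_forward value> <nat table rules> <filter table rules>
# Prints each missing prerequisite; the return value is the number found.
check_egress() {
  ip_forward="$1"; nat_rules="$2"; filter_rules="$3"; problems=0

  # 1. The kernel must route between docker0 and the uplink at all.
  if [ "$ip_forward" != "1" ]; then
    echo "MISSING: net.ipv4.ip_forward is '$ip_forward', expected 1"
    problems=$((problems + 1))
  fi

  # 2. Replies can only come back if the bridge subnet is source-NATed.
  if ! printf '%s\n' "$nat_rules" |
       grep -q -- '^-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE$'; then
    echo "MISSING: nat POSTROUTING MASQUERADE rule for 172.17.0.0/16"
    problems=$((problems + 1))
  fi

  # 3. With FORWARD policy DROP, Docker's explicit accept rule must be present;
  #    a firewall reload that flushes the FORWARD chain removes it.
  if printf '%s\n' "$filter_rules" | grep -q -- '^-P FORWARD DROP$' &&
     ! printf '%s\n' "$filter_rules" |
       grep -q -- '^-A FORWARD -i docker0 ! -o docker0 -j ACCEPT$'; then
    echo "MISSING: FORWARD policy is DROP and no ACCEPT rule for traffic leaving docker0"
    problems=$((problems + 1))
  fi

  return "$problems"
}

# Constructed samples: the nat line matches the rule shown in the post's iptables output.
NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'
FILTER_OK='-P FORWARD DROP
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
FILTER_FLUSHED='-P FORWARD DROP'

check_egress 1 "$NAT_OK" "$FILTER_OK" && echo "egress prerequisites present"
check_egress 1 "$NAT_OK" "$FILTER_FLUSHED" || echo "problems found: $?"
```

The post shows ip_forward and the nat table but not the filter table; `iptables -S FORWARD` on the host supplies the third input.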
