I rented a virtualized server running Ubuntu 22.04 and am trying to run Docker containers on it. The server is virtualized with qemu-kvm.
Unfortunately, the containers have no network access.
host:~# docker run -it ubuntu /bin/bash
container:/# apt-get update
The APT update fails because the repositories cannot be reached. Checked from the host (the QEMU VM), the repositories are perfectly reachable:
host:~# ping archive.ubuntu.com
I have already tried [No internet connection inside Docker container], but it doesn't work, and simply restarting the Docker service is not a solution either.
The hardware firewall is deactivated and ufw is disabled.
How can I get internet access in my containers?
Edit 2
Putting this at the top because it seems more relevant to me.
Related to the answer [here], I set up systemd-networkd accordingly. The docker0 interface keeps its 172.17.0.1 address until I start a container. Then the IP is lost. As long as docker0 has its IP address, the following route exists:
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
Edit 1
As I understand it, QEMU's network interface must be explicitly connected to the physical host's network interface. Since Docker creates its own network interface for each network (or at least docker0), that interface is not connected to the internet.
Suppose my VM has an eth0 interface as its default network interface. Can I set up iptables to route docker0's traffic through the eth0 interface?
System information:
Routes
default via 87.106.234.1 dev ens6 proto dhcp src [LOCAL_IP] metric 100
87.106.234.1 dev ens6 proto dhcp scope link src [LOCAL_IP] metric 100
212.227.123.16 via 87.106.234.1 dev ens6 proto dhcp src [LOCAL_IP] metric 100
212.227.123.17 via 87.106.234.1 dev ens6 proto dhcp src [LOCAL_IP] metric 100
ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 02:42:74:19:f6:1a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet [LOCAL_IP] netmask 255.255.255.255 broadcast 0.0.0.0
inet6 [LOCAL_IP_V6] prefixlen 64 scopeid 0x20<link>
ether 02:01:72:39:35:f9 txqueuelen 1000 (Ethernet)
RX packets 14885 bytes 164716593 (164.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11369 bytes 1415635 (1.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 184 bytes 19073 (19.0 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 184 bytes 19073 (19.0 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
nft list ruleset
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 3317 bytes 150836 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
Answer 1
The hosting provider solved this by changing the configuration:
In /etc/netplan/50-cloud-init.yaml, replace
match:
  name: '*'
with
match:
  name: 'en*'
The root problem was that docker0 lost its IP address and therefore could not reach the internet.
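As an added illustration (not part of the question or the answer above), the check below shows why the wildcard mattered: netplan passes match.name to systemd-networkd as a [Match] Name= glob, so '*' makes networkd claim docker0 as well and reconfigure it, while 'en*' only claims the real NIC. It assumes Python's fnmatch is a close enough approximation of that glob syntax, uses a constructed interface list modelled on the ifconfig output in the question, writes the two netplan variants as Python dicts mirroring the YAML, and goes slightly beyond the page by also flagging the veth and br- links Docker creates.

```python
"""Report which Docker-managed links a netplan `match: name:` glob captures."""
from fnmatch import fnmatchcase

# Constructed interface list: the VM's links from the question's ifconfig
# output plus a veth (name made up) that appears once a container starts.
INTERFACES = ["lo", "ens6", "docker0", "veth1a2b3c4"]

# Links Docker configures itself; systemd-networkd must not claim them.
DOCKER_MANAGED_PREFIXES = ("docker", "veth", "br-")

# Constructed dicts mirroring /etc/netplan/50-cloud-init.yaml before and
# after the fix described in the answer (dhcp4 setting is an assumption).
NETPLAN_BEFORE = {"network": {"version": 2, "ethernets": {
    "ens6": {"dhcp4": True, "match": {"name": "*"}}}}}
NETPLAN_AFTER = {"network": {"version": 2, "ethernets": {
    "ens6": {"dhcp4": True, "match": {"name": "en*"}}}}}


def matched_interfaces(pattern, interfaces):
    """Return the interfaces a networkd-style name glob matches (fnmatch
    approximation of systemd's Name= matching)."""
    return [ifc for ifc in interfaces if fnmatchcase(ifc, pattern)]


def docker_links_captured(netplan, interfaces):
    """Map each netplan ethernet definition to the Docker-managed links its
    match glob would capture. An empty dict means networkd leaves them alone."""
    captured = {}
    ethernets = netplan.get("network", {}).get("ethernets", {})
    for name, definition in ethernets.items():
        # Without a match block, netplan matches the definition key literally.
        pattern = definition.get("match", {}).get("name", name)
        hits = [ifc for ifc in matched_interfaces(pattern, interfaces)
                if ifc.startswith(DOCKER_MANAGED_PREFIXES)]
        if hits:
            captured[name] = hits
    return captured


if __name__ == "__main__":
    for label, cfg in (("before", NETPLAN_BEFORE), ("after", NETPLAN_AFTER)):
        print(label, docker_links_captured(cfg, INTERFACES) or "OK")
```

On a live system, `networkctl list` showing docker0 as "configured" rather than "unmanaged" is the corresponding symptom that networkd has claimed the bridge.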