How does connecting to the host from docker work when running in rootless mode

I am currently trying to run the docker daemon in rootless mode, following the documentation: https://docs.docker.com/engine/security/rootless/

While this netcat command works when docker is run the "normal way", e.g.
sudo docker run --rm -it --name custom <options> <image> bash

(depending on the docker image you try, you may have to install the netcat package inside the container at this stage)

root@a390456c8d0b:/# nc -vz 172.17.0.1 5432
Connection to 172.17.0.1 5432 port [tcp/postgresql] succeeded!

it does not work in rootless mode:

root@a390456c8d0b:/# nc -vz 172.17.0.1 5432
nc: connect to 172.17.0.1 port 5432 (tcp) failed: Connection refused

It looks to me as if the gateway 172.17.0.1 is only available/used when docker runs the normal way (with sudo), and not in the new rootless mode. But that is just a guess.

Does anyone know how to solve this and how to reach any port on the host (Ubuntu 21.10/22.04 dev) from any rootless Docker container? (In this example I am hitting the postgres default port 5432, but it could be any port you choose.)

Info:

$ docker --version
Docker version 20.10.12, build e91ed57

$ uname -mor
5.13.0-19-generic x86_64 GNU/Linux

In rootless mode, the status of the docker service is as follows:

$ systemctl --user status docker
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/sk/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-01-02 21:59:07 CET; 25min ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 37085 (rootlesskit)
      Tasks: 58
     Memory: 57.5M
        CPU: 5.553s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─37085 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy->
             ├─37096 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --co>
             ├─37114 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 37096 tap0
             ├─37121 dockerd
             ├─37143 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info
             └─37393 /usr/bin/containerd-shim-runc-v2 -namespace moby -id a370455c8d0bc3e2fd796e788d52d4315c06fc44befe38aa8eb5466f1128e787 -address /run/user/1000/docker/>

Jan 02 21:59:07 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:07.957623453+01:00" level=warning msg="Unable to find io controller"
Jan 02 21:59:07 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:07.957626649+01:00" level=warning msg="Unable to find cpuset controller"
Jan 02 21:59:07 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:07.957716164+01:00" level=info msg="Loading containers: start."
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.007912512+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. D>
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.077361354+01:00" level=info msg="Loading containers: done."
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.080978248+01:00" level=warning msg="Not using native diff for overlay2, this may cause degraded performan>
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.081081192+01:00" level=info msg="Docker daemon" commit=459d0df graphdriver(s)=overlay2 version=20.10.12
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.081102319+01:00" level=info msg="Daemon has completed initialization"
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.091292835+01:00" level=info msg="API listen on /run/user/1000/docker.sock"
Jan 02 22:00:30 sk-Laptop dockerd-rootless.sh[37143]: time="2022-01-02T22:00:30.603612706+01:00" level=info msg="starting signal loop" namespace=moby path=/run/.ro995659387/user/1000/do>

When run with sudo, the systemctl output shows that the "root" daemon is not active, which is expected:

$ sudo systemctl status docker
○ docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
TriggeredBy: ○ docker.socket
       Docs: https://docs.docker.com

Jan 02 21:55:39 sk-Laptop dockerd[36685]: time="2022-01-02T21:55:39.318284987+01:00" level=info msg="Daemon has completed initialization"
Jan 02 21:55:39 sk-Laptop systemd[1]: Started Docker Application Container Engine.
Jan 02 21:55:39 sk-Laptop dockerd[36685]: time="2022-01-02T21:55:39.329132562+01:00" level=info msg="API listen on /run/docker.sock"
Jan 02 21:56:14 sk-Laptop systemd[1]: Stopping Docker Application Container Engine...
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.005854836+01:00" level=info msg="Processing signal 'terminated'"
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.006211665+01:00" level=info msg="stopping event stream following graceful shutdown" error="<nil>" module=l>
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.006356148+01:00" level=info msg="Daemon shutdown complete"
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.006382673+01:00" level=info msg="stopping event stream following graceful shutdown" error="context cancele>
Jan 02 21:56:14 sk-Laptop systemd[1]: docker.service: Deactivated successfully.
Jan 02 21:56:14 sk-Laptop systemd[1]: Stopped Docker Application Container Engine.

Answer 1

What follows is a theory, but I don't have a docker host at hand that I could put into rootless mode to test it.

There are some limitations on what the docker daemon can do when running in rootless mode.

I don't know at all how they implemented rootless networking, but it makes sense that rootless docker cannot create the usual docker interfaces directly in the host's namespace. In regular root mode, when I type ip address, I can see an interface:

4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:88:1f:3d:89 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:88ff:fe1f:3d89/64 scope link 
       valid_lft forever preferred_lft forever

My theory is that if docker can't create this, your problem isn't that you can't talk to the host, it's simply that your application (postgresql) is not listening on 172.17.0.1. This may be an undocumented limitation of rootless-mode docker.

Fortunately, your application (postgresql) should still be listening on other IP addresses, e.g. your LAN or WiFi IP address. If your Docker container can reach the outside world (anything on the internet), it should be able to talk to the host on that IP.

You can use the ip address command to find your local IP address, then use that.
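An added example, not part of the question or of the answer above. The answer's advice is to find the host's own address with ip address and connect to that; the check a practitioner wants alongside it is whether the service is actually bound on that address. Two facts from the question's own output frame the example: the rootless daemon runs under rootlesskit --net=slirp4netns, and its log shows docker0 being assigned 172.17.0.0/16 inside that daemon's network namespace, so in rootless mode 172.17.0.1 is the bridge in rootlesskit's namespace rather than an address on the host, and nothing on the host answers there. The script parses constructed sample output of ip -4 -o addr show and ss -Hltn (the interface names, addresses and listening sockets are made up for the example) to list the host addresses a container could target and to check whether port 5432 is bound on one of them or only on loopback, which is the other common cause of "Connection refused" after switching to the LAN IP, because PostgreSQL's default listen_addresses is 'localhost'.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses constructed sample
# output of `ip -4 -o addr show` and `ss -Hltn` to find the host addresses a
# rootless container can target and to check what a port is bound on.
set -u

# Constructed sample of `ip -4 -o addr show` on a laptop (names/addresses made up).
# docker0 is included to show that bridge interfaces are filtered out.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: wlp3s0    inet 192.168.1.42/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp3s0\       valid_lft 85000sec preferred_lft 85000sec
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever'

# Constructed samples of `ss -Hltn` (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS_LOCALHOST='LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      4096         0.0.0.0:22           0.0.0.0:*
LISTEN 0      244            [::1]:5432            [::]:*'
SAMPLE_SS_LAN='LISTEN 0      244     192.168.1.42:5432       0.0.0.0:*'
SAMPLE_SS_ANY='LISTEN 0      244          0.0.0.0:5432         0.0.0.0:*
LISTEN 0      244             [::]:5432            [::]:*'

# host_candidate_ips <ip-addr-output>
# Prints the host's global-scope IPv4 addresses, one per line, skipping
# loopback and the docker0/br-*/veth* interfaces a root-mode daemon creates.
host_candidate_ips() {
    printf '%s\n' "$1" | awk '
        $3 == "inet" && / scope global / && $2 !~ /^(docker|br-|veth)/ {
            sub(/\/.*/, "", $4); print $4
        }'
}

# listen_addrs_for_port <ss-output> <port>
# Prints each local address on which <port> is in LISTEN state, one per line
# ("0.0.0.0", "*" or "[::]" mean a wildcard bind).
listen_addrs_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { sub(":" port "$", "", $4); print $4 }
        }'
}

# port_reachable_via_host_ip <ip-addr-output> <ss-output> <port>
# Exit 0 when <port> is bound on a wildcard address or on one of the host's
# candidate addresses; exit 1 when it is bound on loopback only (or not at all).
port_reachable_via_host_ip() {
    hosts=$(host_candidate_ips "$1" | tr '\n' ' ')
    listen_addrs_for_port "$2" "$3" | awk -v hosts="$hosts" '
        BEGIN {
            n = split(hosts, h, " ")
            for (i = 1; i <= n; i++) ok[h[i]] = 1
            ok["0.0.0.0"] = 1; ok["[::]"] = 1; ok["*"] = 1
            status = 1
        }
        ($1 in ok) { status = 0 }
        END { exit status }'
}

# Demo on the constructed samples.
echo "candidate host addresses: $(host_candidate_ips "$SAMPLE_IP_ADDR" | tr '\n' ' ')"
for sample in "$SAMPLE_SS_LOCALHOST" "$SAMPLE_SS_LAN"; do
    if port_reachable_via_host_ip "$SAMPLE_IP_ADDR" "$sample" 5432; then
        echo "port 5432: reachable on a host address"
    else
        echo "port 5432: bound on loopback only; fix listen_addresses and restrict pg_hba.conf"
    fi
done
```

On the real host, feed the functions live output, e.g. port_reachable_via_host_ip "$(ip -4 -o addr show)" "$(ss -Hltn)" 5432, before trying nc from the container. If the port turns out to be bound on 127.0.0.1 only, keep in mind that binding PostgreSQL to the LAN address exposes it to every machine on that network, so pair the change to listen_addresses with a pg_hba.conf rule and a firewall rule that admit only the addresses the containers' connections actually arrive from, rather than opening the port to the whole LAN.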
