Docker networking problem on Ubuntu 16.04

I have an Ubuntu 16.04 x86_64 system running under cloudfoundry.
I installed the latest docker ce, and then I also tried the beta.

Currently the Docker version is 17.09.0-ce, build afdb6d4

I am running Hadoop (HDP 2.6.1) under docker. It exposes a large number of ports, and they are accessible from the docker host without any problem.

But I cannot seem to access these ports from other systems. As far as I can tell:

  1. Forwarding is enabled in the kernel (see sysctl -a below)
  2. I think iptables is OK
  3. The external firewall inside the CF network is set to allow these ports - in fact I am using one of the same security groups as a system (not docker) that runs almost identical code, and that works, which suggests the firewall configuration is fine.

The docker image that is running:

93b77a0480c7 sandbox-hdp "/usr/sbin/sshd -D" 12 hours ago Up 12 hours 0.0.0.0:1000->1000/tcp, 0.0.0.0:1100->1100/tcp, 0.0.0.0:1220->1220/tcp, 0.0.0.0:1988->1988/tcp, 0.0.0.0:2100->2100/tcp, 0.0.0.0:2181->2181/tcp, 0.0.0.0:4040->4040/tcp, 0.0.0.0:4200->4200/tcp, 0.0.0.0:5007->5007/tcp, 0.0.0.0:5011->5011/tcp, 0.0.0.0:6001->6001/tcp, 0.0.0.0:6003->6003/tcp, 0.0.0.0:6008->6008/tcp, 0.0.0.0:6080->6080/tcp, 0.0.0.0:6188->6188/tcp, 0.0.0.0:8000->8000/tcp, 0.0.0.0:8005->8005/tcp, 0.0.0.0:8020->8020/tcp, 0.0.0.0:8040->8040/tcp, 0.0.0.0:8042->8042/tcp, 0.0.0.0:8050->8050/tcp, 0.0.0.0:8080->8080/tcp, 0.0.0.0:8082->8082/tcp, 0.0.0.0:8086->8086/tcp, 0.0.0.0:8088->8088/tcp, 0.0.0.0:8090-8091->8090-8091/tcp, 0.0.0.0:8188->8188/tcp, 0.0.0.0:8443->8443/tcp, 0.0.0.0:8744->8744/tcp, 0.0.0.0:8765->8765/tcp, 0.0.0.0:8886->8886/tcp, 0.0.0.0:8888-8889->8888-8889/tcp, 0.0.0.0:8983->8983/tcp, 0.0.0.0:8993->8993/tcp, 0.0.0.0:9000->9000/tcp, 0.0.0.0:9090->9090/tcp, 0.0.0.0:9995-9996->9995-9996/tcp, 0.0.0.0:10000-10001->10000-10001/tcp, 0.0.0.0:10500->10500/tcp, 0.0.0.0:11000->11000/tcp, 0.0.0.0:15000->15000/tcp, 0.0.0.0:16010->16010/tcp, 0.0.0.0:16030->16030/tcp, 0.0.0.0:18080->18080/tcp, 0.0.0.0:19888->19888/tcp, 0.0.0.0:21000->21000/tcp, 0.0.0.0:42111->42111/tcp, 0.0.0.0:50070->50070/tcp, 0.0.0.0:50075->50075/tcp, 0.0.0.0:50095->50095/tcp, 0.0.0.0:50111->50111/tcp, 0.0.0.0:60000->60000/tcp, 0.0.0.0:60080->60080/tcp, 0.0.0.0:61888->61888/tcp, 0.0.0.0:2222->22/tcp sandbox

Kernel forwarding seems OK:

cloudusr@dev:~$ sudo sysctl -a | grep '.forwarding'
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.docker0.forwarding = 1
net.ipv4.conf.ens3.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.veth61e5501.forwarding = 1
sysctl: reading key "net.ipv6.conf.all.stable_secret"
net.ipv6.conf.all.forwarding = 1
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
net.ipv6.conf.docker0.forwarding = 1
sysctl: reading key "net.ipv6.conf.ens3.stable_secret"
net.ipv6.conf.ens3.forwarding = 1
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
sysctl: reading key "net.ipv6.conf.veth61e5501.stable_secret"
net.ipv6.conf.veth61e5501.forwarding = 1

I think iptables looks OK

cloudusr@dev:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:61888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:60080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:60000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50111
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50095
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50075
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50070
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:42111
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:21000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:19888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:18080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:16030
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:16010
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:15000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:11000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10500
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:10001
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:webmin
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9996
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9995
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8993
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8983
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8889
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8888
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8886
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8765
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8744
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8443
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8188
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8091
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:omniorb
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8086
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8082
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8050
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8042
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8040
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8020
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8005
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6188
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6080
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:6008
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:x11-3
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:x11-1
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5011
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5007
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:4200
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:4040
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:2181
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:2100
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1988
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1220
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1100
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:1000
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:ssh

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Ubuntu itself is up to date - the current kernel is

cloudusr@dev:~$ uname -a
Linux dev 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
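The post prints two artefacts that should agree with each other: the PORTS column of `docker ps` (what Docker claims to publish) and the filter-table DOCKER chain (what the FORWARD path actually accepts per container port). The script below is an added example written for this page, not code from the poster or from Docker: it parses both outputs and lists every published mapping whose container-side port has no ACCEPT rule, tolerating the port ranges (`8090-8091`) and the symbolic names `iptables -L` substitutes for well-known ports (`ssh`, `http-alt`, `webmin`, `omniorb`, `x11-1`, `x11-3`). The sample inputs are constructed, trimmed versions of the post's output, and the container address 172.17.0.2 is taken from the post's rules. Two things worth keeping in mind when running it against real output: Docker implements publishing with DNAT rules in the nat table, which `iptables -L` (filter table only) never shows, so `iptables -t nat -L DOCKER` is the other half of the picture; and because published traffic is forwarded rather than delivered locally, INPUT-chain rules and host firewall front-ends that only manage INPUT do not gate it, only FORWARD and the DOCKER-USER chain do.

```python
import re
import socket

# Constructed sample input (trimmed from the post, not verbatim): the PORTS column
# of `docker ps` and the filter-table DOCKER chain printed by `iptables -L`.
# Port 9999 is deliberately published without a matching ACCEPT rule.
SAMPLE_PORTS = (
    "0.0.0.0:8090-8091->8090-8091/tcp, 0.0.0.0:2222->22/tcp, "
    "0.0.0.0:8080->8080/tcp, 0.0.0.0:50070->50070/tcp, 0.0.0.0:9999->9999/tcp"
)
SAMPLE_DOCKER_CHAIN = """\
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8091
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:8090
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:http-alt
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:50070
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:ssh
"""

# Service names that `iptables -L` prints instead of numbers (from /etc/services).
# Kept inline so the script does not depend on the host's /etc/services.
SERVICE_PORTS = {
    "ssh": 22, "http-alt": 8080, "webmin": 10000, "omniorb": 8088,
    "x11-1": 6001, "x11-3": 6003,
}

# One `ip:host->container/proto` entry; host and container parts may be ranges.
PORT_SPEC = re.compile(
    r"(?P<ip>[\d.]+):(?P<host>\d+(?:-\d+)?)->(?P<cont>\d+(?:-\d+)?)/(?P<proto>tcp|udp)"
)
# One ACCEPT line of the DOCKER chain: target proto opt source destination proto dpt:X
ACCEPT_RULE = re.compile(
    r"^ACCEPT\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s+(?P<dst>\S+)\s+\S+\s+dpt:(?P<dpt>\S+)"
)


def service_to_port(name):
    """Resolve a numeric or symbolic destination port from `iptables -L` output."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    try:
        return socket.getservbyname(name)  # fall back to the host's /etc/services
    except OSError as exc:
        raise ValueError(f"unknown service name {name!r}; rerun with iptables -nL") from exc


def _expand(port_range):
    """'8090-8091' -> [8090, 8091]; '22' -> [22]."""
    lo, _, hi = port_range.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))


def parse_published_ports(ports_field):
    """Return (host_ip, host_port, container_port, proto) tuples from a PORTS field."""
    published = []
    for m in PORT_SPEC.finditer(ports_field):
        hosts, conts = _expand(m["host"]), _expand(m["cont"])
        if len(hosts) != len(conts):
            raise ValueError(f"range length mismatch in {m.group(0)!r}")
        for host_port, cont_port in zip(hosts, conts):
            published.append((m["ip"], host_port, cont_port, m["proto"]))
    return published


def parse_docker_chain(chain_text):
    """Return the set of (dst_ip, port, proto) the filter DOCKER chain ACCEPTs."""
    accepted = set()
    for line in chain_text.splitlines():
        m = ACCEPT_RULE.match(line.strip())
        if m:
            accepted.add((m["dst"], service_to_port(m["dpt"]), m["proto"]))
    return accepted


def find_unfiltered(ports_field, chain_text, container_ip="172.17.0.2"):
    """Published mappings whose container-side port has no ACCEPT rule in the DOCKER chain."""
    accepted = parse_docker_chain(chain_text)
    return [
        (host_port, cont_port, proto)
        for (_ip, host_port, cont_port, proto) in parse_published_ports(ports_field)
        if (container_ip, cont_port, proto) not in accepted
    ]


if __name__ == "__main__":
    for host_port, cont_port, proto in find_unfiltered(SAMPLE_PORTS, SAMPLE_DOCKER_CHAIN):
        print(f"published {host_port}->{cont_port}/{proto} has no filter-table ACCEPT rule")
```

On a live host, feed it the real output with something like `docker ps --format '{{.Ports}}'` and `sudo iptables -L DOCKER`; an empty result means the filter side matches what Docker published, so the remaining suspects are the nat-table DNAT rules, the DOCKER-USER chain, and the network in front of the host.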
