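My company has a CentOS 7 server running some docker containers. Normally I can connect to it from my personal computer. But sometimes, after I run the docker-compose up command on the server, I can no longer connect to it (I try to ping / connect via ssh, but it just hangs forever). When this happens, I have to ssh to the server from another computer and run docker-compose down, and then everything goes back to normal.
I don't define any networks in my docker-compose.yml file; I always let docker handle the networking itself.
My problem: currently several people on my team cannot connect to the server. I think it may be related to docker, since it manipulates iptables by default (I use iptables on the server instead of the firewall). One person was even able to connect at one point, but after he "reset his wifi" (ncpa.cpl --> Disable --> Enable, and his IP changed), he could no longer connect.
I just want to ask whether this is a common problem, whether anyone has run into something similar, or whether there are any suggestions for solving it. I am really stuck here.
I don't know if this helps, but here is my iptables -L: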
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER-INGRESS all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (9 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.5 tcp dpt:9494
ACCEPT tcp -- anywhere 172.25.0.2 tcp dpt:XmlIpcRegSvc
ACCEPT tcp -- anywhere 172.25.0.3 tcp dpt:eforward
ACCEPT tcp -- anywhere 172.17.0.12 tcp dpt:8484
ACCEPT tcp -- anywhere 172.17.0.16 tcp dpt:cslistener
ACCEPT tcp -- anywhere 172.17.0.8 tcp dpt:8282
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:tproxy
ACCEPT tcp -- anywhere 172.17.0.10 tcp dpt:xmltec-xmlmail
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:8282
ACCEPT tcp -- anywhere 172.29.0.2 tcp dpt:cslistener
ACCEPT tcp -- anywhere 172.31.0.2 tcp dpt:27017
ACCEPT tcp -- anywhere 172.31.0.3 tcp dpt:27017
ACCEPT tcp -- anywhere 192.168.48.3 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:commplex-main
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:domaintime
ACCEPT tcp -- anywhere 172.17.0.9 tcp dpt:intermapper
ACCEPT tcp -- anywhere 172.17.0.11 tcp dpt:8808
ACCEPT tcp -- anywhere 172.17.0.14 tcp dpt:8585
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:sun-as-jpda
ACCEPT tcp -- anywhere 172.17.0.13 tcp dpt:pds
Chain DOCKER-INGRESS (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (9 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Here is my docker network ls:
NETWORK ID NAME DRIVER SCOPE
ffdf3af963da bridge bridge local
592d75d9d5b9 coeeventifytestoldversion_default bridge local
c4a9765aa44f docker_gwbridge bridge local
06e4cb827a9c FE_default bridge local
5fa4ecb69ec6 servicecode_net bridge local
63cbe32ab786 healthcheck_default bridge local
9238d2095aec host host local
e67bc4a01511 kafka_default bridge local
f2ae14c5c4f6 myApp_default bridge local
724a03d36011 none null local
7e62d26d7c7c sourcecode_default bridge local
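Answer 1
This can happen if your docker daemon uses the same IP addresses as those used in your company network. Suppose one of your teammates has the IP address 192.168.160.2, and one of your docker containers also gets the same IP address 192.168.160.2. When the container tries to send a response to your teammate, it cannot reach him, because the packet will be sent to the container itself.
You should make sure that your docker daemon uses a subnet completely different from your local network. You can use docker network inspect to see which IP addresses a particular docker network is using.
To change the IP addresses docker uses, see "Configure Docker to not use the 172.17.0.0 range".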
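The check this answer describes can be scripted. The following is an added example, not part of the original answer: it parses `docker network inspect` JSON and reports which docker networks contain a given client IP or overlap a LAN range. The sample JSON and its subnets are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the shape printed by `docker network inspect`,
# trimmed to the fields used here. The subnets are invented, not the asker's.
SAMPLE_INSPECT_JSON = """
[
  {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16"}]}},
  {"Name": "kafka_default", "IPAM": {"Config": [{"Subnet": "172.25.0.0/16"}]}},
  {"Name": "myApp_default", "IPAM": {"Config": [{"Subnet": "192.168.160.0/20"}]}},
  {"Name": "host", "IPAM": {"Config": []}}
]
"""


def docker_subnets(inspect_json):
    """Return [(network_name, ip_network)] for every subnet docker allocated."""
    found = []
    for net in json.loads(inspect_json):
        # host/none networks have an empty (or null) IPAM config
        for cfg in (net.get("IPAM") or {}).get("Config") or []:
            if cfg.get("Subnet"):
                found.append((net["Name"], ipaddress.ip_network(cfg["Subnet"])))
    return found


def networks_shadowing(client_ip, subnets):
    """Docker networks whose subnet contains client_ip: replies to that
    client are routed into the docker bridge instead of back to the LAN."""
    ip = ipaddress.ip_address(client_ip)
    return [name for name, sn in subnets
            if sn.version == ip.version and ip in sn]


def networks_overlapping(lan_cidr, subnets):
    """Docker networks that overlap a whole LAN/VPN range."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return [name for name, sn in subnets
            if sn.version == lan.version and sn.overlaps(lan)]


if __name__ == "__main__":
    subnets = docker_subnets(SAMPLE_INSPECT_JSON)
    for name, sn in subnets:
        print(f"{name:20} {sn}")
    print("shadows 192.168.160.2:", networks_shadowing("192.168.160.2", subnets))
    print("overlaps 192.168.160.0/24:", networks_overlapping("192.168.160.0/24", subnets))
```

On the server, the input can be produced with `docker network inspect $(docker network ls -q)` and passed to `docker_subnets` in place of the sample.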