I created a docker container based on bitnami/dokuwiki. The container cannot reach the dokuwiki extension directory. On inspection, the container apparently cannot connect to any host at all.
Here is the docker-compose.yml:
version: '2'
services:
  dokuwiki:
    restart: always
    image: 'bitnami/dokuwiki:0'
    ports:
      - '8080:80'
      - '8083:443'
    volumes:
      - 'dokuwiki_data:/bitnami'
volumes:
  dokuwiki_data:
    driver: local
Inside the container (ping is not installed):
root@32e0458db675:/tmp# curl https://dokuwiki.org
curl: (6) Could not resolve host: dokuwiki.org
root@32e0458db675:/tmp# curl http://10.11.11.10
curl: (7) Failed to connect to 10.11.11.10: Connection timed out
root@15998f8657c2:/# curl http://138.201.137.132
curl: (7) Failed to connect to 138.201.137.132 port 80: No route to host
Here is the output of docker version:
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.39 (downgraded from 1.40)
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:25:41 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan 9 19:06:30 2019
  OS/Arch:          linux/amd64
  Experimental:     false
Here is the output of docker info:
Client:
 Debug Mode: false
Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 2
 Server Version: 18.09.1
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
 runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.0-147.3.1.el8_1.x86_64
 Operating System: CentOS Linux 8 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.787GiB
 Name: docker-host
 ID: 2IQR:ET7M:JUEC:QZPV:SDVX:3QYI:DWHZ:FGXO:S7KU:OMUG:HUGS:T5RC
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine
These are the network interfaces on the host:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:53:cc:9d brd ff:ff:ff:ff:ff:ff
    inet 10.10.128.88/20 brd 10.10.143.255 scope global dynamic noprefixroute ens160
       valid_lft 2522007sec preferred_lft 2522007sec
    inet6 fe80::7a1b:8123:b0b3:df66/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: br-cc94c4303069: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:20:ce:c3:26 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-cc94c4303069
       valid_lft forever preferred_lft forever
    inet6 fe80::42:20ff:fece:c326/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:3a:a7:ab:f8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: veth6899757@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cc94c4303069 state UP group default
    link/ether 2a:a4:d1:03:ac:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::28a4:d1ff:fe03:ac4e/64 scope link
       valid_lft forever preferred_lft forever
These are the current iptables rules:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-cc94c4303069 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cc94c4303069 -j DOCKER
-A FORWARD -i br-cc94c4303069 ! -o br-cc94c4303069 -j ACCEPT
-A FORWARD -i br-cc94c4303069 -o br-cc94c4303069 -j ACCEPT
-A FORWARD -i docker0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-cc94c4303069 -o br-cc94c4303069 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-cc94c4303069 -o br-cc94c4303069 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-cc94c4303069 ! -o br-cc94c4303069 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-cc94c4303069 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
My question: how do I enable outgoing network access for the Docker container?
Answer 1
Solved the problem:
$ firewall-cmd --get-active-zones
$ firewall-cmd --get-zone-of-interface=docker0
$ nmcli connection modify docker0 connection.zone public
$ firewall-cmd --zone=public --add-masquerade --permanent
$ firewall-cmd --reload
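The firewalld steps above add masquerading for the zone; as an added example (not from the question or the answer), here is a POSIX shell check a host administrator can run over an iptables -S dump like the one in the question to confirm the two rules a Docker bridge needs for outbound traffic. The bridge name and FORWARD rules in the sample are taken from the question; the nat-table lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an iptables "-S" dump for
# the two rules a Docker bridge needs before its containers can reach outside:
# a FORWARD rule letting traffic leave the bridge, and a POSTROUTING MASQUERADE
# so replies have a route back (the --add-masquerade step above supplies it).
#
# On a real host with the iptables backend:
#   check_bridge_egress br-cc94c4303069 "$(iptables -S FORWARD; iptables -t nat -S POSTROUTING)"
# With firewalld's nftables backend the masquerade rule is not visible to
# iptables; query it with: firewall-cmd --zone=public --query-masquerade

# Prints "bridge=<name> forward=ok|missing masquerade=ok|missing".
# Returns 0 only when both rules are present.
check_bridge_egress() {
    bridge="$1"
    rules="$2"
    fwd=missing
    masq=missing

    # Egress rule Docker installs: -A FORWARD -i <bridge> ! -o <bridge> -j ACCEPT
    if printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -i $bridge ! -o $bridge -j ACCEPT"; then
        fwd=ok
    fi

    # Docker's own NAT rule: -A POSTROUTING -s <subnet> ! -o <bridge> -j MASQUERADE.
    # A MASQUERADE rule without bridge scoping (zone-wide, as firewalld adds) also counts.
    if printf '%s\n' "$rules" | grep -F -- '-j MASQUERADE' | grep -qF -- "! -o $bridge"; then
        masq=ok
    elif printf '%s\n' "$rules" | grep -qF -- '-j MASQUERADE'; then
        masq=ok
    fi

    printf 'bridge=%s forward=%s masquerade=%s\n' "$bridge" "$fwd" "$masq"
    [ "$fwd" = ok ] && [ "$masq" = ok ]
}

# Constructed sample: the question's FORWARD rules plus an empty nat
# POSTROUTING chain, i.e. the broken state described in the question.
BROKEN_DUMP='-P FORWARD DROP
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i br-cc94c4303069 ! -o br-cc94c4303069 -j ACCEPT
-P POSTROUTING ACCEPT'
# Same dump after a MASQUERADE rule for the bridge subnet exists (constructed).
FIXED_DUMP="$BROKEN_DUMP
-A POSTROUTING -s 172.19.0.0/16 ! -o br-cc94c4303069 -j MASQUERADE"

check_bridge_egress br-cc94c4303069 "$BROKEN_DUMP" || echo "egress broken, as in the question"
check_bridge_egress br-cc94c4303069 "$FIXED_DUMP"
```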