Exposing ports http and https to the docker container but still unable to communicate

Edit #3:

Fixed by disabling FirewallD. It turned out to be my lack of knowledge of CentOS. I had not run into this problem before because Alibaba Cloud apparently thinks it best to disable the firewall up front.

Docker uses iptables, and CentOS has its own version of iptables, firewalld, but interestingly firewalld still uses the iptables command to talk to the netfilter kernel hooks.

$ systemctl stop firewalld
$ systemctl disable firewalld
$ systemctl mask firewalld
$ yum install iptables-services

Edit #2:

Do not follow this quick fix

It breaks the NGINX proxy IP address logging (instead of the real IP address, NGINX logs 172.21.0.1).

Volume /nginx/proxy.conf

proxy_set_header X-Real-IP $remote_addr;
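As an added example (not code from the issue or from the docker-odoo project), a small Python check for the symptom above: it scans NGINX access-log lines and flags entries whose client address lies inside Docker's bridge range (172.16.0.0/12, which contains the 172.21.0.1 gateway logged here), meaning NAT rewrote the source before NGINX saw it, so $remote_addr and the X-Real-IP header built from it no longer identify the real client. The log lines are constructed samples.

```python
import ipaddress
import re

# Docker carves its default bridge networks out of 172.16.0.0/12
# (docker0 is 172.17.0.0/16; compose networks such as 172.21.0.0/16 follow).
DOCKER_BRIDGE_BLOCK = ipaddress.ip_network("172.16.0.0/12")

# NGINX "combined" log format: the first field is the address NGINX took
# as the client, i.e. the value that proxy_set_header X-Real-IP forwards.
LOG_RE = re.compile(r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)"')


def masked_client_lines(lines):
    """Return (line_no, addr) for each entry whose client address is a Docker
    bridge address: the origin was masqueraded before reaching NGINX, so the
    logged IP (and any X-Real-IP based access control) is not the real client."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # hostname or garbage in the client field
        if addr in DOCKER_BRIDGE_BLOCK:
            hits.append((n, str(addr)))
    return hits


# Constructed sample: two public clients and one request where the bridge
# gateway 172.21.0.1 from the issue was logged instead of the real origin.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 612',
    '172.21.0.1 - - [10/Mar/2020:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024',
    '198.51.100.23 - - [10/Mar/2020:12:00:03 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, addr in masked_client_lines(SAMPLE):
        print(f"line {n}: client logged as bridge address {addr}; real origin lost")
```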

Edit:

Quick fix, what do you think?

$ firewall-cmd --zone=public --add-masquerade --permanent && firewall-cmd --reload

The problem is related to the UpCloud CentOS 8.0 distribution.

I am new to both UpCloud and Cloudflare. I decided to use Cloudflare instead of Alibaba Cloud DNS (high latency slows down TTFB) and plan to host smaller projects on UpCloud, since UpCloud's egress pricing is 10x cheaper than Alibaba Cloud's, so I can reach smaller customers.

I have used Alibaba Cloud and its DNS product before and never hit this problem; the ACME challenge fails, so I used the quick fix to get around the docker "no route to host" problem.

Expected behavior

ACME challenge succeeds

Current behavior

Ping requests from the docker container

$ ping acme-v02.api.letsencrypt.org
ping: bad address 'acme-v02.api.letsencrypt.org'
$ ping google.com
ping: bad address 'google.com'

ACME challenge fails.

letsencrypt       | An unexpected error occurred:
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
letsencrypt       |     conn = connection.create_connection(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
letsencrypt       |     for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
letsencrypt       |   File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
letsencrypt       |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
letsencrypt       | socket.gaierror: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
letsencrypt       |     httplib_response = self._make_request(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request
letsencrypt       |     self._validate_conn(conn)
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
letsencrypt       |     conn.connect()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 308, in connect
letsencrypt       |     conn = self._new_conn()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
letsencrypt       |     raise NewConnectionError(
letsencrypt       | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
letsencrypt       |     resp = conn.urlopen(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
letsencrypt       |     retries = retries.increment(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
letsencrypt       |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
letsencrypt       | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       | Please see the logfiles in /var/log/letsencrypt for more details.
letsencrypt       | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Steps to reproduce

  1. git clone https://github.com/tempatkerja/docker-odoo
  2. Follow the instructions
  3. Quick fix for Docker "no route to host": "I use the cloud provider Alibaba Cloud, and I never have to do this"

I do not know why, but UpCloud's CentOS distribution behaves strangely with Docker; I mean the Docker containers cannot communicate with each other even though the ports are exposed or the containers are linked.

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 4 -i docker0 -j ACCEPT && firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.17.0.0/16 accept' && firewall-cmd --reload
sysctl net.bridge.bridge-nf-call-iptables=0
sysctl net.bridge.bridge-nf-call-arptables=0
sysctl net.bridge.bridge-nf-call-ip6tables=0
systemctl restart docker

Environment

OS: CentOS 8.0

CPU architecture: I don't know.

How the docker service was installed: https://github.com/jasononggo/docs/blob/master/DOCKER.md

Command used to create the docker containers (run/create/compose/screenshot)

I changed the URL, DNSPLUGIN and EMAIL parameters. docker-compose.yml

Docker logs

letsencrypt       | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
letsencrypt       | [s6-init] ensuring user provided files have correct perms...exited 0.
letsencrypt       | [fix-attrs.d] applying ownership & permissions fixes...
letsencrypt       | [fix-attrs.d] done.
letsencrypt       | [cont-init.d] executing container initialization scripts...
letsencrypt       | [cont-init.d] 01-envfile: executing...
letsencrypt       | [cont-init.d] 01-envfile: exited 0.
letsencrypt       | [cont-init.d] 10-adduser: executing...
letsencrypt       | usermod: no changes
letsencrypt       |
letsencrypt       | -------------------------------------
letsencrypt       |           _         ()
letsencrypt       |          | |  ___   _    __
letsencrypt       |          | | / __| | |  /  \
letsencrypt       |          | | \__ \ | | | () |
letsencrypt       |          |_| |___/ |_|  \__/
letsencrypt       |
letsencrypt       |
letsencrypt       | Brought to you by linuxserver.io
letsencrypt       | -------------------------------------
letsencrypt       |
letsencrypt       | To support the app dev(s) visit:
letsencrypt       | Let's Encrypt: https://letsencrypt.org/donate/
letsencrypt       |
letsencrypt       | To support LSIO projects visit:
letsencrypt       | https://www.linuxserver.io/donate/
letsencrypt       | -------------------------------------
letsencrypt       | GID/UID
letsencrypt       | -------------------------------------
letsencrypt       |
letsencrypt       | User uid:    1000
letsencrypt       | User gid:    1000
letsencrypt       | -------------------------------------
letsencrypt       |
letsencrypt       | [cont-init.d] 10-adduser: exited 0.
letsencrypt       | [cont-init.d] 20-config: executing...
letsencrypt       | [cont-init.d] 20-config: exited 0.
letsencrypt       | [cont-init.d] 30-keygen: executing...
letsencrypt       | using keys found in /config/keys
letsencrypt       | [cont-init.d] 30-keygen: exited 0.
letsencrypt       | [cont-init.d] 50-config: executing...
letsencrypt       | Variables set:
letsencrypt       | PUID=1000
letsencrypt       | PGID=1000
letsencrypt       | TZ=UTC
letsencrypt       | SUBDOMAINS=www,
letsencrypt       | EXTRA_DOMAINS=
letsencrypt       | ONLY_SUBDOMAINS=false
letsencrypt       | DHLEVEL=4096
letsencrypt       | VALIDATION=dns
letsencrypt       | DNSPLUGIN=cloudflare
letsencrypt       | STAGING=
letsencrypt       |
letsencrypt       | 4096 bit DH parameters present
letsencrypt       | SUBDOMAINS entered, processing
letsencrypt       | SUBDOMAINS entered, processing
letsencrypt       | dns validation via cloudflare plugin is selected
letsencrypt       | Generating new certificate
letsencrypt       | Saving debug log to /var/log/letsencrypt/letsencrypt.log
letsencrypt       | Plugins selected: Authenticator dns-cloudflare, Installer None
letsencrypt       | An unexpected error occurred:
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 159, in _new_conn
letsencrypt       |     conn = connection.create_connection(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/connection.py", line 61, in create_connection
letsencrypt       |     for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
letsencrypt       |   File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo
letsencrypt       |     for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
letsencrypt       | socket.gaierror: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 670, in urlopen
letsencrypt       |     httplib_response = self._make_request(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 381, in _make_request
letsencrypt       |     self._validate_conn(conn)
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
letsencrypt       |     conn.connect()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 308, in connect
letsencrypt       |     conn = self._new_conn()
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connection.py", line 171, in _new_conn
letsencrypt       |     raise NewConnectionError(
letsencrypt       | urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | Traceback (most recent call last):
letsencrypt       |   File "/usr/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
letsencrypt       |     resp = conn.urlopen(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/connectionpool.py", line 724, in urlopen
letsencrypt       |     retries = retries.increment(
letsencrypt       |   File "/usr/lib/python3.8/site-packages/urllib3/util/retry.py", line 439, in increment
letsencrypt       |     raise MaxRetryError(_pool, url, error or ResponseError(cause))
letsencrypt       | urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       |
letsencrypt       | During handling of the above exception, another exception occurred:
letsencrypt       |
letsencrypt       | requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3c380fd730>: Failed to establish a new connection: [Errno -3] Try again'))
letsencrypt       | Please see the logfiles in /var/log/letsencrypt for more details.
letsencrypt       | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Sincerely, Jason