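I ran into a problem similar to this post, but I don't think my IP ranges conflict: https://forums.docker.com/t/service-is-unreachable-on-host-ip-localhost-works/78515
I have a web server exposed through Docker on port 443, and I can access it from the host via 127.0.0.1:443 as well as from outside the host. I can't access the web server through the host's IP, and I've been racking my brain trying to figure out why.
To make things reproducible, let me start a netcat container (listening on all interfaces inside the container); I obviously have the same problem on port 443: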
$ docker run -ti --rm -p 8182:8182 chilcano/netcat:jessie -vvl -p 8182
->>>>>> (Executing '/bin/netcat -vvl -p 8182') <<<<<<-
listening on [any] 8182 ...
Docker is listening on all local interfaces on 8182 ✅
$ lsof -i :8182
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
docker-pr 11152 root 4u IPv4 1183427772 0t0 TCP *:8182 (LISTEN)
Connecting from the host to netcat in Docker works when using localhost ✅
$ nc -vz 127.0.0.1 8182
localhost [127.0.0.1] 8182 open
The problem starts when using the local host's IP and trying to reach the Docker container like this ❌
$ nc -vz 192.168.176.111 8182
ramirez.domain.local [192.168.176.111] 8182: Network is unreachable
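I can ping the host fine and reach other things running on the host through its IP (for example, netcat -vvl -p 8182 run directly on the host rather than in a Docker container works fine).
When the same IP is called from another device on the network, everything works ✅, so this is a problem local to the Docker host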
$ nc -vz 192.168.176.111 8182
Connection to 192.168.176.111 8182 port [tcp/*] succeeded!
The routing table and iptables look fine to me, but I'm not an expert.
$ ip a
# anonymized mac address
6: ovs_eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.176.111/24 brd 192.168.176.255 scope global ovs_eth0
valid_lft forever preferred_lft forever
Routes:
$ ip route
default via 192.168.176.1 dev ovs_eth0 src 192.168.176.111
169.254.0.0/16 dev ovs_eth1 proto kernel scope link src 169.254.106.154 dead linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.127.0/24 dev docker-976f9fbf proto kernel scope link src 192.168.127.1
192.168.128.0/24 dev docker-bd2edfee proto kernel scope link src 192.168.128.1
192.168.176.0/24 dev ovs_eth0 proto kernel scope link src 192.168.176.111
192.168.254.0/24 dev docker-2de11f77 proto kernel scope link src 192.168.254.1
iptables:
$ iptables -L -v -n
Chain INPUT (policy ACCEPT 78080 packets, 24M bytes)
pkts bytes target prot opt in out source destination
210M 299G DOS_PROTECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
218M 241G DEFAULT_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 76525 packets, 24M bytes)
pkts bytes target prot opt in out source destination
Chain DEFAULT_FORWARD (1 references)
pkts bytes target prot opt in out source destination
230K 276M DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
231K 276M DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker-8cfed06e 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker-8cfed06e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker-8cfed06e !docker-8cfed06e 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker-8cfed06e docker-8cfed06e 0.0.0.0/0 0.0.0.0/0
7254K 23G ACCEPT all -- * docker-f06ef418 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
19005 1140K DOCKER all -- * docker-f06ef418 0.0.0.0/0 0.0.0.0/0
4614K 1362M ACCEPT all -- docker-f06ef418 !docker-f06ef418 0.0.0.0/0 0.0.0.0/0
19005 1140K ACCEPT all -- docker-f06ef418 docker-f06ef418 0.0.0.0/0 0.0.0.0/0
2270K 2424M ACCEPT all -- * docker-f95cea99 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1549K 101M DOCKER all -- * docker-f95cea99 0.0.0.0/0 0.0.0.0/0
1814K 1273M ACCEPT all -- docker-f95cea99 !docker-f95cea99 0.0.0.0/0 0.0.0.0/0
1549K 101M ACCEPT all -- docker-f95cea99 docker-f95cea99 0.0.0.0/0 0.0.0.0/0
14M 8442M ACCEPT all -- * docker-45bb17c5 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
14118 846K DOCKER all -- * docker-45bb17c5 0.0.0.0/0 0.0.0.0/0
7237 714K ACCEPT all -- docker-45bb17c5 !docker-45bb17c5 0.0.0.0/0 0.0.0.0/0
14118 846K ACCEPT all -- docker-45bb17c5 docker-45bb17c5 0.0.0.0/0 0.0.0.0/0
5238 23M ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
3332 216K ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker-45bb17c5 docker-45bb17c5 0.0.0.0/0 192.168.254.254 tcp dpt:2375
0 0 ACCEPT tcp -- !docker-f95cea99 docker-f95cea99 0.0.0.0/0 192.168.127.127 tcp dpt:8888
0 0 ACCEPT tcp -- !docker-f95cea99 docker-f95cea99 0.0.0.0/0 192.168.127.168 tcp dpt:8080
0 0 ACCEPT tcp -- !docker-f95cea99 docker-f95cea99 0.0.0.0/0 192.168.127.168 tcp dpt:443
0 0 ACCEPT tcp -- !docker-f95cea99 docker-f95cea99 0.0.0.0/0 192.168.127.168 tcp dpt:80
0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8182
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker-8cfed06e !docker-8cfed06e 0.0.0.0/0 0.0.0.0/0
4614K 1362M DOCKER-ISOLATION-STAGE-2 all -- docker-f06ef418 !docker-f06ef418 0.0.0.0/0 0.0.0.0/0
1814K 1273M DOCKER-ISOLATION-STAGE-2 all -- docker-f95cea99 !docker-f95cea99 0.0.0.0/0 0.0.0.0/0
7237 714K DOCKER-ISOLATION-STAGE-2 all -- docker-45bb17c5 !docker-45bb17c5 0.0.0.0/0 0.0.0.0/0
3332 216K DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
211M 239G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker-8cfed06e 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker-f06ef418 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker-f95cea99 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * docker-45bb17c5 0.0.0.0/0 0.0.0.0/0
98306 8258K DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
38M 19G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
211M 239G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOS_PROTECT (1 references)
pkts bytes target prot opt in out source destination
13 876 RETURN icmp -- ovs_eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1000/sec burst 5
0 0 DROP icmp -- ovs_eth0 * 0.0.0.0/0 0.0.0.0/0 icmptype 8
270K 11M RETURN tcp -- ovs_eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5
16881 675K DROP tcp -- ovs_eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
347K 20M RETURN tcp -- ovs_eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 10000/sec burst 100
0 0 DROP tcp -- ovs_eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
ip rule
0: from all lookup local
2: from all lookup static-table
7: from 192.168.178.188 lookup eth0-table
5210: from all fwmark 0x80000/0xff0000 lookup main
5230: from all fwmark 0x80000/0xff0000 lookup default
5250: from all fwmark 0x80000/0xff0000 unreachable
5270: from all lookup 52
32766: from all lookup main
32767: from all lookup default
Answer 1
I ran into the same problem recently.
It looks like the system had created a specific rule for Docker:
> ip rule
0: from all lookup local
32765: from 192.168.16.45 lookup routes3
32766: from all lookup main
32767: from all lookup default
Once I deleted the rule, the problem went away.
> ip rule delete from 192.168.16.45 lookup routes3
Let me know if it works for you.
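
An added example, not part of the original question or answer: a shell function that lists every policy-routing rule other than the three kernel defaults (local, main, default), which is the kind of rule the answer removed. The function name audit_ip_rules is hypothetical; the sample input is the `ip rule` output quoted in the answer.

```shell
#!/bin/sh
# Added example, not from the original post. audit_ip_rules is a hypothetical
# helper: it reads `ip rule` output on stdin and prints every rule that is not
# one of the three kernel defaults, as "<priority> <kind> <rule text>".
audit_ip_rules() {
    awk '
    NF == 0 { next }
    {
        prio = $1; sub(/:$/, "", prio)
        # Rebuild the rule text from fields so stray whitespace is normalized.
        rule = $2
        for (i = 3; i <= NF; i++) rule = rule " " $i
        # Kernel defaults: 0 -> local, 32766 -> main, 32767 -> default.
        if (rule == "from all lookup local"   && prio == "0")     next
        if (rule == "from all lookup main"    && prio == "32766") next
        if (rule == "from all lookup default" && prio == "32767") next
        # Classify by selector: a source address, a firewall mark, or neither.
        kind = ($3 == "all") ? "extra-lookup" : "source-based"
        for (i = 4; i <= NF; i++) if ($i == "fwmark") kind = "fwmark"
        # Rules ending in an action instead of a table drop or reject traffic.
        if ($NF == "unreachable" || $NF == "prohibit" || $NF == "blackhole")
            kind = kind "+" $NF
        print prio, kind, rule
    }'
}

# Sample input: the `ip rule` output quoted in the answer above.
ANSWER_RULES='0: from all lookup local
32765: from 192.168.16.45 lookup routes3
32766: from all lookup main
32767: from all lookup default'

# Prints the single non-default rule from the answer.
printf '%s\n' "$ANSWER_RULES" | audit_ip_rules
```

On a live host, run `ip rule | audit_ip_rules` to get the rules to review; `ip route get <address>` then shows which route the kernel selects for a given destination.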