Cannot reach the nginx container in Docker over IPv6

I am struggling to get my Debian VM (5.10.0-15-amd64) to accept incoming requests to a plain nginx web server hosted on Docker. When I bind the IPv6 address directly in the docker-compose.yaml file, I get an "Empty reply from server" error:

curl -v sub.domain.id:8030
*   Trying 2003:a:b:c:d:e:fe40:1611:8030...
* Connected to sub.domain.id (2003:a:b:c:d:e:fe40:1611) port 8030 (#0)
> GET / HTTP/1.1
> Host: sub.domain.id:8030
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

---
version: "2.2"
services:
  website:
    image: nginx
    ports:
      - "2003:a:b:c:d:e:fe40:1611:8030:80"
    restart: always
    networks:
      - nginxnet
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0

networks:
  nginxnet:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "fe80:aaaa:bbbb:ccc::/64"

When I only map the port, the connection is reset by the peer:

curl -v sub.domain.id:8030
*   Trying 2003:a:b:c:d:e:fe40:1611:8030...
* Connected to sub.domain.id (2003:a:b:c:d:e:fe40:1611) port 8030 (#0)
> GET / HTTP/1.1
> Host: sub.domain.id:8030
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

cat docker-compose.yaml 
---
version: "2.2"
services:
  website:
    image: nginx
    ports:
      - 8030:80
    restart: always
    networks:
      - nginxnet
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0

networks:
  nginxnet:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "fe80:aaaa:bbbb:ccc::/64"

The socket is exposed correctly:

ss -tulpn      
Netid      State       Recv-Q      Send-Q                                      Local Address:Port              Peer Address:Port      Process      
udp        UNCONN      0           0                                                 0.0.0.0:6881                   0.0.0.0:*                      
udp        UNCONN      0           0                                                 0.0.0.0:3478                   0.0.0.0:*                      
udp        UNCONN      0           0                                                 0.0.0.0:111                    0.0.0.0:*                      
udp        UNCONN      0           0                                                 0.0.0.0:10001                  0.0.0.0:*                      
udp        UNCONN      0           0                                                 0.0.0.0:1900                   0.0.0.0:*                      
udp        UNCONN      0           0                                                    [::]:111                       [::]:*                      
tcp        LISTEN      0           64                                                0.0.0.0:45311                  0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:6881                   0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:6789                   0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:5514                   0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:8843                   0.0.0.0:*                      
tcp        LISTEN      0           4096                                            127.0.0.1:44427                  0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:111                    0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:8080                   0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:8880                   0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:8081                   0.0.0.0:*                      
tcp        LISTEN      0           128                                               0.0.0.0:22                     0.0.0.0:*                      
tcp        LISTEN      0           4096                                              0.0.0.0:8443                   0.0.0.0:*                      
tcp        LISTEN      0           4096               [2003:a:b:c:d:e:fe40:1611]:8030                      [::]:*                      
tcp        LISTEN      0           4096                                                 [::]:111                       [::]:*                      
tcp        LISTEN      0           128                                                  [::]:22                        [::]:*                      
tcp        LISTEN      0           64                                                   [::]:40733                     [::]:*    

On Debian I have switched from nftables back to iptables/6:

sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
sudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

and the following iptables rules are in place:

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (9 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:10001
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8880
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:6881
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8843
ACCEPT     udp  --  anywhere             172.19.0.2           udp dpt:6881
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:8443
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:6789
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:5514
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:3478
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:1900

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (9 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp      anywhere             anywhere             state NEW tcp dpt:8030

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-1  all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
DOCKER-ISOLATION-STAGE-2  all      anywhere             anywhere            
RETURN     all      anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (8 references)
target     prot opt source               destination         
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
DROP       all      anywhere             anywhere            
RETURN     all      anywhere             anywhere            

Network interface configuration:

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:a0:98:40:16:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.10/24 brd 192.168.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 2003:a:b:c:d:e:fe40:1611/64 scope global dynamic mngtmpaddr 
       valid_lft 7003sec preferred_lft 1133sec
    inet6 fe80::2a0:98ff:fe40:1611/64 scope link 
       valid_lft forever preferred_lft forever

Any help is greatly appreciated, as I have been fighting with this for weeks and still cannot make sense of it.

Answer 1

I think your problem here is that you have assigned your nginxnet subnet an address from the link-local address range.

I have enabled IPv6 in Docker via /etc/docker/daemon.json as follows:

{
  "ipv6": true,
  "fixed-cidr-v6": "fd4a:5a20:acde:8e7a::/64"
}

My host has the following IPv6 addresses assigned to interface eth1:

$ ip addr show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:c2:4e:46:ce:00 brd ff:ff:ff:ff:ff:ff
    altname enp14s0u1u1
    inet 10.20.22.189/24 brd 10.20.22.255 scope global dynamic noprefixroute eth1
       valid_lft 82961sec preferred_lft 82961sec
    inet6 2620:52:0:1416:7cc4:ed2b:33c:5a5/64 scope global dynamic noprefixroute 
       valid_lft 2591894sec preferred_lft 604694sec
    inet6 fe80::ff3d:758a:eebb:b9de/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

If I use this docker-compose.yaml...

version: "3"

services:
  website:
    image: docker.io/nginx:mainline
    ports:
      - "[2620:52:0:1416:7cc4:ed2b:33c:5a5]:8030:80"
    networks:
      - nginxnet

networks:
  nginxnet:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "fd4a:5a20:acde:cafe::/64"

...it works as expected; once nginx is up and running, I can successfully run:

$ curl 'http://[2620:52:0:1416:7cc4:ed2b:33c:5a5]:8030'

But if I modify the configuration to use the same subnet you are trying to use:

networks:
  nginxnet:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "fe80:aaaa:bbbb:ccc::/64"

I see the same behaviour you describe in your question:

$ curl 'http://[2620:52:0:1416:7cc4:ed2b:33c:5a5]:8030'
curl: (56) Recv failure: Connection reset by peer
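As an added example (not code from the question or the answer above), a small Python pre-flight check that pulls every IPv6 subnet out of a docker-compose.yaml or /etc/docker/daemon.json and flags any that falls in the link-local range fe80::/10, which is what broke the setup on this page; the sample input is a constructed compose file mirroring the two subnets used above, and the compose text is scanned with a regex so no YAML library is needed.

```python
"""Pre-flight check: refuse link-local IPv6 subnets in Docker network config."""
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # only valid on one link, never routed
ULA = ipaddress.IPv6Network("fc00::/7")          # unique local, the IPv6 "private" range

# Matches `subnet: "..."` in compose files and `"fixed-cidr-v6": "..."` in daemon.json.
SUBNET_RE = re.compile(r'(?:subnet:|"fixed-cidr-v6":)\s*["\']?([0-9A-Fa-f:.]+/\d+)')

# Constructed sample: the failing fe80 network and the answer's working ULA network.
SAMPLE_COMPOSE = """
networks:
  nginxnet:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "fe80:aaaa:bbbb:ccc::/64"
  othernet:
    enable_ipv6: true
    ipam:
      config:
        - subnet: "fd4a:5a20:acde:cafe::/64"
"""


def classify_subnet(cidr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'not-ipv6' for a CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 6:
        return "not-ipv6"
    if net.subnet_of(LINK_LOCAL):
        return "link-local"
    if net.subnet_of(ULA):
        return "ula"
    return "global"


def check_config(text: str) -> list:
    """Return (cidr, kind, ok) per subnet found; ok is False for link-local ranges."""
    results = []
    for cidr in SUBNET_RE.findall(text):
        kind = classify_subnet(cidr)
        results.append((cidr, kind, kind in ("ula", "global")))
    return results


if __name__ == "__main__":
    for cidr, kind, ok in check_config(SAMPLE_COMPOSE):
        print(f"{'OK  ' if ok else 'FAIL'} {cidr} ({kind})")
```

Run it against a real file with `check_config(open("docker-compose.yaml").read())`; a FAIL line means Docker was handed a subnet that hosts off the link can never reach.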
