场景

服务器启动了一个容器服务,映射到外网端口为8888。服务启动成功,日志无报错,但是外网无法访问。

简单排查

  • 刚开始以为是防火墙策略问题,遂查看防火墙,发现防火墙是关闭状态。
  • 尝试curl localhost:8888 报错拒绝连接。
  • 获取docker容器内部ip 主机直接ping它却ping不通 感觉问题就是这里了

完整排查

检查网桥

bridge name	bridge id		STP enabled	interfaces
docker0		8000.02426feb08c0	no		veth96992f9

检查ip 

[root@hecs-98661 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:70:c8:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.142/24 brd 192.168.0.255 scope global noprefixroute dynamic eth0
       valid_lft 57306sec preferred_lft 57306sec
    inet6 fe80::f816:3eff:fe70:c856/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:6f:eb:08:c0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:6fff:feeb:8c0/64 scope link 
       valid_lft forever preferred_lft forever

由此可看到docker创建的虚拟网卡docker0的网段为172.17.10.1/24

查看路由

[root@hecs-98661 ~]# ip route
default via 192.168.0.1 dev eth0 proto dhcp metric 100 
169.254.169.254 via 192.168.0.254 dev eth0 proto dhcp metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.142 metric 100

 即172.17.0.0/16网段的包均通过docker0网桥来转发.

查看容器的ip

[root@hecs-98661 ~]# docker exec -it 容器id ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN   
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00  
    inet 127.0.0.1/8 scope host lo  
       valid_lft forever preferred_lft forever  
129: eth0@if130: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP   
    link/ether 02:42:ac:11:0a:02 brd ff:ff:ff:ff:ff:ff  
    inet 172.17.10.2/24 brd 172.17.10.255 scope global eth0  
       valid_lft forever preferred_lft forever

可看到虚拟网卡eth0的ip为172.17.10.2

查看容器内的路由

[root@hecs-98661 ~]# docker exec -it 容器id ip route
default via 172.17.10.1 dev eth0   
172.17.10.0/24 dev eth0 scope link  src 172.17.10.2

由此可知172.17.10.0网段的包均走容器内的eth0,默认网关为172.17.10.1 

删除原有网桥配置

systemctl stop docker
ip link set dev docker0 down  
brctl delbr docker0  
iptables -t nat -F POSTROUTING

创建新的网桥配置

brctl addbr docker0  
ip addr add 172.17.10.1/24 dev docker0  
ip link set dev docker0 up

修改docker配置

在/etc/docker/daemon.json中追加bip配置项  

vim /etc/docker/daemon.json
{

  "bip": "172.17.10.1/24"
}

重启docker

systemctl  restart  docker

=

一沙一世界,一花一天堂。君掌盛无边,刹那成永恒。