
So I recently switched the daily driver on both my tower and my laptop to Manjaro. In both cases I ran into the same problem: Docker containers cannot connect to the internet. I'm testing this with `docker run --rm -it alpine ping 8.8.8.8`. With the `--net=host` option, i.e. the full command being `docker run --rm --net=host -it alpine ping 8.8.8.8`, the container can ping. But if I understand that option correctly, containers can then no longer talk to each other. My kernel version is 5.2.21-1.

On the off chance that it matters: both machines are behind a NAT, on a network that filters (and assigns IPs) based on the device's MAC address.

With the container running and trying to ping, my `ip a` output is (real MACs blanked out):
```
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.173.136.22/16 brd 10.173.255.255 scope global dynamic noprefixroute wlp3s0
       valid_lft 83012sec preferred_lft 83012sec
    inet6 fe80::48d7:85d5:4c9d:4dd/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:8e:6f:31:71 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.1/16 brd 172.31.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8eff:fe6f:3171/64 scope link
       valid_lft forever preferred_lft forever
8: veth65af0a1@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether b2:40:b4:8c:6c:f1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::b040:b4ff:fe8c:6cf1/64 scope link
       valid_lft forever preferred_lft forever
```
What I have tried so far:

Creating the file `/etc/systemd/network/dockerForward.network` as described in this wiki article, with the content:
```
[Match]
Name=wlp3s0

[Network]
IPForward=true
```
I also looked at `networkctl` because of this article. But since its output is
```
$ networkctl
WARNING: systemd-networkd is not running, output will be incomplete.
IDX LINK      TYPE     OPERATIONAL SETUP
  1 lo        loopback n/a         unmanaged
  2 enp0s31f6 ether    n/a         unmanaged
  3 wlp3s0    wlan     n/a         unmanaged
  4 docker0   bridge   n/a         unmanaged
```
and it doesn't even seem to be running, I assume it is not the culprit.

I also made sure the IP ranges don't overlap (see e.g. this comment). When I run `docker inspect --format '{{ .NetworkSettings.IPAddress }}' 56fe5d704cd9` it gives me the IP `172.31.0.2`.

For good measure, here is my `iptables -L` output:
```
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
```
I'm a bit lost here. Any pointers in the right direction would be greatly appreciated.

EDIT:

As mentioned in the comments, here is the output of `iptables-save -c`:
```
$ iptables-save -c
# Generated by iptables-save v1.8.3 on Fri Nov 15 10:11:51 2019
*filter
:INPUT ACCEPT [1299:403836]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:26907]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[27:2268] -A FORWARD -j DOCKER-USER
[27:2268] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[27:2268] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[27:2268] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[27:2268] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[27:2268] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[27:2268] -A DOCKER-USER -j RETURN
COMMIT
# Generated by iptables-save v1.8.3 on Fri Nov 15 10:11:51 2019
*nat
:PREROUTING ACCEPT [107:22651]
:INPUT ACCEPT [90:18175]
:OUTPUT ACCEPT [7:1549]
:POSTROUTING ACCEPT [7:1549]
:DOCKER - [0:0]
[6:2978] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[1:84] -A POSTROUTING -s 172.31.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
COMMIT
```
Additional output mentioned in the comments:
```
$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "53ce5b5c85f1ecd2e67118496f38141193398f5786c959305f0453ac15f96c63",
        "Created": "2019-11-16T12:36:27.244838753+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.31.0.1/16",
                    "Gateway": "172.31.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
```

```
$ docker run --rm -it alpine ip r
default via 172.31.0.1 dev eth0
172.31.0.0/16 dev eth0 scope link src 172.31.0.2
```
Trying to track down exactly where the connection fails, I ran:
```
$ docker run -it --rm gophernet/traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
 1  172.31.0.1 (172.31.0.1)  0.005 ms  0.051 ms  0.016 ms
 2  xxx.xxx.xxx.1 (xxx.xxx.xxx.1)  15.092 ms  0.570 ms  0.656 ms
 3  * * *
 4  * * *
[...]
```
`xxx.xxx.xxx.136` being the actual global address of my NAT.
```
$ ip route
default via 10.173.1.1 dev wlp3s0 proto dhcp metric 600
10.173.0.0/16 dev wlp3s0 proto kernel scope link src 10.173.136.22 metric 600
172.31.0.0/16 dev docker0 proto kernel scope link src 172.31.0.1 linkdown
```
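As an added example that is not part of the question or its comments: a small Python checker (my code, not the asker's) that parses `iptables-save -c` and `ip route` text of the kind pasted above and reports the host-side conditions a bridge-networked container needs for outbound traffic: forwarding enabled, the FORWARD chain accepting traffic leaving the bridge, a MASQUERADE rule for the bridge subnet together with its packet counter (which tells you whether the rule has matched anything at all), and the bridge route not being `linkdown`. The sample inputs are constructed from the outputs in the question; the `ip_forward` value is an assumption, since the question does not show it.

```python
import re
# Constructed sample input, trimmed from the outputs quoted in the question above.
IPTABLES_SAVE = """\
*filter
:FORWARD ACCEPT [0:0]
[27:2268] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
*nat
[1:84] -A POSTROUTING -s 172.31.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
"""
IP_ROUTE = """\
default via 10.173.1.1 dev wlp3s0 proto dhcp metric 600
172.31.0.0/16 dev docker0 proto kernel scope link src 172.31.0.1 linkdown
"""
IP_FORWARD = "1\n"  # assumed contents of /proc/sys/net/ipv4/ip_forward (not shown in the question)

def parse_tables(dump):
    """Split an iptables-save dump into {table: [lines]}, keeping ':CHAIN policy' lines."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif current and line and not line.startswith("#") and line != "COMMIT":
            tables[current].append(line)
    return tables

def rule_packets(lines, needle):
    """Packet counter of the first counted rule whose text contains needle, or None if absent."""
    for line in lines:
        m = re.match(r"\[(\d+):\d+\] (.*)", line)
        if m and needle in m.group(2):
            return int(m.group(1))
    return None

def check_egress(dump, routes, ip_forward, bridge="docker0", subnet="172.31.0.0/16"):
    """Named checks for container egress; every value should be truthy on a working host."""
    t = parse_tables(dump)
    filt, nat, rts = t.get("filter", []), t.get("nat", []), routes.splitlines()
    masq = rule_packets(nat, f"-A POSTROUTING -s {subnet} ! -o {bridge} -j MASQUERADE")
    fwd = rule_packets(filt, f"-A FORWARD -i {bridge} ! -o {bridge} -j ACCEPT")
    return {
        "ip_forward": ip_forward.strip() == "1",
        "forward_policy_accept": any(ln.startswith(":FORWARD ACCEPT") for ln in filt),
        "forward_from_bridge": fwd is not None,
        "masquerade_rule": masq is not None,
        "masquerade_packets": masq or 0,  # 0 means the rule exists but has NATed nothing yet
        "bridge_route_up": any(ln.startswith(f"{subnet} dev {bridge}") and "linkdown" not in ln for ln in rts),
    }
```

On a real host, feed `check_egress` the live output of `iptables-save -c`, `ip route` and `cat /proc/sys/net/ipv4/ip_forward`; a low MASQUERADE counter next to a much higher FORWARD counter is the kind of mismatch worth looking at first.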