I am migrating an existing AWS (Ubuntu) + Docker setup to start using an elastic network interface (ENI) so that I can have a permanent IP in DNS. At instance launch I attach the ENI, and that works fine:
aws ec2 attach-network-interface --network-interface-id ${ENI} --instance-id ${INSTANCE_ID} --region ${REGION} --device-index 1
ETH1=/etc/network/interfaces.d/eth1.cfg
echo "auto eth1" > ${ETH1}
echo "iface eth1 inet dhcp" >> ${ETH1}
echo " up ip route add default via ${INSTANCE_SUBNET}.1 dev eth1 tab 2" >> ${ETH1}
echo " up ip rule add from ${IP2}/32 tab 2" >> ${ETH1}
echo " up ip rule add to ${IP2}/32 tab 2" >> ${ETH1}
echo " up ip route flush cache" >> ${ETH1}
ifup eth1
I can ping and ssh to the ENI address on eth1, both remotely and locally on the host. Everything is fine. Except... Docker. From inside a container I can connect to the host's eth0 interface, but not to eth1. (For the purposes of this post, eth0 == .207 and eth1 == .213.)
On the host, starting with .207:
[[email protected] ~]$ ping 10.180.11.207
PING 10.180.11.207 (10.180.11.207) 56(84) bytes of data.
64 bytes from 10.180.11.207: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 10.180.11.207: icmp_seq=2 ttl=64 time=0.039 ms
^C
--- 10.180.11.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.028/0.033/0.039/0.008 ms
[[email protected] ~]$ ping 10.180.11.213
PING 10.180.11.213 (10.180.11.213) 56(84) bytes of data.
64 bytes from 10.180.11.213: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 10.180.11.213: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 10.180.11.213: icmp_seq=3 ttl=64 time=0.037 ms
^C
--- 10.180.11.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.030/0.034/0.037/0.007 ms
Inside docker:
[[email protected] ~]$ docker run -t -i ubuntu /bin/bash
root@42e0b7d1d484:/# (apt update && apt install -y iputils-ping) > /dev/null
root@42e0b7d1d484:/# ping 10.180.11.207
PING 10.180.11.207 (10.180.11.207) 56(84) bytes of data.
64 bytes from 10.180.11.207: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.180.11.207: icmp_seq=2 ttl=64 time=0.053 ms
^C
--- 10.180.11.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.047/0.050/0.053/0.003 ms
root@42e0b7d1d484:/# ping 10.180.11.213
PING 10.180.11.213 (10.180.11.213) 56(84) bytes of data.
^C
--- 10.180.11.213 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12095ms
root@42e0b7d1d484:/#
Back on the host, everything looks fine to me...
[[email protected] ~]$ ifconfig -a
docker0 Link encap:Ethernet HWaddr 02:42:70:51:aa:6a
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:70ff:fe51:aa6a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35525 errors:0 dropped:0 overruns:0 frame:0
TX packets:42531 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2099259 (2.0 MB) TX bytes:120243109 (120.2 MB)
eth0 Link encap:Ethernet HWaddr 06:8c:bb:46:24:10
inet addr:10.180.11.207 Bcast:10.180.11.255 Mask:255.255.255.0
inet6 addr: fe80::48c:bbff:fe46:2410/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:132933 errors:0 dropped:0 overruns:0 frame:0
TX packets:49069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:182046681 (182.0 MB) TX bytes:4131332 (4.1 MB)
eth1 Link encap:Ethernet HWaddr 06:b9:f0:13:06:4a
inet addr:10.180.11.213 Bcast:10.180.11.255 Mask:255.255.255.0
inet6 addr: fe80::4b9:f0ff:fe13:64a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:33623 errors:0 dropped:0 overruns:0 frame:0
TX packets:32080 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1877291 (1.8 MB) TX bytes:14361232 (14.3 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:244 errors:0 dropped:0 overruns:0 frame:0
TX packets:244 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:21188 (21.1 KB) TX bytes:21188 (21.1 KB)
vethfd8cd11 Link encap:Ethernet HWaddr aa:81:86:18:db:f4
inet6 addr: fe80::a881:86ff:fe18:dbf4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:17230 errors:0 dropped:0 overruns:0 frame:0
TX packets:18203 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1340186 (1.3 MB) TX bytes:40751823 (40.7 MB)
Nothing in the route table that affects me, as far as I can tell
[[email protected] ~]$ ip route list
default via 10.180.11.1 dev eth0
10.180.11.0/24 dev eth0 proto kernel scope link src 10.180.11.207
10.180.11.0/24 dev eth1 proto kernel scope link src 10.180.11.213
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
or in iptables
[[email protected] ~]$ iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
I can see the packets on docker0. I don't see anything on eth0 (or eth1), but I suppose that should be looped back anyway?
[[email protected] ~]$ tcpdump -n -i docker0 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:12:44.497216 ARP, Request who-has 172.17.0.2 tell 172.17.0.1, length 28
18:12:44.497274 ARP, Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28
18:12:46.522555 IP 172.17.0.2 > 10.180.11.207: ICMP echo request, id 297, seq 1, length 64
18:12:46.522590 IP 10.180.11.207 > 172.17.0.2: ICMP echo reply, id 297, seq 1, length 64
18:12:47.521557 IP 172.17.0.2 > 10.180.11.207: ICMP echo request, id 297, seq 2, length 64
18:12:47.521595 IP 10.180.11.207 > 172.17.0.2: ICMP echo reply, id 297, seq 2, length 64
18:12:48.521272 IP 172.17.0.2 > 10.180.11.207: ICMP echo request, id 297, seq 3, length 64
18:12:48.521311 IP 10.180.11.207 > 172.17.0.2: ICMP echo reply, id 297, seq 3, length 64
18:12:57.207506 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 1, length 64
18:12:58.215426 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 2, length 64
18:12:59.223387 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 3, length 64
18:13:00.231388 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 4, length 64
18:13:01.239439 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 5, length 64
18:13:02.247412 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 6, length 64
18:13:03.255409 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 7, length 64
The routing decision looks fine:
[[email protected] ~]$ ip route get 10.180.11.213 from 172.17.0.1
local 10.180.11.213 from 172.17.0.1 dev lo
cache <local>
[[email protected] ~]$ ip route get 10.180.11.207 from 172.17.0.1
local 10.180.11.207 from 172.17.0.1 dev lo
cache <local>
[[email protected] ~]$ ip route get 10.180.11.213 from 10.180.11.207
local 10.180.11.213 from 10.180.11.207 dev lo
cache <local>
Any ideas? I have exhausted every trick I know.
Best answer
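The question lists the `ip rule` entries installed by eth1.cfg, the main routing table, the single route in table 2 and several `ip route get` lookups. The following is an added example, not code from the question or the answer: a small Python model of Linux policy routing (rules consulted by preference, longest-prefix match inside each table, fall-through to the next rule when a table has no route) loaded with those rules and routes, so the forward and return lookup of a container-to-host ping can be traced on paper. Everything named in it (Route, Rule, route_get, ping_path, with_docker_route_in_table2, the contents of the local table, and the rule preference numbers 32764/32765 that `ip rule add` assigns without an explicit pref) is an assumption of the model, not output captured from the asker's host; the real kernel is checked with `ip rule show`, `ip route show table 2` and `ip route get <dst> from <src>`.

```python
"""Toy model of Linux policy routing (ip rule + ip route tables), built from the
rules and routes quoted in the question. Constructed for illustration only; the
lookups below are simulated, not captured from the asker's host."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination prefix, "0.0.0.0/0" for a default route
    dev: str                     # egress device
    via: Optional[str] = None    # next-hop gateway; None when directly connected
    local: bool = False          # True for addresses the host itself owns (local table)


@dataclass(frozen=True)
class Rule:
    pref: int                    # lower preference is consulted first
    table: str
    src: Optional[str] = None    # "from" selector
    dst: Optional[str] = None    # "to" selector

    def matches(self, dst: str, src: Optional[str]) -> bool:
        if self.dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.src:
            if src is None or ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
                return False
        return True


# Rules as created by the eth1.cfg "up" hooks (assumed prefs: `ip rule add` without
# an explicit pref gives the first user rule 32765 and the next 32764).
RULES = sorted([
    Rule(0, "local"),
    Rule(32764, "2", dst="10.180.11.213/32"),   # ip rule add to ${IP2}/32 tab 2
    Rule(32765, "2", src="10.180.11.213/32"),   # ip rule add from ${IP2}/32 tab 2
    Rule(32766, "main"),
], key=lambda r: r.pref)

# Routing tables: "main" is the `ip route list` output from the question, "2" is the
# route the eth1.cfg hook installs, "local" is the kernel-maintained table of the
# host's own addresses (assumed contents, consistent with the `ip route get` output).
TABLES = {
    "local": [
        Route("10.180.11.207/32", "lo", local=True),
        Route("10.180.11.213/32", "lo", local=True),
        Route("172.17.0.1/32", "lo", local=True),
        Route("127.0.0.0/8", "lo", local=True),
    ],
    "main": [
        Route("0.0.0.0/0", "eth0", via="10.180.11.1"),
        Route("10.180.11.0/24", "eth0"),
        Route("10.180.11.0/24", "eth1"),
        Route("172.17.0.0/16", "docker0"),
    ],
    "2": [
        Route("0.0.0.0/0", "eth1", via="10.180.11.1"),   # default via ${INSTANCE_SUBNET}.1 dev eth1 tab 2
    ],
}


def lookup_table(table, dst):
    """Longest-prefix match within one table; None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = route
    return best


def route_get(dst, src=None, tables=TABLES, rules=RULES):
    """Simulate `ip route get DST from SRC`: walk the rules by preference and return
    (table name, Route) from the first table that has a matching route."""
    for rule in rules:
        if not rule.matches(dst, src):
            continue
        route = lookup_table(tables[rule.table], dst)
        if route is not None:
            return rule.table, route
    raise LookupError(f"{dst} unreachable")


def ping_path(container_ip, host_ip, tables=TABLES):
    """Forward and return lookups for an ICMP echo between a docker0 container and a host address."""
    req_table, req = route_get(host_ip, container_ip, tables)
    rep_table, rep = route_get(container_ip, host_ip, tables)
    return {"request": (req_table, req.dev), "reply": (rep_table, rep.dev),
            "reply_stays_on_docker0": rep.dev == "docker0"}


def with_docker_route_in_table2():
    """Variant of the tables where table 2 also knows the docker0 subnet (an assumption,
    not a change the question or the answer makes)."""
    patched = dict(TABLES)
    patched["2"] = TABLES["2"] + [Route("172.17.0.0/16", "docker0")]
    return patched


if __name__ == "__main__":
    for host_ip in ("10.180.11.207", "10.180.11.213"):
        print(host_ip, ping_path("172.17.0.2", host_ip))
    print("table 2 with docker0 route:", ping_path("172.17.0.2", "10.180.11.213", with_docker_route_in_table2()))
```

Under this model the echo request to either host address resolves in the local table (matching the `ip route get ... from 172.17.0.1` output above), while the reply sourced from .213 hits the "from 10.180.11.213/32" rule and is resolved in table 2, whose only route is the default via eth1. Comparing the two variants shows why a `tcpdump -n -i eth1 icmp` on the host and `ip route get 172.17.0.2 from 10.180.11.213` are the two checks worth running when policy routing and a container bridge share a host.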
I think the problem is in how the bridge is configured. docker0 is a bridge for eth0. You need another bridge to eth1, and then attach that bridge to the container as another network.
An example could be:
docker network create -d bridge \
--subnet=172.30.0.32/24 \
--opt com.docker.network.bridge.enable_ip_masquerade=true \
--opt com.docker.network.bridge.host_binding_ipv4=10.180.11.213 \
--opt com.docker.network.bridge.name=docker1 \
docker1
The important part is com.docker.network.bridge.host_binding_ipv4, which is the eth1 IP. Then connect the container to that bridge:
docker network connect docker1 container-name