在无根模式下运行时，对接器与主机的连接如何工作？

Question

我目前正试图根据文档：https://docs.docker.com/engine/security/rootless/在无根模式下运行docker守护进程。

当netcat命令在运行docker时以“正常方式”运行时，例如：sudo docker run --rm -it --name custom

bash：

(根据您尝试的码头映像，在此阶段您可能必须在容器内安装netcat包)

root@a390456c8d0b:/# nc -vz 172.17.0.1 5432
Connection to 172.17.0.1 5432 port [tcp/postgresql] succeeded!

它不使用无根模式：

root@a390456c8d0b:/# nc -vr 172.17.0.1 5432
nc: connect to 172.17.0.1 port 5432 (tcp) failed: Connection refused

在我看来，网关172.17.0.1只在使用sudo以正常方式运行时才可用/使用，而不是在新的无根模式下使用。但这只是猜测。

有人知道如何解决这个问题吗?我怎样才能在主机上的任何端口(Ubuntu21.10/22.04dev)中从任何无根的码头容器中切换？(在本例中，我平postgres默认端口5432，但它可以是您选择的任何端口)。

信息：

$ docker --version
Docker version 20.10.12, build e91ed57

$ uname -mor
5.13.0-19-generic x86_64 GNU/Linux

在无根状态下，码头服务的状态如下：

$ systemctl --user status docker
● docker.service - Docker Application Container Engine (Rootless)
     Loaded: loaded (/home/sk/.config/systemd/user/docker.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-01-02 21:59:07 CET; 25min ago
       Docs: https://docs.docker.com/go/rootless/
   Main PID: 37085 (rootlesskit)
      Tasks: 58
     Memory: 57.5M
        CPU: 5.553s
     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
             ├─37085 rootlesskit --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy->
             ├─37096 /proc/self/exe --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --co>
             ├─37114 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 37096 tap0
             ├─37121 dockerd
             ├─37143 containerd --config /run/user/1000/docker/containerd/containerd.toml --log-level info
             └─37393 /usr/bin/containerd-shim-runc-v2 -namespace moby -id a370455c8d0bc3e2fd796e788d52d4315c06fc44befe38aa8eb5466f1128e787 -address /run/user/1000/docker/>

Jan 02 21:59:07 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:07.957623453+01:00" level=warning msg="Unable to find io controller"
Jan 02 21:59:07 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:07.957626649+01:00" level=warning msg="Unable to find cpuset controller"
Jan 02 21:59:07 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:07.957716164+01:00" level=info msg="Loading containers: start."
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.007912512+01:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. D>
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.077361354+01:00" level=info msg="Loading containers: done."
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.080978248+01:00" level=warning msg="Not using native diff for overlay2, this may cause degraded performan>
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.081081192+01:00" level=info msg="Docker daemon" commit=459d0df graphdriver(s)=overlay2 version=20.10.12
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.081102319+01:00" level=info msg="Daemon has completed initialization"
Jan 02 21:59:08 sk-Laptop dockerd-rootless.sh[37121]: time="2022-01-02T21:59:08.091292835+01:00" level=info msg="API listen on /run/user/1000/docker.sock"
Jan 02 22:00:30 sk-Laptop dockerd-rootless.sh[37143]: time="2022-01-02T22:00:30.603612706+01:00" level=info msg="starting signal loop" namespace=moby path=/run/.ro995659387/user/1000/do>

当使用sudo运行时，systemctl输出显示“根”守护进程不活动，这是正常的：

$ sudo systemctl status docker
○ docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; disabled; vendor preset: enabled)
     Active: inactive (dead)
TriggeredBy: ○ docker.socket
       Docs: https://docs.docker.com

Jan 02 21:55:39 sk-Laptop dockerd[36685]: time="2022-01-02T21:55:39.318284987+01:00" level=info msg="Daemon has completed initialization"
Jan 02 21:55:39 sk-Laptop systemd[1]: Started Docker Application Container Engine.
Jan 02 21:55:39 sk-Laptop dockerd[36685]: time="2022-01-02T21:55:39.329132562+01:00" level=info msg="API listen on /run/docker.sock"
Jan 02 21:56:14 sk-Laptop systemd[1]: Stopping Docker Application Container Engine...
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.005854836+01:00" level=info msg="Processing signal 'terminated'"
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.006211665+01:00" level=info msg="stopping event stream following graceful shutdown" error="" module=l>
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.006356148+01:00" level=info msg="Daemon shutdown complete"
Jan 02 21:56:14 sk-Laptop dockerd[36685]: time="2022-01-02T21:56:14.006382673+01:00" level=info msg="stopping event stream following graceful shutdown" error="context cancele>
Jan 02 21:56:14 sk-Laptop systemd[1]: docker.service: Deactivated successfully.
Jan 02 21:56:14 sk-Laptop systemd[1]: Stopped Docker Application Container Engine.

Answer 1

下面是一个理论__，但我手头上没有一个可以以无根模式进行测试的坞主机。

在无根模式下运行时，停靠守护进程所能做的事情有一些限制。

我不知道他们是如何实现无根网络的，但是没有根目录的对接者不能直接在主机的命名空间中创建通用的对接接口，这是有意义的。在常规根模式下，当我键入ip address时，我可以看到一个接口：

4: docker0:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:88:1f:3d:89 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:88ff:fe1f:3d89/64 scope link 
       valid_lft forever preferred_lft forever

我的理论是，如果docker不能创建这个程序，那么您的问题不是无法与主机对话，而是您的应用程序(postgresql)没有监听172.17.0.1。这可能是无根模式对接器的无记录限制。

幸运的是，您的应用程序(postgresql)仍然应该侦听其他IP地址，例如您的LAN或WiFi ip地址。如果您的码头集装箱可以到达外部世界(从互联网访问任何东西)，那么它应该能够在IP上与您的主机对话。

您可以使用命令ip address查找本地ip地址，然后使用该地址。