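My company has a CentOS 7 server with some Docker containers running on it. Normally I can connect to it from my personal computer. However, sometimes after running the docker-compose up command on the server, I can no longer connect to it (I tried to ping it / connect via ssh, and it just hangs forever). When this happens, I have to get onto the server from another computer and run docker-compose down, and then everything goes back to normal.
I did not define any networks in the docker-compose.yml file; I always let docker handle networking by itself.
My problem is: currently a few people on my team cannot connect to the server. I think this may be related to docker, because it manipulates iptables by default (I use iptables on the server, not firewalld). One person was even able to connect at one point, but after he "reset his wifi" (ncpa.cpl -> disable -> enable, his IP changed), he could no longer connect.
I just want to ask whether this is a common problem, whether anyone has faced something similar, or whether anyone has suggestions on how to fix it. I'm really stuck here.
I don't know if this helps, but here is my iptables -L: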
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DOCKER-INGRESS all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (9 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.5 tcp dpt:9494
ACCEPT tcp -- anywhere 172.25.0.2 tcp dpt:XmlIpcRegSvc
ACCEPT tcp -- anywhere 172.25.0.3 tcp dpt:eforward
ACCEPT tcp -- anywhere 172.17.0.12 tcp dpt:8484
ACCEPT tcp -- anywhere 172.17.0.16 tcp dpt:cslistener
ACCEPT tcp -- anywhere 172.17.0.8 tcp dpt:8282
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:tproxy
ACCEPT tcp -- anywhere 172.17.0.10 tcp dpt:xmltec-xmlmail
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:8282
ACCEPT tcp -- anywhere 172.29.0.2 tcp dpt:cslistener
ACCEPT tcp -- anywhere 172.31.0.2 tcp dpt:27017
ACCEPT tcp -- anywhere 172.31.0.3 tcp dpt:27017
ACCEPT tcp -- anywhere 192.168.48.3 tcp dpt:webcache
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:commplex-main
ACCEPT tcp -- anywhere 172.17.0.7 tcp dpt:domaintime
ACCEPT tcp -- anywhere 172.17.0.9 tcp dpt:intermapper
ACCEPT tcp -- anywhere 172.17.0.11 tcp dpt:8808
ACCEPT tcp -- anywhere 172.17.0.14 tcp dpt:8585
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:sun-as-jpda
ACCEPT tcp -- anywhere 172.17.0.13 tcp dpt:pds
Chain DOCKER-INGRESS (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (9 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
And this is my docker network ls:
NETWORK ID NAME DRIVER SCOPE
ffdf3af963da bridge bridge local
592d75d9d5b9 coeeventifytestoldversion_default bridge local
c4a9765aa44f docker_gwbridge bridge local
06e4cb827a9c FE_default bridge local
5fa4ecb69ec6 servicecode_net bridge local
63cbe32ab786 healthcheck_default bridge local
9238d2095aec host host local
e67bc4a01511 kafka_default bridge local
f2ae14c5c4f6 myApp_default bridge local
724a03d36011 none null local
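7e62d26d7c7c sourcecode_default bridge local
Posted on 2019-09-05 19:24:40
This can happen if the IP addresses used by your docker daemon are also in use on your company network. Suppose one of your teammates has the IP address 192.168.160.2 and one of your docker containers also gets the same IP address, 192.168.160.2. When the container tries to send a response to your teammate, it cannot reach him, because the packets will be sent to the container itself.
You should make sure that your docker daemon uses a completely different subnet from your local network. You can use docker network inspect to see which IP addresses a particular docker network is using.
To change the IP addresses docker uses, see Configuring Docker to not use the 172.17.0.0 range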
https://serverfault.com/questions/981665
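The overlap check described in the answer, as an added example that is not part of the original question or answer. It parses output in the shape of `docker network inspect` and reports every docker subnet that overlaps a client address or LAN range. The subnet assigned to `kafka_default` and the 10.20.0.0/16 office range are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape printed by:
#   docker network inspect $(docker network ls -q)
# Network names come from the question; the subnets are assumptions.
SAMPLE_INSPECT = """
[
  {"Name": "bridge",
   "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
  {"Name": "kafka_default",
   "IPAM": {"Config": [{"Subnet": "192.168.160.0/20", "Gateway": "192.168.160.1"}]}},
  {"Name": "host", "IPAM": {"Config": []}}
]
"""


def docker_subnets(inspect_json):
    """Return [(network name, ip_network)] for every subnet in the inspect output."""
    found = []
    for net in json.loads(inspect_json):
        # host/none networks have an empty or missing IPAM config
        configs = (net.get("IPAM") or {}).get("Config") or []
        for cfg in configs:
            if cfg.get("Subnet"):
                subnet = ipaddress.ip_network(cfg["Subnet"], strict=False)
                found.append((net["Name"], subnet))
    return found


def find_conflicts(inspect_json, lan_ranges):
    """Return (docker network, docker subnet, LAN range) for each overlap."""
    lans = [ipaddress.ip_network(r, strict=False) for r in lan_ranges]
    conflicts = []
    for name, subnet in docker_subnets(inspect_json):
        for lan in lans:
            # Only compare IPv4 with IPv4 and IPv6 with IPv6
            if subnet.version == lan.version and subnet.overlaps(lan):
                conflicts.append((name, str(subnet), str(lan)))
    return conflicts


if __name__ == "__main__":
    # 192.168.160.2 is the teammate address used in the answer;
    # 10.20.0.0/16 is a made-up office range.
    lan = ["192.168.160.2", "10.20.0.0/16"]
    for name, subnet, hit in find_conflicts(SAMPLE_INSPECT, lan):
        print(f"{name}: {subnet} overlaps {hit}")
```

On the real host, feed the function the actual `docker network inspect` output together with the address ranges your clients and VPN hand out.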