ubuntu 无法从Docker主机 curl 到容器

insrf1ej  于 2023-10-17  发布在  Docker
关注(0)|答案(1)|浏览(109)

寻求帮助解决Docker的奇怪问题。
我有:

  • Ubuntu 18.04.6 LTS主机
  • Docker版本20.10.18,构建版本b40 c2 f6
  • 使用Sonatype Nexus编写docker:
version: '3.6'
services:
  nexus:
    image: sonatype/nexus3
    container_name: nexus
    volumes:
      - "nexus-data:/nexus-data"
    ports:
      - "127.0.0.1:91:8081"
      - "INTERNAL_ADDRESS:91:8081"
      - "EXTERNAL_ADDRESS:91:8081"
    networks:
      - nexus
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  
volumes:
  nexus-data: {}
networks:
  nexus:
    driver: bridge
    name: docker_network
    enable_ipv6: false
    ipam:
      driver: default
      config:
        - subnet: "172.1.0.0/16"
          gateway: "172.1.0.1"
    driver_opts:
      com.docker.network.enable_ipv6: "false"
      com.docker.network.bridge.name: docker_network

所以. container正常启动,我可以打开网页:http://EXTERNAL_ADDRESS:91/(来自互联网),http://INTERNAL_ADDRESS:91/(来自本地网络)
我也可以从互联网上做curl http://EXTERNAL_ADDRESS:91/
我不能从主机本身执行curl http://***:91/

curl -v http://localhost:91/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 91 (#0)
> GET / HTTP/1.1
> Host: localhost:91
> User-Agent: curl/7.58.0
> Accept: */*
>

curl -v http://INTERNAL_ADDRESS:91/
* Trying INTERNAL_ADDRESS...
* TCP_NODELAY set

(!!! and that all for this address)

我也有iptables启用和主机上设置,我试图完全禁用它们,它没有帮助.它们是:

# clean table
sudo iptables -F DOCKER-USER
# allow outgoing from docker and established
sudo iptables -A DOCKER-USER -i docker0 -j RETURN
sudo iptables -A DOCKER-USER -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A DOCKER-USER -i docker_network -j RETURN
sudo iptables -A DOCKER-USER -o docker_network -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# allow custom ip and localhost/internal network
sudo iptables -A DOCKER-USER -o docker0 -s MY_OWN_IP_ADDRESS -p tcp -j RETURN
sudo iptables -A DOCKER-USER -o docker_network -s MY_OWN_IP_ADDRESS -p tcp -j RETURN
sudo iptables -A DOCKER-USER -i $INTERNAL_INTERFACE -p tcp -j RETURN
sudo iptables -A DOCKER-USER -i $LOCALHOST_INTERFACE -p tcp -j RETURN
# reject all other
sudo iptables -A DOCKER-USER -j REJECT

其他服务(不在Docker中)可以以任何方式完全访问:web page,curl,wget.
有什么建议来解决吗?

rryofs0p

rryofs0p1#

经过两天的调查,我找到了问题的原因:我的iptables规则
在规则列表的末尾,我有这个(阻止所有不符合其他允许规则的请求):

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP

所有对Docker容器的请求都被阻止了。我已经为docker网络添加了2条规则(在DROP之前),curl现在可以工作了:

iptables -A INPUT -i docker_network -j ACCEPT
iptables -A OUTPUT -o docker_network -j ACCEPT

相关问题