Exposed port is not actually exposed? - RHEL7 running a RHEL7 docker image

Time: 2017-08-17 03:02:08

Tags: docker flask docker-compose rhel rhel7

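I am unable to contact a RHEL 7 docker container running in RHEL 7. The problem concerns other computers on the same network contacting the Flask server that the host runs in its own Docker container. The containers are bare-metal, with no firewalld or iptables.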

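docker-compose links a mysql:latest image and a bare-metal rhel7 image running Python Flask. I have a mysql server running on the same RHEL 7 host, and I can nc to it perfectly fine from another computer on the same network. I have no information about how the specific rhel image was built or what was turned off in it, so I have to work around that, but the mysql image is from registry.access.redhat.com.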

Some output

Some private information has been replaced with ???

Docker info

$ docker info
Containers: 22
 Running: 2
 Paused: 0
 Stopped: 20
Images: 67
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: docker-253:1-117440691-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 13.65 GB
 Data Space Total: 107.4 GB
 Data Space Available: 89.54 GB
 Metadata Space Used: 15.32 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.132 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Data loop file: ???
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: ???
 Library Version: 1.02.140-RHEL7 (2017-05-03)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge null host overlay
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-693.1.1.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.4 (Maipo)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 2
Total Memory: 11.58 GiB
Name: ???
ID: ???
Docker Root Dir: ???
Debug Mode (client): false
Debug Mode (server): false
Http Proxy: http://???.com:82
Https Proxy: http://???.com:82
Registry: https://???.com/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Insecure Registries:
 127.0.0.0/8
Registries: ???.com (secure), registry.access.redhat.com (secure), docker.io (secure)

Running docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
db053a1518e3        ???_server         "/usr/bin/python Laun"   54 minutes ago      Up 54 minutes       0.0.0.0:8087->8087/tcp   ???_server_1
69d512050bb9        ???_db             "docker-entrypoint.sh"   54 minutes ago      Up 54 minutes       0.0.0.0:3306->3306/tcp   ???_db_1

Running netstat

For mysql:

 $ sudo netstat -anp | grep 3306
tcp6       0      0 :::3306                 :::*                    LISTEN      30338/docker-proxy-

For Flask:

$ sudo netstat -anp | grep 8087
tcp6       0      0 :::8087                 :::*                    LISTEN      30454/docker-proxy- 
unix  3      [ ]         STREAM     CONNECTED     368087   21392/dockerd-curre  /var/run/docker.sock

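Why I think it's the container's fault - using nc / telnet

I believe the mysql container is using ubuntu, which may have different permissions than RHEL. nc from another computer on the same network gives me: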

$ nc 100.71.26.29 3306
J5.7.19{)EOm3ÿÿÁQZBTm%KM-mysql_native_password

Which is a lot, but at least we know it's running.

Now, I created a test docker image from the same base image, with nc installed. I ran the following:

$  nc -l 8088
hello world!

The hello world! came from a telnet connection from my host:

$ telnet localhost 8088
Trying ::1...
Connected to localhost.
Escape character is '^]'.
hello world!
^]
telnet> Connection closed.

This means it works on the same machine.

Now, let's try it from a separate machine.

The separate machine cannot connect:

$ telnet 100.71.26.29 8088
Trying 100.71.26.29... # hangs forever
telnet: connect to address 100.71.26.29: Connection timed out

Why I think it's the container's fault - using curl

Running curl on localhost for the specific port, which is exactly what I want from the Flask server:

$ curl localhost:8087


                ... A lot of HTML ...
                <div>
                    <input id = "get-csv" type = "submit" class = "custom-button">
                </div>
            </td>
        </tr>
    </table>
</div>

Running curl INSIDE docker with the following command:

$ docker exec -it server:latest /bin/bash
...
docker$ curl localhost:8087


                ... A lot of HTML ...
                <div>
                    <input id = "get-csv" type = "submit" class = "custom-button">
                </div>
            </td>
        </tr>
    </table>
</div>

But running curl from another computer fails:

$ curl 100.71.26.29:8087 # hangs for like 2 minutes:

<FONT face="Helvetica">
<big>Network Error (tcp_error)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
A communication error occurred: "Operation timed out"
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

So does anyone have any idea what is going on here? Thanks!

0 answers:

No answers
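
As an added example (not part of the original question), one way to cross-check the `docker ps` port mappings against the `netstat -anp` listeners and report which published ports are bound on all host interfaces. The sample input is constructed from the output shown in the question, and the function names are hypothetical.

```python
import re

# Constructed from the `docker ps` and `netstat -anp | grep` output in the question.
DOCKER_PS_PORTS = {"???_server_1": "0.0.0.0:8087->8087/tcp",
                   "???_db_1": "0.0.0.0:3306->3306/tcp"}
NETSTAT = """\
tcp6       0      0 :::3306                 :::*                    LISTEN      30338/docker-proxy-
tcp6       0      0 :::8087                 :::*                    LISTEN      30454/docker-proxy-
unix  3      [ ]         STREAM     CONNECTED     368087   21392/dockerd-curre  /var/run/docker.sock
"""

PORT_RE = re.compile(r"^(?:(?P<ip>.+):(?P<hport>\d+)->)?(?P<cport>\d+)/(?P<proto>\w+)$")
WILDCARD = {"0.0.0.0", "::"}  # a tcp6 "::" listener also accepts IPv4 unless bindv6only=1

def parse_published(field):
    """Parse a docker ps PORTS field into (host_ip, host_port, proto) tuples."""
    out = []
    for entry in filter(None, (e.strip() for e in field.split(","))):
        m = PORT_RE.match(entry)
        if m and m["hport"]:  # entries without "->" are exposed, not published
            out.append((m["ip"], int(m["hport"]), m["proto"]))
    return out

def parse_listeners(text):
    """Map TCP port -> (local address, program) for LISTEN sockets only."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        # Skips the unix-socket line, which matched grep only through inode 368087.
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)
            listeners[int(port)] = (addr, f[6])
    return listeners

def audit(ps_ports, netstat_text):
    """Classify each published port by what is actually listening on the host."""
    listeners = parse_listeners(netstat_text)
    report = {}
    for name, field in ps_ports.items():
        for _ip, port, _proto in parse_published(field):
            if port not in listeners:
                report[(name, port)] = "no-listener"
            elif listeners[port][0] in WILDCARD:
                report[(name, port)] = "all-interfaces"
            else:
                report[(name, port)] = "bound-to:" + listeners[port][0]
    return report

if __name__ == "__main__":
    for key, status in audit(DOCKER_PS_PORTS, NETSTAT).items():
        print(key, status)
```

On the question's data both 8087 and 3306 come back as `all-interfaces`, each with a docker-proxy listener on the host.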