Connecting to the host's secondary IP from inside a Docker container

Posted: 2018-07-12 18:30:27

Tags: amazon-web-services ubuntu docker networking

I am migrating an existing AWS (ubuntu) + Docker setup to start using Elastic Network Interfaces so that I can have a permanent IP in DNS. At instance startup I attach the ENI, and that works well:

  aws ec2 attach-network-interface --network-interface-id ${ENI} --instance-id ${INSTANCE_ID} --region ${REGION} --device-index 1

  ETH1=/etc/network/interfaces.d/eth1.cfg
  echo "auto eth1" > ${ETH1}
  echo "iface eth1 inet dhcp" >> ${ETH1}
  echo " up ip route add default via ${INSTANCE_SUBNET}.1 dev eth1 tab 2" >> ${ETH1}
  echo " up ip rule add from ${IP2}/32 tab 2" >> ${ETH1}
  echo " up ip rule add to ${IP2}/32 tab 2" >> ${ETH1}
  echo " up ip route flush cache" >> ${ETH1}
  ifup eth1

I can ping and ssh to the ENI address on eth1 remotely, and locally on the host. Everything is fine. Except... Docker. From inside a container I can connect to the host's eth0 interface, but not to eth1. (For the purposes of this post, eth0 == .207 and eth1 == .213.)

On the host, which booted as .207:

[root@10.180.11.207 ~]$ ping 10.180.11.207
PING 10.180.11.207 (10.180.11.207) 56(84) bytes of data.
64 bytes from 10.180.11.207: icmp_seq=1 ttl=64 time=0.028 ms
64 bytes from 10.180.11.207: icmp_seq=2 ttl=64 time=0.039 ms
^C
--- 10.180.11.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.028/0.033/0.039/0.008 ms
[root@10.180.11.207 ~]$ ping 10.180.11.213
PING 10.180.11.213 (10.180.11.213) 56(84) bytes of data.
64 bytes from 10.180.11.213: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 10.180.11.213: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 10.180.11.213: icmp_seq=3 ttl=64 time=0.037 ms
^C
--- 10.180.11.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.030/0.034/0.037/0.007 ms

Inside Docker:

[root@10.180.11.207 ~]$ docker run -t -i ubuntu /bin/bash
root@42e0b7d1d484:/# (apt update && apt install -y iputils-ping) > /dev/null
root@42e0b7d1d484:/# ping 10.180.11.207
PING 10.180.11.207 (10.180.11.207) 56(84) bytes of data.
64 bytes from 10.180.11.207: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from 10.180.11.207: icmp_seq=2 ttl=64 time=0.053 ms
^C
--- 10.180.11.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.047/0.050/0.053/0.003 ms
root@42e0b7d1d484:/# ping 10.180.11.213
PING 10.180.11.213 (10.180.11.213) 56(84) bytes of data.
^C
--- 10.180.11.213 ping statistics ---
13 packets transmitted, 0 received, 100% packet loss, time 12095ms

root@42e0b7d1d484:/#

Back on the host, everything looks fine to me...

[root@10.180.11.207 ~]$ ifconfig -a
docker0   Link encap:Ethernet  HWaddr 02:42:70:51:aa:6a
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:70ff:fe51:aa6a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35525 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42531 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2099259 (2.0 MB)  TX bytes:120243109 (120.2 MB)

eth0      Link encap:Ethernet  HWaddr 06:8c:bb:46:24:10
          inet addr:10.180.11.207  Bcast:10.180.11.255  Mask:255.255.255.0
          inet6 addr: fe80::48c:bbff:fe46:2410/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:132933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49069 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:182046681 (182.0 MB)  TX bytes:4131332 (4.1 MB)

eth1      Link encap:Ethernet  HWaddr 06:b9:f0:13:06:4a
          inet addr:10.180.11.213  Bcast:10.180.11.255  Mask:255.255.255.0
          inet6 addr: fe80::4b9:f0ff:fe13:64a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:33623 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1877291 (1.8 MB)  TX bytes:14361232 (14.3 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:244 errors:0 dropped:0 overruns:0 frame:0
          TX packets:244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:21188 (21.1 KB)  TX bytes:21188 (21.1 KB)

vethfd8cd11 Link encap:Ethernet  HWaddr aa:81:86:18:db:f4
          inet6 addr: fe80::a881:86ff:fe18:dbf4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18203 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1340186 (1.3 MB)  TX bytes:40751823 (40.7 MB)

Nothing in the routing table helps me

[root@10.180.11.207 ~]$ ip route list
default via 10.180.11.1 dev eth0
10.180.11.0/24 dev eth0  proto kernel  scope link  src 10.180.11.207
10.180.11.0/24 dev eth1  proto kernel  scope link  src 10.180.11.213
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1

or in iptables

[root@10.180.11.207 ~]$ iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

I can see the packets on docker0. I don't see anything on eth0 (or eth1), but I suppose it should be looped back anyway?

[root@10.180.11.207 ~]$ tcpdump -n -i docker0 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on docker0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:12:44.497216 ARP, Request who-has 172.17.0.2 tell 172.17.0.1, length 28
18:12:44.497274 ARP, Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28
18:12:46.522555 IP 172.17.0.2 > 10.180.11.207: ICMP echo request, id 297, seq 1, length 64
18:12:46.522590 IP 10.180.11.207 > 172.17.0.2: ICMP echo reply, id 297, seq 1, length 64
18:12:47.521557 IP 172.17.0.2 > 10.180.11.207: ICMP echo request, id 297, seq 2, length 64
18:12:47.521595 IP 10.180.11.207 > 172.17.0.2: ICMP echo reply, id 297, seq 2, length 64
18:12:48.521272 IP 172.17.0.2 > 10.180.11.207: ICMP echo request, id 297, seq 3, length 64
18:12:48.521311 IP 10.180.11.207 > 172.17.0.2: ICMP echo reply, id 297, seq 3, length 64
18:12:57.207506 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 1, length 64
18:12:58.215426 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 2, length 64
18:12:59.223387 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 3, length 64
18:13:00.231388 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 4, length 64
18:13:01.239439 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 5, length 64
18:13:02.247412 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 6, length 64
18:13:03.255409 IP 172.17.0.2 > 10.180.11.213: ICMP echo request, id 298, seq 7, length 64

Routing looks fine:

[root@10.180.11.207 ~]$ ip route get 10.180.11.213 from 172.17.0.1
local 10.180.11.213 from 172.17.0.1 dev lo
    cache <local>
[root@10.180.11.207 ~]$ ip route get 10.180.11.207 from 172.17.0.1
local 10.180.11.207 from 172.17.0.1 dev lo
    cache <local>
[root@10.180.11.207 ~]$ ip route get 10.180.11.213 from 10.180.11.207
local 10.180.11.213 from 10.180.11.207 dev lo
    cache <local>

Any ideas? I'm exhausted.

1 answer:

Answer 0 (score: 1)

I think the problem is in how the bridge is configured. docker0 is a bridge for eth0. You need another bridge to eth1, and then attach that bridge to the container as another network.

An example might be:

docker network create -d bridge \
--subnet=172.30.0.32/24 \
--opt com.docker.network.bridge.enable_ip_masquerade=true \
--opt com.docker.network.bridge.host_binding_ipv4=10.180.11.213 \
--opt com.docker.network.bridge.name=docker1 \
docker1

The important part is com.docker.network.bridge.host_binding_ipv4, which is the eth1 IP.

Then connect the container to that bridge:

docker network connect docker1 container-name
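The question's eth1.cfg adds two policy rules (`from ${IP2}/32 tab 2` and `to ${IP2}/32 tab 2`) that steer traffic involving the eth1 address into routing table 2, and the answer proposes a second Docker bridge. The following is an added example, not code from the question or the answer: it models the Linux routing policy database lookup (rules tried in priority order, longest-prefix match within each table, fall-through to the next rule when a table has no match) and runs the echo request and echo reply of the failing ping through the rules and routes the question posts. The addresses come from the question; table 2 is assumed to contain only the default route that eth1.cfg installs (the question never prints it), and the extra route added in `fixed_tables()` is a hypothetical adjustment used only to show how the lookup changes.

```python
"""Trace the RPDB lookup for the ping in the question (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: IPv4Net
    dev: str
    via: Optional[str] = None   # next hop; None for connected or local routes
    local: bool = False         # "local" route: deliver to this host itself


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[IPv4Net] = None   # "from" selector
    dst: Optional[IPv4Net] = None   # "to" selector

    def matches(self, src, dst) -> bool:
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst))


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


def lookup(tables: Dict[str, List[Route]], rules: List[Rule],
           src: str, dst: str) -> Optional[Route]:
    """Pick the route the kernel would use for a packet src -> dst.

    Rules are consulted in ascending priority; inside the selected table the
    longest matching prefix wins; a table with no match falls through to the
    next rule. Returns None if nothing matches (the kernel would reply with
    'network unreachable')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if not rule.matches(s, d):
            continue
        hits = [r for r in tables.get(rule.table, []) if d in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen)
    return None


# Addresses taken from the question.
HOST_ETH0, HOST_ETH1, GW = "10.180.11.207", "10.180.11.213", "10.180.11.1"
CONTAINER, DOCKER0 = "172.17.0.2", "172.17.0.1"

# Rules as eth1.cfg creates them; iproute2 assigns decreasing priorities
# just below the 'main' rule when none is given.
RULES = [
    Rule(0, "local"),
    Rule(32765, "2", src=net(HOST_ETH1 + "/32")),   # ip rule add from IP2/32 tab 2
    Rule(32764, "2", dst=net(HOST_ETH1 + "/32")),   # ip rule add to IP2/32 tab 2
    Rule(32766, "main"),
]


def question_tables() -> Dict[str, List[Route]]:
    """Routing tables reconstructed from the question's `ip route list`.

    Table 2 is an assumption: only the default route from eth1.cfg."""
    return {
        "local": [Route(net(HOST_ETH0 + "/32"), "lo", local=True),
                  Route(net(HOST_ETH1 + "/32"), "lo", local=True),
                  Route(net(DOCKER0 + "/32"), "lo", local=True)],
        "2": [Route(net("0.0.0.0/0"), "eth1", via=GW)],
        "main": [Route(net("0.0.0.0/0"), "eth0", via=GW),
                 Route(net("10.180.11.0/24"), "eth0"),
                 Route(net("10.180.11.0/24"), "eth1"),
                 Route(net("172.17.0.0/16"), "docker0")],
    }


def fixed_tables() -> Dict[str, List[Route]]:
    """Hypothetical variant: give table 2 a route back to the docker0 subnet
    (equivalent to `ip route add 172.17.0.0/16 dev docker0 table 2`)."""
    t = question_tables()
    t["2"].insert(0, Route(net("172.17.0.0/16"), "docker0"))
    return t


def trace_ping(tables: Dict[str, List[Route]], host_ip: str):
    """Route the echo request (container -> host_ip) and the echo reply
    (host_ip -> container); return the chosen devices."""
    req = lookup(tables, RULES, CONTAINER, host_ip)
    rep = lookup(tables, RULES, host_ip, CONTAINER)
    return (req.dev if req else None), (rep.dev if rep else None)


if __name__ == "__main__":
    for label, tables in (("as posted", question_tables()),
                          ("with docker0 route in table 2", fixed_tables())):
        for ip in (HOST_ETH0, HOST_ETH1):
            print(label, ip, "request dev / reply dev:", trace_ping(tables, ip))
```

With the tables as posted, the request to .213 resolves to a local route on lo, matching the `ip route get` output in the question, while the reply from .213 matches the `from IP2/32` rule and leaves through table 2's default route on eth1 instead of docker0; the reply from .207 never matches that rule and takes the main table's docker0 route. The model ignores reverse-path filtering and netfilter, so treat it as a way to read the rules, not as a replacement for `ip route get` on the real host.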