docker internet connectivity with iptables=false


Question

I give up. I'm using Docker 1.12.0 under Ubuntu 16.04 hardened with UFW.

The machine has 2 interfaces - one public (eth0) and one to a private network (eth1)

Server Version: 1.12.3
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 15
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null bridge host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-47-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 488.5 MiB
Name: image-base
ID: 2473:FGJQ:MEEC:CEWY:BSLR:SYB5:EXMO:WJBE:7MMM:DIZH:NJQF:L5NA
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

Just like I did with previous versions I configured "iptables" to be false so docker won't change my firewall.

But in the latest versions of docker (11+) this command has a side-effect - after a reboot - docker containers stop getting network access (ping www.google.com).

I confirmed it again and again. How to reproduce:

- stop the docker daemon

sudo systemctl stop docker

I configure iptables=false by adding a file /etc/docker/daemon.json:

{
  "iptables" : false
}

(This is the only configuration there)

- start the daemon:

sudo systemctl start docker

docker run --rm python ping www.google.com

Even if it will work for you - if you reboot the system - it will stop working... Do you have any solution?

I checked my iptables rules and after restarting the system I'm missing those rules:

:PREROUTING ACCEPT [8:496]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-a0b355ce53ac -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-a0b355ce53ac -j RETURN
# same
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
# same
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-a0b355ce53ac -j DOCKER
-A FORWARD -o br-a0b355ce53ac -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-a0b355ce53ac ! -o br-a0b355ce53ac -j ACCEPT
-A FORWARD -i br-a0b355ce53ac -o br-a0b355ce53ac -j ACCEPT
# same
-A DOCKER-ISOLATION -i br-a0b355ce53ac -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-a0b355ce53ac -j DROP
-A DOCKER-ISOLATION -j RETURN

Thanks!

Answer

The docker network model uses iptables to set up internet connectivity for your containers. I would only set iptables=false if you explicitly do not want your containers that are using bridge or overlay network drivers to have any network connectivity at all.

When you start the daemon with iptables=true, it will set up the required rules in your firewall. When docker shuts down, I don't believe it tears those rules down, so they stick around. This is why you get internet connectivity after starting docker back up with iptables=false. If you want to preserve those rules on the next docker startup after a reboot, the best way is to keep iptables=true.
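As an added example (not part of the question or the answer above): if you do want to keep "iptables": false so that dockerd never touches the UFW rule set, then the rules the question shows disappearing after a reboot have to be installed by something else, because dockerd will not recreate them. The POSIX shell script below regenerates exactly that rule set, in the layout dockerd 1.12 produced, as an iptables-restore file for any number of bridges, and adds a root-only check built on iptables -C. The bridge/subnet pairs docker0 172.17.0.0/16 and br-a0b355ce53ac 172.18.0.0/16 are the two from the question; the function names are assumptions of this example, not anything dockerd provides.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# With "iptables": false dockerd installs no firewall rules, so the NAT and
# FORWARD rules that give bridge containers outbound access (the ones the
# question shows missing after a reboot) must be installed by the host.
# docker_rules regenerates that rule set, in the layout dockerd 1.12 used,
# as an iptables-restore file for any number of bridges.
# The bridge/subnet pairs in the usage comment at the bottom are the two
# from the question; the function names are assumptions of this example.
set -u

# docker_rules "BRIDGE SUBNET" ["BRIDGE SUBNET" ...]
# Prints the nat and filter stanzas to stdout. Each argument is one
# bridge interface and the subnet behind it, separated by a space.
docker_rules() {
    echo '*nat'
    echo ':DOCKER - [0:0]'
    # Locally addressed traffic is offered to the DOCKER chain (dockerd
    # puts its port-publishing DNAT rules there).
    echo '-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER'
    echo '-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER'
    # One MASQUERADE per subnet: container sources leaving through any other
    # interface get the host's address. This is the rule that makes
    # "ping www.google.com" from a container work.
    for pair in "$@"; do
        br=${pair%% *}; net=${pair#* }
        echo "-A POSTROUTING -s $net ! -o $br -j MASQUERADE"
    done
    for pair in "$@"; do
        br=${pair%% *}
        echo "-A DOCKER -i $br -j RETURN"
    done
    echo 'COMMIT'

    echo '*filter'
    echo ':DOCKER - [0:0]'
    echo ':DOCKER-ISOLATION - [0:0]'
    echo '-A FORWARD -j DOCKER-ISOLATION'
    # Per bridge: replies back in, anything out, container-to-container
    # on the same bridge.
    for pair in "$@"; do
        br=${pair%% *}
        echo "-A FORWARD -o $br -j DOCKER"
        echo "-A FORWARD -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
        echo "-A FORWARD -i $br ! -o $br -j ACCEPT"
        echo "-A FORWARD -i $br -o $br -j ACCEPT"
    done
    # Traffic between two different bridges is dropped, as dockerd does.
    for pair in "$@"; do
        br=${pair%% *}
        for other in "$@"; do
            obr=${other%% *}
            if [ "$br" != "$obr" ]; then
                echo "-A DOCKER-ISOLATION -i $br -o $obr -j DROP"
            fi
        done
    done
    echo '-A DOCKER-ISOLATION -j RETURN'
    echo 'COMMIT'
}

# docker_rules_loaded BRIDGE SUBNET
# Exit 0 when the running kernel already has the MASQUERADE and outbound
# FORWARD rule for that bridge (iptables -C needs root).
docker_rules_loaded() {
    iptables -t nat -C POSTROUTING -s "$2" ! -o "$1" -j MASQUERADE 2>/dev/null &&
        iptables -C FORWARD -i "$1" ! -o "$1" -j ACCEPT 2>/dev/null
}

# apply_docker_rules "BRIDGE SUBNET" ...
# -n (--noflush) appends to the live tables instead of flushing them, so
# UFW's own chains survive. Run as root, after the bridges exist. Not
# idempotent: check docker_rules_loaded first to avoid duplicate rules.
apply_docker_rules() {
    docker_rules "$@" | iptables-restore -n
}

# Usage (as root), with the bridges from the question:
#   sh docker-rules.sh --apply "docker0 172.17.0.0/16" "br-a0b355ce53ac 172.18.0.0/16"
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_docker_rules "$@"
fi
```

Two checks are worth doing after loading this at boot (a systemd unit ordered after docker.service, or /etc/ufw/before.rules): sysctl net.ipv4.ip_forward must be 1, and iptables -L FORWARD -n --line-numbers should show nothing earlier in the chain dropping the bridge traffic (rules appended with -n land below UFW's jump rules but are still evaluated before the chain's DROP policy). This covers outbound connectivity only: published ports (docker run -p) rely on DNAT rules that dockerd would normally add to the nat DOCKER chain, and with "iptables": false those have to be written by hand as well.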
