Why does docker0 need to be in promiscuous mode?


Problem description

When I use docker to create a container in default bridge mode on one of my hosts

docker run --name bb -dit busybox

Now I got an IP: 172.17.0.2

When I ping this IP, it does not work.

BUT, when I use tcpdump on interface docker0, ping works.

OR if I put docker0 into promiscuous mode, ping also works.

My question is: why do I need to put docker0 into promiscuous mode (only on this host)? Other hosts do not need this.

My iptables result:

Chain INPUT (policy ACCEPT 29031 packets, 8703K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   *       <hide>               192.168.0.0/24       policy match dir in pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  *      eth0    192.168.0.0/24       <hide>         policy match dir out pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  eth0   *       <hide>               192.168.0.0/24       policy match dir in pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  *      eth0    192.168.0.0/24       <hide>          policy match dir out pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  eth0   *       10.10.10.0/24        192.168.0.0/24       policy match dir in pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  *      eth0    192.168.0.0/24       10.10.10.0/24        policy match dir out pol ipsec reqid 8 proto 50
   56 11716 ACCEPT     all  --  eth0   *       <hide>               10.10.1.0/24         policy match dir in pol ipsec reqid 8 proto 50
   81  6292 ACCEPT     all  --  *      eth0    10.10.1.0/24         <hide>         policy match dir out pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  eth0   *       <hide>               10.10.1.0/24         policy match dir in pol ipsec reqid 8 proto 50
    0     0 ACCEPT     all  --  *      eth0    10.10.1.0/24         <hide>          policy match dir out pol ipsec reqid 8 proto 50
 1320 53255 ACCEPT     all  --  eth0   *       10.10.10.0/24        10.10.1.0/24         policy match dir in pol ipsec reqid 8 proto 50
 1344  104K ACCEPT     all  --  *      eth0    10.10.1.0/24         10.10.10.0/24        policy match dir out pol ipsec reqid 8 proto 50
 2218 1192K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 2218 1192K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 27320 packets, 8507K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0
 2218 1192K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
54846   16M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
--------------------------------------------------------------------------------
nat
Chain PREROUTING (policy ACCEPT 6853 packets, 399K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5353  327K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 5353 packets, 327K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 57595 packets, 3457K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   252 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 57970 packets, 3481K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    2   224 MASQUERADE  all  --  *      !docker_gwbridge  172.18.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0

NETWORK ID          NAME                DRIVER              SCOPE
a20b11f6afaf        bridge              bridge              local
b39d1b268305        docker_gwbridge     bridge              local
5870d314fa6f        host                host                local
e0883dc1d6d0        none                null                local

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:15:5d:00:02:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.10.1.3/24 brd 10.10.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe00:210/64 scope link
       valid_lft forever preferred_lft forever
3: docker_gwbridge: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 02:42:0b:48:8e:44 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global docker_gwbridge
       valid_lft forever preferred_lft forever
    inet6 fe80::42:bff:fe48:8e44/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:f8:5d:0a:13 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f8ff:fe5d:a13/64 scope link
       valid_lft forever preferred_lft forever
8: vethca01e3e@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
    link/ether 62:a0:50:02:72:94 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::60a0:50ff:fe02:7294/64 scope link
       valid_lft forever preferred_lft forever

tcpdump -vv -ni vethca01e3e

tcpdump: listening on vethca01e3e, link-type EN10MB (Ethernet), capture size 65535 bytes
12:20:47.972359 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:20:47.972397 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28
12:20:48.973716 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:20:48.973750 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28
12:20:49.975718 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:20:49.975742 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28

tcpdump -vvv -p -ni docker0

tcpdump: listening on docker0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:21:05.458191 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:21:06.459709 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:21:07.461705 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28

The ARP request is replied to, but docker0 ignores it.
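
The comparison the question makes by eye between the two captures, written as an added example that is not part of the original post: it pairs each ARP request with a reply for the same IP and reports on which interface the reply goes missing. The function names and the one-second pairing window are assumptions; the sample lines are copied from the captures above.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the question's captures (veth side, then docker0 with -p).
VETH_CAPTURE = """\
12:20:47.972359 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:20:47.972397 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28
12:20:48.973716 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:20:48.973750 ARP, Ethernet (len 6), IPv4 (len 4), Reply 172.17.0.2 is-at 02:42:ac:11:00:02, length 28
"""
BRIDGE_CAPTURE = """\
12:21:05.458191 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:21:06.459709 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
12:21:07.461705 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.17.0.2 tell 172.17.0.1, length 28
"""

ARP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, .*?"
    r"(?:Request who-has (?P<target>\S+) tell \S+|Reply (?P<owner>\S+) is-at [0-9a-f:]+),")

def parse_arp(capture):
    """Return (timestamp, kind, ip) for every ARP line in tcpdump -n text output."""
    events = []
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            kind = "request" if m["target"] else "reply"
            events.append((ts, kind, m["target"] or m["owner"]))
    return events

def unanswered(events, window=timedelta(seconds=1)):
    """Requests that have no reply for the same IP within `window` (assumed value)."""
    replies = [(ts, ip) for ts, kind, ip in events if kind == "reply"]
    return [(ts, ip) for ts, kind, ip in events if kind == "request"
            and not any(rip == ip and ts <= rts <= ts + window for rts, rip in replies)]

def diagnose(veth_capture, bridge_capture):
    """Compare the two capture points and say where the ARP reply is lost."""
    veth, bridge = parse_arp(veth_capture), parse_arp(bridge_capture)
    if not veth or not bridge:
        return "no ARP traffic in one of the captures"
    if unanswered(veth):
        return "container is not replying"
    if unanswered(bridge):
        return "replies reach the veth but not the bridge"
    return "ARP resolves on both interfaces"

if __name__ == "__main__":
    print(diagnose(VETH_CAPTURE, BRIDGE_CAPTURE))
```

tcpdump puts the capture interface into promiscuous mode unless `-p` is given, so the bridge-side capture has to be taken with `-p`, as the question's is, or the capture itself masks the symptom.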

Recommended answer

I met the same problem. And I found that removing the docker0 interface and restarting docker solves my problem.
