docker macvlan - no route to host (container)

Problem description

I'm trying to understand the "macvlan" network from docker. I create a new network:

docker network create -d macvlan \
  --subnet=192.168.2.0/24 \
  --gateway=192.168.2.1 \
  -o parent=eno1 \
  pub_net

And start new container with the new network:

docker run --rm -d --net=pub_net --ip=192.168.2.74 --name=whoami -t jwilder/whoami

When I try to access the service from the container or ping it I get:

curl: (7) Failed to connect to 192.168.2.74 port 8000: no route to host

Tested with Ubuntu 16.04, Ubuntu 18.04 & CentOS 7. Neither the docker host itself nor other clients on the network can reach the container.

I followed the example from the docker site: https://docs.docker.com/network/network-tutorial-macvlan/#bridge-example

What am I missing?

I read here Bind address in Docker macvlan to execute these commands (no clue what they do):

sudo ip link add pub_net link eno1 type macvlan mode bridge
sudo ip addr add 192.168.2.22/24 dev pub_net

But this does nothing on my machine(s)

Recommended answer

I believe it is by design that host cannot reach its own containers through a macvlan network. I leave it to others to explain why exactly this is so, but to verify that this is where your problem lies, you can try to ping your container at 192.168.2.74 from another host on the network or even from another container or vm on the same host. If you can reach the container from other machines but not from the host, everything is working as it should.

According to this blog post, you can nevertheless allow for host-container communication by creating a macvlan interface on the host sub-interface and then creating a macvlan interface in the host in order to let it access the macvlan that the container is in.

I have not tried this myself yet and I'm not sure about the exact consequences, so I quote the instructions from the blog post here so that others can add to it where necessary:

Create a macvlan interface on host sub-interface:

docker network create -d macvlan \
  --subnet=192.168.0.0/16 \
  --ip-range=192.168.2.0/24 \
  -o macvlan_mode=bridge \
  -o parent=eth2.70 macvlan70

Create container on that macvlan interface:

docker run -d --net=macvlan70 --name nginx nginx

Find the IP address of the container:

docker inspect nginx | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "",
"IPAddress": "192.168.2.1",

At this point, we cannot ping container IP "192.168.2.1" from host machine.

Now, let’s create macvlan interface in host with address "192.168.2.10" in same network.

sudo ip link add mymacvlan70 link eth2.70 type macvlan mode bridge
sudo ip addr add 192.168.2.10/24 dev mymacvlan70
sudo ifconfig mymacvlan70 up

Now, we should be able to ping the Container IP as well as access "nginx" container from host machine.

$ ping -c1 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=0.112 ms

--- 192.168.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.112/0.112/0.112 ms
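
A check for the host-side macvlan interface that the answer describes, as an added example that is not part of the original question, answer or blog post: it reads the JSON printed by `docker network inspect <network>` and `ip -j -d addr show` and lists what the host interface is still missing. The sample JSON is constructed and trimmed to the fields used, and the function name `check_host_shim` is hypothetical.

```python
import ipaddress
import json

# Constructed sample: `docker network inspect pub_net`, trimmed to the fields used.
NETWORK = '''[{"Name": "pub_net", "Driver": "macvlan",
  "IPAM": {"Config": [{"Subnet": "192.168.2.0/24", "Gateway": "192.168.2.1"}]},
  "Containers": {"c0ffee": {"Name": "whoami", "IPv4Address": "192.168.2.74/24"}},
  "Options": {"parent": "eno1"}}]'''

# Constructed sample: `ip -j -d addr show` after only `ip link add` and `ip addr add`.
SHIM_DOWN = '''[{"ifname": "pub_net", "link": "eno1", "flags": ["BROADCAST", "MULTICAST"],
  "linkinfo": {"info_kind": "macvlan", "info_data": {"mode": "bridge"}},
  "addr_info": [{"family": "inet", "local": "192.168.2.22", "prefixlen": 24}]}]'''

# Constructed sample: the same interface after it has been brought up.
SHIM_UP = SHIM_DOWN.replace('"MULTICAST"]',
                            '"MULTICAST", "UP", "LOWER_UP"]')

def check_host_shim(network_json, ip_json):
    """Return a list of problems; an empty list means the host shim looks usable."""
    net = json.loads(network_json)[0]
    parent = net["Options"]["parent"]
    subnet = ipaddress.ip_network(net["IPAM"]["Config"][0]["Subnet"])
    taken = {c["IPv4Address"].split("/")[0] for c in net.get("Containers", {}).values()}
    # Host interfaces of kind macvlan stacked on the same parent as the docker network.
    shims = [d for d in json.loads(ip_json)
             if d.get("linkinfo", {}).get("info_kind") == "macvlan"
             and d.get("link") == parent]
    if not shims:
        return [f"no host macvlan interface on parent {parent}"]
    problems = []
    for dev in shims:
        name = dev["ifname"]
        mode = dev["linkinfo"].get("info_data", {}).get("mode")
        if mode != "bridge":
            problems.append(f"{name}: mode is {mode}, not bridge")
        if "UP" not in dev.get("flags", []):
            problems.append(f"{name}: interface is down")
        addrs = [a["local"] for a in dev.get("addr_info", []) if a["family"] == "inet"]
        if not any(ipaddress.ip_address(a) in subnet for a in addrs):
            problems.append(f"{name}: no address inside {subnet}")
        problems += [f"{name}: {a} is already used by a container" for a in addrs if a in taken]
    return problems

if __name__ == "__main__":
    for label, sample in (("down", SHIM_DOWN), ("up", SHIM_UP)):
        print(label, check_host_shim(NETWORK, sample) or "ok")
```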
