Make docker use IPv4 for port binding
Problem description
I have a docker host and inside I have one container.
The docker host is binding the port on the IPv6 interface only, not on IPv4.
Here is the output:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:55082 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::40280 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
tcp6 0 0 :::40122 :::* LISTEN -
tcp6 0 0 :::36378 :::* LISTEN -
tcp6 0 0 :::40543 :::* LISTEN -
tcp6 0 0 :::111 :::* LISTEN -
Now I have port 40122 on the host to link with port 22 on the container.
I want to SSH into that container but I am not able to, as it's only bound to IPv6.
This is my docker version: Docker version 1.5.0, build a8a31ef
docker ps
201bde6c839a myapp:latest "supervisord -n" 3 weeks ago Up 2 hours 0.0.0.0:40122->22/tcp, 0.0.0.0:40280->80/tcp, 0.0.0.0:40543->443/tcp myapp
I am using docker run -d -P -p 40122:22
netstat -tlna
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3031 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::6379 :::* LISTEN
ps aux
root 1 0.0 0.8 52440 16668 ? Ss 00:53 0:03 /usr/bin/python /usr/bin/supervisord -n
root 49 0.0 0.1 17980 3048 ? S 01:32 0:00 bash
root 64 0.0 0.1 46632 2712 ? S 01:32 0:00 su -l vagrant
vagrant 65 0.0 0.1 21308 3760 ? S 01:32 0:00 -su
root 288 0.0 0.1 17980 3088 ? S 02:01 0:00 bash
root 304 0.0 0.1 46632 2720 ? S 02:01 0:00 su -l vagrant
vagrant 305 0.0 0.1 21304 3804 ? S 02:01 0:00 -su
vagrant 308 0.0 3.7 429616 75840 ? Sl+ 02:01 0:05 python ./manage.py shell_plus
root 654 0.0 0.4 47596 9848 ? S 03:12 0:01 /usr/local/bin/uwsgi --die-on-term --ini /var/www/conf/uwsgi.ini
root 655 0.0 0.3 90280 7732 ? S 03:12 0:00 nginx: master process /usr/sbin/nginx
www-data 656 0.0 0.1 90600 3624 ? S 03:12 0:00 nginx: worker process
www-data 657 0.0 0.1 90600 3624 ? S 03:12 0:00 nginx: worker process
www-data 658 0.0 0.1 90600 3624 ? S 03:12 0:00 nginx: worker process
www-data 659 0.0 0.2 90940 4500 ? S 03:12 0:00 nginx: worker process
root 660 0.0 0.2 61372 5332 ? S 03:12 0:00 /usr/sbin/sshd -D
root 669 0.0 0.4 37004 8892 ? Sl 03:12 0:01 redis-server *:6379
root 856 8.0 2.8 388720 57792 ? Sl 04:07 0:18 /usr/local/bin/uwsgi --die-on-term --ini /var/www/conf/uwsgi.ini
root 857 8.0 2.8 388720 57792 ? Sl 04:07 0:18 /usr/local/bin/uwsgi --die-on-term --ini /var/www/conf/uwsgi.ini
root 858 8.0 2.8 388720 57792 ? Sl 04:07 0:18 /usr/local/bin/uwsgi --die-on-term --ini /var/www/conf/uwsgi.ini
root 859 8.0 2.8 388720 57792 ? Sl 04:07 0:18 /usr/local/bin/uwsgi --die-on-term --ini /var/www/conf/uwsgi.ini
vagrant 889 0.0 0.1 18692 2508 ? R+ 04:11 0:00 ps aux
Recommended answer
As @daniel-t points out in the comment: github.com/docker/docker/issues/2174 is about showing binding only to IPv6 in netstat, but that is not an issue. As that GitHub issue states:
When setting up the proxy, Docker requests the loopback address '127.0.0.1', Linux realises this is an address that exists in IPv6 (as ::0) and opens on both (but it is formally an IPv6 socket). When you run netstat it sees this and tells you it is an IPv6 - but it is still listening on IPv4. If you have played with your settings a little, you may have disabled this trick Linux does - by setting net.ipv6.bindv6only = 1.
In other words, just because you see it as IPv6 only, it is still able to communicate on IPv4 unless you have IPv6 set to only bind on IPv6 with the net.ipv6.bindv6only setting. To be clear, net.ipv6.bindv6only should be 0 - you can run sysctl net.ipv6.bindv6only to verify.
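The following is an added example, not part of the original question or answer: a small audit helper that takes netstat listener lines (the sample is copied from the host output in the question) plus the net.ipv6.bindv6only value and reports which ports actually accept IPv4 connections. The function names are hypothetical, and it assumes the listening program left the per-socket IPV6_V6ONLY option at the system default, which netstat cannot show.

```python
from pathlib import Path

# Listener lines copied from the host netstat output in the question.
SAMPLE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::40122 :::* LISTEN -
tcp6 0 0 :::5432 :::* LISTEN -
"""

def read_bindv6only(path="/proc/sys/net/ipv6/bindv6only"):
    """Return the sysctl value (0 or 1), or None if it cannot be read."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None

def ipv4_exposure(netstat_text, bindv6only):
    """Return {port: reason} for listening TCP ports reachable over IPv4.

    Assumption: each socket uses the system default for IPV6_V6ONLY;
    a program can override it per socket and netstat does not report that.
    """
    exposed = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue  # headers, non-listening sockets
        proto, local = fields[0], fields[3]
        addr, _, port = local.rpartition(":")  # ":::80" -> ("::", "80")
        port = int(port)
        if proto == "tcp":
            exposed[port] = "IPv4 socket on " + addr
        elif proto == "tcp6" and addr == "::" and bindv6only == 0:
            # Wildcard IPv6 socket with bindv6only=0 also accepts IPv4.
            exposed.setdefault(port, "dual-stack tcp6 wildcard socket")
        elif proto == "tcp6" and addr.lower().startswith("::ffff:"):
            exposed.setdefault(port, "IPv4-mapped address " + addr[7:])
    return exposed

if __name__ == "__main__":
    value = read_bindv6only()
    print("net.ipv6.bindv6only =", value)
    for port, why in sorted(ipv4_exposure(SAMPLE, value).items()):
        print(port, why)
```

With bindv6only at 0, every `:::port` line in the question counts as IPv4-reachable, so firewall rules and exposure reviews should treat tcp6 wildcard listeners as open on both address families.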