How do I make my Docker container communicate with another node through a 2nd interface?


Problem description

I am struggling to perform a pathetic test that involves the communication between a server in a sandbox01 network and a Docker container that is running in my "Docker Host" server (this machine is in the same subnet as the other nodes in the sandbox01 network. i.e., it has an interface called ens34, on the 10.* address/range. It also has an eth0 interface, on the 9.* network, which allows it to access the outside world: download packages, docker images, etc. etc.).

Anyway, here is a little diagram to illustrate what I have:

The problem:
Cannot communicate between a node in sandbox01 subnet (10.* network) and the container.
e.g., someserver.sandbox01 → mydocker2 : ens34 :: docker0 :: vethXXX → container
The communication only works when I stop iptables, which makes things really mysterious!!! Just wondering if you faced any similar issues.. any ideas would be extremely appreciated.

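The mystery:
After many tests, it was confirmed that the container can communicate with any other node in the 10.* network - it does not behave as expected: it should produce a response through its gateway docker0 (172.17.0.1) and communicate with someserver.sandbox01 (10.1.21.59) through the routing table in the Docker host.
It only works when we let it handle the MASQUERADE in iptables. However, Docker automatically adds this rule:
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -c 0 0 -j MASQUERADE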

Note the " ! -o docker0" there, so Docker doesn't want us to mask the ip addresses that are sending requests??? This is messing up the communication somehow...

The container responds ok to any communication coming through the IP 9.* (eth0) -- i.e., I can send requests from my laptop -- but never through the 10.* (ens34). If I run a terminal within the container, the container can ping ALL the IP addresses leveraging all the mapped routes, EXCEPT, EXCEPT!!! the IP addresses in the 10.* range. Why??????

[root@mydocker2 my-nc-server]#  docker run -it -p 8080:8080 --name nc-server nc-server /bin/sh
sh-4.2# ping 9.83.90.55
PING 9.83.92.20 (9.83.90.55) 56(84) bytes of data.
64 bytes from 9.83.90.55: icmp_seq=1 ttl=117 time=124 ms
64 bytes from 9.83.90.55: icmp_seq=2 ttl=117 time=170 ms
^C
--- 9.83.90.55 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 124.422/147.465/170.509/23.046 ms
sh-4.2# ping 9.32.145.98
PING 9.32.148.67 (9.32.145.98) 56(84) bytes of data.
64 bytes from 9.32.145.98: icmp_seq=1 ttl=63 time=1.37 ms
64 bytes from 9.32.145.98: icmp_seq=2 ttl=63 time=0.837 ms
^C
--- 9.32.145.98 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.837/1.104/1.372/0.269 ms
sh-4.2# ping 10.1.21.5
PING 10.1.21.5 (10.1.21.5) 56(84) bytes of data.
^C
--- 10.1.21.5 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
sh-4.2# ping 10.1.21.60
PING 10.1.21.60 (10.1.21.60) 56(84) bytes of data.
^C
--- 10.1.21.60 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

For some reason, this interface here doesn't play well with Docker:

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.1.21.18  netmask 255.255.255.0  broadcast 10.1.21.255

Could this be related to the fact that the eth0 is the primary NIC for this Docker host?

The workaround: In mydocker2 we need to stop iptables and add a new sub-interface under ens34 →

service iptables stop
ifconfig ens34:0 10.171.171.171 netmask 255.255.255.0 

And in someserver.sandbox01 we need to add a new route →

route add -net 10.171.171.0 netmask 255.255.255.0 gw 10.1.21.18

Then the communication between them works. I know.. bizarre, right?

In case any of you wants to ask, no, I don't want to use the " --net=host " option to replicate the interfaces from the docker host to my container.

So, thoughts? Suggestions? Ideas?

Recommended answer

SOLVED!!!

Inside /etc/sysconfig/network-scripts, there were 2 files: route-ens34 and rule-ens34-

if you remove those, and restart the network, it should start working.

Cheers!
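
A read-only check to run before deleting anything, added here as an example and not part of the original answer: it lists `ip rule` entries beyond the three kernel defaults and any `route-*` / `rule-*` files in the network-scripts directory, so the firewall can stay up while the routing is inspected. The sample rule, table number 34 and container address 172.17.0.2 are constructed assumptions.

```shell
#!/bin/sh
# Added example: find policy-routing configuration on a multi-homed Docker host.

# Read `ip rule show` output on stdin and print every rule that is not one
# of the three kernel defaults (lookups of local, main and default).
custom_rules() {
    awk 'NF == 5 && $1 ~ /^(0|32766|32767):$/ && $2 == "from" &&
         $3 == "all" && $4 == "lookup" &&
         $5 ~ /^(local|main|default)$/ { next }
         NF { print }'
}

# List per-interface route-*/rule-* files; the default directory is the one
# named in the answer.
policy_files() {
    dir=${1:-/etc/sysconfig/network-scripts}
    for f in "$dir"/route-* "$dir"/rule-*; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Constructed sample of `ip rule show` output (not taken from the page).
sample_rules() {
    printf '0:\tfrom all lookup local\n'
    printf '32765:\tfrom 10.1.21.18 lookup 34\n'
    printf '32766:\tfrom all lookup main\n'
    printf '32767:\tfrom all lookup default\n'
}

# Live report for the Docker host. Arguments: container source address
# (assumed 172.17.0.2) and destination (10.1.21.59 from the question).
report() {
    ip rule show | custom_rules
    policy_files
    # Route the kernel would pick for a packet forwarded from the bridge.
    ip route get "${2:-10.1.21.59}" from "${1:-172.17.0.2}" iif docker0
}

# Default run uses the constructed sample; pass "live" to query the host.
if [ "${1:-}" = "live" ]; then
    report
else
    sample_rules | custom_rules
fi
```

Any rule or file this reports is a candidate for the behaviour described in the answer; compare the table it references with `ip route show table <name>` before removing it.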
