Docker container cannot connect to public IP addresses

I created a Docker container based on bitnami/dokuwiki. This container cannot access the DokuWiki extension directory.

After checking, it became clear that this container cannot connect to any host at all.

This is the docker-compose.yml:

version: '2'
services:
  dokuwiki:
    restart: always
    image: 'bitnami/dokuwiki:0'
    ports:
      - '8080:80'
      - '8083:443'
    volumes:
      - 'dokuwiki_data:/bitnami'
volumes:
  dokuwiki_data:
    driver: local

Inside the container (ping is not installed):

root@32e0458db675:/tmp# curl https://dokuwiki.org
curl: (6) Could not resolve host: dokuwiki.org

root@32e0458db675:/tmp# curl http://10.11.11.10
curl: (7) Failed to connect to 10.11.11.10: Connection timed out

root@15998f8657c2:/# curl http://138.201.137.132
curl: (7) Failed to connect to 138.201.137.132 port 80: No route to host

This is the output of docker version:

Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.39 (downgraded from 1.40)
 Go version:        go1.12.12
 Git commit:        633a0ea
 Built:             Wed Nov 13 07:25:41 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan  9 19:06:30 2019
  OS/Arch:          linux/amd64
  Experimental:     false

This is the output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 2
 Server Version: 18.09.1
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
 runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 4.18.0-147.3.1.el8_1.x86_64
 Operating System: CentOS Linux 8 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 1.787GiB
 Name: docker-host
 ID: 2IQR:ET7M:JUEC:QZPV:SDVX:3QYI:DWHZ:FGXO:S7KU:OMUG:HUGS:T5RC
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

These are the network interfaces:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:53:cc:9d brd ff:ff:ff:ff:ff:ff
    inet 10.10.128.88/20 brd 10.10.143.255 scope global dynamic noprefixroute ens160
       valid_lft 2522007sec preferred_lft 2522007sec
    inet6 fe80::7a1b:8123:b0b3:df66/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: br-cc94c4303069: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:20:ce:c3:26 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-cc94c4303069
       valid_lft forever preferred_lft forever
    inet6 fe80::42:20ff:fece:c326/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:3a:a7:ab:f8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
6: veth6899757@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-cc94c4303069 state UP group default
    link/ether 2a:a4:d1:03:ac:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::28a4:d1ff:fe03:ac4e/64 scope link
       valid_lft forever preferred_lft forever

These are the current iptables rules:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-cc94c4303069 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-cc94c4303069 -j DOCKER
-A FORWARD -i br-cc94c4303069 ! -o br-cc94c4303069 -j ACCEPT
-A FORWARD -i br-cc94c4303069 -o br-cc94c4303069 -j ACCEPT
-A FORWARD -i docker0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o docker0 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-cc94c4303069 -o br-cc94c4303069 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-cc94c4303069 -o br-cc94c4303069 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-cc94c4303069 ! -o br-cc94c4303069 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-cc94c4303069 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN

My question: how do I enable outbound networking for the Docker container?

Solved the problem:

$ firewall-cmd --get-active-zones
$ firewall-cmd --get-zone-of-interface=docker0
$ nmcli connection modify docker0 connection.zone public
$ firewall-cmd --zone=public --add-masquerade --permanent
$ firewall-cmd --reload
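As an added check (not part of the original post), this script applies the two conditions the answer's firewall-cmd steps establish, the bridge interface bound to a zone and masquerade enabled in that zone, to a copy of `firewall-cmd --list-all-zones` output. The zone listings below are constructed; the "before" state, with docker0 listed in no zone, is an assumption.

```sh
#!/bin/sh
# Added diagnostic, not from the original post: parse the text of
# `firewall-cmd --list-all-zones` and decide whether a Docker bridge sits in a
# zone that masquerades its forwarded traffic. Both listings are constructed.
ZONES_BEFORE='public (active)
  target: default
  interfaces: ens160
  masquerade: no
'
# Constructed listing after the answer's fix: docker0 moved into public and
# masquerade enabled there.
ZONES_AFTER='public (active)
  target: default
  interfaces: ens160 docker0
  masquerade: yes
'

# zone_of IFACE LISTING -> prints the zone whose "interfaces:" line names IFACE
zone_of() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^[^ ]/ { zone = $1 }          # an unindented line starts a new zone block
    /^ +interfaces:/ { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}

# zone_masquerades ZONE LISTING -> exit 0 when that zone shows "masquerade: yes"
zone_masquerades() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^[^ ]/ { zone = $1 }
    /^ +masquerade:/ && zone == want { found = ($2 == "yes") }
    END { exit !found }'
}

# egress_status IFACE LISTING -> prints "ok" when IFACE is in a masquerading
# zone, otherwise the missing piece (the same two things the answer had to fix).
egress_status() {
  zone=$(zone_of "$1" "$2")
  [ -n "$zone" ] || { echo "$1: listed in no zone (falls into the default zone)"; return 1; }
  zone_masquerades "$zone" "$2" || { echo "$1: zone $zone has masquerade off"; return 1; }
  echo ok
}

egress_status docker0 "$ZONES_BEFORE" || :   # reports the missing zone binding
egress_status docker0 "$ZONES_AFTER"         # prints ok
```

Pipe the real `firewall-cmd --list-all-zones` output into the same functions to confirm the fix persisted after a reload or reboot.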