networking - Docker容器无法访问Internet，仅可以ping

Question

经过数小时的搜索和尝试解决方案，我终于结束了。

当我在Centos7机器上启动Docker容器时，会发生以下情况:

无法通过TCP通讯(例如，运行apt update)。 ping正常。

将网络模式切换为--net=host可以解决此问题，但是我想使用默认的bridge

我在net.ipv4.ip_forward=1中添加了/etc/sysctl.conf

容器已在通过docker network inspect bridge看到的桥网中注册

DNS配置正确，可以ping主机名和地址。

更多信息

运行apt update将显示以下消息:

Ign http://security.debian.org jessie/updates InRelease
Err http://security.debian.org jessie/updates Release.gpg
  Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]

iptables配置:

$ iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
           tcp  --  anywhere             anywhere             tcp dpt:http /* HTTP-IN */
           tcp  --  anywhere             anywhere             tcp dpt:http flags:FIN,SYN,RST,ACK/SYN /* HTTP-SYN */
           tcp  --  anywhere             anywhere             tcp dpt:https /* HTTPS-IN */
           tcp  --  anywhere             anywhere             tcp dpt:https flags:FIN,SYN,RST,ACK/SYN /* HTTPS-SYN */
ACCEPT     tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh match-set avast_internal src
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp match-set avast_internal src
ACCEPT     tcp  --  anywhere             anywhere             tcp match-set avast_internal src

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
           tcp  --  anywhere             anywhere             tcp spt:http /* HTTP-OUT */
           tcp  --  anywhere             anywhere             tcp spt:https /* HTTPS-OUT */

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

这可能是什么原因？

编辑:

使用以下命令打开防火墙后，我能够从Docker容器连接到Internet:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X

但是，在重置规则以找出造成问题的确切原因之后，即使清除了所有iptables规则并重新启动docker守护程序，我也无法使其恢复工作状态。

编辑2:

原来raw表中也有一些规则，我以前没有看到过。以下规则阻止了Internet上的Docker容器:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

CT         tcp  --  anywhere             anywhere             NOTRACK

Answer 1

如你所说

Ign http://security.debian.org jessie/updates InRelease
Err http://security.debian.org jessie/updates Release.gpg
  Unable to connect to security.debian.org:http: [IP: 212.211.132.32 80]

当未为Docker容器配置 DNS时，会出现这种问题。[在我的环境中，也是类似的问题]。

以下过程将有助于解决DOCKER容器时的DNS问题。

第一步是检查容器的外部连接性:

# docker run busybox ping -c 2 192.203.230.10
PING 192.203.230.10 (192.203.230.10): 56 data bytes
64 bytes from 192.203.230.10: seq=0 ttl=56 time=66.724 ms
64 bytes from 192.203.230.10: seq=1 ttl=56 time=54.786 ms

当您尝试使用容器ping到google.com时，由于DNS问题而无法访问。

# docker run busybox nslookup google.com
Server:    8.8.8.8
Address 1: 8.8.8.8
nslookup: can't resolve 'google.com'

找出您的计算机中使用的DNS服务器:

# nm-tool  |grep DNS
    DNS:             172.24.100.50
    DNS:             10.1.100.50

使用上述步骤中解决DNS问题的DNS IP再次运行它:

# docker run --dns 172.24.100.50 busybox nslookup google.com
Server:    172.24.100.50
Address 1: 172.24.100.50 indc01.radisys.com
Name:      google.com
Address 1: 2607:f8b0:4009:80c::200e ord36s01-in-x0e.1e100.net
Address 2: 172.217.4.110 ord36s04-in-f14.1e100.net

要解决此问题，请将以下内容永久添加到新文件中:

# cat /etc/docker/daemon.json
{
    "dns" : ["172.24.100.50", "8.8.8.8"]
}

有关Docker DNS配置的更多信息:https://docs.docker.com/engine/userguide/networking/configure-dns/

重新启动docker服务并再次检查连接性:

# docker run busybox nslookup google.com
Server:    172.24.100.50
Address 1: 172.24.100.50 indc01.radisys.com
Name:      google.com
Address 1: 2607:f8b0:4009:801::200e ord30s31-in-x0e.1e100.net
Address 2: 172.217.4.238 ord30s31-in-f14.1e100.net

通过运行另一个容器来检查它:

# docker run -it e02e811dd08f
/ # ping google.com
PING google.com (172.217.4.238): 56 data bytes
64 bytes from 172.217.4.238: seq=0 ttl=47 time=251.506 ms
64 bytes from 172.217.4.238: seq=1 ttl=47 time=245.621 ms