Docker compose containers cannot access the Internet unless on the host network - IPv6-only server
I am using docker compose on an IPv6-only Debian 11 server. I am having trouble getting internet access from the containers. Communication between the containers works like a charm. However, connecting to the outside world does not. I can only ping the outside world when I connect to the 'host' network (which I don't want to do for security reasons):
docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine ping6 -c 2 google.com
^This resolved the address and pings alright. With the default or the bridge network I get ping6: bad address 'google.com'
My main question: What is the problem / how do I troubleshoot this?
I tried (in various combinations):
- Compose file network_mode options
- Providing explicit DNS in /etc/docker/daemon.json
- Providing explicit DNS in the container definition of the compose file
- Enabling ipv6 + providing fixed-cidr-v6 in /etc/docker/daemon.json
- Checking /etc/hosts and /etc/resolv.conf
{
"ipv6": true,
"fixed-cidr-v6": "fd00::/80",
"dns": ["2a01:7c8:7000:195::8:195:8", "2a01:7c8:7000:195::135:195:135"]
}
Note: I did not install a firewall at first. During troubleshooting I installed ufw, which I did not configure and which is currently disabled.
Hopefully this output will be helpful:
With --network=host
> docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 my-network
::1 my-network
> docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.
nameserver 2a01:7c8:7000:195::8:195:8
nameserver 2a01:7c8:7000:195::135:195:135
> docker run -it --rm --network=host registry.ipv6.docker.com/library/alpine ping6 -c 2 google.com
PING google.com (2a00:1450:400e:810::200e): 56 data bytes
64 bytes from 2a00:1450:400e:810::200e: seq=0 ttl=118 time=3.365 ms
64 bytes from 2a00:1450:400e:810::200e: seq=1 ttl=118 time=2.848 ms
Without any network
> docker run -it --rm registry.ipv6.docker.com/library/alpine cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 e484aa610139
fd00::242:ac11:2 e484aa610139
> docker run -it --rm registry.ipv6.docker.com/library/alpine cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.
nameserver 2a01:7c8:7000:195::8:195:8
nameserver 2a01:7c8:7000:195::135:195:135
> docker run -it --rm registry.ipv6.docker.com/library/alpine ping6 -c 2 google.com
ping6: bad address 'google.com'
Any help is greatly appreciated!
You either need to manually forward IPv6 traffic on your host to the specified docker network, or add:
to your daemon.json which does this for you (like with IPv4).
Here is an article going into more detail and explaining more alternatives (like the ipv6-nat docker image).
Be sure your cidr-v6 is part of the private address range (fc00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), otherwise it could be publicly exposed and accessed without a NAT, thus becoming insecure.
This is still experimental, and overall IPv6 on docker, especially docker-compose, is not great.
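A small offline check for the daemon.json points raised in the answer, added here as an example; it is not code from the asker or the answerer. It takes the private range the answer names (fc00:: to fdff:ffff:..., i.e. fc00::/7) as the boundary, and uses the daemon.json posted in the question as constructed sample input. The check names and messages are my own.

```python
import ipaddress
import json

# Constructed sample input: the daemon.json posted in the question above.
SAMPLE_DAEMON_JSON = """
{
  "ipv6": true,
  "fixed-cidr-v6": "fd00::/80",
  "dns": ["2a01:7c8:7000:195::8:195:8", "2a01:7c8:7000:195::135:195:135"]
}
"""

# The range the answer calls "private": fc00:: .. fdff:ffff:..., which is fc00::/7.
PRIVATE_V6 = ipaddress.ip_network("fc00::/7")


def check_daemon_config(text):
    """Return a list of findings (strings) for an IPv6-only Docker host.

    An empty list means every check passed. The checks follow the answer:
    IPv6 must be enabled, the container prefix must sit inside fc00::/7 so
    containers are not reachable from the Internet without NAT, and the DNS
    servers must be addresses an IPv6-only host can actually reach.
    """
    findings = []
    cfg = json.loads(text)

    if cfg.get("ipv6") is not True:
        findings.append('"ipv6" is not true: containers get no IPv6 address at all')

    cidr = cfg.get("fixed-cidr-v6")
    if cidr is None:
        findings.append('"fixed-cidr-v6" missing: no IPv6 subnet is configured for the default bridge')
    else:
        try:
            # strict=True rejects prefixes with host bits set, e.g. fd00::1/80
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f'"fixed-cidr-v6" {cidr!r} is not a valid prefix: {exc}')
        else:
            if net.version != 6:
                findings.append(f'"fixed-cidr-v6" {cidr!r} is not an IPv6 prefix')
            elif not net.subnet_of(PRIVATE_V6):
                findings.append(
                    f'"fixed-cidr-v6" {cidr!r} is outside fc00::/7: containers could be '
                    'reached from the Internet without NAT'
                )

    for server in cfg.get("dns", []):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(f'"dns" entry {server!r} is not an IP address')
            continue
        if addr.version != 6:
            # An IPv4 resolver is unreachable from an IPv6-only host, so name
            # lookups fail and ping6 reports "bad address".
            findings.append(f'"dns" entry {server!r} is IPv4 and unreachable from an IPv6-only host')
        elif addr.is_link_local:
            findings.append(f'"dns" entry {server!r} is link-local and needs a zone; use a global address')

    return findings


if __name__ == "__main__":
    for line in check_daemon_config(SAMPLE_DAEMON_JSON) or ["all checks passed"]:
        print(line)
```

Run it against your own /etc/docker/daemon.json by passing the file contents to check_daemon_config; the sample config from the question passes all three checks, so the resolution failure in the question is not explained by the daemon.json itself, which matches the answer's point that outbound IPv6 traffic from the bridge network still has to be forwarded or NATed on the host.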