I installed nginx with docker and started the container with docker run --name nginx-test -p 8080:80 -d nginx. From the output below you can see that the docker virtual NIC gateway is 172.17.0.1 and the container is 172.17.0.2, but why can the gateway be reached while the container cannot? ip route shows the routing configuration is also normal.
[root@bogon /]# docker inspect -f '{{.Name}} - {{.NetworkSettings.IPAddress }}' $(docker ps -aq)
/nginx-test - 172.17.0.2
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 02:42:1e:d8:51:4b brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:1eff:fed8:514b/64 scope link
valid_lft forever preferred_lft forever
6: veth733562c@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
link/ether 8a:0b:f2:83:38:c0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::880b:f2ff:fe83:38c0/64 scope link
valid_lft forever preferred_lft forever
[root@bogon /]# ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
From 172.17.0.1 icmp_seq=1 Destination Host Unreachable
From 172.17.0.1 icmp_seq=2 Destination Host Unreachable
From 172.17.0.1 icmp_seq=3 Destination Host Unreachable
[root@bogon /]# ip route
default via 192.168.2.1 dev eno33554984
169.254.0.0/16 dev eno16777736 scope link metric 1002
169.254.0.0/16 dev eno33554984 scope link metric 1003
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev eno16777736 proto kernel scope link src 192.168.1.201
192.168.2.0/24 dev eno33554984 proto kernel scope link src 192.168.2.164
Solved: I needed to install the bridge tool bridge-utils and rebuild the bridge, and also stop firewalld and enable the iptables service.
Did you check the firewall?
The network between the container and the host is implemented by the docker0 virtual bridge. The host and the container should be able to talk to each other, but when you ping the container from the host and get Destination Host Unreachable, this is usually caused by an incorrect iptables configuration. I suggest running the following command on the host to check whether the iptables NAT rules are correct:
sudo iptables -L -n -t nat
If the correct NAT rule is missing, fix it with the following command:
sudo iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
This command forwards the container's IP address through the docker0 virtual bridge to the host's NIC, which enables communication between the container and the host.
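The question's symptom (the host's own address 172.17.0.1 reporting Destination Host Unreachable) and the two answers point at different layers: the asker's fix rebuilt the bridge, the last answer looks at the NAT table. The script below is an added example, not code from the question or either answer, that separates those layers so you can tell which one is actually broken. It parses captured output of ip -o link show, ip neigh show and iptables -t nat -S POSTROUTING; the SAMPLE_* strings are constructed inputs modelled on the outputs shown above (the container MAC address in SAMPLE_NEIGH_OK is made up), and the --live flag is my own convention for running the same checks against the current host.

```shell
#!/bin/sh
# Offline diagnosis helpers for "Destination Host Unreachable" on docker0.
# Each check takes captured command output as an argument and returns
# 0 (ok) or 1 (problem), so it works on live output or the samples below.

# Input: output of `ip -o link show`. Ok when at least one veth is enslaved
# to docker0 and is UP; otherwise the container has no L2 path to the host
# and no firewall rule will help.
check_veth_on_bridge() {
    printf '%s\n' "$1" | grep 'veth' | grep -q 'master docker0 state UP'
}

# Input: container IP and output of `ip neigh show`. Ok when the address
# resolved to a MAC (lladdr present). FAILED/INCOMPLETE means ARP got no
# reply, which is a bridge problem, not an iptables NAT problem: ICMP from
# the host's own bridge address is generated because ARP failed.
check_arp_resolved() {
    addr=$1; neigh=$2
    printf '%s\n' "$neigh" | grep "^$addr " | grep -q 'lladdr'
}

# Input: output of `iptables -t nat -S POSTROUTING`. Ok when Docker's
# MASQUERADE rule for the bridge subnet exists. That rule only matters for
# container-to-outside traffic; host-to-container pings never traverse it.
check_masquerade() {
    printf '%s\n' "$1" | grep -q -- '-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'
}

# Runs all three checks, prints a verdict per layer and returns the number
# of failed checks so a caller can branch on it.
diagnose() {
    link=$1; neigh=$2; nat=$3; failed=0
    if check_veth_on_bridge "$link"; then
        echo "ok: a veth is enslaved to docker0 and UP"
    else
        echo "PROBLEM: no UP veth on docker0 (bridge missing or rebuilt incorrectly)"; failed=$((failed + 1))
    fi
    if check_arp_resolved 172.17.0.2 "$neigh"; then
        echo "ok: 172.17.0.2 resolves via ARP"
    else
        echo "PROBLEM: ARP for 172.17.0.2 failed (L2 path broken, not a NAT issue)"; failed=$((failed + 1))
    fi
    if check_masquerade "$nat"; then
        echo "ok: MASQUERADE rule for 172.17.0.0/16 present"
    else
        echo "PROBLEM: MASQUERADE rule missing (affects outbound container traffic only)"; failed=$((failed + 1))
    fi
    return $failed
}

# Constructed samples modelled on the outputs in the question.
SAMPLE_LINK_OK='6: veth733562c@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default'
SAMPLE_LINK_BAD='6: veth733562c@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default'
SAMPLE_NEIGH_OK='172.17.0.2 dev docker0 lladdr 02:42:ac:11:00:02 REACHABLE'
SAMPLE_NEIGH_BAD='172.17.0.2 dev docker0 FAILED'
SAMPLE_NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'
SAMPLE_NAT_MISSING='-P POSTROUTING ACCEPT'

# With --live (root needed for iptables) inspect this host; otherwise show
# the verdict for the broken-bridge scenario from the question.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(ip -o link show)" "$(ip neigh show)" "$(iptables -t nat -S POSTROUTING)" || true
else
    diagnose "$SAMPLE_LINK_BAD" "$SAMPLE_NEIGH_BAD" "$SAMPLE_NAT_OK" || true
fi
```

In the question's scenario the NAT check passes while the veth and ARP checks fail, which matches the asker's own resolution (rebuilding the bridge) rather than the NAT-rule answer; run it with --live after a bridge rebuild or firewall change to confirm all three layers are healthy before touching further rules.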