Question
I have two physical servers connected to each other in a LAN. Server A runs docker with a ubuntu container. Server B runs a MySQL-database (without any docker stuff).
Now I need to access the MySQL-Database on Server B from within a docker-container on Server A.
Server B only has an ipv6-address.
When I run ping6 <ipv6_server_b> on Host A it works. The same command from within the docker container on Host A gives me an unknown host.
I think I need to create a docker bridge to the ipv6 subnet of Server B. All my efforts led to the same unknown host error. And I don't want to use --network=host.
The public internet is connected on the host's interface ens16, while Server B is in a local security zone connected on interface ens17.
Detailed Description
I enabled ipv6 in docker options like this:
DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4 --ipv6 --fixed-cidr-v6=2001:db8:1::/64 "
1. I tried to create a bridge network to the ipv6 subnet of the security zone
docker network create --driver bridge --ipv6 --subnet=fcfc:0:0:1::/64 db-link
2. This is the command I use to start the container and assign the network
docker run -it --network=db-link nicolaka/netshoot
(nicolaka/netshoot contains a lot of useful diagnostic stuff)
3. Trying to ping the Server B address from inside the container:
ping6 fcfc::1:24fc:25ff:fe25:c903
PING fcfc::1:24fc:25ff:fe25:c903(fcfc::1:24fc:25ff:fe25:c903) 56 data bytes
From fcfc:0:0:1::2: icmp_seq=1 Destination unreachable: Address unreachable
From fcfc:0:0:1::2: icmp_seq=2 Destination unreachable: Address unreachable
From fcfc:0:0:1::2: icmp_seq=3 Destination unreachable: Address unreachable
ping google.com
PING google.com (172.217.18.14) 56(84) bytes of data.
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=1 ttl=56 time=0.787 ms
64 bytes from fra02s19-in-f14.1e100.net (172.217.18.14): icmp_seq=2 ttl=56 time=0.631 ms
4. This is the output of the ip commands in the container
ip -6 route show
fcfc:0:0:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fcfc:0:0:1::1 dev eth0 metric 1024 pref medium
ip route show
default via 172.21.0.1 dev eth0
172.21.0.0/16 dev eth0 proto kernel scope link src 172.21.0.2
5. I tried to create a macvlan network
docker network create --driver macvlan --ipv6 --subnet=fcfc:0:0:1::/64 -o parent=ens17 db-link
Now I can ping Server B's IP fcfc::1:24fc:25ff:fe25:c903, but as the macvlan limits access to that one interface, I can't connect to the public internet.
6. Conclusion
- The bridge network is created but I don't get a connection / route to the ipv6 subnet of Server B – Why?
- The macvlan network enables the container to ping Server B but it's impossible to reach the public internet.
Answer 1:
Together with the ISP we found a solution:
In /etc/docker/daemon.json we changed the subnet to:
{
"ipv6": true,
"fixed-cidr-v6": "fefe:1234::/80"
}
And then ran the following ip6tables commands:
ip6tables -t nat -I POSTROUTING -s fefe:1234::/80 -o ens16 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fefe:1234::/80 -d fcfc::1/32 -o ens17 -j MASQUERADE
Now I'm able to ping the ipv6 address from inside the container, also with proper access to the public internet, without using any custom bridge or macvlan networks.
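As an added illustration (not part of the answer above, nor Docker's or the asker's code), here is a small Python helper that flags why the step-1 bridge subnet could never reach Server B and generates the daemon.json plus the two ip6tables rules from this answer. The prefix fefe:1234::/80, the destination fcfc::1/32 and the interfaces ens16/ens17 come from the thread; the /64 assumed for Server B's zone is an assumption.

```python
import ipaddress
import json


def bridge_overlap_reason(container_prefix, db_address, zone_prefixlen=64):
    """Explain why a bridge network with this prefix cannot reach db_address.

    Step 1 of the question gave the bridge the same /64 as Server B's zone, so
    the container's kernel route 'fcfc:0:0:1::/64 dev eth0' makes Server B look
    on-link: neighbour discovery goes out on the bridge, nobody answers, and
    ping reports 'Address unreachable'. Returns None when the prefixes are
    disjoint. zone_prefixlen=64 for Server B's zone is an assumption.
    """
    bridge = ipaddress.IPv6Network(container_prefix, strict=False)
    zone = ipaddress.IPv6Interface(f"{db_address}/{zone_prefixlen}").network
    if bridge.overlaps(zone):
        return f"{bridge} overlaps {zone}: Server B would be treated as on-link"
    return None


def build_nat_config(container_prefix, db_dst, wan_if, lan_if):
    """Return (daemon.json text, ip6tables commands) as used in the answer.

    container_prefix: the fixed-cidr-v6 the daemon hands to containers.
    db_dst: destination range for the DB zone, e.g. 'fcfc::1/32' (the answer's
            value; note that /32 matches the whole fcfc::/32 block).
    wan_if / lan_if: internet-facing and DB-zone interfaces (ens16 / ens17).
    """
    bridge = ipaddress.IPv6Network(container_prefix, strict=False)
    dst = ipaddress.IPv6Interface(db_dst)
    if bridge.overlaps(dst.network):
        raise ValueError(f"container prefix {bridge} overlaps DB zone {dst.network}")
    daemon_json = json.dumps({"ipv6": True, "fixed-cidr-v6": str(bridge)}, indent=2)
    rules = [
        # everything leaving towards the internet is source-NATed to the host
        f"ip6tables -t nat -I POSTROUTING -s {bridge} -o {wan_if} -j MASQUERADE",
        # only traffic for the DB zone is NATed out of the LAN interface
        f"ip6tables -t nat -A POSTROUTING -s {bridge} -d {dst.with_prefixlen} -o {lan_if} -j MASQUERADE",
    ]
    return daemon_json, rules


if __name__ == "__main__":
    print(bridge_overlap_reason("fcfc:0:0:1::/64", "fcfc::1:24fc:25ff:fe25:c903"))
    cfg, cmds = build_nat_config("fefe:1234::/80", "fcfc::1/32", "ens16", "ens17")
    print(cfg)
    print("\n".join(cmds))
```

The helper only prints the configuration; rules added with ip6tables by hand do not survive a reboot, so keep them in whatever rule persistence mechanism the host uses.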
Source: https://stackoverflow.com/questions/55493727/how-do-i-connect-to-to-hosts-network-from-within-a-docker-container